A couple of weeks ago I hosted a meeting with a group of CxOs where I spoke about Microsoft’s Trustworthy Computing initiative and Microsoft’s commitment to security. I spoke at length about improvements in our internal efforts to build and release secure code. Invariably, several of the questions that I got asked by that group of people were versions of something that I get asked quite often: “What are you doing to promote these lessons to the companies and people that build applications on Microsoft platforms?”
While we are always our own first test case (what we inside Microsoft love to call eating your own dog food), we are absolutely committed to sharing our knowledge, our best practices, and our tools with our customers and the development community at large. Here is a collection of things that we are doing on this:
Secure Platform: We’ve delivered the .NET framework v1.1 that encapsulates many fundamental security mechanisms, making it simpler for developers to add security to their applications. Cryptography APIs and integrated PKI capabilities enable developers to build on a more secure platform.
Development Tools: Visual Studio .NET 2003, in conjunction with security tools like FxCop, helps you develop line-of-business applications with inherent security. Take a look at this neat article by John Robbins on how FxCop can enhance your productivity. Visual Studio 2005 Team System developers will see a new class of static code analysis tools that are fully integrated within the IDE. Our work on the WS-I standards process and on implementing web services security enhancements helps developers as well.
Developer Guidance: One of our best security web sites is the Microsoft Security Developer Center at http://msdn.microsoft.com/security, which includes prescriptive guidance, training and articles to help the development community. For those of you who did not get a chance to attend, a dedicated developer Security Symposium was held at Microsoft’s Professional Developers Conference in October 2003 to focus on secure coding practices. We have also been hosting TechNet seminars since the fall of 2003 to educate IT professionals on good security practices. I have heard that many people find our monthly security webcasts quite useful. These webcasts are designed to inform participants about the latest developments on the security front.