Sample Application Security
Keith Pleas wrote an interesting article for MSDN: Guidance on Patterns & Practices: Security [by way of Julie Lerman]
In the article, Keith talks about some of the things I have mentioned in my own blog before:
There are too many samples out there with bad security practices that have become production code in one form or another.
or, as Keith states it:
"A familiar aphorism states that 'If all you've got is a hammer, everything looks like a nail.' Well then, is it any surprise that a lot of production Web applications look like the demo samples? What is clearly needed is a new generation of real-world sample applications that are designed and built using the 'best practices' not just for security (our focus here), but for robustness, scalability, testing, and deployment; in fact, of all phases of the software development lifecycle. It is also important to recognize that this guidance will improve over time until it ultimately becomes part of the underlying platform."
In the article, he points out that we have bad samples on one end and very large books on secure practices on the other, with very little in between. Most new developers (and some seasoned developers in a hurry) will pick up the sample, marvel at how simple it is, tweak it a little, and deploy it as a production application. Keith offers the current Patterns and Practices Group's Enterprise Development Reference Architecture (EDRA) project (previously known as "Shadowfax") as a sample that tries to provide examples of security best practices. I haven't looked at this in a while, but what I remember seeing was pretty good.
What I liked best about the article was Keith's analysis of the previous and existing samples offered by Microsoft. While not as thorough as I would have liked, it was a good example of a habit all developers should practice. Any time you are tempted to use a sample application for anything other than learning, examine it very carefully for security holes first. In fact, examine your own code regularly, and have others examine it too. You owe yourself and your users nothing less.