Sample Application Security

Keith Pleas wrote an interesting article for MSDN: Guidance on Patterns & Practices: Security [by way of Julie Lerman]

In the article, Keith talks about some of the things I have mentioned in my own blog before:

There are too many samples out there with bad security practices that have become production code in one form or another.

or, as Keith states it:

"A familiar aphorism states that "If all you've got is a hammer, everything looks like a nail." Well then, is it any surprise that a lot of production Web applications look like the demo samples? What is clearly needed is a new generation of real-world sample applications that are designed and built using the "best practices" not just for security (our focus here), but for robustness, scalability, testing, and deployment; in fact, of all phases of the software development lifecycle. It is also important to recognize that this guidance will improve over time until it ultimately becomes part of the underlying platform." 

In the article, he mentions we have bad samples and very large books on secure practices with very little in between. Most new developers (and some seasoned developers in a hurry) will pick up the sample, marvel at how simple it is, tweak it a little, and deploy it as a production application. Keith offers the current Patterns and Practices Group's Enterprise Development Reference Architecture (EDRA) project (previously known as "Shadowfax") as a sample that tries to provide some security best practices examples. I haven't looked at this in a while, but what I remember seeing was pretty good.

What I liked best about the article was Keith's analysis of the previous and existing samples offered by Microsoft. While not as thorough as I would have liked, it was a good example that all developers should get in the habit of practicing. Anytime you are tempted to use a sample application for anything other than a learning process, be sure to examine it very carefully for security holes. In fact, examine your own code regularly and with others. You owe yourself and your users nothing less.

Comments

Tuesday, January 25, 2005 9:08 AM by Aaron Weiker

# re: Sample Application Security

This kind of relates to something that has been bugging me the past couple of days. I've been reading more about Yukon, and in pretty much every single paper I've looked at, at least somewhere there was a "SELECT * FROM ...". But at the same time these same people will tell us not to do that in real life. Well, I'm sorry, that's not going to happen as long as you keep giving examples one way and then preaching another.

So please, if you see me doing this, call me on it, as you will be doing a disservice to everyone else who happens to see the "bad" example.

Tuesday, January 25, 2005 3:58 PM by Jason Jones

# re: Sample Application Security

I think this isn't a simple problem.

On one hand, I often get annoyed at overly engineered code samples. A good sample that actually teaches something, in my opinion, should be the simplest possible program that demonstrates the concept.

A beginning programmer has no mental tools to exclude what's irrelevant to the example but related to best practices. Is it relevant that this AutoResetEvent is exposed through a property rather than simply being a public member? If the novice can't get his own code working, he often tries to mimic the sample as completely as possible, potentially introducing a lot of complexity that doesn't relate to his particular problem.

On the other hand, I agree that a lot of sample code makes it to production environments. As I said, not an easy question.

Tuesday, January 25, 2005 4:18 PM by Robert Hurlbut

# re: Sample Application Security

Jason, you are right, it isn't an easy question. But, I applaud the newer line of samples (if I understand Keith correctly) that attempt to teach the developer how to do it right the first time.

This can be the bane of any sample code --

Do as I code, not as I want you to do based on the warnings I just gave you in the fricken' article that accompanies this code!