My blog has moved and can now be found at http://blog.aniljohn.com

No action is needed on your part if you are already subscribed to this blog via e-mail or its syndication feed.

Sunday, March 7, 2004
« I am a Lowly User of my Machine | Main | Connection Strings, DPAPI and Web Farms »

The first Integrated Development Environments (IDEs) for software development appeared in the early 1990s. These IDEs combined a code editor, compiler and debugger into a unified framework. Later developments allowed third-party tools to be integrated with the IDE through the use of open APIs. In 2002 the Meta Group extended the terminology to Integrated Life-cycle Development Environments (ILDEs). An ILDE includes functionality such as integrated requirements management, change request management, knowledge sharing, task management, version control, testing and bi-directional asset linking. Borland has begun utilizing the term ILDE as well as Application Lifecycle Management (ALM), while IBM Rational incorporates similar concepts within its Rational Unified Process (RUP).

ILDE, ALM, or RUP can deliver benefits to the application development process when used appropriately. However, one concern I have is the lack of priority that both Borland and Rational have given to deliver secure coding tools within their development environments. My impression is that none of these major vendors have yet got security. Recently Microsoft has begun disclosing details on its Whidbey Visual Studio, due for release later this year. It will deliver some assistance for developers including "support constraining and validating your design against the Web Services Enhancements (WSE), IIS Security, SQL Security, and ASP.NET Security." Again Microsoft's committed stance towards improved security has moved it from the position of security laggard to security innovator. Tools from Microsoft Research such as Prefast, Prefix, FxCop, SDV, Aegis and ESP are examples of first phase security related tools that all tool vendors should be providing.

The challenge is for all tool vendors: Borland, IBM Rational, Sun, the Eclipse platform and Microsoft to dramatically improve the security components within their life-cycle application development frameworks. Certainly tools are not the total solution. Ongoing training of coding staff is also critical. However programmers are always under pressure to deliver functional code, and smart security tools are required to assist it is secure functional code.

Resources
Development Tools
Borland ALM: http://www.borland.com/alm/
IBM Rational RUP: http://www-136.ibm.com/...
Microsoft Developer Tools Roadmap 2004-2005: http://msdn.microsoft.com/...
Microsoft Research tools (ppt file): http://research.microsoft.com/...
Microsoft Whidbey FAQ: http://msdn.microsoft.com/...

Background
Microsoft security - don't underestimate its secure future: http://davidcartwright.com/...

[SECURITY++ David Cartwright's weblog]

+1  - Completely agree with David's sentiments here.
 
One additional item I should have added in my earlier post is exactly what David is asking for. Tool support for Secure Coding.
 
 
Tags:: Security
3/7/2004 4:10 PM Eastern Standard Time  |  Comments [0]  |  Disclaimer  |  Permalink    Tracked by:
"Enterprise Architecture and Anti-metaphors" (Thought Leadership) [Trackback]
Comments are closed.