News

Lost in the Tech Ed noise

Pretty much every developer who pays attention knows by now that Microsoft made some major product announcements the first day of this year's Tech Ed. There was the revelation of the Visual Studio Team System, of course, and the release version of Web Services Enhancements (WSE) 2.0. But there are a couple of other new downloads available from Microsoft that you should also know about, even if they didn't get as much press attention.

First among these (and probably the more obscure) is the new Threat Modeling Tool. Threat modeling is one of those disciplines that more developers should know about in these increasingly security-conscious days. It is a structured process to help improve the security of an application by thinking carefully about its vulnerable points. Briefly, you identify both the assets of your application (such as critical data) and the threats to those assets, and then rate the potential impact of each threat. By moving carefully through this process for each potential threat, you can decide where it makes the most sense to put your coding effort as you try to mitigate the threats.

What the Threat Modeling Tool brings to the process is a careful framework that helps you impose the structure. It presents you with a treeview where the different nodes represent threats, assets, and so on. As you add nodes to the tree, each node gets a specific user interface to let you fill in relevant properties. At the end of the process, you click a button to get the entire threat model saved as XML, or to view it nicely formatted via XSLT. The help file that comes along with the application is a good introduction to the practice of threat modeling. If you want a much more in-depth look, there's a book on the subject coming from Microsoft Press in June.

The other tool that developers should take a look at is the SQL Server Best Practices Analyzer. The Best Practices Analyzer is designed to make it easy to tell whether you're making good use of SQL Server by following Microsoft's recommendations. Although I don't much like its user interface (which to my mind is a poor squeezing of a Web interface into what could have been a rich client), the information is valuable. After setting things up, you select the databases to scan and the rules to apply. What comes back is a list of places where you are (or are not) in compliance with the rules. A few clicks will bring back additional detail.

For example, one of the things that the BPA will check is whether you're using SELECT * anywhere. Probably most developers know that SELECT * is dangerous; you ought to use column lists to be sure you're getting only and exactly the columns that you need. But have you ever been lazy and put together a SELECT * view, thinking you'd change it later? BPA will catch you if you did, and give you the exact details of the database objects that ought to be fixed.
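A rough approximation of that kind of check, as an added example (it is not the Best Practices Analyzer's own rule and not code from the original article). It scans object definitions for wildcard select lists while ignoring comments, string literals, `COUNT(*)` and multiplication; the object names and definitions are constructed sample input.

```python
import re

# Constructed sample definitions (hypothetical object names), standing in for
# the view and procedure text you would read out of a database.
SAMPLE_OBJECTS = {
    "dbo.vw_Customers": "CREATE VIEW dbo.vw_Customers AS SELECT * FROM dbo.Customers",
    "dbo.vw_Orders": "CREATE VIEW dbo.vw_Orders AS\n"
                     "SELECT o.*, c.Name FROM dbo.Orders o "
                     "JOIN dbo.Customers c ON c.Id = o.CustomerId",
    "dbo.vw_OrderCount": "CREATE VIEW dbo.vw_OrderCount AS "
                         "SELECT COUNT(*) AS n FROM dbo.Orders",
    "dbo.usp_Search": "CREATE PROCEDURE dbo.usp_Search AS\n"
                      "-- old: SELECT * FROM dbo.Items\n"
                      "SELECT Id, Name FROM dbo.Items WHERE Name <> 'SELECT * FROM x'",
    "dbo.vw_Area": "CREATE VIEW dbo.vw_Area AS "
                   "SELECT Width * Height AS Area FROM dbo.Shapes",
}

# Comments and string literals are blanked first so text inside them is ignored.
_NOISE = re.compile(r"--[^\n]*|/\*.*?\*/|'(?:[^']|'')*'", re.S)

# A select-list item that is a bare * or alias.* : it directly follows SELECT
# (optionally DISTINCT/ALL/TOP n) or a comma, and is followed by a comma,
# FROM, or the end of the text.
_STAR = re.compile(
    r"(?:\bSELECT\s+(?:(?:DISTINCT|ALL)\s+)?(?:TOP\s+\(?\d+\)?\s+)?|,\s*)"
    r"((?:[\w\[\]]+\.)*\*)\s*(?=,|\bFROM\b|$)",
    re.I,
)

def find_select_star(definition):
    """Return the wildcard select-list items found in one object definition."""
    cleaned = _NOISE.sub(" ", definition)
    return [m.group(1) for m in _STAR.finditer(cleaned)]

def audit(objects):
    """Map object name -> wildcard items, only for objects that use any."""
    report = {}
    for name, definition in sorted(objects.items()):
        hits = find_select_star(definition)
        if hits:
            report[name] = hits
    return report

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_OBJECTS).items():
        print(f"{name}: wildcard select list {hits}")
```

This pattern match also flags `EXISTS (SELECT * ...)` subqueries, so treat its output as a list of objects to review rather than a verdict.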

Microsoft posts a constant stream of utilities, documentation, and fixes to its download site. Keeping an eye on this stream will often reward you with gems like the Threat Modeling Tool and the Best Practices Analyzer. For all that they're in business to make money, the company gives away some very useful code indeed.

About the Author

Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.