Lost in the Tech Ed noise
Pretty much every developer who pays attention knows by now that Microsoft
made some major product announcements the first day of this year's Tech Ed.
There was the revelation of the Visual Studio Team System, of course, and the
release version of Web Services Enhancements (WSE) 2.0. But there are a couple
of other new downloads available from Microsoft that you should also know about,
even if they didn't get as much press attention.
First among these (and probably the more obscure) is the new Threat
Modeling Tool. Threat modeling is one of those disciplines that more
developers should know about in these increasingly security-conscious days.
Threat modeling is a structured process to help improve the security of an
application by thinking carefully about its vulnerable points. Briefly, you
identify both the assets of your applications (such as critical data) and the
threats to those assets, and then rate the potential impact of each threat. By
moving carefully through this process for each potential threat, you can decide
where it makes the most sense to put your coding effort as you try to mitigate
What the the Threat Modeling Tool brings to the process is a careful
framework that helps you impose the structure. It presents you with a treeview
where the different nodes represent threats, assets, and so on. As you add nodes
to the tree, each node gets a specific user interface to let you fill in
relevant properties. At the end of the process, you click a button to get the
entire threat model saved as XML, or to view it nicely formatted via XSLT. The
help file the comes along with the application is a good introduction to the
practice of threat modeling. If you want a much more in-depth look, there's a book on the subject
coming from Microsoft Press in June.
The other tool that developers should take a look at is the SQL
Server Best Practices Analyzer. The Best Practices Analyzer is designed to
make it easy to tell whether you're making good use of SQL Server by following
Microsoft's recommendations. Although I don't much like its user interface
(which to my mind is a poor squeezing of a Web interface into what could have
been a rich client), the information is valuable. After setting things up, you
select the databases to scan and the rules to apply. What comes back is a list
of places where you are (or are not) in compliance with the rules. A few clicks
will bring back additional detail.
For example, one of the things that the BPA will check is whether you're
using SELECT * anywhere. Probably most developers know that SELECT * is
dangerous; you ought to use column lists to be sure you're getting only and
exactly the columns that you need. But have you ever been lazy and put together
a SELECT * view, thinking you'd change it later? BPA will catch you if you did,
and give you the exact details of the database objects that ought to be
Microsoft posts a constant stream of utilities, documentation, and fixes to
its download site. Keeping an eye on this stream will often reward you with gems
like the Threat Modeling Tool and the Best Practices Analyzer. For all that
they're in business to make money, the company gives away some very useful code
Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.