VC++ Blog Tour Stop: Content Part 4: Roadmap to Securing C++ Applications

This is an interesting subject to write about, for many reasons.  Given that there are a lot of great resources on the web now, specifically about Whidbey even, I won't spend a lot of time or go into much detail here.

The main points we made on tour were:

  • Build security in layers
  • Use the features that improve security
  • Use the features that detect vulnerabilities

The layers of security that we discussed on tour were:

Block Attacker Access to the Machine - This includes taking actions such as enabling the Windows Firewall and using authentication for RPC.  Using the most recent release of the Windows operating systems will make sure you have the latest security features - currently that means Windows XP SP2 and Windows Server 2003 SP1.

Prevent Security Bugs - Use the features that statically analyze your code; replace risky libraries with more secure options; always, always, always validate data and remember to test the limits.  In Visual C++ 2005, we added more secure versions of the C++ libraries.

Mitigate Vulnerabilities - Use the features that improve runtime error detection and ensure you use antivirus monitoring software.  With recent releases of Visual C++ this means compiling with /GS and /SAFESEH.

Service with Reliability - Make sure you can service what you ship; collect information about errors and buffer overruns.  Take advantage of the Windows Error Reporting Tool and remember to use the new deployment model that I wrote of in September.
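To make the "Prevent Security Bugs" layer concrete, here is an added example (not code from the original post or from the Visual C++ libraries). The more secure library functions in Visual C++ 2005, such as strcpy_s, take the destination size as an argument; the hypothetical helpers copy_checked and limit_test below are a portable stand-in for that contract, exercised at its limits with constructed inputs.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not the Visual C++ CRT source): copies src into dest
 * only if the whole string plus its terminator fits in dest_size bytes. */
int copy_checked(char *dest, size_t dest_size, const char *src)
{
    size_t len = 0;

    if (dest == NULL || dest_size == 0)
        return EINVAL;
    if (src == NULL) {
        dest[0] = '\0';
        return EINVAL;
    }
    /* Scan at most dest_size bytes so an oversized src is never measured
     * past the point where the copy is already known to fail. */
    while (len < dest_size && src[len] != '\0')
        len++;
    if (len == dest_size) {   /* no room left for the terminator */
        dest[0] = '\0';       /* fail closed: never leave a partial string */
        return ERANGE;
    }
    memcpy(dest, src, len + 1);
    return 0;
}

/* Constructed limit tests: exact fit, one byte over, empty input, bad pointer.
 * Returns 0 when every case behaves as expected, else the failing case number. */
int limit_test(void)
{
    char buf[8];

    if (copy_checked(buf, sizeof buf, "1234567") != 0) return 1;  /* 7 + NUL fits */
    if (strcmp(buf, "1234567") != 0) return 2;
    if (copy_checked(buf, sizeof buf, "12345678") != ERANGE) return 3;
    if (buf[0] != '\0') return 4;                                 /* emptied on failure */
    if (copy_checked(buf, sizeof buf, "") != 0) return 5;
    if (copy_checked(NULL, 8, "x") != EINVAL) return 6;
    return 0;
}

int main(void)
{
    return limit_test();
}
```

The unchecked strcpy would have written a ninth byte past buf in case 3; the checked form rejects the input and leaves an empty string instead.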

Resources:

Michael Howard's (the security guru of Microsoft) Blog - http://blogs.msdn.com/michael_Howard/

Libraries team blogs: http://blogs.gotdotnet.com/martynl/ and http://blogs.gotdotnet.com/nikolad/

MSDN2 Documentation on Security Best Practices - http://msdn2.microsoft.com/en-US/library/k3a3hzw7(en-US,VS.80).aspx

MSDN2 Documentation on Deployment - http://msdn2.microsoft.com/en-us/library/zebw5zk9(en-US,VS.80).aspx

Keep your Microsoft software up to date - http://update.microsoft.com

Windows Error Reporting - http://oca.microsoft.com/en/welcome.aspx and http://www.microsoft.com/resources/satech/cer/

 - april

Published Wednesday, January 25, 2006 2:04 PM by AprilR