ZDNet UK

CBS INTERACTIVE UK BUSINESS SITES:
BNET UK
silicon.com
ZDNet.co.uk

You are here: ZDNet.co.uk > News > Software

Desktop platforms Toolkit

Microsoft turns to automatic code checks

Published: 27 May 2004 12:25 BST

When Microsoft needed help in taming the large number of flaws that had crept into its Windows operating system, it looked to technology known as "static source code checkers" and a company called Intrinsa.

Intrinsa's product, known as PREfix, analysed the code created by developers and flagged potential errors. The software giant found the program so helpful that it bought the company for $60m (£32.9m) in 1999. Today, a handful of other developers of similar products hope to convince customers that they should be using their programs to spot-check security.

For Microsoft, such tools have become an integral part of its Trustworthy Computing Initiative, which aims to make Windows computers more reliable. The software maker trains 20,000 developers annually in secure programming, but the tools enforce discipline on a daily basis, said Michael Howard, security programme manager for the company.

"We are not seeing the same (security) issues as five years ago," he said. "We have educated people, so they understand these issues, and the tools are a lot better. People are not writing bad code. They are writing better code in the first place."

A handful of other companies have started to sell tools similar to the static source code checker used by Microsoft. Although the tools have been developed mainly by academics intent on collecting data about software flaws, these companies think the programs are mature enough for commercial applications. Moreover, with corporate information technology managers fed up with security flaws, many are ready to adopt the technology.

The spotlight on developers has increased in intensity in recent months with the release of a technology industry plan for better development and a report from the Business Roundtable that castigated software makers for failing to produce reliable products. Companies are reliant on the Internet, whether they're selling online, connecting to partners or just using email. Yet almost 4,000 flaws have been found in each of the past two years, according to the CERT Coordination Centre.

"Most of the significant cyberincidents that have harmed American business and consumers over the past several years have had as their root cause defective and readily exploitable software code," the Business Roundtable, which includes 150 chief executives from large US companies, said in a four-page "Framework for the Future." "Most software development processes used today do not incorporate effective tests, checks or safeguards to detect those software coding defects that result in product vulnerabilities."