Microsoft coders get a bug-catcher

Web developers in need of another set of eyes to check their code for security holes should soon be able to add an application scanner to Microsoft's Visual Studio .Net.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
2 min read
Microsoft developers now have a new tool to help them catch security bugs in their own code.

The software giant plans to announce on Monday that a plug-in created by security firm Sanctum, scheduled for release in March, will be the first to easily integrate with Microsoft's development platform Visual Studio .Net. The tool, AppScan Developer Edition 1.5, can be run on Web applications in real time to catch common programming flaws.

"The cool thing with the integration with Visual Studio is that, because it's there in your face, you run it early and you run it often," said Michael Howard, senior program manager for Microsoft and the author of the company's textbook on secure programming. "You can find issues before they get far down the development path, before they become expensive to remove."

The announcement comes as Microsoft moves into the second year of its "Trustworthy Computing" initiative, the most visible part of which is its push to heighten product security. Last year, the company spent more than two months and $200 million dollars training its own developers in secure programming.

Tools like Sanctum's go a long way toward moving that training outside Microsoft to the independent developer community, said Michael Kass, product manager for Microsoft's .Net Framework.

"There are two sides to Trustworthy Computing," Kass said. "First, training our developers and making sure that we ship more secure applications. The other side is evangelizing best practices."

Until now, Sanctum had primarily been providing products to security consultants and network auditors, which would use AppScan 3.5 to test Web sites and applications for commons security flaws. With AppScan DE 1.5, Sanctum is moving its product up the development chain to catch bugs early, said Ben Straley, the company's product marketing manager.

"The way that we look at the application lifecycle is that there is a role for (testing) at every stage," he said. "Moreover, (AppScan DE 1.5 is) not just a useful testing tool, it is an educational tool as well."

AppScan DE 1.5 goes on sale in March. No price has yet been announced.