One of the highlights of the RSA Europe Conference was meeting a very interesting gentleman who works for Microsoft. Simon Rose Femerling works with the Microsoft ACE Team. We had some really interesting conversations about security, including research conducted in the hotel bar at 3 a.m. to try to determine the motivation of the average consumer in buying a computer and whether or not security is one of their criteria. Needless to say, that is one research paper that won’t get published.
One thing that really impressed me about Simon was his dedication and enthusiasm for improving computer security for us all, while at the same time understanding the real-world challenges facing businesses and system administrators.
Not only does Simon work with his colleagues at Microsoft to help developers understand that security needs to be built into applications from the beginning, he is also heavily involved in the Open Web Application Security Project (OWASP). Within OWASP, Simon runs the Pantera Web Assessment Studio Project, a web application penetration testing tool. If you are working in the web application area, I strongly recommend you have a look at the Pantera Web Assessment Studio Project.
While chatting over a few beers, Simon gave me an insight into the work he and his colleagues are doing. One of their projects is now available for free from the team’s blog: the XSSDetect tool, which runs as a Visual Studio plug-in to enable developers to detect XSS (cross-site scripting) vulnerabilities within their code.
Given that web application attacks are becoming more and more prevalent (recent research shows that 70% of web attacks are at the application layer), the above tools and the work that Simon and his colleagues are doing are becoming more and more important.
If you are working with .NET, I recommend that you download the XSSDetect tool and have a look at it. It may save you a few embarrassing situations in the future. If you find any issues with it, feed them back to the Microsoft ACE Team so they can improve the tool.
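To make concrete what a tool of this kind is looking for, here is an added illustration (not code from the original post, from XSSDetect or from the ACE Team) of the classic reflected-XSS data flow in an ASP.NET page: an untrusted query-string parameter written straight into the response, beside the same page with the output HTML-encoded. The page class, method names and the `q` parameter are assumed for the example; `HttpUtility.HtmlEncode` is the standard .NET encoder from `System.Web`.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example: the tainted data flow a static XSS detector flags,
// and the encoded version that closes it.
public class SearchPage : Page
{
    // Vulnerable pattern: the user-controlled "q" parameter (untrusted source)
    // is concatenated verbatim into HTML and written to the response (sink).
    // Any markup in "q" is rendered by the browser as markup.
    protected void RenderVulnerable()
    {
        string query = Request.QueryString["q"];               // untrusted input
        Response.Write("<p>Results for: " + query + "</p>");   // unencoded sink
    }

    // Fixed pattern: encode the value for the HTML element context before
    // writing it, so characters such as '<', '>', '&' and quotes are emitted
    // as entities and displayed as text rather than interpreted as markup.
    protected void RenderSafe()
    {
        string query = Request.QueryString["q"] ?? string.Empty;
        string encoded = HttpUtility.HtmlEncode(query);
        Response.Write("<p>Results for: " + encoded + "</p>");
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        RenderSafe();
    }
}
```

The encoder has to match the output context: `HtmlEncode` is correct for text between tags, while a value placed inside an attribute or a script block needs the corresponding attribute or JavaScript encoding. A source-to-sink detector like the one described above is valuable precisely because the vulnerable and safe versions differ by a single call that is easy to forget in a large code base.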
Over the past few months I have been increasingly impressed by Microsoft’s improvements in security. My impressions have not been formed or shaped by the Microsoft marketing machine, but are based on the people I have met who work for Microsoft. People like Simon, and those I met while I was keynote speaker at Microsoft Ireland’s IT Professional Security Training Event, demonstrate to me that Microsoft have people working for them who really care about security. And of course the way Microsoft release their patches is an example other vendors should be following. Anyone from Apple or Oracle should take heed.
So well done Simon, the Microsoft ACE (Application, Consulting and Engineering) Team and the rest of your colleagues. As is often said, “security is not a destination but a journey”, but from where I am sitting it looks like Microsoft are well on their way.