Foreword

Foreword

Improving security was a major focus while we were developing Windows 2000. At one point, we decided to run an unusual experiment to test the product s mettle before we released it. We set up a Windows 2000 Web server called Windows2000test.com, put it out there, and waited to see what happened. We made no announcement of any kind; we didn t call any attention to it in any way whatsoever. Within a couple of hours, hundreds of people were already trying to hack it. Within days, tens of thousands of people were hammering away.

These days, as soon as a product gets into their hands, hackers begin an intensive effort to find and exploit security holes. If the product developers don t make an equally intensive effort to build security into their code, the hackers will almost surely succeed. A product s security is every bit as important as its features. Don t get me wrong people would have no reason to buy a product without great features. But while developers know how to build features, they often don t know how to design and build security. This book changes that.

Writing Secure Code offers practical insights into secure design, secure coding, and testing techniques, many of which are not documented elsewhere. It will give you a richer understanding of what it takes to build secure applications. Michael and David are, respectively, members of the Secure Windows Initiative and the Trustworthy Computing Security Team at Microsoft. They have witnessed firsthand the sometimes basic coding mistakes that undermine product security, and their projects have helped us significantly improve how we designed and implemented security in products such as Windows 2000 and Windows XP. Their goal in writing this book is to pass on to you, the developer community, everything Microsoft has learned.

Brian Valentine

Senior Vice President, Windows Division

Microsoft Corporation