Secure Coding mailing list archives

Secure software education. Does it start with our tools?


From: dana at vulscan.com (Dana Epp)
Date: Thu, 11 Jan 2007 08:57:03 -0800

Hey guys,
 
Last month I blogged (http://silverstr.ufies.org/blog/archives/000989.html) about my disappointment with the fact that 
the new service pack for Visual Studio 2005, on Vista, suggests with a specific dialog box that you run the IDE as 
Administrator (http://msdn2.microsoft.com/en-us/vstudio/aa972193.aspx).
 
The actual dialog box is alarming and misleading, because it really gives poor advice and the false impression that 
developers HAVE to be building software as Administrator. Am I being selfish in believing that this is the LAST thing 
we want to do when trying to educate developers to not write code with administrative privileges? I know you can simply 
uncheck the thing and move on (as recommended by Michael Howard at 
http://blogs.msdn.com/michael_howard/archive/2007/01/04/my-take-on-visual-studio-2005-sp1-and-windows-vista.aspx), but 
the reality is that this guidance isn't helping us as we try to educate developers to write software requiring fewer 
privileges, when the tools we use suggest that it doesn't adhere to that!
 
For years we have been trying to educate developers to run with least privilege so they can build safer software in a 
more restricted environment. This is particularly important in a Windows environment, where quite a few attack vectors 
would be significantly lessened if the software had simply required fewer privileges at design time. I fear that when 
developers see such guidance they will simply run all their tools in an elevated context, or, worse yet, turn off things 
like UAC altogether so they can go about their "daily business". Now, I am pretty sure that a lot of us on this list 
have been building software in least privilege environments for years. But what does this say to those that don't know 
any better when they see such dialog boxes when they start their tools?
 
Microsoft has even written a Vista "Issue list" for when you run Visual Studio as a Standard User 
(http://msdn2.microsoft.com/en-us/vstudio/aa972193.aspx). There are plenty of examples there where the workaround is 
"Run Visual Studio with elevated administrator permissions" when it doesn't have to be. So it's clear they know this is 
an issue.
 
Am I wrong for being disappointed in Microsoft's approach at this stage of the game? We aren't talking about an old IDE 
written for Windows 95. This was built FOR and ON Vista. With Microsoft's great strides in their SDLC process to date, 
should we be expecting them to lead the charge in educating developers to run as Standard Users? What are your 
thoughts on this?
 
---
Regards,
Dana Epp [Microsoft Security MVP]
Blog: http://silverstr.ufies.org/blog/