Microsoft To Offer Open Source Security App For Developers

The company said its upcoming !exploitable Crash Analyzer software is a heuristics-based tool that improves with additional collaboration.
In 2001, Microsoft CEO Steve Ballmer famously referred to open source software, specifically the GPL, as intellectual property cancer.

These days, Microsoft has moderated its stance. "Open source is neither an industry fad, nor a magic bullet," the company explains on the open source section of its Web site. "Rather, the development methods commonly encompassed by the term open source have provided customers and developers with additional options among many in the technology ecosystem."

So it is that on Friday, Microsoft's Security Science team plans to announce the release of an open source crash analysis tool at the CanSecWest security conference in Vancouver, British Columbia.

And as if to assure the world that it's hip to this whole open source thing, the company has bestowed upon its software a "l33t" name: the !exploitable Crash Analyzer. It's an endearing effort, sort of like watching a parent trying on Heelys. With any luck, Yahoo! will feel flattered by Microsoft's move on its exclamation point rather than litigious.

The program is an extension for the Windows Debugger (WinDbg) that examines crashes observed during application development and testing, groups crashes that stem from the same underlying bug, and rates each group's likely exploitability so that its security implications stand out.

Microsoft is releasing it to help developers write more secure code. It plans to make the application available as a free download through the Microsoft Security Engineering Center Web site on Friday.

Asked why the company chose to make its !exploitable Crash Analyzer open source, a company spokesperson explained, "Microsoft is committed to providing a more secure computing experience and realizes this can only be done through industry collaboration. As always, Microsoft is open to new ways of pursuing its goals of a more secure Internet, and in contexts where it makes sense, open source code helps achieve this goal. The tool is a heuristics-based tool that improves with additional collaboration, therefore the open source release allows developers, testers, and security researchers throughout the industry to work together to create a more secure computing environment."

Roger Kay, founder and president of consulting firm Endpoint Technologies Associates, explains that while Microsoft wants to make its own software secure, that security often depends on the security of the third-party software running on its platform.

"Microsoft necessarily has to worry about other people's stuff because it sits on their stuff," he said. "If there's a vulnerability on someone else's app, all the trouble they have gone to secure their software may be for naught."

Just as Google works to block Web-based malware in order to protect the environment its users operate in, Microsoft wants to keep the wider computing ecosystem safe. "Microsoft sees security as a general good, something that should be spread around as widely as possible," Kay explained.

The !exploitable Crash Analyzer provides a way for Microsoft to do that. "The essence of it is they have figured out a way to understand the nature of a crash," explained Kay. "Lots of times, crashes look different but are actually governed by the same underlying process." Armed with that knowledge, developers can fix the root cause once instead of chasing each symptom separately.

The software also helps prioritize crashes by rating how likely each one is to be exploitable, so that developers know which problems need to be addressed immediately and which ones can wait.
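To make the grouping and prioritization concrete, here is an added illustration written for this article; it is not Microsoft's code and does not reproduce the tool's actual rules. It shows the two ideas the article describes: a stack-based hash that puts crashes with the same underlying cause into one bucket even when the faulting offsets differ, and a heuristic rating that ranks buckets by likely exploitability. The exception codes are the real Win32 values; everything else (the 64 KiB "near NULL" limit, the five-frame major hash, the ignored runtime modules, the rating rules and the sample crash records) is an assumption constructed for the example.

```python
"""Simplified crash triage in the spirit of !exploitable: bucket duplicate
crashes by a stack hash, then rate each bucket's exploitability.

Added example for illustration; not Microsoft's code. The heuristics,
thresholds and sample crash data below are constructed assumptions."""
import hashlib
import re
from dataclasses import dataclass

# Real Win32 exception codes.
EXCEPTION_ACCESS_VIOLATION = 0xC0000005
EXCEPTION_STACK_OVERFLOW = 0xC00000FD
EXCEPTION_INT_DIVIDE_BY_ZERO = 0xC0000094

NEAR_NULL_LIMIT = 0x10000   # assumed: faults in the first 64 KiB count as NULL dereferences
MAJOR_FRAMES = 5            # assumed: frames used for the coarse ("major") hash
# Assumed: runtime frames are skipped so a bucket is named by the crashing code.
IGNORED_MODULES = {"ntdll", "kernelbase", "kernel32", "msvcrt", "ucrtbase"}

@dataclass
class Crash:
    exception_code: int
    access: str          # "read", "write", "execute", or "" for non-AV exceptions
    fault_address: int
    stack: list          # frames as "module!function+0xoff", innermost first

FRAME_RE = re.compile(r"^(?P<module>[^!]+)!(?P<func>[^+]+)(?:\+0x[0-9a-fA-F]+)?$")

def normalize_frame(frame):
    """Drop the instruction offset so 'foo!bar+0x12' and 'foo!bar+0x1a' compare equal."""
    m = FRAME_RE.match(frame.strip())
    if not m:
        return None      # unsymbolized frame (raw address): not stable, drop it
    return f"{m.group('module').lower()}!{m.group('func')}"

def stack_hashes(stack):
    """Return (major, minor): major hashes the top MAJOR_FRAMES symbolized,
    non-runtime frames; minor hashes all of them."""
    frames = []
    for f in stack:
        n = normalize_frame(f)
        if n and n.split("!")[0] not in IGNORED_MODULES:
            frames.append(n)
    major = hashlib.sha1("\n".join(frames[:MAJOR_FRAMES]).encode()).hexdigest()[:16]
    minor = hashlib.sha1("\n".join(frames).encode()).hexdigest()[:16]
    return major, minor

def classify(crash):
    """Rate a crash with simplified rules (assumptions, not the tool's logic)."""
    if crash.exception_code == EXCEPTION_ACCESS_VIOLATION:
        if crash.access == "execute":
            return "EXPLOITABLE", "control flow transferred to an invalid address"
        if crash.access == "write":
            if crash.fault_address < NEAR_NULL_LIMIT:
                return "PROBABLY_EXPLOITABLE", "write near NULL; offset may be attacker-influenced"
            return "EXPLOITABLE", "write access violation outside the NULL page"
        if crash.fault_address < NEAR_NULL_LIMIT:
            return "PROBABLY_NOT_EXPLOITABLE", "read near NULL; likely a plain NULL dereference"
        return "UNKNOWN", "read access violation at a non-NULL address"
    if crash.exception_code == EXCEPTION_STACK_OVERFLOW:
        return "PROBABLY_NOT_EXPLOITABLE", "stack exhaustion; denial of service"
    if crash.exception_code == EXCEPTION_INT_DIVIDE_BY_ZERO:
        return "PROBABLY_NOT_EXPLOITABLE", "integer divide by zero"
    return "UNKNOWN", "unrecognized exception"

SEVERITY = {"EXPLOITABLE": 0, "PROBABLY_EXPLOITABLE": 1, "UNKNOWN": 2, "PROBABLY_NOT_EXPLOITABLE": 3}

def triage(crashes):
    """Group crashes by major hash; order buckets by worst rating, then by size."""
    buckets = {}
    for c in crashes:
        major, minor = stack_hashes(c.stack)
        rating, reason = classify(c)
        b = buckets.setdefault(major, {"count": 0, "minors": set(), "rating": None, "reason": ""})
        b["count"] += 1
        b["minors"].add(minor)
        if b["rating"] is None or SEVERITY[rating] < SEVERITY[b["rating"]]:
            b["rating"], b["reason"] = rating, reason
    return sorted(buckets.items(), key=lambda kv: (SEVERITY[kv[1]["rating"]], -kv[1]["count"]))

# Constructed sample crashes (not real data).
SAMPLE_CRASHES = [
    # The same bug hit at two offsets in one function: should land in one bucket.
    Crash(EXCEPTION_ACCESS_VIOLATION, "write", 0x41414141,
          ["parser!ParseHeader+0x3c", "parser!ParseFile+0x120", "app!main+0x55",
           "kernel32!BaseThreadInitThunk+0x14"]),
    Crash(EXCEPTION_ACCESS_VIOLATION, "write", 0x42424242,
          ["parser!ParseHeader+0x48", "parser!ParseFile+0x120", "app!main+0x55",
           "kernel32!BaseThreadInitThunk+0x14"]),
    # NULL read elsewhere: low priority.
    Crash(EXCEPTION_ACCESS_VIOLATION, "read", 0x8,
          ["app!LoadConfig+0x10", "app!main+0x30", "kernel32!BaseThreadInitThunk+0x14"]),
    # Unbounded recursion.
    Crash(EXCEPTION_STACK_OVERFLOW, "", 0x0,
          ["parser!ParseNode+0x9", "parser!ParseNode+0x40", "parser!ParseNode+0x40",
           "parser!ParseFile+0x200", "app!main+0x55"]),
]

if __name__ == "__main__":
    for major, b in triage(SAMPLE_CRASHES):
        print(f"{b['rating']:<24} x{b['count']}  bucket {major}  ({b['reason']})")
```

Running the script lists three buckets: the two write faults in ParseHeader collapse into a single EXPLOITABLE bucket at the top, and the NULL read and stack exhaustion follow as lower-priority work. The major/minor split matters in practice: the major hash is deliberately coarse so that a bug reached through several call paths is still counted once, while the minor hash preserves the full path for the developer who has to reproduce it.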

Kay said that developers don't always have the resources or incentive to repair their software in a timely manner. The !exploitable Crash Analyzer, he said, "will help many developers figure out what's going on."
