Dec 30, 2010 12:29 GMT  ·  By

Microsoft has updated banned.h, a free security header file it first released in 2008 to help developers find and remove insecure functions from the code of their applications.

The refreshed version of banned.h is now available through the Download Center, and developers can grab it immediately to flag and remove banned functions from their code.

Since it was initially introduced a couple of years ago, some developers might already be familiar with banned.h.

The tool is another example of Microsoft sharing its Security Development Lifecycle (SDL) practices with third-party developers: including the header makes it simple to identify and remove any banned application programming interfaces (APIs) that an application's code still calls.

By banned APIs, the software giant means functions that pose a high degree of risk to users because they are easy to misuse: classic C runtime calls such as strcpy, strcat, sprintf and gets, which take no bound on the destination buffer and have a long history of buffer overflow vulnerabilities.

Jeremy Dallman, Senior Security Program Manager/Strategist at Microsoft, enumerated some of the changes in the updated version of banned.h, including:

“1. We broke the banned APIs into Required and Recommended categories:

• Required is a list of APIs with a history of vulnerabilities.

• Recommended is a list of functions you should consider removing from code over time. In general, these functions have less of a checkered history, but are potentially dangerous.

2. Made banned.h work well with StrSafe

3. Banned.h is now a superset of the /W4 C4996 compiler warnings.

4. Although C4996 is a good basic security step, banned.h is a more complete solution.”
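To make the mechanism concrete, here is an added illustration (not Microsoft's banned.h or StrSafe code). banned.h marks each banned function with MSVC's #pragma deprecated, so every use raises warning C4996, which becomes a build error under /WX. GCC and Clang have no deprecation pragma for library functions, so the equivalent used here is #pragma GCC poison, which rejects the identifier outright. The block keeps the ban behind a BAN_UNSAFE_APIS macro (an assumption for this example, not a banned.h switch) so the "before" function still compiles by default; the bounded safe_copy follows the contract of StrSafe's StringCchCopyA but is a hypothetical stand-in, not StrSafe itself.

```c
/*
 * Added example, not part of banned.h or StrSafe. Build normally to run the
 * demo; build with -DBAN_UNSAFE_APIS (or /DBAN_UNSAFE_APIS) to see the
 * legacy function below refused at compile time, which is what including
 * banned.h does to real code on MSVC.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef BAN_UNSAFE_APIS
#  if defined(_MSC_VER)
#    pragma deprecated(strcpy, strcat, sprintf, gets) /* the banned.h approach: C4996 */
#  else
#    pragma GCC poison strcpy strcat sprintf gets     /* GCC/Clang: hard error */
#  endif
#endif

#define NAME_MAX_LEN 16

/* "Before": the pattern banned.h exists to catch. strcpy has no idea how big
 * out is, so a name of NAME_MAX_LEN bytes or more overflows the caller's
 * buffer. This function only compiles while the ban is off. */
void legacy_set_name(char *out, const char *name)
{
    strcpy(out, name);
}

/* Return codes modelled on StrSafe: 0 is success, anything else is failure. */
enum { COPY_OK = 0, COPY_INVALID_PARAMETER = 1, COPY_INSUFFICIENT_BUFFER = 2 };

/* "After": bounded copy with the contract of StringCchCopyA (hypothetical
 * stand-in, not StrSafe). dst_size counts characters including the NUL;
 * the result is always NUL-terminated; if src does not fit, as much as fits
 * is copied and a failure code is returned, so callers cannot silently carry
 * on with truncated data. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    size_t i;

    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_INVALID_PARAMETER;

    for (i = 0; i < dst_size - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';

    return src[i] == '\0' ? COPY_OK : COPY_INSUFFICIENT_BUFFER;
}

int main(void)
{
    char buf[8];
    int rc = safe_copy(buf, sizeof buf, "this is too long");

    /* rc=2 buf="this is" : truncated, terminated, and reported as a failure */
    printf("rc=%d buf=\"%s\"\n", rc, buf);
    return rc == COPY_OK ? 0 : 1;
}
```

The point of the "after" form is the return value: StrSafe-style functions report truncation instead of hiding it, so a caller that ignores the result has made a visible choice rather than an invisible one. On MSVC, adding banned.h to the project does the same job for the "before" form that the BAN_UNSAFE_APIS switch does here.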

Dallman said the update reflects the company's commitment to helping developers build applications that are as secure as possible, including by making sure that insecure APIs stay out of their code.

“Whether you include the banned.h header file, utilize the banned API Extension in the Visual Studio 2010 IDE, or leverage the /W4-C4996 warnings in the Visual Studio 2005 compiler, you now have three seamless ways to check your code and meet another SDL requirement during development,” he stated.