Gaps In .Net?

SOFTWARE

There is an old saying that a net is nothing more than a bunch of holes held together by strings. Similar criticisms have been leveled against Microsoft's earlier forays into connected software platforms.

So, for the launch of Microsoft .Net, an infrastructure with cross-platform connectivity at its heart, the software giant made reinforcing confidence in the product's security one of its key selling points. Now, Microsoft wants .Net to be the weapon of choice for financial services firms and exchanges, and last year the London Stock Exchange became the latest institution to commit to the technology as it began work on an updated SETS electronic trading platform.

The Microsoft .Net project evolved from the old Component Object Model (COM) architecture that was the basis for a number of Microsoft's products over the last decade, and it retains a good deal of the functionality of its predecessor. Since .Net's beginnings, it has been used across the spectrum of the company's offerings, most significantly in ASP.Net, Web services and the omnipresent Windows operating systems. For developers, .Net offers platform and language independence, as well as the promise of improved deployment methods to end the so-called "DLL Hell" that dogged the implementation of earlier systems.

Microsoft would, of course, like .Net to be used everywhere there is a server hosting applications and data, but this ubiquity, while bolstering the company's bottom line, may have ramifications down the line. In January 2002, several anti-virus firms were anonymously sent copies of W32.Donut, a "proof-of-concept" virus that incorporated elements of the .Net infrastructure. It was seen as a sign that malware-makers were keeping pace with legitimate programmers. Three months later, Sharpei, a non-destructive worm, came to the attention of security professionals. Partially programmed in C#, Sharpei was never spread, and was believed by some members of the Internet security community to be a beta test for more advanced malware targeting platforms built on .Net. So far, this threat has failed to materialize. Graham Cluley, senior technology consultant for Sophos, an IT security firm, says, "We've only seen a handful of .Net-specific viruses, and none of them have spread successfully in the wild."

The common experience of computer viruses is one of constant threat and response: A virus is discovered and a patch is developed to immunize systems against the threat. This often gives the appearance that the security firms are always one step behind developers. Not so, says Cluley. "The majority of heavily publicized security vulnerabilities these days seem to be uncovered by reverse-engineering or code review," he says. "Security patches and updates tell only part of the story, because they tend to annotate only those problems that were discovered reactively. They don't publicize all the attacks that failed because they had been anticipated and programmed against proactively."

Cluley says that .Net critics fail to take into account the fact that reactive updates tend to fix other related vulnerabilities at the same time. "Thus, these efforts proactively prevent a whole class of hitherto unused attacks."

But the wide-ranging attacks on consumer machines are a different prospect to the kind of specifically targeted devices that have cropped up over the past few years. Consumers are notoriously slow to update their anti-virus software, while investment firms are more proactive. Viruses that have been unleashed on the public are highly unlikely to have any significant effect on the operation of a major financial institution. However, Cluley says, "Targeted malware is the flavor of the month."

Rohan Douglas is CEO of Quantifi, a credit analytics and risk analysis firm that focuses on the global derivatives market, and was one of the earliest proponents of the .Net infrastructure in financial services. He calls the perception that the framework has security failings "a misunderstanding." Douglas says that although the root of the mistrust lies in the hangover from previous Microsoft technologies, there is little reason to doubt .Net. Furthermore, Douglas says the critics are not necessarily decision-makers. Quantifi began using .Net over three years ago, at which point the majority of its clients were first-time users of the technology. Now almost all financial institutions are using .Net internally in some capacity.

Ready, SETS, Go?

Should shareholders in the LSE, then, sleep easy in the days and nights leading up to the rollout of the new SETS in 2007? No, says Paul Pickup, IT consultant at Trading Technology: "Microsoft .Net isn't at the level of maturity that enables you to handle a large number of transactions securely," he says.

Pickup says the platform does not commercially support the level of functionality required by high-volume exchanges, and is particularly lacking an inbuilt facility for server failover, key in disaster recovery and business continuity. Whereas other platforms support switching to other nodes on failure, Pickup says that .Net has no tried-and-proven ability to do so. "By committing themselves to .Net, the LSE will also be tied to Microsoft SQL Server databases, which have fewer commercially available facilities to support active/active clusters or replicate data in near-real time than more industrial-strength products like Oracle's."

Past attempts to implement .Net-based trading platforms have not been resounding successes. The Sydney Futures Exchange (SFE) was forced to delay a proposed rollout of the .Net-based Exigo system, following the emergence of technical problems with .Net.

SFE officials deny that the failure was specifically due to .Net, but comparisons between the SFE and the LSE are inevitable. While Pickup says that he might advise small, low-volume exchanges and brokerages to use the .Net framework to keep costs down, in the largest organizations the desire to replace high-cost legacy systems needs to be offset against the risk involved. "It's a huge technical challenge," he says. "It's not a stupid thing to do, but it's a very high-risk strategy."

In response, a Microsoft spokesperson says Barclays Capital implemented a fixed-income trading system using Windows servers and .Net, and further claims that Barclays has "similar transaction scalability requirements" to the LSE. SQL Server 2005, according to an unpublished Gartner report supplied by Microsoft, "will become a serious contender against both Oracle and IBM for large applications." The Microsoft spokesperson says .Net supersedes J2EE. "IDC reports that .Net is more prevalent across all geographies," says the spokesperson.

Pickup says he still has doubts. "The use of any new architecture such as J2EE in such a high-volume exchange is a very high-risk strategy," he says.

The eventual success of the overhauled SETS could be a key factor in the LSE's value to a potential buyer. However, a source close to the LSE, who requests anonymity, says a buyer might balk at the scope and cost of the project. "I predict that a takeover by Nasdaq, Euronext or the NYSE will shelve this project, which seems to be adding little value except to be a showcase for Microsoft's .Net," the source says.

LSE officials decline to comment.
