An intro to free Microsoft security tools for secure software development

What’s your take on Microsoft’s new SDL tools? Are these the same tools that Microsoft uses internally?

As part of its contribution to improving secure software development, Microsoft has recently made its Security Development Lifecycle (SDL) methodology public so that everyone can learn from its experience in developing robust applications securely. As part of this initiative it has also made some of its security development tools available for free, to make it easier for development teams to implement an SDL process in their own organizations. It has recently released new versions of Threat Modeling, MiniFuzz and RegExFuzz. Let's briefly look at each.

The Threat Modeling tool is used in the SDL Design Phase to help engineers analyze the security of their projects, and to find and address design and security issues before coding begins. Threat modeling is a core element of the SDL because it helps define an application's attack surface, so that steps can be taken to reduce the likelihood of exploitation.

MiniFuzz is a simple fuzzer providing basic file fuzzing capabilities that can be used by developers, testers and even those unfamiliar with file fuzzing tools. It helps detect code flaws that may expose security vulnerabilities in file-handling code. The tool creates multiple random variations of a file's content and feeds them to the application to stress the code, in an attempt to expose unexpected and potentially insecure application behavior.
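The mutate-and-feed loop described above, as an added illustration that is not part of the original column or of MiniFuzz itself: a constructed toy record-file parser with a deliberately trusting header check, a mutator that produces random variations of a seed file, and a driver that reports every variant the parser does not reject cleanly. The format, the parser and the seed file are all hypothetical.

```python
import random

# Constructed toy target standing in for the "file-handling code" a file fuzzer exercises (hypothetical).
# Format: b"RF" | count (1 byte) | count x [len (1 byte) | len payload bytes].
# Deliberate weakness for the demo: count and len are trusted, so a mutated header reads past the end.
def parse_records(data: bytes) -> list:
    if data[:2] != b"RF":
        raise ValueError("bad magic")  # the parser's intended rejection path
    count = data[2]
    pos = 3
    records = []
    for _ in range(count):
        length = data[pos]  # IndexError once the header lies about count or len
        pos += 1
        records.append(data[pos:pos + length])
        pos += length
    return records

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random variation of the seed file: bit flip, byte set, truncate or insert."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "set", "truncate", "insert"))
        if op == "flip" and buf:
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == "set" and buf:
            buf[rng.randrange(len(buf))] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
        elif op == "truncate" and len(buf) > 1:
            del buf[rng.randrange(1, len(buf)):]
        elif op == "insert":
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)

def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 0) -> list:
    """Feed mutated variants to target; collect (input, exception name) for every unexpected exception."""
    rng = random.Random(rng_seed)  # fixed seed keeps a run reproducible for triage
    findings = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:  # the parser's own rejection path is not a finding
            continue
        except Exception as exc:  # anything else is a crash worth triaging
            findings.append((case, type(exc).__name__))
    return findings

# Constructed seed file: two valid records, b"abc" and b"xy".
SEED = b"RF" + bytes([2, 3]) + b"abc" + bytes([2]) + b"xy"
```

Running `fuzz(parse_records, SEED, 500)` returns the crashing inputs, each of which is a concrete test case for the bounds check the parser is missing.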

The RegEx Fuzzer specifically tests whether a regular expression's evaluation time grows exponentially with its input, as expressions with very long evaluation times can be exploited by attackers to cause a denial-of-service (DoS) condition. As with MiniFuzz, it is used during the verification phase.

These tools are designed to be used by people who are not necessarily security experts, and they are only some of the free Microsoft security tools available. You can download more tools specifically designed for each phase of the security development lifecycle. They represent Microsoft’s most current experience and are continuously updated. However, these tools shouldn’t be the only ones in your security testing toolbox. You may find other free or open source tools more suited to your environment or style of working, and different tools may catch problems that other tools miss. But these tools are designed to be easy to use and work together, and anyone developing for the Windows environment should certainly take advantage of them.

This was first published in December 2011