Microsoft releases Attack Surface Analyzer to developers

Robert Westervelt, News Director

Microsoft has released a new tool that helps developers see how installing a newly developed application changes the attack surface of a Windows system, that is, the set of services, open ports, files, registry keys and permissions an attacker can reach.


The beta of the new SDL verification tool, called Attack Surface Analyzer, is now available to the general public. The tool takes a snapshot of the state of a Windows system before an application is installed and another afterwards, then compares the two to show what the installation changed.

The new tool was one of several announcements made at the Black Hat D.C. Conference in Arlington, Va., where Microsoft typically highlights its secure software development initiatives. The software giant has been releasing tools and documents outlining its internal processes to the industry at large as part of its Trustworthy Computing program to assist companies in building more secure software development processes.

Microsoft said the new tool is not only for developers. IT auditors can use Attack Surface Analyzer to evaluate the risk introduced by a newly installed application, and incident responders can use it to get a clearer picture of a system's security state during an investigation.
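To make the before/after comparison concrete, here is an added example (it is not Microsoft's Attack Surface Analyzer, whose output covers more categories) that snapshots the same kinds of attack-surface state the article mentions and diffs two snapshots. It assumes an elevated PowerShell prompt, a snapshot directory under $env:TEMP\asa-snapshots (the -OutDir parameter is an assumption), and an English-language schtasks (column names "TaskName", "Run As User", "Task To Run"). The "!!" flag marks entries that run as LocalSystem or listen on every interface, the deltas an auditor or responder would want to look at first.

```powershell
<#
  Added example, not Microsoft's Attack Surface Analyzer: a minimal before/after
  attack-surface snapshot and diff for Windows 7 / Server 2008 R2 era systems.
  Assumptions: elevated prompt; snapshots under $env:TEMP\asa-snapshots; English
  schtasks column names.

  Usage:
    .\Get-AttackSurfaceDelta.ps1 -Snapshot before     # baseline
    ... install the application under test ...
    .\Get-AttackSurfaceDelta.ps1 -Snapshot after
    .\Get-AttackSurfaceDelta.ps1 -Compare before,after
#>
param(
    [string]$Snapshot,
    [string[]]$Compare,
    [string]$OutDir = (Join-Path $env:TEMP 'asa-snapshots')   # assumed location
)

function Get-AttackSurfaceSnapshot {
    # Services: account, start mode and binary path. WMI works on Windows 7 / PowerShell 2.0.
    $services = Get-WmiObject Win32_Service | ForEach-Object {
        "service|$($_.Name)|$($_.StartName)|$($_.StartMode)|$($_.PathName)"
    }

    # Listening TCP endpoints with the owning image name. netstat is used because
    # Get-NetTCPConnection does not exist on Windows 7 / Server 2008 R2.
    $images = @{}
    Get-Process | ForEach-Object { $images[$_.Id] = $_.ProcessName }
    $listeners = netstat -ano | Where-Object { $_ -match '^\s*TCP\s.*LISTENING' } | ForEach-Object {
        $f = $_.Trim() -split '\s+'          # proto, local, foreign, state, pid
        "listen|$($f[1])|$($images[[int]$f[4]])"
    }

    # Scheduled tasks: schtasks repeats its CSV header for each task folder, keep only the first.
    $csv = schtasks /query /fo csv /v
    $tasks = @($csv[0]) + @($csv | Select-Object -Skip 1 | Where-Object { $_ -notmatch '^"HostName"' }) |
        ConvertFrom-Csv | ForEach-Object {
            "task|$($_.TaskName)|$($_.'Run As User')|$($_.'Task To Run')"
        }

    # Write access for broad principals on top-level Program Files directories: a low-privilege
    # user who can replace a binary that a service or task runs has a classic escalation path.
    $broad = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$'
    $acls = Get-ChildItem $env:ProgramFiles -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } | ForEach-Object {
            $dir = $_.FullName
            (Get-Acl $dir).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -match $broad -and
                $_.FileSystemRights -match 'Write|Modify|FullControl'
            } | ForEach-Object { "acl|$dir|$($_.IdentityReference)|$($_.FileSystemRights)" }
        }

    @($services) + @($listeners) + @($tasks) + @($acls) | Sort-Object -Unique
}

function Compare-AttackSurfaceSnapshot([string]$Before, [string]$After) {
    # Lines only in the 'after' snapshot are new attack surface; removed lines are listed too.
    # Entries running as LocalSystem or listening on all interfaces are flagged for review first.
    $risky = 'LocalSystem|^listen\|(0\.0\.0\.0|\[::\]):'
    Compare-Object -ReferenceObject @(Get-Content $Before) -DifferenceObject @(Get-Content $After) |
        ForEach-Object {
            $change = if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
            $flag   = if ($_.InputObject -match $risky) { '!! ' } else { '   ' }
            "$flag$change $($_.InputObject)"
        }
}

if ($Compare -and $Compare.Count -eq 2) {
    Compare-AttackSurfaceSnapshot (Join-Path $OutDir "$($Compare[0]).txt") (Join-Path $OutDir "$($Compare[1]).txt")
} elseif ($Snapshot) {
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    Get-AttackSurfaceSnapshot | Set-Content (Join-Path $OutDir "$Snapshot.txt")
    "Snapshot written to $(Join-Path $OutDir "$Snapshot.txt")"
}
```

The snapshot is a sorted list of one-line records so that Compare-Object does the whole diff; anything an installer adds (a new service running as LocalSystem, a listener on 0.0.0.0, a scheduled task, a directory that Users can write to) shows up as an ADDED line. Take the baseline on a clean machine immediately before running the installer, otherwise unrelated background changes pollute the delta.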

The tool is being made available to help Microsoft gather feedback and real world usage data from its customers, said David Ladd, principal security program manager of Microsoft's SDL team.

"Microsoft has required attack surface validation of applications prior to release for years - however assessing the attack surface of an application or software platform can be an intimidating process at first glance," Ladd wrote in a blog post about the Attack Surface Analyzer.

The new tool works in Windows 7, Windows Vista, Windows Server 2008 and Windows Server 2008 R2.

In addition, Microsoft announced the next version of its SDL Threat Modeling Tool. Ladd said version 3.1.6 allows for early and structured analysis and proactive mitigation of potential security and privacy issues in new and existing applications. The tool, currently in beta, supports Microsoft Visio 2010 for diagram design. The final version will ship in fall 2011. Last year, Microsoft added support for Agile development methodologies to its SDL lineup.

Microsoft also is updating its existing BinScope Binary Analyzer, a tool that checks compiled binaries for weaknesses commonly exploited by attackers, such as builds that did not opt into protections like stack cookies, DEP and ASLR. Version 1.2 of the tool integrates with Visual Studio 2008 and 2010 and works with Microsoft Team Foundation Server 2008 and Microsoft Team Foundation Server 2010 to output results into work items.
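Two of the checks a binary analyzer of this kind performs, the ASLR (/DYNAMICBASE) and DEP (/NXCOMPAT) opt-in flags, are plain bits in the PE optional header and can be read without any tooling. The script below is an added example and not BinScope's own code; the install directory it scans is an assumed path. It does not cover /GS stack cookies or SafeSEH, which are not visible in these two fields (BinScope reads the PDB and the load config directory for those).

```powershell
# Added example, not BinScope: report which build-time mitigations each binary under an
# install directory opted into, by reading the DllCharacteristics field of the PE header.
function Get-PeMitigationFlags {
    param([Parameter(Mandatory = $true)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "Not an MZ executable: $Path" }

    $pe = [BitConverter]::ToInt32($b, 0x3C)                 # e_lfanew -> offset of "PE\0\0"
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { throw "Missing PE signature: $Path" }

    $optional = $pe + 4 + 20                                # skip signature and COFF header
    $magic    = [BitConverter]::ToUInt16($b, $optional)     # 0x10B = PE32, 0x20B = PE32+
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    $dllChars = [BitConverter]::ToUInt16($b, $optional + 70)

    New-Object PSObject -Property @{
        Path           = $Path
        Is64Bit        = ($magic -eq 0x20B)
        DynamicBase    = (($dllChars -band 0x0040) -ne 0)   # /DYNAMICBASE: ASLR opt-in
        NxCompat       = (($dllChars -band 0x0100) -ne 0)   # /NXCOMPAT: DEP opt-in
        NoSeh          = (($dllChars -band 0x0400) -ne 0)   # image declares no SEH handlers
        ForceIntegrity = (($dllChars -band 0x0080) -ne 0)   # signature enforced at load
    }
}

# List every .exe/.dll under the install directory that is missing ASLR or DEP opt-in.
$installDir = 'C:\Program Files\Contoso App'               # assumed path, change for your app
Get-ChildItem -Path $installDir -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object { Get-PeMitigationFlags $_.FullName } |
    Where-Object { -not $_.DynamicBase -or -not $_.NxCompat } |
    Format-Table Path, Is64Bit, DynamicBase, NxCompat, NoSeh -AutoSize
```

A binary that is absent from the report has both flags set; one that appears was linked without /DYNAMICBASE or /NXCOMPAT and will load at a predictable address or with executable data pages, which is exactly the kind of weakness a memory-corruption exploit relies on.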

Microsoft to start SDL consulting services

In addition, the software giant said it will begin offering consulting services to help companies improve their security development lifecycle processes. The services will begin in February.

"This is an end to end consulting solution that leverages extensive company experience with secure development practices," Ladd said in a statement. "The goal is to help organizations improve software security, reduce customer risk, and reduce total cost of development."

As part of the consulting services, Microsoft will offer training and guidance documents on various aspects of the software development lifecycle. The price of the service will vary according to the extent of Microsoft's consulting engagement, Ladd said.