What’s your take on Microsoft’s new SDL tools? Are these the same tools that Microsoft uses internally?
As part of Microsoft’s contribution to improving secure software development, it has recently made its Security Development Lifecycle (SDL) methodology public so everyone can learn from its experiences in securely developing robust applications. As part of this initiative it has also made some of its security development tools available for free to make it easier for development teams to implement an SDL process in their organizations. It has recently released new versions of Threat Modeling, MiniFuzz and RegExFuzz. Let's briefly look at each.
The Threat Modeling tool is used in the SDL Design Phase to help engineers analyze the security of their projects, and to find and address design and security issues before coding begins. Threat modeling is a core element of the SDL as it helps define an application’s attack surface so steps can be taken to reduce the likelihood for exploitation.
MiniFuzz is a simple fuzzer tool providing basic file fuzzing capabilities that can be used by developers, testers and even those unfamiliar with file fuzzing tools. It helps detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds them to the application to stress the code in an attempt to expose unexpected and potentially insecure application behaviors.
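The following is an added Python example, not MiniFuzz itself or any Microsoft code, showing the mutate-and-observe loop a file fuzzer runs. It assumes a small constructed file format (a "MINI" magic, a record count, then length-prefixed records), a parser that trusts those length fields, and a hardened version of the same parser; the fuzzer counts every exception the parser did not raise on purpose as a finding.

```python
import random
import struct

# Constructed toy file format for the demonstration (not a real format):
#   4-byte magic "MINI", 1-byte record count, then records of <1-byte length><payload>.
MAGIC = b"MINI"
SEED_FILE = MAGIC + b"\x02" + b"\x03abc" + b"\x02hi"   # a well-formed sample input


def parse_naive(data: bytes) -> list:
    """Parser that trusts the length fields, the kind of code file fuzzing is meant to shake out."""
    if data[:4] != MAGIC:
        raise ValueError("bad magic")
    (count,) = struct.unpack_from(">B", data, 4)
    pos, records = 5, []
    for _ in range(count):
        (length,) = struct.unpack_from(">B", data, pos)  # struct.error once the input is truncated
        pos += 1
        records.append(data[pos:pos + length])
        pos += length
    return records


def parse_hardened(data: bytes) -> list:
    """Same format, but every offset is checked and malformed input is rejected with ValueError."""
    if len(data) < 5 or data[:4] != MAGIC:
        raise ValueError("bad header")
    count, pos, records = data[4], 5, []
    for _ in range(count):
        if pos >= len(data):
            raise ValueError("record count exceeds data")
        length = data[pos]
        pos += 1
        if pos + length > len(data):
            raise ValueError("record length exceeds data")
        records.append(data[pos:pos + length])
        pos += length
    if pos != len(data):
        raise ValueError("trailing bytes")
    return records


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Produce one random variant of the seed: bit flip, boundary byte, truncation or insertion."""
    data = bytearray(seed)
    strategy = rng.randrange(4)
    if strategy == 0 and data:            # flip one bit
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif strategy == 1 and data:          # overwrite one byte with a boundary value
        i = rng.randrange(len(data))
        data[i] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
    elif strategy == 2:                   # truncate at a random point
        del data[rng.randrange(len(data) + 1):]
    else:                                 # insert 1-8 random bytes
        i = rng.randrange(len(data) + 1)
        data[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 9)))
    return bytes(data)


def fuzz(parser, seed: bytes = SEED_FILE, iterations: int = 500, rng_seed: int = 1) -> list:
    """Feed mutated inputs to parser; return (input, error) pairs for every unexpected exception.

    A ValueError is the parser's deliberate rejection of bad input and is not a finding."""
    rng = random.Random(rng_seed)  # fixed seed so any crash can be reproduced
    findings = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:
            findings.append((case, f"{type(exc).__name__}: {exc}"))
    return findings


if __name__ == "__main__":
    for name, parser in (("naive", parse_naive), ("hardened", parse_hardened)):
        crashes = fuzz(parser)
        print(f"{name}: {len(crashes)} unexpected failures")
        for case, err in crashes[:3]:
            print("  ", case.hex(), "->", err)
```

The naive parser fails on truncated inputs because it reads length fields past the end of the buffer; the hardened parser checks each offset before reading and rejects the same inputs cleanly. Against a native file parser the equivalent findings are crashes or memory errors rather than Python exceptions, which is why the fuzzer records the exact input that triggered each one.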
The RegEx Fuzzer specifically tests whether regular expressions are exponential, as those with very long evaluation times can be exploited by attackers to cause a denial-of-service (DoS) condition. As with MiniFuzz, it is used during the verification phase.
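To make the "exponential" test concrete, here is an added Python probe (not RegExFuzz or its algorithm; the Microsoft tool targets .NET regular expressions). It times a pattern against inputs of growing length and stops as soon as one evaluation blows a small time budget, so a catastrophic pattern is flagged on an input of only a few dozen characters instead of hanging the test. The patterns `(a+)+$` (nested quantifiers, the textbook case) and its linear rewrite `a+$` are constructed samples; Python's `re` engine backtracks like the classic .NET engine, so it shows the same symptom.

```python
import re
import time


def evaluation_times(pattern: str, unit: str, tail: str,
                     max_len: int = 32, budget_s: float = 0.25) -> list:
    """Time pattern.match() against unit*n + tail for n = 1..max_len.

    Returns [(n, seconds), ...]. Stops early once a single evaluation exceeds
    budget_s, which keeps a catastrophic pattern from hanging the probe itself."""
    compiled = re.compile(pattern)
    samples = []
    for n in range(1, max_len + 1):
        text = unit * n + tail
        start = time.perf_counter()
        compiled.match(text)   # tail is chosen so the match fails and forces full backtracking
        elapsed = time.perf_counter() - start
        samples.append((n, elapsed))
        if elapsed > budget_s:
            break
    return samples


def growth_ratio(samples: list) -> float:
    """Average factor by which time grew per extra repetition, over measurable samples only."""
    usable = [(n, t) for n, t in samples if t > 1e-3]  # ignore sub-millisecond noise
    if len(usable) < 2:
        return 1.0
    ratios = [t2 / t1 for (_, t1), (_, t2) in zip(usable, usable[1:])]
    return sum(ratios) / len(ratios)


def probe(pattern: str, unit: str, tail: str,
          max_len: int = 32, budget_s: float = 0.25) -> dict:
    """Classify a pattern: exponential if it blew the budget on at most max_len repetitions."""
    samples = evaluation_times(pattern, unit, tail, max_len, budget_s)
    last_n, last_t = samples[-1]
    return {
        "pattern": pattern,
        "exponential": last_t > budget_s,
        "max_n": last_n,               # how far the probe got before stopping
        "growth": growth_ratio(samples),
    }


if __name__ == "__main__":
    # Nested quantifiers over the same characters: the classic catastrophic pattern,
    # followed by a linear equivalent that accepts exactly the same strings.
    for pattern in (r"(a+)+$", r"a+$"):
        result = probe(pattern, "a", "!")
        verdict = "EXPONENTIAL" if result["exponential"] else "ok"
        print(f"{pattern:10} {verdict:12} n<={result['max_n']}  growth x{result['growth']:.2f}")
```

For the nested pattern the per-character growth factor comes out near 2, meaning each extra input character doubles the matching time, while the rewritten pattern never leaves the sub-millisecond range. The fix is the one the verdict points at: remove the nested repetition (or otherwise make the grammar unambiguous), and where the engine supports it, such as the match timeout added in later .NET versions, bound evaluation time so an unexpectedly slow pattern fails instead of tying up the server.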
These tools are designed to be used by people who are not necessarily security experts, and they are only some of the free Microsoft security tools available. You can download more tools specifically designed for each phase of the security development lifecycle. They represent Microsoft’s most current experience and are continuously updated. However, these tools shouldn’t be the only ones in your security testing toolbox. You may find other free or open source tools more suited to your environment or style of working, and different tools may catch problems that other tools miss. But these tools are designed to be easy to use and work together, and anyone developing for the Windows environment should certainly take advantage of them.