What’s your take on Microsoft’s new SDL tools? Are these the same tools that Microsoft uses internally?
As part of Microsoft’s contribution to improving secure software development, it has recently made its Security Development Lifecycle (SDL) methodology public so everyone can learn from its experiences in securely developing robust applications. As part of this initiative it has also made some of its security development tools available for free to make it easier for development teams to implement an SDL process in their organizations. It has recently released new versions of Threat Modeling, MiniFuzz and RegExFuzz. Let's briefly look at each.
The Threat Modeling tool is used in the SDL Design Phase to help engineers analyze the security of their projects, and to find and address design and security issues before coding begins. Threat modeling is a core element of the SDL as it helps define an application’s attack surface so steps can be taken to reduce the likelihood for exploitation.
MiniFuzz is a simple fuzzer tool providing basic file fuzzing capabilities that can be used by developers, testers and even those unfamiliar with file fuzzing tools. It helps detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to stress the code in an attempt to expose unexpected and potentially insecure application behaviors.
The RegEx Fuzzer specifically tests whether regular expressions are exponential as those with very long evaluation times can be exploited by attackers to cause a denial-of-service (DoS) condition. As with MiniFuzz, it is used during the verification phase.
These tools are designed to be used by people who are not necessarily security experts, and they are only some of the free Microsoft security tools available. You can download more tools specifically designed for each phase of the security development lifecycle. They represent Microsoft’s most current experience and are continuously updated. However, these tools shouldn’t be the only ones in your security testing toolbox. You may find other free or open source tools more suited to your environment or style of working, and different tools may catch problems that other tools miss. But these tools are designed to be easy to use and work together, and anyone developing for the Windows environment should certainly take advantage of them.
This was first published in December 2011