Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
Those of you that have been reading my blog a while know that part of my interest in security metrics is in trying to find ways to measure if Microsoft efforts to improve fundamental in security products is bearing fruit. Central to the Microsoft efforts is the Security Development Lifecycle process.
One of the cool efforts that has been happening over the past couple of years is that the SDL team (read their blog!) has been taking tools and technology that was developed internally to support the Microsoft SDL process and releasing it, cost free, to the community so that the tools could be leveraged by all types of developers. (I say “all types” and that’s true, though in some cases the tools either do more or were designed to work primarily with Visual Studio projects. Tools like MiniFuzz, though, can be used to fuzz applications regardless of the development tools used.)
Today the SDL team are making available BinScope Binary Analyzer and MiniFuzz File Fuzzer as no cost downloads.
We put together a couple of demo videos also. You can find them on edge.technet.com on this links (BinScope video, MiniFuzz video) or you can watched the embedded videos directly in this post below.
The BinScope Binary Analyzer is an SDL-required security tool that has been used by Microsoft teams since the early days of the SDL. It analyzes your binaries for a wide variety of security protections with a very straightforward and easy-to-use interface. At Microsoft, developers and testers are required to use this tool in the Verification Phase of the SDL to ensure that they have built their code using the compiler/linker protections required by the Microsoft SDL.
The analyzer performs a diverse set of security checks. These checks include:
Watch this video to get an overview and see a demonstration of BinScope in action:
The MiniFuzz File Fuzzer is a very simple fuzzer designed to ease adoption of fuzz testing by non-security people who are unfamiliar with file fuzzing tools or have never used them in their software development processes. A less capable and non-graphical version of this tool was originally published on the CD that came with the book The Security Development Lifecycle by Steve Lipner and Michael Howard. Since that tool was effective at finding quality bugs, we wanted to offer it more widely along with our other SDL tools, improve the user experience, and provide integration with Visual Studio and Team foundation Server.
Because we have found fuzzing to be effective at finding bugs, it is a required activity in the Verification Phase of the Microsoft Security Development Lifecycle (SDL). With the release of the MiniFuzz File Fuzzer, we have made a simple file fuzzer available to assist developer efforts to find and address more security bugs in code before it ships to customers. Simply provide the tool with a set of correctly formed files to serve as templates, and it will generate corrupted versions for testing. The effectiveness of fuzz testing can be increased by providing more variation in the template files.
These tools are not the first ones that the SDL team has made available. Check out the SDL Tools Repository to download BinScope Binary Analyzer and MiniFuzz File Fuzzer, as well as other tools like FxCop, the SDL Process Template for Visual Studio Team System, the SDL Threat Modeling tool, CAT.NET and the Anti-XSS library.
Best regards ~ Jeff