Microsoft releases SDL development tools
by Steve Ragan - Sep 17 2009, 20:15

Coming on the heels of a report that IT has largely ignored the issue of web application vulnerabilities and client-side vulnerabilities in favor of patching operating system flaws, Microsoft has released a host of development tools aimed at their SDL (Security Development Lifecycle) initiative.
The tools, the BinScope Binary Analyzer and the MiniFuzz File Fuzzer, are in addition to the other SDL offerings, each aimed at strengthening the verification phase of software development. BinScope and MiniFuzz specifically are designed to help both developers and testers catch vulnerabilities in application code before the public gets their hands on it.
BinScope examines binaries, checking to see if they comply with SDL requirements and ensuring that the code isn’t vulnerable to some of the most common security coding errors. For example, it checks that SDL-required compiler and linker flags are set, that strong-named assemblies are in use, and that up-to-date build tools are in place. It also reports on dangerous constructs that are prohibited or discouraged by the SDL.
MiniFuzz will spot code imperfections that could later lead to vulnerable code, as well as test variables that are designed to expose unwanted behavior. “Because fuzzing is effective at finding bugs, it is a required activity in the Verification Phase of the Microsoft Security Development Lifecycle (SDL),” Microsoft said in a statement.
Another tool, aimed at web application development, has gotten an upgrade as well. The Microsoft anti-Cross Site Scripting Library (anti-XSS) version 3.1 was released along with BinScope and MiniFuzz.
The anti-XSS Library is designed to help ASP.NET developers avoid mistakes that lead to XSS attacks, one of the top attack vectors discovered in web applications. New to version 3.1 of anti-XSS is support for Shift_JIS, extended online help that adds performance data sheets, an expanded white list with more language support, a sample application, a Security Runtime Engine HTTP module, HTML sanitization methods, and various other performance improvements.
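To make the "white list" idea concrete, here is an added illustration (not code from the Anti-XSS library) of an allow-list HTML encoder next to a classic deny-list one: the allow-list version encodes every character that is not explicitly safe, and optional Unicode ranges (here Hiragana, as an assumed example of "language support") can be added to the safe set. The safe character set and range values are assumptions for this example.

```python
import html

# Constructed allow-list for this illustration: only these characters pass through
# unchanged. Anti-XSS's actual list is not reproduced here.
SAFE_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 .,-_"
)

# Assumed example of a language-specific safe range (Hiragana block).
HIRAGANA = (0x3040, 0x309F)


def allowlist_html_encode(text: str, safe_ranges=()) -> str:
    """Encode every character outside SAFE_CHARS (and outside any given
    Unicode safe range) as a decimal numeric entity."""
    out = []
    for ch in text:
        cp = ord(ch)
        in_range = any(lo <= cp <= hi for lo, hi in safe_ranges)
        if ch in SAFE_CHARS or in_range:
            out.append(ch)
        else:
            out.append(f"&#{cp};")
    return "".join(out)


def denylist_html_encode(text: str) -> str:
    """Classic deny-list escaping: only & < > \" ' are rewritten."""
    return html.escape(text, quote=True)


def compare(text: str) -> dict:
    """Return both encodings so the difference is visible side by side."""
    return {
        "denylist": denylist_html_encode(text),
        "allowlist": allowlist_html_encode(text),
    }


if __name__ == "__main__":
    # Constructed sample: an unquoted-attribute injection contains none of the
    # five deny-listed characters, so only the allow-list encoder neutralises it.
    for k, v in compare("x onmouseover=alert(1)").items():
        print(f"{k:>9}: {v}")
    print(allowlist_html_encode("こんにちは", safe_ranges=[HIRAGANA]))
```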
Each of the new SDL offerings, as well as other tools, can be downloaded from the SDL Tools Repository located here.