Microsoft introduces security development lifecycle tools for binary analysis and fuzzing

News by Dan Raywood

Microsoft has introduced new tools to evolve and share the company's security and privacy best practices and security development lifecycle expertise.

The new tools are intended to give third-party software developers and testers easy-to-use, automated solutions that identify vulnerabilities in their code before those vulnerabilities become risks.

Steve Lipner, senior director of security engineering strategy at Microsoft's Trustworthy Computing Group, claimed that the new releases are part of a programme of software for organisations.

Lipner said: “It is important for us to develop secure development for customers but we are aware that organisations do develop so we try to share the knowledge that we have learnt.”

The tools include the BinScope Binary Analyzer, which gives developers, testers and security researchers a comprehensive analysis of their compiled binaries. It helps them verify that all the necessary security flags, protections and checks are in place, so that the application is not vulnerable to some of the most common security threats.

Lipner said: “The BinScope checks developed and applied content so that everything is as safe as possible. One of the checks is to see if ‘dynamic space’ is a used option; if it is in place it is hard to predict where in the application there could be something malicious.”

The MiniFuzz File Fuzzer Tool gives developers an easy-to-use, customisable and robust solution for verifying the security of their code. This automated tool spots unexpected application behaviour and helps application developers and testers quickly identify problem behaviour and investigate potential security risks in their applications.

Lipner said: “Fuzzing is where you test the application to where it fails and see where it failed. We have produced a simple file fuzzing tool to see what file fuzzed security vulnerabilities in the applications have been created.

“You collect a sample of a corrupted file and you run this against the application and it reports the bugs to see if anything is exposable and we repeat this with 10,000 variants and then get a good file fuzz capability.”
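The sample-and-mutate loop Lipner describes, as an added Python example that is not Microsoft's MiniFuzz code: a constructed seed file is corrupted thousands of times and fed to a constructed parser (`demo_parser`, whose missing bounds check stands in for the bug under test), with clean rejections separated from genuine crashes and one reproducer kept per failure signature.

```python
import random

SEED_FILE = b"DEMO\x03abc\x02de"   # constructed well-formed sample file
EXPECTED = (ValueError,)           # graceful rejections the target is allowed to raise

def mutate(seed: bytes, rng: random.Random, max_ops: int = 4) -> bytes:
    """Return one corrupted variant of the sample by applying 1..max_ops random edits."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, max_ops)):
        op = rng.choice(("flip", "insert", "delete", "replace"))
        if op == "flip":
            i = rng.randrange(len(data))
            data[i] ^= 1 << rng.randrange(8)                # flip one bit
        elif op == "insert":
            i = rng.randint(0, len(data))
            data[i:i] = bytes([rng.randrange(256)])         # inject a random byte
        elif op == "delete" and len(data) > 1:
            del data[rng.randrange(len(data))]              # drop a byte (truncation)
        else:
            i = rng.randrange(len(data))
            data[i] = rng.choice((0x00, 0x7F, 0x80, 0xFF))  # boundary values
    return bytes(data)

def demo_parser(data: bytes) -> list:
    """Constructed target: 'DEMO' magic followed by [length][payload] records.
    The missing bounds check on `length` is the defect the fuzzer should surface."""
    if data[:4] != b"DEMO":
        raise ValueError("bad magic")                        # expected, clean rejection
    records, pos = [], 4
    while pos < len(data):
        length = data[pos]
        records.append(bytes(data[pos + 1 + i] for i in range(length)))  # no bounds check
        pos += 1 + length
    return records

def fuzz(seed: bytes, target, iterations: int, rng_seed: int = 0) -> dict:
    """Run target() on `iterations` variants; keep the first reproducer per failure signature."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except EXPECTED:
            continue                                         # input rejected cleanly
        except Exception as exc:                             # anything else is a bug to triage
            crashes.setdefault(f"{type(exc).__name__}: {exc}", case)
    return crashes
```

Calling `fuzz(SEED_FILE, demo_parser, 10_000)` mirrors the 10,000-variant run described above; each returned entry pairs a failure signature with the smallest-effort input that reproduces it, which is what a tester would hand to the developer.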

The tools are available for download through the download centre and the SDL website.

Lipner said: “These tools fit into the certification of SDL and are designed to be used by professionals to find bugs to help organisations meet the requirements of SDL. Every degree of security needs professional developers to use the tools as part of the process, if you are using code it is important that you write secure code if it is going anywhere near the internet.”
