The Register® — Biting the hand that feeds IT

Feeds

Microsoft security tools give devs the warm fuzzies

Testing times

By Dan Goodin, 16th September 2009
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

Microsoft has released a general-purpose software tool for assessing the security of applications, part of a growing suite of free offerings designed to help third-party developers design safer programs.

Microsoft Minifuzz is a lightweight file fuzzer, a type of tool that detects software bugs by throwing random data at an application. Under Redmond's Secure Development Lifecycle (SDL), all code under development must be extensively fuzzed so buffer overflows and other common flaws can be identified before it goes into production. Plenty of larger developers have adopted the practice, but smaller shops aren't climbing on board yet.

"Not many people are actually taking advantage of fuzzing up to this point," said David Ladd, principal security program manager for Microsoft's SDL team. "What we wanted to do was release Minifuzz to try to lower the barriers of entry for people to start doing fuzzing as a test mechanism."

The tool is one of two security offerings Microsoft released on Wednesday. The BinScope Binary Analyzer inspects applications to ensure a variety of safe coding methods were followed during their development. Among the things it checks for is if the program was created using a current compiler and if it was compiled with the /GS flag, a setting that helps prevent buffer overflows from being exploited.

To prevent miscreants from using the program to spot vulnerabilities in other developers' software, BinScope works only when a user has access to the binary's private symbol, a collection of debugging information that isn't typically available to outsiders.

The new offerings, which are available here, add to several other security security tools Microsoft has released over the past year or so as it tries to foster the adoption of SDL practices in the wider software ecosystem.

Threat modeling

Last year, the company released the SDL Threat Modeling tool, which streamlines the development of secure applications by helping teams track and mitigate security and privacy flaws that are likely to affect specific types of applications.

More recently, Redmond released an open-source tool called the !exploitable Crash Analyzer that helps developers assess the severity of bugs that cause a program to seize up.

After being widely regarded by security professionals as a supplier of some of the most insecure software in the industry, Microsoft spent much of the past decade fashioning a rigorous process for preventing bugs in future releases and quickly responding to vulnerabilities in current products. Now, the company is trying to help third parties - particularly those who write applications that run on Windows - adopt many of the same practices.

One of the key lessons Microsoft has learned is that bugs caught early in a product's development are by far the least expensive to fix, both in terms of money and good will.

"Security is much more than any one company," Ladd said. "If everyone starts to work on security in the development phase, it makes for a more safe computing experience for everyone involved." ®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (9)
Latest Comments
jwernerny

Good Tools in search of a Good Platform

I will give Microsoft credit, when they set out to do something, they do it. When you start really digging into application security, some of the best references and tools do come from Microsoft. The only downsides are that they are very PC/Windows/Web centric, and they tend to require the very latest of other Microsoft programs to run. For example: The SDL Modeling Tool focuses on what Microsoft technologies you are deploying, and the latest version requires the latest version of Visio Professional.

For those of us more concerned with embedded devices, the books are still very helpful, but the tools have limited use. [Okay, to be fair, the SDL Modeling Tool does allow you to create your own libraries mapping technologies to attacks, but it is not quite the turnkey solution it is for the MS environment.]

Application security should not be something limited to just desktop and server machines. When an exploit in the embedded firmware of a smart power meter is used to shut down a power grid, it makes the whole problem of the virus on your PC a bit of a moot point.

- John

0
0
Geoff Mackenzie

Never mind

"To prevent miscreants from using the program to spot vulnerabilities in other developers' software"

Useless then. Cheers.

0
0
Shakje

Maybe I can get the first on-topic comment in...

sounds pretty useful, I know a few of our apps I'll be running through it.

0
0

More from The Register

Bjarne Again: Hallelujah for C++
Plus: Now officially OK to admit you never used STL algorithms
101
Interwebs taunt Sir Jony over Apple eye candy makeover
Hey Ive, Ive... add more unicorns, willya?
79
SCO vs. IBM battle resumes over ownership of Unix
Zombie lawsuit back and wants to suck the brains out of Linux
119
Red Hat to ditch MySQL for MariaDB in RHEL 7
So long, Oracle! Don't let the door hit you on the way out
65
Shy? Socially inadequate? Fiddling with your phone could help
App 'tells the brutal truth' about social inadequates' chatup lines
22
Java EE 7 melds HTML5 with enterprise apps
New release arrives with GlassFish, NetBeans support
12
breaking news
'Office Facebook' firm Tibbr wants you to PAY for mobe-meetings app
Great idea. Punters won't cough for it though
9
breaking news
The only Waze is Google: Ad giant tipped to gobble map app 'for $1.3bn'
Pac-Man-satnav-ish upstart in bidding war with Apple, Facebook
16
breaking news
PM Cameron calls for modern, programmable computers! (We think)
IT education musings to G8 chiefs to mystify IT industry
105
Apple at WWDC: Sleek new iOS, death of the big cats, pint-sized Mac Pro
CEO Cook: 'The biggest change to iOS since the introduction of the iPhone'
151