Feeds

Microsoft security tools give devs the warm fuzzies

Testing times

Build a business case: developing custom apps

Microsoft has released a general-purpose software tool for assessing the security of applications, part of a growing suite of free offerings designed to help third-party developers design safer programs.

Microsoft Minifuzz is a lightweight file fuzzer, a type of tool that detects software bugs by throwing random data at an application. Under Redmond's Secure Development Lifecycle (SDL), all code under development must be extensively fuzzed so buffer overflows and other common flaws can be identified before it goes into production. Plenty of larger developers have adopted the practice, but smaller shops aren't climbing on board yet.

"Not many people are actually taking advantage of fuzzing up to this point," said David Ladd, principal security program manager for Microsoft's SDL team. "What we wanted to do was release Minifuzz to try to lower the barriers of entry for people to start doing fuzzing as a test mechanism."

The tool is one of two security offerings Microsoft released on Wednesday. The BinScope Binary Analyzer inspects applications to ensure a variety of safe coding methods were followed during their development. Among the things it checks for is if the program was created using a current compiler and if it was compiled with the /GS flag, a setting that helps prevent buffer overflows from being exploited.

To prevent miscreants from using the program to spot vulnerabilities in other developers' software, BinScope works only when a user has access to the binary's private symbol, a collection of debugging information that isn't typically available to outsiders.

The new offerings, which are available here, add to several other security security tools Microsoft has released over the past year or so as it tries to foster the adoption of SDL practices in the wider software ecosystem.

Threat modeling

Last year, the company released the SDL Threat Modeling tool, which streamlines the development of secure applications by helping teams track and mitigate security and privacy flaws that are likely to affect specific types of applications.

More recently, Redmond released an open-source tool called the !exploitable Crash Analyzer that helps developers assess the severity of bugs that cause a program to seize up.

After being widely regarded by security professionals as a supplier of some of the most insecure software in the industry, Microsoft spent much of the past decade fashioning a rigorous process for preventing bugs in future releases and quickly responding to vulnerabilities in current products. Now, the company is trying to help third parties - particularly those who write applications that run on Windows - adopt many of the same practices.

One of the key lessons Microsoft has learned is that bugs caught early in a product's development are by far the least expensive to fix, both in terms of money and good will.

"Security is much more than any one company," Ladd said. "If everyone starts to work on security in the development phase, it makes for a more safe computing experience for everyone involved." ®

Gartner critical capabilities for enterprise endpoint backup

More from The Register

next story
'Stop dissing Google or quit': OK, I quit, says Code Club co-founder
And now a message from our sponsors: 'STFU or else'
Why has the web gone to hell? Market chaos and HUMAN NATURE
Tim Berners-Lee isn't happy, but we should be
Microsoft boots 1,500 dodgy apps from the Windows Store
DEVELOPERS! DEVELOPERS! DEVELOPERS! Naughty, misleading developers!
Apple promises to lift Curse of the Drained iPhone 5 Battery
Have you tried turning it off and...? Never mind, here's a replacement
Mozilla's 'Tiles' ads debut in new Firefox nightlies
You can try turning them off and on again
Uber, Lyft and cutting corners: The true face of the Sharing Economy
Casual labour and tired ideas = not really web-tastic
Linux turns 23 and Linus Torvalds celebrates as only he can
No, not with swearing, but by controlling the release cycle
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.