Feeds

Microsoft security tools give devs the warm fuzzies

Testing times

Security and trust: The backbone of doing business over the internet

Microsoft has released a general-purpose software tool for assessing the security of applications, part of a growing suite of free offerings designed to help third-party developers design safer programs.

Microsoft Minifuzz is a lightweight file fuzzer, a type of tool that detects software bugs by throwing random data at an application. Under Redmond's Secure Development Lifecycle (SDL), all code under development must be extensively fuzzed so buffer overflows and other common flaws can be identified before it goes into production. Plenty of larger developers have adopted the practice, but smaller shops aren't climbing on board yet.

"Not many people are actually taking advantage of fuzzing up to this point," said David Ladd, principal security program manager for Microsoft's SDL team. "What we wanted to do was release Minifuzz to try to lower the barriers of entry for people to start doing fuzzing as a test mechanism."

The tool is one of two security offerings Microsoft released on Wednesday. The BinScope Binary Analyzer inspects applications to ensure a variety of safe coding methods were followed during their development. Among the things it checks for is if the program was created using a current compiler and if it was compiled with the /GS flag, a setting that helps prevent buffer overflows from being exploited.

To prevent miscreants from using the program to spot vulnerabilities in other developers' software, BinScope works only when a user has access to the binary's private symbol, a collection of debugging information that isn't typically available to outsiders.

The new offerings, which are available here, add to several other security security tools Microsoft has released over the past year or so as it tries to foster the adoption of SDL practices in the wider software ecosystem.

Threat modeling

Last year, the company released the SDL Threat Modeling tool, which streamlines the development of secure applications by helping teams track and mitigate security and privacy flaws that are likely to affect specific types of applications.

More recently, Redmond released an open-source tool called the !exploitable Crash Analyzer that helps developers assess the severity of bugs that cause a program to seize up.

After being widely regarded by security professionals as a supplier of some of the most insecure software in the industry, Microsoft spent much of the past decade fashioning a rigorous process for preventing bugs in future releases and quickly responding to vulnerabilities in current products. Now, the company is trying to help third parties - particularly those who write applications that run on Windows - adopt many of the same practices.

One of the key lessons Microsoft has learned is that bugs caught early in a product's development are by far the least expensive to fix, both in terms of money and good will.

"Security is much more than any one company," Ladd said. "If everyone starts to work on security in the development phase, it makes for a more safe computing experience for everyone involved." ®

Security and trust: The backbone of doing business over the internet

More from The Register

next story
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
iOS 8 release: WebGL now runs everywhere. Hurrah for 3D graphics!
HTML 5's pretty neat ... when your browser supports it
Mathematica hits the Web
Wolfram embraces the cloud, promies private cloud cut of its number-cruncher
Google extends app refund window to two hours
You now have 120 minutes to finish that game instead of 15
Intel: Hey, enterprises, drop everything and DO HADOOP
Big Data analytics projected to run on more servers than any other app
Mozilla shutters Labs, tells nobody it's been dead for five months
Staffer's blog reveals all as projects languish on GitHub
SUSE Linux owner Attachmate gobbled by Micro Focus for $2.3bn
Merger will lead to mainframe and COBOL powerhouse
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.