Microsoft offers tools for secure app development

Microsoft is introducing on Wednesday two testing tools to help Windows programmers build better security into their C and C++ applications, but an industry analyst was dismissive of how useful the tools would be for enterprise developers. It also verifies use of strong-named assemblies and up-to-date build tools. "Essentially, what it does is it checks for a variety of SDL requirements like GS flag, which is used to prevent buffer overflows," said David Ladd, principal security program manager for the security development lifecycle team at Microsoft. Offered at no cost, the tools enable implementation of Microsoft's SDL (Security Development Lifecycle) process, for injecting security and privacy provisions into the development lifecycle as opposed to testing during pre- and post-deployment of an application. [ Last week, Microsoft revealed some features planned for its upcoming Silverlight 4 application technology. ] One of the tools, BinScope Binary Analyzer, analyzes binary code to validate adherence to SDL requirements for compilers and linkers. Buffer overflows enable hackers to take control of an application, Ladd said. "To the extent that you can prevent those at compile time, that's a good thing from a security standpoint," he said.

The second tool, Microsoft MiniFuzz File Fuzzer implements the fuzz testing technique. The tool requires symbol files, providing security against hackers potentially using the tool to analyze software on the Web for weaknesses. Testers check application behavior by parsing files that have been deliberately corrupted. An analyst, however, doubted that enterprise developers would have much use for the tools. Security tests are applied to take code through different flow patterns and identify whether resulting crashes should be investigated as potential application security risks. "If you find a file failure and it has security ramifications, you want to go out and fix that problem," Ladd said.

These developers are more likely to be using Java and .Net managed code technologies with Visual Basic. Corporate developers also do not generally develop applications for open files, which is what the fuzz-testing tool is used for, he said. "There isn't much of a story for enterprises for these tools themselves," Gualtieri said. "These tools are more helpful for systems and software vendors than they are for most enterprise IT shops," he said. Net and C# rather than C or C++, said Michael Gualtieri, senior analyst at Forrester Research. By releasing the tools, though, Microsoft continues to demonstrate its commitment to making the SDL process real for developers, said Gualtieri. Microsoft previously has released a threat management tool and process management template based on SDL. Microsoft on Wednesday also is releasing a paper entitled "Manual Integration of the SDL Process Template," to guide Microsoft Visual Studio Team System users through a manual process to incorporate elements of the SDL process template into Team System projects. A Microsoft representative said many of the checks featured in BinScope Binary Analyzer are inherently built into .NET coding.

The tools and paper can be accessed through this Web page.

0 comments:

Post a Comment