[+] Wayc0de's Blog[+]

26/08/11

Microsoft Releases New Versions of Software Security Tools


Microsoft has released new versions of several of its software security tools, including its Threat Modeling Tool and a pair of fuzzers. All of the tools are part of the company's Security Development Lifecycle (SDL) program, which it has been sharing with external organizations for a few years now.

Microsoft's internal teams developed a number of tools that they use in writing and assessing software, and the company has been making some of them available publicly. One of the key tools in the SDL arsenal is the company's Threat Modeling Tool, which developers and engineers use at the beginning of a project to find potential threats before they start writing code. The new version of the tool stabilizes the support for Visio 2010 and Team Foundation Server 2010 that was introduced in the beta.

Microsoft also released new versions of two specialized fuzzers: RegExFuzz and MiniFuzz. Both are meant to be used in the Verification Phase of the SDL program. MiniFuzz is a basic file fuzzer, and RegExFuzz is designed specifically for finding regular expressions whose evaluation time grows exponentially with the input, which an attacker can exploit for denial of service.

"The RegExFuzz Tool provides regular expression fuzzing capabilities that can be applied during the SDL Verification phase to check that regular expression evaluation times are not exponential. Regular expressions with very long evaluation times can lead to DoS attacks. In this new version, we focused on bug fixes requested from field use of the tool," Microsoft said in its blog post on the new tool releases. 

Threat Modeling Tool v3.1.8
The Threat Modeling Tool is used in the SDL Design Phase to find security problems before coding begins.  Through beta testing we obtained valuable input on what changes could be made to improve the tool.  In this new version, we focused on stabilization of the Visio 2010 and Team Foundation Server (TFS) 2010 support that was provided as part of the beta release, and fixed bugs that were discovered.
Thank you to all of our beta testers who reported issues in the forum as well as through the select beta program.  Your input was critical to improving the tool and customer experience.

MiniFuzz Tool v1.5.5
The MiniFuzz Tool provides basic file fuzzing capabilities that can be applied by developers, testers and even those with limited experience with fuzz testing as part of the SDL Verification phase. In this new version of the tool, we have included support for Team Foundation Server (TFS) 2010, fixed stability bugs and made it easier to control target application shutdown.

RegExFuzz Tool v1.1.0
The RegExFuzz Tool provides regular expression fuzzing capabilities that can be applied during the SDL Verification phase to check that regular expression evaluation times are not exponential. Regular expressions with very long evaluation times can lead to DoS attacks. In this new version, we focused on bug fixes requested from field use of the tool.  A readme document has been added to the download which documents the fixes, remaining known issues, and planned future enhancements.
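The RegExFuzz description above comes down to one check: evaluation time must not grow exponentially with input length. The Python below is an added example written for this page; it is not RegExFuzz and not Microsoft's code. Python's `re` module is a backtracking matcher, like the .NET engine these tools target, so it shows the same blow-up. The pattern names, the constructed `(a+)+$` and `^a+$` pair, the `!` terminator and the time budget are this example's own choices.

```python
"""Probe a regular expression for catastrophic backtracking (ReDoS).

Added example, not RegExFuzz or any Microsoft code. Python's `re` is a
backtracking engine, so (a+)+$ on an input that cannot match costs time
that roughly doubles with every extra character, exactly the behaviour
the RegExFuzz check is looking for.
"""
import re
import time

# Constructed patterns. (a+)+$ and ^a+$ accept exactly the same strings,
# but the nested quantifier forces the engine to try every way of splitting
# the run of a's before it can report failure.
PATTERNS = {
    "evil": r"(a+)+$",
    "safe": r"^a+$",
}


def probe_input(n):
    """A run of n 'a's followed by a character the pattern cannot match."""
    return "a" * n + "!"


def time_match(pattern, text):
    """Seconds spent in a single match attempt."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


def check_evaluation_time(regex, min_len=8, max_len=40, budget=0.2):
    """Grow the input one character at a time and time each evaluation.

    Stops as soon as one evaluation exceeds `budget` seconds. If cost
    roughly doubles per added character, the evaluation that trips the
    budget took at most about twice the budget, so the probe itself stays
    bounded even though the pattern under test would hang in production.
    """
    pattern = re.compile(regex)
    samples = []
    for n in range(min_len, max_len + 1):
        seconds = time_match(pattern, probe_input(n))
        samples.append((n, seconds))
        if seconds > budget:
            return {"regex": regex, "flagged": True, "length": n,
                    "seconds": seconds, "samples": samples}
    return {"regex": regex, "flagged": False, "length": max_len,
            "seconds": samples[-1][1], "samples": samples}


def per_char_growth(samples, floor=0.005):
    """Estimate the factor by which evaluation time grows per extra character.

    Only samples above `floor` seconds are used so timer noise is ignored;
    returns None when fewer than two such samples exist, which is the case
    for a well-behaved pattern. A value near 2 means exponential growth.
    """
    points = [(n, t) for n, t in samples if t > floor]
    if len(points) < 2:
        return None
    (n0, t0), (n1, t1) = points[0], points[-1]
    return (t1 / t0) ** (1.0 / (n1 - n0))


def run_all():
    """Probe every pattern in PATTERNS and return the results keyed by name."""
    return {name: check_evaluation_time(regex) for name, regex in PATTERNS.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        growth = per_char_growth(result["samples"])
        status = "FLAGGED" if result["flagged"] else "ok"
        print(f"{name:5} {result['regex']:10} {status:8} "
              f"len={result['length']} last={result['seconds']:.3f}s "
              f"growth/char={growth if growth is None else round(growth, 2)}")
```

Run it and the evil pattern is flagged somewhere in the low twenties of input length while the safe one finishes all forty lengths in microseconds. The fix for a flagged pattern is to remove the nested or overlapping quantifier (here `^a+$` accepts exactly the same strings). A runtime backstop in the form of a match timeout (the `Regex` constructors that take a `matchTimeout`, .NET Framework 4.5 onward) came after this 2011 tooling, so at the time the verification-phase check was the only defence.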

As the threat landscape continues to evolve, we remain committed to freely sharing our secure engineering best practices and security tools with the broader community. We hope you find our tools useful and, as always, we welcome any comments or feedback you may have.  
