Microsoft offers tools for secure app development

By , InfoWorld |  Development, application security, c

Microsoft is introducing on Wednesday two testing tools to help Windows programmers build better security into their C and C++ applications, but an industry analyst was dismissive of how useful the tools would be for enterprise developers.

Offered at no cost, the tools enable implementation of Microsoft's SDL (Security Development Lifecycle) process, for injecting security and privacy provisions into the development lifecycle as opposed to testing during pre- and post-deployment of an application.

[ Last week, Microsoft revealed some features planned for its upcoming Silverlight 4 application technology. ]

One of the tools, BinScope Binary Analyzer, analyzes binary code to validate adherence to SDL requirements for compilers and linkers. It also verifies use of strong-named assemblies and up-to-date build tools. "Essentially, what it does is it checks for a variety of SDL requirements like GS flag, which is used to prevent buffer overflows," said David Ladd, principal security program manager for the security development lifecycle team at Microsoft.

Buffer overflows enable hackers to take control of an application, Ladd said. "To the extent that you can prevent those at compile time, that's a good thing from a security standpoint," he said. The tool requires symbol files, providing security against hackers potentially using the tool to analyze software on the Web for weaknesses.

The second tool, Microsoft MiniFuzz File Fuzzer implements the fuzz testing technique. Testers check application behavior by parsing files that have been deliberately corrupted. Security tests are applied to take code through different flow patterns and identify whether resulting crashes should be investigated as potential application security risks.

"If you find a file failure and it has security ramifications, you want to go out and fix that problem," Ladd said.

An analyst, however, doubted that enterprise developers would have much use for the tools. These developers are more likely to be using Java and .Net managed code technologies with Visual Basic.Net and C# rather than C or C++, said Michael Gualtieri, senior analyst at Forrester Research. Corporate developers also do not generally develop applications for open files, which is what the fuzz-testing tool is used for, he said.

"There isn't much of a story for enterprises for these tools themselves," Gualtieri said.

"These tools are more helpful for systems and software vendors than they are for most enterprise IT shops," he said. By releasing the tools, though, Microsoft continues to demonstrate its commitment to making the SDL process real for developers, said Gualtieri.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

DevelopmentWhite Papers & Webcasts

See more White Papers | Webcasts

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question
randomness