January 18, 2011, 5:35 PM — Microsoft is expanding its roster of SDL (security development lifecycle) tools and services with the beta release of an attack surface analyzer tool as well as the introduction of consulting services on secure development.
Microsoft's Attack Surface Analyzer is an SDL verification tool for developers and IT professionals to identify whether newly developed or installed applications inadvertently change the attack surface of a Microsoft OS. The free tool is downloadable from Microsoft's website and is the same tool used by internal Microsoft product development teams.
[ Also in the security and software development realms, the PHP language recently was beset by a bug discovered that could cause systems to face a denial of service attack. | Master your security with InfoWorld's interactive Security iGuide. ]
"Microsoft has required attack surface validation of applications prior to release for years -- however, assessing the attack surface of an application or software platform can be an intimidating process at first glance," said David Ladd, principal security manager at Microsoft, in a blog post. "To help ease the process, we are releasing a tool called Attack Surface Analyzer to assist both testers and IT pros in assessing the security of an application. The Attack Surface Analyzer is being released as a beta to allow us time to gather feedback and real-world usage data from our customers."
Microsoft also is updating its existing Threat Modeling and BinScope Binary Analyzer tools to enhance developer usability. These tools also are free and are accessible at Microsoft's security website. The threat modeling tool offers guidance on building and analyzing threat models, while the binary analyzer checks binaries to ensure they were built based on SDL requirements and recommendations.
