RSS Alerts

Related Links

  • Microsoft
  • Elsevier Ltd is not responsible for the content of external websites.

Related Stories

  • On-demand service aims to cut cost of fixing software security flaws
    UK business typically spends 75% of software development budgets on eliminating security flaws, according to IT cost studies by security firm Comsec Consulting.
  • Microsoft updates its software development best practices to support secure cloud environments
    According to Steve Lipner, senior director of security engineering strategy with Microsoft Trustworthy Computing Group, software development and secure cloud environments are all about best practice.
  • Information security and the recession
    As the recession continues to chew into budgets, and cyber criminals see increased opportunity for looting, CIOs must ensure that information security defences remain strong and affordable, even if this means a little bargaining. Stephen Pritchard looks at how organisations can negotiate the rough seas ahead.
  • Search for security
    With more than 30 000 web pages being infected every day, search engine results could increasingly lead to malware infection. Kari Larsen asks what the search engines are doing to mitigate security threats, and how users can protect themselves.
  • What’s in store for 2010?
    The Noughties are behind us now, but memories of a decade of data breaches will continue to haunt the infosec professional. If only there was a way of knowing what the threat landscape would look like in the months to come. Well you’re in luck as Davey Winder has dusted off the crystal ball and spoken to a broad church of infosec professionals to get some informed predictions for 2010

News

Microsoft releases tools exposing software security vulnerabilities

17 September 2009

Microsoft is releasing new tools to expose security vulnerabilities in new and updated software.

The tools, BinScope and MiniFuzz are part of Microsoft’s Security Development Lifecycle (SDL) and can be used at the validation stage of software development. The aim is to remove potential security problems before software is shipped.

Steve Lipner, senior director of security engineering at Microsoft’s Trustworthy Computing Group, told Infosecurity: “BinScope is a developer tool – it’s aimed at helping developers or development organisations build secure software that can be used in secure IT environments. Using BinScope is mandatory for essentially all software that Microsoft ships.”

It checks that flags such as /GS, /SafeSEH, /NXCOMPAT, and /DYNAMICBASE are set, that strong-named assemblies are being used, up-to-date complier and linker versions are being used, and that good ATL headers are applied.

Lipner said following some security vulnerability reports over the summer, Microsoft not only published security updates to the software in question, but also looked at how to avoid such problems for the future, imposing new requirements through the SDL.

“We also released the guidance to external customers and we updated the BinScope tool so that if a developer tester runs BinScope on binaries before a product is released, it will verify that that binary was built with the new safe ATL headers”, Lipner told Infosecurity.

MiniFuzz, on the other hand, is a file fuzzer, which means you corrupt valid input data, run them against an application and report the bugs.

“It’s simple, lightweight and basic, but it’s also very effective for finding security vulnerabilities in programmes that process input files”, Lipner said.

Both BinScope and MiniFuzz can be run as stand-alone products or as part of Microsoft Visual Studio.

Lipner also said Microsoft is releasing a white paper, Manual Integration of the SDL Process Template, which tells developers using their own templates how to take the SDL template apart and then integrate it with their own process templates.

“We think that these releases will be very helpful to organisations in applying SDL to their environments and thus developing more secure code”, Lipner said.

Asked whether releasing this information could compromise application security, Lipner said that as long as the good guys have the tools before the bad guys, the baddies won’t have anything to find.

Furthermore, BinScope requires that the user has the development symbols for the application: “If you’re not the developer, you cannot use BinScope to find vulnerabilities in a piece of software because you have to have the development symbols that are an artefact of the fact that you built that software”, Lipner added.

 

This article is featured in:
Application Security

 

Comment on this article

You must be registered and logged in to leave a comment about this article.

Copyright © 2010
Elsevier Ltd. All rights reserved.
Terms & Conditions | Privacy | Website Design Working with water