Testing

Microsoft getting busy with Security this week...

AJ Warnock — Tue, 29 Sep 2009 18:58:50 GMT

Well, it looks like Microsoft has been busy on the security front this month. Not only did they release their security essentials this week but also some interesting testing tools, too.

Microsoft Essentials

Essentials is the Microsoft answer to real-time Home PC protection. It guards against viruses, spyware and other malicious software. It is now available for download from Microsoft.

MiniFuzz File Fuzzer

MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to exercise the code in an attempt to expose unexpected and potentially insecure application behaviors.

BinScope Binary Analyzer

BinScope is a Microsoft verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with Microsoft's Security Development Lifecycle (SDL) requirements and recommendations. BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, up-to-date build tools are in place, and the latest good ATL headers are being used.

I would recommend you check these out…

Imortant VS Patch

AJ Warnock — Thu, 30 Jul 2009 14:06:21 GMT

Emergency patches issued for IE and Visual Studio

Microsoft on Tuesday issued two out-of-band security patches -- one for the development tools suite Visual Studio and another for Internet Explorer.

Read the full article here:

Emergency patches issued for IE and Visual Studio

Got SDL?

AJ Warnock — Wed, 15 Jul 2009 15:39:44 GMT

If you have not heard there is an updated MS SDL Starter Kit available for download. This kit provides a compilation of baseline developer security training materials on core Microsoft Security Development Lifecycle (SDL) topics.

The core Microsoft Security Development Lifecycle (SDL) topics include:

Secure design principles
Secure implementation principles
Secure verification principles
SQL injection
Cross-site scripting
Code analysis
Banned application programming interfaces (APIs)
Buffer overflows
iSource code annotation language
Security code reviews
Compiler defenses
Fuzz testing
Microsoft SDL threat modeling principles
The Microsoft SDL threat modeling tool

Each set of guidance contains Microsoft Office PowerPoint slides, speaker notes, train-the-trainer audio files, and sample comprehension questions. All materials have limited formatting so that you can leverage the content to achieve broader, enhanced adoption of Microsoft SDL principles in your development organization.

Check it out here: MS Download Center - MS SDL - Starter Kit

New VSTS SDL Template

AJ Warnock — Wed, 01 Jul 2009 13:57:14 GMT

Using the SDL? if not, you should be considering it…

Having blurred the line between development and Test Engineering at our organization, I am finding out how little our development team(s) knows about secure development practices. Not a good thing. Recently, Microsoft released the SDL process template for VSTS and I think it’s going to help.

So, if you have not seen this it is a nice start at helping ensure secure development practices are used by your team. Hmmm, amazing what a little process, a little knowledge and a nice video can achieve?

So, check it out Here at the Microsoft Security Development Center.