Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
Jeremy Dallman here to announce the release of two new security tools that will help you test and verify the security of your software – and meet some of the most critical requirements of the SDL. In addition, we are responding to customer requests and providing a basic 7-step guide for manually integrating key elements of the SDL Process Template into your existing Visual Studio Team System project.
As secure coding becomes an increasingly important piece of software development across the industry, we realize that security tools become a critical piece of your “security tool belt” and help ease adoption of security development best practices in your organization. In today’s economy, the tools that will get deployed are the inexpensive (or free) tools that effectively identify security issues, work seamlessly with your existing development environment and help teams implement the basics of the SDL.
Today we are making available BinScope Binary Analyzer and MiniFuzz File Fuzzer as no cost downloads.
We put together a couple of demo videos also. You can find them here: BinScope video & MiniFuzz video.
Let me briefly introduce you to each of these tools and explain why we think they are ideal tools to download and immediately include in your development lifecycle to verify the security of your code.
The BinScope Binary Analyzer is an SDL-required security tool that has been used by Microsoft teams since the early days of the SDL. It analyzes your binaries for a wide variety of security protections with a very straightforward and easy-to-use interface. At Microsoft, developers and testers are required to use this tool in the Verification Phase of the SDL to ensure that they have built their code using the compiler/linker protections required by the Microsoft SDL.
The analyzer performs a diverse set of security checks. These checks include:
The BinScope Binary Analyzer can be downloaded as a standalone tool or as a tool that can be integrated into Visual Studio 2008. By offering these two options, this tool can easily and quickly help you build your code to meet the SDL compiler/linker protections.
(Figure above: stand-alone BinScope)
(Figure above: BinScope integrated in Visual Studio)
With an integrated installation of the BinScope Binary Analyzer for Visual Studio, validation is readily available in the development environment. In addition, BinScope integrates with Microsoft Team Foundation Server (TFS) to output results into work items. Finally, if your project is using the Microsoft SDL Process Template for VSTS, BinScope will seamlessly integrate with the template’s security work items and SDL Final Security Review reporting.
(Figure above: Easy output to TFS to create bugs and speed triage)
(Figure above: Seamless integration with the SDL Process Template reporting)
The MiniFuzz File Fuzzer is a very simple fuzzer designed to ease adoption of fuzz testing by non-security people who are unfamiliar with file fuzzing tools or have never used them in their software development processes. A less capable and non-graphical version of this tool was originally published on the CD that came with the book The Security Development Lifecycle by Steve Lipner and Michael Howard. Since that tool was effective at finding quality bugs, we wanted to offer it more widely along with our other SDL tools, improve the user experience, and provide integration with Visual Studio and Team foundation Server.
Because fuzzing is effective at finding bugs, it is a required activity in the Verification Phase of the Microsoft Security Development Lifecycle (SDL). With the release of the MiniFuzz File Fuzzer, we have made a simple file fuzzer available to assist developer efforts to find and address more security bugs in code before it ships to customers. Simply provide the tool with a set of correctly formed files to serve as templates, and it will generate corrupted versions for testing. The effectiveness of fuzz testing can be increased by providing more variation in the template files.
When you install the MiniFuzz File Fuzzer, it is provided as a stand-alone fuzzing tool that can be launched from your Start Menu. However, if you are using Visual Studio 2008, you can easily include the tool in Visual Studio as an Add-in Tool and launch it from there. In addition, the tool can also output to Team Foundation Server and integrate with the Microsoft SDL Process Template for Visual Studio Team System similar to the BinScope Binary Analyzer.
The whitepaper can be downloaded here
After a successful release of the SDL Process Template for VSTS, we heard from some customers that they would like to include the key elements of the SDL into their existing team project. So, we figured out how to do that in 7 easy steps and wrote a whitepaper! This paper outlines the steps for manually extracting the key elements of the SDL Process Template and integrating them into an existing Visual Studio 2008 team project. By completing each of these manual steps, you can include the key elements of the SDL into your project without waiting until you start or build your next team project.
That’s a lot of news for one day, but I hope you are as excited as we are to be releasing these tools and making it possible for more development teams to write secure code and adopt the SDL. We welcome your comments and questions as you download and begin using these tools!
[edited: 9/16/09 11AM - added links to videos]
Hi, can someone explain why binScope reports "ATLVersionCheck (Fail)" message? It is a very simple MFC based application. The message only happens with release executable. I am using MSDEVStuido2008 with SP1. Here are the ATLVersinCheck details with release version fail and debug version pass. Both are using same ATL header files. Should I ignore the release version check failure message?
M:\proj\src\test\mfctest\Release\mfctest.exe - ATLVersionCheck ( FAIL )
c:\program files\microsoft visual studio 9.0\vc\atlmfc\include\atlcomcli.h - IGNORING (No hash, part of pre-compiled headers in stdafx.obj)
c:\program files\microsoft visual studio 9.0\vc\atlmfc\include\atlcomcli.h - KNOWN GOOD (Hash 43-EA-75-74-62-13-38-DD-22-C9-DD-F6-23-76-43-7B)
f:\dd\vctools\vc7libs\ship\atlmfc\include\atlcomcli.h - KNOWN GOOD (Hash 43-EA-75-74-62-13-38-DD-22-C9-DD-F6-23-76-43-7B)
f:\dd\vctools\vc7libs\ship\atlmfc\include\atlcom.h - KNOWN GOOD (Hash CF-5C-48-69-8E-40-F1-E0-76-8D-9E-C5-BD-83-14-3A)
f:\dd\vctools\vc7libs\ship\atlmfc\include\atlcomcli.h - UNKNOWN (Hash not available)
f:\dd\vctools\vc7libs\ship\atlmfc\include\atlcom.h - UNKNOWN (Hash not available)
f:\dd\vctools\vc7libs\ship\atlmfc\include\atlcomcli.h - IGNORING (No hash, part of pre-compiled headers in stdafx.obj)
f:\dd\vctools\vc7libs\ship\atlmfc\include\atlcom.h - IGNORING (No hash, part of pre-compiled headers in stdafx.obj)
M:\proj\src\test\mfctest\Debug\mfctest.exe - ATLVersionCheck ( PASS )