Home Fuzzing Tools Added – On Purpose – to Microsoft SDL Toolkit

Fuzzing Tools Added – On Purpose – to Microsoft SDL Toolkit

For large software development teams, Microsoft Visual Studio has one feature whose functionality actually resembles that of Outlook in one regard: The addition of workflow templates gives team members manageable lists of tasks to be done. The Security Development Lifecycle (SDL) is a set of best practices originally developed by Microsoft for Microsoft, to compel its own engineers to start incorporating better security practices as far back as the architecture stage.

On Wednesday, the company initiated public support of its SDL template in the tool that most Windows developers use today (at least, those who aren’t using the VS2012 beta): Visual Studio 2010. Along with that support comes the latest revision to the company’s threat modeling tool, and some new “things to do” for the list: two fuzzing tools designed to take down insecure apps. These tools help developers spot potential vulnerabilities in their code.

Anybody who’s watched a demo from one of Microsoft’s security developers has probably seen MiniFuzz, an automated tool designed to do a little mischief with applications you’re building. Whenever your application uses a type of file, MiniFuzz attempts various contortions of that file to see if it can trigger a stack overflow, or some kind of vulnerability that can be exploited. It’s not new at all, and in fact, developers have been using it with Visual Studio 2010… but apparently not all that well, particularly with respect to Team Foundation Server 2010. MiniFuzz did support TFS 2007, and developers have jerry-rigged it to use TFS 2010.

Today, Microsoft confirmed to RWW that they no longer have to jerry-rig it; support for TFS 2010 is built in. RegEgFuzz was also updated; it’s a tool that “fuzzes” regular expressions that a program may parse, to see if it can trigger a vulnerability there.

The actual Security Development Lifecycle itself is a seven-stage process, the middle five of which (shown above in green) can be automated through best practices agendas. These agendas are represented by the new set of templates available for Team Foundation Server 2010.

In Microsoft’s annual progress report for the SDL produced last March, the company cited reports submitted to the National Vulnerability Database in 2010 as an indicator of the platform’s success. Surprisingly (though Microsoft didn’t exactly spotlight this), reported vulnerabilities in Microsoft-branded products rose slightly last year, after several declines.

The incline looks a little better when paired on the same chart with the ongoing decline in vulnerability reports for non-Windows apps (on the left), which has declined significantly. The chart on the right shows operating system-related vulnerabilities are more to blame this year than in years past, which is a slight step backwards for Windows 7.

The report also reads, “In January of 2011, Forrester published the results of a Microsoft-sponsored survey of top software development influencers across North America. Forrester found that, though application security was not a mature practice for many, those employing a coordinated, prescriptive approach experienced a stronger return on investment.”

About ReadWrite’s Editorial Process

The ReadWrite Editorial policy involves closely monitoring the tech industry for major developments, new product launches, AI breakthroughs, video game releases and other newsworthy events. Editors assign relevant stories to staff writers or freelance contributors with expertise in each particular topic area. Before publication, articles go through a rigorous round of editing for accuracy, clarity, and to ensure adherence to ReadWrite's style guidelines.

Get the biggest tech headlines of the day delivered to your inbox

    By signing up, you agree to our Terms and Privacy Policy. Unsubscribe anytime.

    Tech News

    Explore the latest in tech with our Tech News. We cut through the noise for concise, relevant updates, keeping you informed about the rapidly evolving tech landscape with curated content that separates signal from noise.

    In-Depth Tech Stories

    Explore tech impact in In-Depth Stories. Narrative data journalism offers comprehensive analyses, revealing stories behind data. Understand industry trends for a deeper perspective on tech's intricate relationships with society.

    Expert Reviews

    Empower decisions with Expert Reviews, merging industry expertise and insightful analysis. Delve into tech intricacies, get the best deals, and stay ahead with our trustworthy guide to navigating the ever-changing tech market.