Microsoft Security Development Lifecycle Tools

SDL Tools Overview

Watch this short video on the Microsoft SDL Toolset overview. Doug Cavit, from the Microsoft SDL engineering team, explains why IT executives and managers should encourage their development teams to download the SDL Implementation guidance and SDL tools to see how they can implement a software security assurance process such as the Microsoft SDL.
Run Time: 2:41
Uploaded: 12/06/10
Presenter: Security

Training
  • Core Security Training
Requirements
  • Establish Security Requirements
  • Create Quality Gates/Bug Bars
  • Perform Security and Privacy Risk Assessments
Design
  • Establish Design Requirements
  • Perform Attack Surface Analysis/Reduction
  • Use Threat Modeling
Implementation
  • Use Approved Tools
  • Deprecate Unsafe Functions
  • Perform Static Analysis
Verification
  • Perform Dynamic Analysis
  • Perform Fuzz Testing
  • Conduct Attack Surface Review
Release
  • Create an Incident Response Plan
  • Conduct Final Security Review
  • Certify Release and Archive
Response
  • Execute Incident Response Plan

Requirements Tools

View descriptions to determine the expertise needed to appropriately use the tools in the Requirements phase. Members of the SDL Pro Network offer security tools and associated services to help you perform SDL security activities.

Microsoft Solutions Framework (MSF) for Capability Maturity Model Integration (CMMI) 2013 plus Security Development Lifecycle (SDL)

The SDL Process Template for Visual Studio 2013 and Visual Studio Team Foundation Server is a downloadable template that automatically integrates the policy, process, and tools associated with the Microsoft SDL Process Guidance version 5.2 directly into your software development environment. It eases adoption of the SDL, enables auditable security requirements and status, and demonstrates security return on investment in a framework that is familiar to developers, testers, and program managers.

Microsoft Solutions Framework (MSF) for Agile 2013 plus Security Development Lifecycle (SDL)

The MSF-Agile+SDL Process Template is a downloadable template that integrates the policy, process, and tools of the SDL for Agile Development guidance into the familiar Microsoft Solution Framework (MSF) for Agile Software Development (MSF-Agile) Process Template that ships with Visual Studio Team Foundation Server. The MSF-Agile+SDL Process Template is similar to the SDL Process Template, but is more suitable for projects following an Agile development methodology.

Design Tools

View descriptions to determine the expertise needed to appropriately use the tools in the Design phase. Members of the SDL Pro Network offer security tools and associated services to help you perform SDL security activities.

Microsoft Threat Modeling Tool 2014

The Threat Modeling Tool enables non-security subject matter experts to create and analyze threat models by communicating about the security design of their systems, analyzing those designs for potential security issues using a proven methodology, and suggesting and managing mitigations for security issues.

Implementation Tools

View descriptions to determine the expertise needed to appropriately use the tools in the Implementation phase. Members of the SDL Pro Network offer security tools and associated services to help you perform SDL security activities.

banned.h

The banned.h header file is a sanitizing resource that supports the SDL requirement to remove banned functions from code. It lists all banned APIs and allows any developer to locate them in code.

Code Analysis for C/C++

Code Analysis for C/C++ is a static analyzer that is provided with the installation of Visual Studio Team System Development Edition or Visual Studio Team Suite and helps detect and correct code defects. It plows through source code one function at a time, and looks for C/C++ coding patterns and incorrect code usage that may indicate a programming error.

SiteLock ATL Template

The SiteLock Active Template Library (ATL) template enables ActiveX control developers to restrict the use of an ActiveX control to a predetermined list of domain names or security zones. This limits the ability of other Web pages to reuse the control. For example, you can use the SiteLock template to ensure that an ActiveX control developed for use within your Local Intranet cannot be used by pages in the Internet zone. This helps reduce the attack surface presented by your control -- even if it contains a security vulnerability, that vulnerability cannot be exploited by pages on the Internet because your control will refuse to run outside of your Local Intranet.

Anti-Cross Site Scripting (Anti-XSS) Library

The Anti-XSS Library is specifically designed to help mitigate the potential of Cross-Site Scripting (XSS) attacks in web-based applications. This version also includes the Security Runtime Engine (SRE) that runs as an HTTP module to provide a level of protection against XSS without the need to recompile the application.

FxCop

FxCop is a static analyzer. It analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements. FxCop is intended for class library developers. However, anyone creating applications that should comply with the .NET Framework best practices will benefit.

Microsoft Code Analysis Tool .NET (CAT.NET)

CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection, and XPath Injection. The tool can function as a plug-in for Visual Studio 2005/2008, FxCop custom rule, MSBuild custom task or through the command line prompt and analyzes compiled .NET binaries.

Verification Tools

View descriptions to determine the expertise needed to appropriately use the tools during the Verification phase. Members of the SDL Pro Network offer security tools and associated services to help you perform SDL security activities.

BinScope Binary Analyzer

Microsoft BinScope is a verification tool that analyzes binaries to ensure that they have been built in compliance with the SDL requirements and recommendations. Microsoft BinScope was designed to detect potential vulnerabilities that can be introduced into binary files. The tests implemented in BinScope examine application binary files to identify coding and building practices that can potentially render the application vulnerable to attack or to being used as an attack vector.

SDL Regex Fuzzer

SDL Regex Fuzzer is a verification tool to help test regular expressions for potential denial of service vulnerabilities. Regular expression patterns containing certain clauses that execute in exponential time (for example, grouping clauses containing repetition that are themselves repeated) can be exploited by attackers to cause a denial-of-service (DoS) condition. SDL Regex Fuzzer integrates with the SDL Process Template and the MSF-Agile+SDL Process Template to help users track and eliminate any detected regex vulnerabilities in their projects.

SDL MiniFuzz File Fuzzer

MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds them to the application to exercise the code in an attempt to expose unexpected and potentially insecure application behaviors.

Attack Surface Analyzer

Attack Surface Analyzer is a tool that highlights the changes in system state, runtime parameters and securable objects on the Windows operating system. It allows you to take snapshots of your system and compare them, enabling you to detect changes such as additional files, registry keys, services, ActiveX controls, listening ports, access control lists, and other parameters that affect a computer’s attack surface. For more information see Improving Security Using Attack Surface Analyzer.

Application Verifier

Application Verifier is a runtime verification tool for native code that assists in finding subtle programming errors that can be difficult to identify with normal application testing.

Release Tools

View descriptions to determine the expertise needed to appropriately use the tools in the Release phase. Members of the SDL Pro Network offer security tools and associated services to help you perform SDL security activities.

SDL Process Template

The SDL Process Template for Visual Studio Team System (VSTS) 2008 is a downloadable template that automatically integrates the policy, process, and tools associated with Microsoft SDL Process Guidance version 4.1 directly into your VSTS software development environment. It eases adoption of the SDL, enables auditable security requirements and status, and demonstrates security return on investment in a framework that is familiar to developers, testers, and program managers.

MSF-Agile + SDL Process Template for Visual Studio Team System

The MSF-Agile+SDL Process Template is a downloadable template that integrates the policy, process, and tools of the SDL for Agile Development guidance into the familiar Microsoft Solution Framework (MSF) for Agile Software Development (MSF-Agile) Process Template that ships with Visual Studio Team System (VSTS). The MSF-Agile+SDL Process Template is similar to the SDL Process Template, but is more suitable for projects following an Agile development methodology. The MSF-Agile+SDL Process Template can be used either with VSTS (or Team Foundation Server) 2008 or 2010.