View descriptions below to determine the expertise needed to use the tools appropriately. Members of the SDL Pro Network offer security tools and associated services to help you perform SDL security activities.
Microsoft Threat Modeling Tool 2016
The Threat Modeling Tool enables non-security subject matter experts to create and analyze threat models by communicating about the security design of their systems, analyzing those designs for potential security issues using a proven methodology, and suggesting and managing mitigations for security issues.
BinSkim Binary Analyzer
Microsoft BinSkim is a verification tool that analyzes binaries to ensure that they have been built in compliance with the SDL requirements and recommendations. Microsoft BinSkim was designed to detect potential vulnerabilities that can be introduced into binary files. The tests implemented in BinSkim examine application binary files to identify coding and building practices that can potentially render the application vulnerable to attack or to being used as an attack vector.
FxCop
FxCop is a static analyzer. It analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements. FxCop is intended for class library developers. However, anyone creating applications that should comply with the .NET Framework best practices will benefit.
Attack Surface Analyzer
Attack Surface Analyzer is a tool that highlights changes in the system state, runtime parameters, and securable objects on the Windows operating system. It allows you to take snapshots of your system and compare them, enabling you to detect changes such as additional files, registry keys, services, ActiveX controls, listening ports, access control lists, and other parameters that affect a computer's attack surface. For more information, see Improving Security Using Attack Surface Analyzer.
Code Analysis for C/C++
Code Analysis for C/C++ is a static analyzer that is provided with the installation of Visual Studio Team System Development Edition or Visual Studio Team Suite and helps to detect and correct code defects. It plows through source code one function at a time, and looks for C/C++ coding patterns and incorrect code usage that may indicate a programming error.
Application Verifier
Application Verifier is a runtime verification tool for native code that assists in finding subtle programming errors that can be difficult to identify with normal application testing.
SiteLock ATL Template
The SiteLock Active Template Library (ATL) template enables ActiveX control developers to restrict the use of an ActiveX control to a predetermined list of domain names or security zones. This limits the ability of other Web pages to reuse the control. For example, you can use the SiteLock template to ensure that an ActiveX control developed for use within your Local Intranet cannot be used by pages in the Internet zone. This helps reduce the attack surface presented by your control: even if it contains a security vulnerability, that vulnerability cannot be exploited by pages on the Internet because your control will refuse to run outside of your Local Intranet.