Tools

Code Security plugins for Visual Studio and more
Credential Scanner (CredScan)—tool developed and maintained by Microsoft to identify credential leaks such as those in source code and configuration files.
Microsoft Threat Modeling Tool—tool to create and analyze threat models by communicating about the security design of their systems, analyzing those designs for potential security issues using a proven methodology, and suggesting and managing mitigations for security issues.
BinSkim—verification tool that analyzes binaries to ensure that they have been built in compliance with the SDL requirements and recommendations.
Roslyn Analyzers—analyzers to analyze code at build time, like static code analysis if it's enabled, but also live as you type. Roslyn analyzers can also provide design-time analysis of code files that aren't open in the editor if you enable full solution analysis.
Code Analysis for C/C++—static analyzer that is provided with the installation of Visual Studio Team System Development Edition or Azure DevOps and helps to detect and correct code defects.
Microsoft DevSkim—framework of IDE extensions and language analyzers that provide inline security analysis in the dev environment as the developer writes code.
Secure DevOps Kit for Azure—collection of scripts, tools, extensions, and automations that supports the end-to-end Azure subscription and resource security needs for dev ops teams.
Microsoft Security Risk Detection—Microsoft's unique fuzz testing service for finding security-critical bugs in software. Security Risk Detection helps customers quickly adopt practices and technology battle-tested over the last 15 years at Microsoft.
TSLint + tslint-microsoft-contrib—additional Microsoft-authored security rules for the popular free TSLint TypeScript linter.

Third-party tools

List of tools for static code analysis (Wikipedia)

Legacy archive

Simplified Implementation of the Microsoft SDL—the core concepts and activities of the Microsoft SDL recommended for any development organization.
SDL Quick Security References (QSRs)—a basic reference series designed to address common vulnerabilities from the perspective of multiple business roles: business decision maker, architect, developer, and tester/QA.
Microsoft SDL Process Guidance Version 5.2—SDL requirements and recommendations used at Microsoft.
The SDL Progress Report—paper detailing progress reducing software vulnerabilities and developing threat mitigations at Microsoft (2004–2010).
Essential Software Security Training for the Microsoft SDL—paper outlining why software security training is a key tenet of the Microsoft Security Development Lifecycle (SDL).
Microsoft SDL Process Guidance—documentation providing an in-depth description of the Microsoft SDL methodology and requirements used at Microsoft.
SDL Banned Function Calls—compiled library of known potentially dangerous functions that should be removed to reduce vulnerabilities as part of your SDL practices.
FxCop—static analyzer that analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements.
Securing Applications with the .NET Framework—guidance on securing applications for the common language runtime and the .NET Framework.
Attack Surface Analyzer—tool that highlights the changes in the system state, runtime parameters, and securable objects on the Windows operating system.
SiteLock 1.15 Template for ActiveX Controls—template that enables ActiveX control developers to restrict the use of an ActiveX control to a predetermined list of domain names or security zones.
Microsoft Application Verifier—runtime verification tool (works with clients up to Windows 7) for native code that assists in finding subtle programming errors that can be difficult to identify with normal application testing.