Microsoft offers tools for secure app development

Microsoft is introducing on Wednesday two testing tools to help Windows programmers build better security into their C and C++ applications, but an industry analyst was dismissive of how useful the tools would be for enterprise developers.

Offered at no cost, the tools enable implementation of Microsoft’s SDL (Security Development Lifecycle) process, for injecting security and privacy provisions into the development lifecycle as opposed to testing during pre- and post-deployment of an application.

[ Last week, Microsoft revealed some features planned for its upcoming Silverlight 4 application technology. ]

One of the tools, BinScope Binary Analyzer, analyzes binary code to validate adherence to SDL requirements for compilers and linkers. It also verifies use of strong-named assemblies and up-to-date build tools. “Essentially, what it does is it checks for a variety of SDL requirements like GS flag, which is used to prevent buffer overflows,” said David Ladd, principal security program manager for the security development lifecycle team at Microsoft.

Buffer overflows enable hackers to take control of an application, Ladd said. “To the extent that you can prevent those at compile time, that’s a good thing from a security standpoint,” he said. The tool requires symbol files, providing security against hackers potentially using the tool to analyze software on the Web for weaknesses.

The second tool, Microsoft MiniFuzz File Fuzzer implements the fuzz testing technique. Testers check application behavior by parsing files that have been deliberately corrupted. Security tests are applied to take code through different flow patterns and identify whether resulting crashes should be investigated as potential application security risks.

“If you find a file failure and it has security ramifications, you want to go out and fix that problem,” Ladd said.

An analyst, however, doubted that enterprise developers would have much use for the tools. These developers are more likely to be using Java and .Net-managed code technologies with Visual Basic.Net and C# rather than C or C++, said Michael Gualtieri, senior analyst at Forrester Research. Corporate developers also do not generally develop applications for open files, which is what the fuzz-testing tool is used for, he said.

“There isn’t much of a story for enterprises for these tools themselves,” Gualtieri said.

“These tools are more helpful for systems and software vendors than they are for most enterprise IT shops,” he said. By releasing the tools, though, Microsoft continues to demonstrate its commitment to making the SDL process real for developers, said Gualtieri.

A Microsoft representative said many of the checks featured in BinScope Binary Analyzer are inherently built into .Net coding. Microsoft previously has released a threat management tool and process management template based on SDL.

Microsoft on Wednesday also is releasing a paper entitled “Manual Integration of the SDL Process Template,” to guide Microsoft Visual Studio Team System users through a manual process to incorporate elements of the SDL process template into Team System projects.

The tools and paper can be accessed through Microsoft’s Web site.