
7/21/2017
02:10 PM

Microsoft Rolls Out AI-based Security Risk Detection Tool

Microsoft Security Risk Detection leverages artificial intelligence to root out bugs in software before it's released.

Microsoft is rolling out Security Risk Detection (SRD), a cloud-based tool built to catch vulnerabilities in software before companies release or use that software. A preview version is available for Linux users.

SRD, announced last September, aims to eliminate the headache of handling bugs, crashes, and attack response by automating fuzz testing. Businesses traditionally hire security experts to conduct fuzz testing, if they do it at all. Many lack the expertise to test software properly, which is a growing problem as more programs are created and security becomes increasingly important.

Fuzzing seeks out vulnerabilities that could potentially enable threat actors to launch cyberattacks or crash systems. Based on results, developers can use other tools to fix the bugs.

How SRD works: Users log into a secure web portal and install the software's binaries into a virtual machine, along with a "test driver" program that runs the scenario to be tested, and sample input files, or "seed files," to use as a starting point for fuzzing.

From there, the tool will use several methods to continuously fuzz the software. SRD uses artificial intelligence to ask a series of "what if" questions to figure out what might cause a crash and prompt a security concern. As they go through the wizard, users are asked questions a developer should be able to answer without having extensive security expertise.

Each time it runs, SRD zeroes in on critical areas to look for flaws, and the findings are shared through the web portal. Users can download test cases to reproduce the problems and learn where and when they occurred, so they know how to prioritize and fix the issues, then re-test to confirm the flaws are gone.
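The workflow described above, reduced to its core loop of seed files, a test driver, crash test cases and a re-test, as an added example that is neither SRD's nor Microsoft's code: parse_record, its fixed variant, the seeds and the mutation strategy are constructed stand-ins, and the example does plain mutation fuzzing rather than the constraint solving SRD uses to direct its inputs.

```python
import random

# Constructed stand-in for an uploaded binary plus its "test driver": a record
# parser with a deliberate bug (an added example, not SRD's own code).
def parse_record(data: bytes) -> int:
    """Parse b'LEN:payload' and sum the first LEN payload bytes."""
    head, sep, payload = data.partition(b":")
    if not sep or not head.isdigit():
        return 0
    total = 0
    for i in range(int(head)):  # bug: LEN is trusted, never bounded by len(payload)
        total += payload[i]     # IndexError stands in for the crash a fuzzer reports
    return total
def parse_record_fixed(data: bytes) -> int:
    """Same parser after the fix: LEN is clamped to the bytes actually present."""
    head, sep, payload = data.partition(b":")
    if not sep or not head.isdigit():
        return 0
    return sum(payload[:min(int(head), len(payload))])
def mutate(case: bytes, rng: random.Random) -> bytes:
    """One random mutation of a seed: flip a bit, insert, delete or truncate."""
    buf, op = bytearray(case), rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 2 and buf:
        del buf[rng.randrange(len(buf))]
    elif buf:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)
def fuzz(driver, seeds, iterations=2000, rng_seed=1):
    """Mutate the seeds, run each case through the driver, keep one reproducer per crash type."""
    rng, crashes = random.Random(rng_seed), {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            driver(case)
        except Exception as exc:  # bucket by exception type, keep the first test case
            crashes.setdefault(type(exc).__name__, case)
    return crashes
def reproduces(driver, case: bytes) -> bool:
    """Re-run a saved test case against a driver; True means the crash is still there."""
    try:
        driver(case)
    except Exception:
        return True
    return False
SEEDS = [b"5:hello", b"3:abc"]  # constructed seed files
```

The saved test case in `crashes["IndexError"]` is the reproducer a developer would pull from the portal; running it through `parse_record_fixed` is the re-test step.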

The service was designed for organizations that build their own software, modify off-the-shelf software, or license open-source offerings. SRD doesn't require source code, says David Molnar, senior researcher and project leader at Microsoft. Users can input anything open-source.

SRD is powered by two "big breakthroughs," says Molnar. One is time-travel debugging, which lets users go back through their software to see where and when flaws occurred. The other is constraint-solving technology, which informs the direction of the probe hunting vulnerabilities.

"We think this will help us address the shortage of security pros by making it easier for developers without security experience," Molnar explains, noting how this could help bridge the security skills gap.

SRD augments the work developers already do by using AI to automate the same reasoning process that people use to find bugs, and scales it through the cloud. It is aimed at teams that have no security talent, and at those whose security talent cannot scale.

While they may not need security expertise to use SRD, developers will need some security know-how to address the bugs it finds, notes John Heasman, senior director of software security at DocuSign, one of the tool's early testers.

DocuSign, which lets users sign documents virtually instead of by hand, used SRD to look for bugs in software it bought or licensed and wanted to incorporate into its platform. In particular, it wanted to vet software used to handle potentially malicious documents uploaded by users.

"We had already done internal fuzzing, so we recognized the value of testing," says Heasman, noting that DocuSign's internal program did not have the scalability of SRD or constraint-solving technology.

"At the end of the day, the tool will find bugs and give you test cases," he continues. "But then it's the responsibility of someone on the security team to go off and triage the bugs."

Microsoft is also launching a preview of SRD for Linux after users said they needed to write code on multiple different platforms. Molnar anticipates the tool will continue to expand.

"My personal vision is we'll eventually test every piece of software on every device," he says.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
No SOPA, User Rank: Ninja
7/31/2017 | 1:51:22 PM
Re: Microsoft and bugs
Personally, I hate it. The illusion of business success needs to be weighed more realistically. You spend 250 million dollars to develop and roll out a product, "time to market" a key factor. You make 2 billion dollars. Your customers spend almost as much as you made paying off ransomware that got in through your exploitable software, and your company spends again millions of dollars trying to fix the problems that could have been fixed during development; your customers move to the competition when you can't provide good service, but somehow you stay on top with other small successes that overshadow the huge failures. I think it's business practices like this that bring the whole industry down.
Joe Stanganelli, User Rank: Ninja
7/29/2017 | 3:04:26 PM
Re: Microsoft and bugs
> A terrible way to do business given that the majority of the business world uses the Microsoft Windows operating systems.

To be fair, that's probably a big part of the reason why Microsoft/Windows has such market domination. We can like the idea or hate it, but time to market is a critical factor in market success.

Joe Stanganelli, User Rank: Ninja
7/29/2017 | 3:02:17 PM
Re: Testing & Murphy's Law
@Dr.T: Well, it was a closed Coke can... ;)

Dr.T, User Rank: Ninja
7/24/2017 | 1:29:24 PM
Re: Testing & Murphy's Law
"roll a Coke can across the keyboard"

Monkey tests. I think they will end up replacing the keyboard before cleaning all the bugs in the software.

Dr.T, User Rank: Ninja
7/24/2017 | 1:27:40 PM
Re: Testing & Murphy's Law
"... inevitably missing many of them ..."

I hear you. Sometimes the only solution is to make it generally available and see what other problems they face.

Dr.T, User Rank: Ninja
7/24/2017 | 1:25:55 PM
Re: Microsoft and bugs
"majority of the business world uses the Microsoft Windows operating systems"

I hear you, this has changed since the mobile revolution.

Dr.T, User Rank: Ninja
7/24/2017 | 1:24:47 PM
Re: Microsoft and bugs
"bugs have been in Microsoft's DNA"

That is mainly true. It is also part of the software development process, I guess; not everything can be caught in the first go.

Dr.T, User Rank: Ninja
7/24/2017 | 1:22:57 PM
SRD
Anything that can check the code and let us know the vulnerabilities is a good tool we can utilize. I am wondering if it is open source or free of license to use?

Joe Stanganelli, User Rank: Ninja
7/22/2017 | 3:07:54 PM
Testing & Murphy's Law
This may be the way to go, considering that testing often involves anticipating all the things that can go wrong -- and inevitably missing many of them.

I'm aware of one tester whose very first test was to roll a Coke can across the keyboard. If anything locked up with that input, the developer would get their code back right then and there.

PrivateFreedoms, User Rank: Apprentice
7/21/2017 | 5:17:47 PM
Microsoft and bugs
For decades bugs have been in Microsoft's DNA. Microsoft will spend 'x' amount of time on a project -- then it's forced to market as long as there are no show-stopper bugs and the remaining bugs are less than 'Y %' per one thousand lines of code. A terrible way to do business given that the majority of the business world uses the Microsoft Windows operating systems. Some half-ass AI is only a band-aid. And I suspect it will be buggy too.