7/21/2017
02:10 PM
Microsoft Rolls Out AI-based Security Risk Detection Tool

Microsoft Security Risk Detection leverages artificial intelligence to root out bugs in software before it's released.

Microsoft is rolling out Security Risk Detection (SRD), a cloud-based tool built to catch vulnerabilities in software before companies release or deploy it. A preview version is available for Linux users.

SRD, announced last September, aims to eliminate the headache of handling bugs, crashes, and attack response by automating fuzz testing. Businesses traditionally hire security experts to conduct fuzz testing, if they do it at all. Many lack the expertise to test software properly, a growing problem as more programs are written and security becomes more important.

Fuzzing seeks out vulnerabilities that could potentially enable threat actors to launch cyberattacks or crash systems. Based on results, developers can use other tools to fix the bugs.

How SRD works: Users log into a secure web portal and install the software's binaries into a virtual machine, along with a "test driver" program that runs the scenario to be tested, and sample input files, or "seed files," to use as a starting point for fuzzing.

From there, the tool will use several methods to continuously fuzz the software. SRD uses artificial intelligence to ask a series of "what if" questions to figure out what might cause a crash and prompt a security concern. As they go through the wizard, users are asked questions a developer should be able to answer without having extensive security expertise.

Each time it runs, SRD zeroes in on critical areas to look for flaws, and the findings are shared through the web portal. Users can download test cases to reproduce the problems and learn where and when they occurred, so they know how to prioritize and fix the issues, then re-test to ensure the flaws are gone.

The service was designed for organizations that build their own software, modify off-the-shelf software, or license open-source offerings. SRD doesn't require source code, says David Molnar, senior researcher and project leader at Microsoft. Users can input anything open-source.

SRD is powered by two "big breakthroughs," says Molnar. One is time-travel debugging, which lets users go back through their software to see where and when flaws occurred. The other is constraint-solving technology, which informs the direction of the probe hunting vulnerabilities.

"We think this will help us address the shortage of security pros by making it easier for developers without security experience," Molnar explains, noting how this could help bridge the security skills gap.

SRD augments the work developers already do by using AI to automate the same reasoning process people use to find bugs, and scales it through the cloud. It's for teams that don't have security talent, and for those whose security talent is too thin to scale out.

While they may not need security expertise to use SRD, developers will need some security know-how to address the bugs it finds, notes John Heasman, senior director of software security at DocuSign, one of the tool's early testers.

DocuSign, which lets users sign documents virtually instead of by hand, used SRD to look for bugs in software it bought or licensed and wanted to incorporate into its platform. In particular, it wanted to vet software used to handle potentially malicious documents uploaded by users.

"We had already done internal fuzzing, so we recognized the value of testing," says Heasman, noting that DocuSign's internal program did not have the scalability of SRD or constraint-solving technology.

"At the end of the day, the tool will find bugs and give you test cases," he continues. "But then it's the responsibility of someone on the security team to go off and triage the bugs."

Microsoft is also launching a preview of SRD for Linux after users said they needed to test code on multiple platforms. Molnar anticipates the tool will continue to expand.

"My personal vision is we'll eventually test every piece of software on every device," he says.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Comments
Christian Bryant
User Rank: Ninja
7/31/2017 | 1:51:22 PM
Re: Microsoft and bugs
Personally, I hate it. The illusion of business success needs to be weighed more realistically. You spend 250 million dollars to develop and roll out a product, "time to market" a key factor. You make 2 billion dollars. Your customers spend almost as much as you made paying off ransomware that got in through your exploitable software, and your company spends again millions of dollars trying to fix the problems that could have been fixed during development; your customers move to the competition when you can't provide good service, but somehow you stay on top with other small successes that overshadow the huge failures. I think it's business practices like this that bring the whole industry down.

Joe Stanganelli
User Rank: Ninja
7/29/2017 | 3:04:26 PM
Re: Microsoft and bugs
> A terrible way to do business given that the majority of the business world uses the Microsoft Windows operating systems.

To be fair, that's probably a big part of the reason why Microsoft/Windows has such market domination. We can like the idea or hate it, but time to market is a critical factor in market success.
Joe Stanganelli
User Rank: Ninja
7/29/2017 | 3:02:17 PM
Re: Testing & Murphy's Law
@Dr.T: Well, it was a closed Coke can... ;)
Dr.T
User Rank: Ninja
7/24/2017 | 1:29:24 PM
Re: Testing & Murphy's Law
"roll a Coke can across the keyboard"

Monkey tests. I think they will end up replacing the keyboard before cleaning all the bugs in the software.
Dr.T
User Rank: Ninja
7/24/2017 | 1:27:40 PM
Re: Testing & Murphy's Law
"... inevitably missing many of them ..."

I hear you. Sometimes the only solution is to make it generally available and see what other problems they face.
Dr.T
User Rank: Ninja
7/24/2017 | 1:25:55 PM
Re: Microsoft and bugs
"majority of the business world uses the Microsoft Windows operating systems"

I hear you, this has changed since the mobile revolution.
Dr.T
User Rank: Ninja
7/24/2017 | 1:24:47 PM
Re: Microsoft and bugs
"bugs have been in Microsoft's DNA"

That is mainly true. It is also part of the software development process, I guess; not everything can be caught in the first go.
Dr.T
User Rank: Ninja
7/24/2017 | 1:22:57 PM
SRD
Anything that can check the code and let us know the vulnerabilities is a good tool we can utilize. I am wondering if it is open source or free of license to use?
Joe Stanganelli
User Rank: Ninja
7/22/2017 | 3:07:54 PM
Testing & Murphy's Law
This may be the way to go, considering that testing often involves anticipating all the things that can go wrong -- and inevitably missing many of them.

I'm aware of one tester whose very first test was to roll a Coke can across the keyboard. If anything locked up with that input, the developer would get their code back right then and there.
PrivateFreedoms
User Rank: Apprentice
7/21/2017 | 5:17:47 PM
Microsoft and bugs
For decades bugs have been in Microsoft's DNA. Microsoft will spend 'x' amount of time on a project -- then it's forced to market as long as there are no show-stopper bugs and the remaining bugs are less than 'Y %' per one thousand lines of code. A terrible way to do business given that the majority of the business world uses the Microsoft Windows operating systems. Some half-assed AI is only a band-aid. And I suspect it will be buggy too.