informa
Quick Hits

Microsoft Offers Another Free SDL Tool

Attack Surface Analyzer now in beta, and Microsoft adds new SDL consulting service
ARLINGTON, VA -- Black Hat DC -- Microsoft here today released another free Security Development Lifecycle (SDL) tool -- one that helps detect how newly developed or installed applications affect the attack surface in a Windows environment.

The new Attack Surface Analyzer is now in beta and available for download from Microsoft's SDL tools Web page. "It helps you discover changes in installed application that might lead to an increased attack surface," say Jeremy Dallman, senior security program manager at Microsoft.

The tool looks at what file changes within the application could do to the overall system security. "An IT professional in a corporate environment could take applications deployed in their shop and scan them ... the Attack Surface Analyzer would extract and determine what security issues might be there," he says. It does not, however, look at vulnerabilities, but instead at weaknesses introduced by applications running on Windows.

In a recent Forrester Research study commissioned by Microsoft, nearly half of enterprises say they don't vet third-party code they bring in-house. And, overall, application security remains in its infancy within organizations, the report found.

Microsoft also announced a new consulting service for SDL, which will officially launch next month. This consulting service is aimed at organizations looking for Microsoft-specific SDL assistance, Dallman says. Microsoft's SDL Pro Network, comprised of third-party partners that offer SDL services and training, could also team up with Microsoft consulting for clients, he notes.

Meanwhile, the company also rolled out updates to existing SDL tools Threat Modeling and Binscope Binary Analyzer. The new beta version of the updated Threat Modeling Tool now supports Microsoft Visio 2010, and fixes bugs reported by security researchers. A new version of Binscope Binary Analyzer, 1.2, supports Visual Studio 2010 and is integrated with Microsoft Team Foundation Server 2008 and 2010.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading: