Attack Surface Analyzer now in beta, and Microsoft adds new SDL consulting service
ARLINGTON, VA -- Black Hat DC -- Microsoft here today released another free Security Development Lifecycle (SDL) tool -- one that helps detect how newly developed or installed applications affect the attack surface in a Windows environment.
The new Attack Surface Analyzer is now in beta and available for download from Microsoft's SDL tools Web page. "It helps you discover changes in installed applications that might lead to an increased attack surface," says Jeremy Dallman, senior security program manager at Microsoft.
The tool looks at what file changes within the application could do to the overall system security. "An IT professional in a corporate environment could take applications deployed in their shop and scan them ... the Attack Surface Analyzer would extract and determine what security issues might be there," he says. It does not, however, look at vulnerabilities, but instead at weaknesses introduced by applications running on Windows.
In a recent Forrester Research study commissioned by Microsoft, nearly half of enterprises say they don't vet third-party code they bring in-house. And, overall, application security remains in its infancy within organizations, the report found.
Microsoft also announced a new consulting service for SDL, which will officially launch next month. This consulting service is aimed at organizations looking for Microsoft-specific SDL assistance, Dallman says. Microsoft's SDL Pro Network, comprised of third-party partners that offer SDL services and training, could also team up with Microsoft consulting for clients, he notes.
Meanwhile, the company also rolled out updates to existing SDL tools Threat Modeling and Binscope Binary Analyzer. The new beta version of the updated Threat Modeling Tool now supports Microsoft Visio 2010, and fixes bugs reported by security researchers. A new version of Binscope Binary Analyzer, 1.2, supports Visual Studio 2010 and is integrated with Microsoft Team Foundation Server 2008 and 2010.