Microsoft is rolling out Security Risk Detection (SRD), a cloud-based tool built to catch software vulnerabilities before companies release or use the software. A preview version is available for Linux users.
SRD, announced last September, aims to eliminate the headache of handling bugs, crashes, and attack response by automating fuzz testing. Businesses traditionally hire security experts to conduct fuzz testing, if they do it at all. Many lack the expertise to properly test software, which is a problem as more programs are created and security becomes increasingly important.
Fuzzing seeks out vulnerabilities that could potentially enable threat actors to launch cyberattacks or crash systems. Based on results, developers can use other tools to fix the bugs.
How SRD works: Users log into a secure web portal and install the software's binaries into a virtual machine, along with a "test driver" program that runs the scenario to be tested, and sample input files, or "seed files," to use as a starting point for fuzzing.
From there, the tool will use several methods to continuously fuzz the software. SRD uses artificial intelligence to ask a series of "what if" questions to figure out what might cause a crash and raise a security concern. As they go through the wizard, users are asked questions a developer should be able to answer without extensive security expertise.
Each time it runs, SRD zeroes in on critical areas to look for flaws, which are shared through the web portal. Users can download test cases to reproduce problems and learn where and when they occurred, so they know how to prioritize and fix issues, then re-test to ensure the flaws are gone.
The service was designed for organizations that build their own software, modify off-the-shelf software, or license open-source offerings. SRD doesn't require source code, says David Molnar, senior researcher and project leader at Microsoft. Users can submit any open-source software as well.
SRD is powered by two "big breakthroughs," says Molnar. One is time-travel debugging, which lets users go back through their software to see where and when flaws occurred. The other is constraint-solving technology, which informs the direction of the probe hunting vulnerabilities.
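To show why constraint solving "informs the direction" of a fuzzer, here is an added example (not SRD's code, and not Molnar's solver) of the simplest form of the idea. A hypothetical target guards a defect behind five exact byte comparisons; blind one-byte mutation never gets past them, while a loop that records each failed comparison and rewrites the offending input byte to the constant the target wanted reaches the guarded code in a handful of runs. The `CmpTrace`, `guarded_target`, `blind_mutation` and `solve_by_trace` names are all constructed for this illustration.

```python
"""Comparison-guided input construction versus blind mutation.
Added example with a hypothetical target; not Microsoft's constraint solver."""
import random
from typing import List, Optional, Tuple

Cmp = Tuple[int, int, int]  # (input offset, byte seen, byte the target wanted)


class CmpTrace:
    """Records every byte-vs-constant comparison the target makes, standing in
    for the execution trace a real constraint solver consumes."""

    def __init__(self) -> None:
        self.cmps: List[Cmp] = []

    def eq(self, offset: int, actual: int, wanted: int) -> bool:
        self.cmps.append((offset, actual, wanted))
        return actual == wanted


def guarded_target(data: bytes, tr: CmpTrace) -> str:
    """Hypothetical parser: a defect sits behind five exact byte checks."""
    if len(data) < 6:
        return "too short"
    for i, magic in enumerate(b"SRD1"):
        if not tr.eq(i, data[i], magic):
            return "bad magic"
    if not tr.eq(4, data[4], 2):
        return "unsupported version"
    if data[5] & 0x80:
        raise RuntimeError("defect reachable only past the checks")
    return "ok"


def passes_checks(data: bytes, tr: Optional[CmpTrace] = None) -> bool:
    """True if the input gets past every guard (whether or not it then crashes)."""
    try:
        return guarded_target(data, tr or CmpTrace()) == "ok"
    except RuntimeError:
        return True


def blind_mutation(seed: bytes, iterations: int, rng_seed: int = 0) -> bool:
    """Random single-byte overwrites of the seed; True if any input passes the checks.
    Five simultaneous constraints cannot be met by changing one byte at a time."""
    rng = random.Random(rng_seed)
    for _ in range(iterations):
        buf = bytearray(seed)
        buf[rng.randrange(len(buf))] = rng.randrange(256)
        if passes_checks(bytes(buf)):
            return True
    return False


def solve_by_trace(seed: bytes, max_runs: int = 16) -> Tuple[Optional[bytes], int]:
    """Each run, take the first comparison that failed and set that input byte
    to the constant the target wanted; repeat until the checks pass.
    Returns (solved input or None, number of target executions used)."""
    data = bytearray(seed)
    for run in range(1, max_runs + 1):
        tr = CmpTrace()
        if passes_checks(bytes(data), tr):
            return bytes(data), run
        failed = [c for c in tr.cmps if c[1] != c[2]]
        if not failed:
            return None, run          # no byte comparison left to satisfy
        offset, _, wanted = failed[0]
        data[offset] = wanted         # satisfy one constraint per execution
    return None, max_runs


if __name__ == "__main__":
    seed = bytes(6)
    print("blind mutation reached the guarded code:", blind_mutation(seed, 5000))
    solved, runs = solve_by_trace(seed)
    print(f"trace-guided solver reached it in {runs} runs with input {solved!r}")
```

Once the solver has produced an input that satisfies the guards, ordinary mutation of that input (here, setting the high bit of byte 5) reaches the defect immediately; that hand-off from solver to mutator is what "informing the direction of the probe" means in practice. Real solvers handle arithmetic and multi-byte relations, not just byte equality, but the loop shape is the same.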
"We think this will help us address the shortage of security pros by making it easier for developers without security experience," Molnar explains, noting how this could help bridge the security skills gap.
SRD augments the work developers already do by using AI to automate the same reasoning process that people use to find bugs, and scales it through the cloud. It's for teams that don't have security talent, and for those whose security talent cannot scale to cover all their software.
While they may not need security expertise to use SRD, developers will need some security know-how to address the bugs it finds, notes John Heasman, senior director of software security at DocuSign, one of the tool's early testers.
DocuSign, which lets users sign documents virtually instead of by hand, used SRD to look for bugs in software it bought or licensed and wanted to incorporate into its platform. In particular, it wanted to vet software used to handle potentially malicious documents uploaded by users.
"We had already done internal fuzzing, so we recognized the value of testing," says Heasman, noting that DocuSign's internal program did not have the scalability of SRD or constraint-solving technology.
"At the end of the day, the tool will find bugs and give you test cases," he continues. "But then it's the responsibility of someone on the security team to go off and triage the bugs."
Microsoft is also launching a preview of SRD for Linux after users said they needed to write code for multiple platforms. Molnar anticipates the tool will continue to expand.
"My personal vision is we'll eventually test every piece of software on every device," he says.