I often mention that we try to give you all the tools we have as long as it makes sense form a risk perspective. The risk perspective is a simple one: If we give it to you as our customer, we give it as well to the criminals.
There are two new tools which just made the bar and which are now released by the Security Development Lifecycle (SDL) team:
- BinScope Binary Analyzer is a verification tool that confirms they the use of the correct compiler and linker protections required by the SDL. One of the things we learned is that the right compiler settings may change a lot (if the compiler and the linker are able to deliver accurate security)
- MiniFuzz File Fuzzer is a simple file fuzzer that is designed to ease your introduction into fuzz testing by supplying file formats that your application would otherwise not expect.
So, if you develop in-house, look at them and make use of them. If not, make sure your supplier uses them or something similar (we do…)
Additionally, you might remember that we released a Security Development Lifecycle Template for VisualStudio earlier this year (Security Development Lifecycle Template - Your next step to "Secure Development). Based on your feedback the SDL team has written a whitepaper on how to integrate their practices into your own process template: Whitepaper: Manually Integrating the SDL Process Template
Roger