From: InfoSec News (alerts infosecnews.org)
Date: Thu Sep 17 2009 - 00:29:01 CDT
http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=220000750
By Kelly Jackson Higgins
DarkReading
Sept 16, 2009
Microsoft continued efforts to spread its own secure software
development program with today's release of a free fuzzer and tool for
analyzing binary code.
The software giant last year began opening up its Security Development
Lifecycle (SDL) for all third-party application developers and
enterprises as a way to write cleaner, more secure code. As part of its
SDL-sharing strategy, Microsoft has released several free tools for
developers, including the SDL Threat Modeling Tool; the !exploitable
(pronounced "bang exploitable") Crash Analyzer, an add-on to Microsoft's
Windows debugger fuzzing tool; and the SDL Process Template, which
integrates Microsoft's SDL directly into third-party and enterprise
development environments.
Microsoft's latest tools -- BinScope Binary Analyzer and Mini-Fuzz File
Fuzzer -- support the verification stage of the SDL process. "This is
the testing phase," says David Ladd, principal security program manager
for Microsoft's SDL team. Microsoft also released a white paper on how
to manually integrate the SDL Process Template into its existing Visual
Studio Team System development projects.
Along with iSEC Partners, the company also released a new report on how
to measure the ROI of an SDL program. The report, which includes data
from NIST studies and anecdotal data from iSEC, demonstrates how to use
metrics to calculate an ROI: "The earlier you can find bugs, the cheaper
it's going to be for development organizations," Ladd says.
[...]