The tools are available for download for free, and are designed to help developers extend Microsoft’s SDL (Security Development Lifecycle) process into their organizations. The first of the tools is BinScope Binary Analyzer, which examines binaries to see if they are in compliance with SDL requirements. For example, the tool checks that Microsoft SDL-required compiler/linker flags are being set, strong-named assemblies are in use, and up-to-date build tools are in place.
The second program is Microsoft MiniFuzz File Fuzzer. MiniFuzz is designed to help detect code imperfections that may expose security vulnerabilities in file-handling code by creating random variations of file content and feeding it into the application. From there, the program exercises the code in an attempt to expose unexpected application behaviors.
“Code analysis and fuzzing are required parts of the SDL as malicious attackers use code analysis and test techniques such as fuzzing to find vulnerabilities,” said David Ladd, principal security program manager of Microsoft’s SDL team. “It is important for developers and testers to proactively employ similar techniques in an attempt to preemptively find and fix vulnerabilities that may otherwise not be caught.”
Both the MiniFuzz File Fuzzer and BinScope Binary Analyzer are available in two forms: a stand-alone executable tool and an integrated tool within Visual Studio. The tools are available for download from the SDL Tools Repository and the Microsoft Download Center.