Aug 26, 2011 12:16 GMT

After it successfully bulletproofed its own software with the help of the Security Development Lifecycle process, Microsoft started sharing its SDL resources with third parties in 2008, free of charge.

Three years later, SDL tools and methodology have been downloaded nearly 700,000 times, a Microsoft representative told Softpedia.

But just as the threat landscape is ever changing, Microsoft’s SDL resources need to evolve continually. The latest releases of the MiniFuzz, RegExFuzz and Threat Modeling tools illustrate the Redmond company’s commitment to increasing the level of protection for users, both by securing its own technologies and by helping third-party developers build more secure software.

Threat Modeling Tool v3.1.8, MiniFuzz Tool v1.5.5 and RegExFuzz Tool v1.1.0 are now available through the Microsoft Download Center. All downloads continue to be offered free of charge.

“The Threat Modeling Tool is used in the SDL Design Phase to find security problems before coding begins,” revealed Monty LaRue, from the SDL Team.

“Through beta testing we obtained valuable input on what changes could be made to improve the tool. In this new version, we focused on stabilization of the Visio 2010 and Team Foundation Server (TFS) 2010 support that was provided as part of the beta release, and fixed bugs that were discovered.”

Support for Team Foundation Server (TFS) 2010 was also included in the latest release of the MiniFuzz Tool.

As the name implies, this utility offers a set of basic file fuzzing capabilities. Security experts working with advanced fuzzing techniques might require something better equipped, since the resource is aimed at those with limited fuzz testing experience. As of version 1.5.5, the MiniFuzz Tool is more reliable and better at dealing with target application shutdown.

“The RegExFuzz Tool provides regular expression fuzzing capabilities that can be applied during the SDL Verification phase to check that regular expression evaluation times are not exponential,” LaRue added.

“Regular expressions with very long evaluation times can lead to DoS attacks. In this new version, we focused on bug fixes requested from field use of the tool. A readme document has been added to the download which documents the fixes, remaining known issues, and planned future enhancements.”

SDL Threat Modeling Tool 3.1.8 is available for download here.

MiniFuzz basic file fuzzing tool 1.5.5 is available for download here.

Regular expression fuzzing tool 1.1.0 is available for download here.