Microsoft has released new versions of several of its software security tools, including its Threat Modeling Tool and a pair of fuzzers. All of the tools are part of the company’s Security Development Lifecycle program, which it has been sharing with external organizations for a few years now.
Microsoft’s internal teams developed a number of tools that they use in writing and assessing software and the company has making some of them available publicly. One of the key tools in the SDL arsenal is the company’s Threat Modeling Tool, which is used by developers and engineers at the beginning of a project to help find potential threats before they start writing code. The new version of the tool includes more stable support for Visio 2010 and Team Foundation Server.
Microsoft also released new versions of two specialized fuzzers: RegExFuzz and MiniFuzz. Both fuzzers are meant to be used in the Verification Phase of the SDL program. MiniFuzz is a basic fuzzer and the RegExFuzz tool is designed specifically for finding problems with regular expressions in software.
“The RegExFuzz Tool provides regular expression fuzzing capabilities that can be applied during the SDL Verification phase to check that regular expression evaluation times are not exponential. Regular expressions with very long evaluation times can lead to DoS attacks. In this new version, we focused on bug fixes requested from field use of the tool,” Microsoft said in its blog post on the new tool releases.
All of the tools can be downloaded through the SDL blog page.
