security development lifecycle tools

Post on 17-Dec-2014

DESCRIPTION

Security Development Lifecycle Tools by Sunil Yadav @ null Mumbai Meet, March, 2011

TRANSCRIPT

Security Development Lifecycle Tools

Presentation by: Sunil Yadav

Security Development Lifecycle

SDL is the process used by Microsoft to develop software; it defines security requirements and minimizes security-related issues.

A software development security assurance process.

SD3+C – Secure by Design, Secure by Default, Secure in Deployment, and Communications

A Security Framework SD3+C

SDL Phases

SDL Tools

Binscope Binary Analyzer

SDL Regex Fuzzer

Code Analysis Tool (CAT.NET)

Minifuzz File Fuzzer

Binscope Binary Analyzer

Binscope is a binary analyzer security tool that ensures assemblies comply with SDL requirements and recommendations.

Binscope performs the following security checks to test for weaknesses such as buffer overflow and data execution:

Check/Flag     Description

/GS            Prevent buffer overflow

/SafeSEH       Ensures safe exception handling

/NXCOMPAT      Ensure compatibility with Data Execution Prevention (DEP)

/SNCHECK       Ensures unique key pairs and strong integrity check.

Demo

SDL Regex Fuzzer

SDL Regex Fuzzer is a tool that helps test regular expressions for potential denial-of-service vulnerabilities.

SDL Regex Fuzzer testing must be performed during the Microsoft Security Development Lifecycle (SDL) Verification Phase.

Evil Regular Expressions

([a-zA-Z]+)*

(a|aa)+

(.*a){x} for x > 10

Demo
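
A timing check on the patterns listed above, as an added example that is not part of the original slides and not the SDL Regex Fuzzer's own code. The function names, the probe strings, the time budget, the choice x = 11 and the control pattern are assumptions made for this illustration.

```python
import re
import time

# Patterns from the slide; x = 11 is chosen here for "(.*a){x} for x > 10".
SLIDE_PATTERNS = [r"([a-zA-Z]+)*", r"(a|aa)+", r"(.*a){11}"]
# Constructed control: a single repetition with no nesting or overlap.
CONTROL_PATTERN = r"[a-zA-Z]+"


def blowup_length(pattern, budget=0.2, max_len=60):
    """Return the probe length at which one match attempt takes longer than
    `budget` seconds, or None if every probe up to max_len stays within it."""
    compiled = re.compile(pattern)
    for n in range(10, max_len + 1, 2):
        # Constructed probe: a run the pattern accepts, then one character
        # that makes the overall match fail, so the engine must backtrack
        # through every way of splitting the run before giving up.
        probe = "a" * n + "!"
        start = time.perf_counter()
        compiled.fullmatch(probe)
        if time.perf_counter() - start > budget:
            return n  # stop here: longer probes only get slower
    return None


def audit(patterns):
    """Map each pattern to its blow-up length (None means within budget)."""
    return {p: blowup_length(p) for p in patterns}


if __name__ == "__main__":
    for pattern, n in audit(SLIDE_PATTERNS + [CONTROL_PATTERN]).items():
        verdict = f"exceeds budget at {n} characters" if n else "within budget"
        print(f"{pattern!r}: {verdict}")
```

The lengths reported depend on the machine; what matters is that the slide's patterns cross the budget on short inputs while the control pattern never does.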

References

Download: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8737519c-52d3-4291-9034-caa71855451f

Download SDL Tools: http://www.microsoft.com/security/sdl/getstarted/tools.aspx

Links:

http://blogs.msdn.com/b/sdl/archive/2010/10/12/new-tool-sdl-regex-fuzzer.aspx

http://msdn.microsoft.com/en-us/magazine/ff646973.aspx

http://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

http://www.sunilyadav.net/2011/02/sdl-regex-fuzzer/

Code Analysis Tool (CAT.NET)

Code Analysis Tool (CAT.NET) is a binary source code analysis tool that helps in identifying common security flaws in managed code.

Vulnerability

Cross Site Scripting(XSS)

SQL Injection

Process Command Injection

File Canonicalization

Exception Information

LDAP Injection

XPATH Injection

Redirection to User Controlled Site

Demo

Minifuzz File Fuzzer

The Minifuzz tool helps in detecting security flaws that may expose application vulnerabilities in file handling code.

The Minifuzz tool accepts the file content and creates multiple variations of the same file to identify the application behavior for handling different file formats.

Minifuzz testing must be performed during the Microsoft Security Development Lifecycle (SDL) Verification Phase.

Demo

References

Download: http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=b2307ca4-638f-4641-9946-dc0a5abe8513

Links:

http://www.microsoft.com/security/sdl/default.aspx

http://www.owasp.org/index.php/Fuzzing

http://www.sunilyadav.net/2011/02/minifuzz-file-fuzzer/

Questions?