Security Development Lifecycle Tools Presentation By : Sunil Yadav

Upload: nu-the-open-security-community

Post on 17-Dec-2014


DESCRIPTION

Security Development Lifecycle Tools by Sunil Yadav @ null Mumbai Meet, March, 2011

TRANSCRIPT

Page 1: Security Development Lifecycle Tools

Security Development Lifecycle Tools Presentation By : Sunil Yadav

Page 2: Security Development Lifecycle Tools

Security Development Lifecycle

The SDL is the process Microsoft uses to develop software; it defines security requirements and minimizes security-related issues. It is a software development security assurance process built on SD3+C: Secure by Design, Secure by Default, Secure in Deployment, and Communications.

Page 3: Security Development Lifecycle Tools

A Security Framework SD3+C

Page 4: Security Development Lifecycle Tools

SDL Phases

Page 5: Security Development Lifecycle Tools

SDL Tools

Binscope Binary Analyzer

SDL Regex Fuzzer

Code Analysis Tool (CAT.NET)

Minifuzz File Fuzzer

Page 6: Security Development Lifecycle Tools

Binscope Binary Analyzer

Binscope is a binary analyzer security tool that ensures assemblies comply with SDL requirements and recommendations. Binscope performs the following security checks to test for weaknesses such as buffer overflows and missing Data Execution Prevention.

Check/Flag   Description
/GS          Prevents buffer overflow
/SafeSEH     Ensures safe exception handling
/NXCOMPAT    Ensures compatibility with Data Execution Prevention (DEP)
/SNCHECK     Ensures unique key pairs and strong integrity check
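The /NXCOMPAT check in the table above is one of the flags a binary analyzer can read directly from the PE optional header's DllCharacteristics word. The following script is an added example written for this transcript, not code from the presentation or from Binscope itself: it parses that word from a PE32 or PE32+ image and reports which hardening bits are set. The "required" set (NXCOMPAT and DYNAMICBASE) is this example's own policy, and the minimal header built by make_test_image is constructed test data. Note that /GS and /SafeSEH cannot be judged from this word alone; they require inspecting the load configuration directory, which is outside this example.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits as defined in the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100
NO_SEH = 0x0400
GUARD_CF = 0x4000

# Policy for this example (constructed here, not Binscope's own rule set):
# flags a release binary is expected to carry, and flags reported for information only.
REQUIRED = {"NXCOMPAT": NX_COMPAT, "DYNAMICBASE": DYNAMIC_BASE}
INFORMATIONAL = {"HIGH_ENTROPY_VA": HIGH_ENTROPY_VA, "NO_SEH": NO_SEH, "GUARD_CF": GUARD_CF}


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE image (PE32 or PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER is 20 bytes; the optional header follows it.
    opt = e_lfanew + 4 + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and the PE32+ optional header.
    (flags,) = struct.unpack_from("<H", image, opt + 70)
    return flags


def audit(image: bytes) -> dict:
    """Report which hardening flags are present and which required ones are missing."""
    flags = dll_characteristics(image)
    present = {name: bool(flags & bit) for name, bit in {**REQUIRED, **INFORMATIONAL}.items()}
    missing = [name for name, bit in REQUIRED.items() if not flags & bit]
    return {"flags": flags, "present": present, "missing_required": missing}


def make_test_image(flags: int) -> bytes:
    """Constructed minimal PE32+ header (no sections) carrying the given DllCharacteristics."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    # Machine=x64, 0 sections, 240-byte optional header, Characteristics=EXECUTABLE|LARGE_ADDRESS_AWARE
    file_header = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)   # PE32+ magic
    struct.pack_into("<H", opt, 70, flags)  # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + file_header + bytes(opt)


if __name__ == "__main__":
    for label, flags in (("hardened", NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA), ("weak", 0)):
        print(label, audit(make_test_image(flags)))
```

To run it against a real build artefact, pass the file contents: audit(open(path, "rb").read()). An empty missing_required list corresponds to the NXCOMPAT row in the table being satisfied.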

Page 7: Security Development Lifecycle Tools

Demo

Page 8: Security Development Lifecycle Tools
Page 10: Security Development Lifecycle Tools

SDL Regex Fuzzer

SDL Regex Fuzzer is a tool that helps test regular expressions for potential denial-of-service vulnerabilities. SDL Regex Fuzzer testing must be performed during the Microsoft Security Development Lifecycle (SDL) Verification phase.

Evil Regular Expressions

([a-zA-Z]+)*

(a|aa)+

(.*a){x} for x > 10

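What a regex fuzzer does is feed a pattern progressively longer inputs that almost match and watch how the matching time grows. The script below is an added example for this transcript (not the SDL Regex Fuzzer's code) that does this for the two slide patterns (a|aa)+ and ([a-zA-Z]+)* using Python's backtracking re engine. The attack inputs (a run of the repeatable text followed by "!") and the linear rewrites a+ and [a-zA-Z]* are constructed here; the growth threshold in classify is this example's heuristic.

```python
import re
import time

# Patterns from the slide, each paired with a rewrite that matches the same strings
# without nested or ambiguous repetition (rewrites constructed for this example).
EVIL_AND_FIXED = [
    (r"(a|aa)+", r"a+"),
    (r"([a-zA-Z]+)*", r"[a-zA-Z]*"),
]


def attack_input(prefix: str, n: int, suffix: str = "!") -> str:
    """Constructed worst-case input: n copies of the repeatable text, then a character the pattern cannot match."""
    return prefix * n + suffix


def match_time(pattern: str, text: str, repeats: int = 3) -> float:
    """Best-of-n wall-clock seconds for one full-match attempt (best-of reduces scheduler noise)."""
    rx = re.compile(pattern)
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        rx.fullmatch(text)
        best = min(best, time.perf_counter() - start)
    return best


def growth_ratio(pattern: str, prefix: str, small: int, large: int) -> float:
    """Slow-down factor when the attack input grows from `small` to `large` repeats."""
    t_small = max(match_time(pattern, attack_input(prefix, small)), 1e-7)
    t_large = match_time(pattern, attack_input(prefix, large))
    return t_large / t_small


def classify(pattern: str, prefix: str, small: int, large: int, slack: float = 20.0) -> str:
    """A linear-time regex slows down roughly in proportion to large/small; far more than that
    (here: more than `slack` times that proportion) signals catastrophic backtracking."""
    ratio = growth_ratio(pattern, prefix, small, large)
    return "suspect" if ratio > slack * (large / small) else "ok"


if __name__ == "__main__":
    # Sizes kept small enough that the exponential cases finish in well under a second each.
    sizes = {r"(a|aa)+": (14, 30), r"([a-zA-Z]+)*": (8, 16), r"a+": (14, 30), r"[a-zA-Z]*": (8, 16)}
    for evil, fixed in EVIL_AND_FIXED:
        for pattern in (evil, fixed):
            small, large = sizes[pattern]
            print(f"{pattern:16} growth x{growth_ratio(pattern, 'a', small, large):10.1f}  -> "
                  f"{classify(pattern, 'a', small, large)}")
```

For (a|aa)+ the number of ways the engine can tile a run of n "a" characters grows like the Fibonacci sequence, so going from 14 to 30 repeats multiplies the work by roughly two thousand; the rewrite a+ stays flat. Timing-based detection of this kind is what the fuzzer automates, and the rewrite column is the fix: remove the ambiguity rather than tune timeouts.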

Page 11: Security Development Lifecycle Tools

Demo

Page 12: Security Development Lifecycle Tools

References

Download: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8737519c52d3-4291-9034-caa71855451f

Download SDL Tools: http://www.microsoft.com/security/sdl/getstarted/tools.aspx

Links:

http://blogs.msdn.com/b/sdl/archive/2010/10/12/new-tool-sdl-regexfuzzer.aspx

http://msdn.microsoft.com/en-us/magazine/ff646973.aspx

http://www.owasp.org/index.php/Regular_expression_Denial_of_Service__ReDoS

http://www.sunilyadav.net/2011/02/sdl-regex-fuzzer/

Page 13: Security Development Lifecycle Tools

Code Analysis Tool (CAT.NET)

Code Analysis Tool (CAT.NET) is a binary source code analysis tool that helps identify common security flaws in managed code.

Vulnerability

Cross Site Scripting(XSS)

SQL Injection

Process Command Injection

File Canonicalization

Exception Information

LDAP Injection

XPATH Injection

Redirection to User Controlled Site
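Every item in the list above is found the same way: a tool tracks data from an untrusted source (a request parameter) to a dangerous sink (a SQL query, a process launch, a redirect target) and reports paths with no sanitizer in between. The script below is an added example for this transcript, not CAT.NET's code or its rule set: a small flow-insensitive taint checker over Python's ast module that covers three of the listed classes (SQL Injection, Process Command Injection, Redirection to User Controlled Site). The source, sink and sanitizer names and the SAMPLE program it analyzes are all constructed for the example.

```python
import ast

# Constructed policy: names that root untrusted input, sink callees with the argument index that
# must stay clean, and callees whose result is treated as sanitized.
SOURCES = {"request"}
SINKS = {
    "execute": ("SQL Injection", 0),
    "system": ("Process Command Injection", 0),
    "redirect": ("Redirection to User Controlled Site", 0),
}
SANITIZERS = {"int", "escape", "quote"}

# Constructed sample program: two flawed routines, two safe ones, one command-injection case.
SAMPLE = '''
def lookup_vulnerable(request, cur):
    uid = request.args.get("id")
    query = "SELECT * FROM users WHERE id = " + uid
    cur.execute(query)

def lookup_safe(request, cur):
    uid = request.args.get("id")
    cur.execute("SELECT * FROM users WHERE id = ?", (uid,))

def run_tool(request):
    os.system("convert " + request.form["name"])

def go(request):
    return redirect(request.args["next"])

def go_safe(request):
    target = int(request.args["page"])
    return redirect(f"/page/{target}")
'''


def _callee_name(call: ast.Call):
    """'cur.execute(...)' -> 'execute', 'redirect(...)' -> 'redirect'."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def _is_tainted(node: ast.AST, tainted: set) -> bool:
    """An expression is tainted if it mentions a source or a tainted variable, unless it is a sanitizer call."""
    if isinstance(node, ast.Call) and _callee_name(node) in SANITIZERS:
        return False
    return any(isinstance(sub, ast.Name) and (sub.id in SOURCES or sub.id in tainted)
               for sub in ast.walk(node))


def _tainted_names(func: ast.FunctionDef) -> set:
    """Propagate taint through assignments until no new variable becomes tainted (flow-insensitive)."""
    tainted, changed = set(), True
    while changed:
        changed = False
        for node in ast.walk(func):
            if isinstance(node, ast.Assign) and _is_tainted(node.value, tainted):
                for target in node.targets:
                    if isinstance(target, ast.Name) and target.id not in tainted:
                        tainted.add(target.id)
                        changed = True
    return tainted


def analyze(source: str) -> list:
    """Return (function, line, vulnerability) for every sink call whose guarded argument is tainted."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = _tainted_names(func)
        for node in ast.walk(func):
            if isinstance(node, ast.Call) and _callee_name(node) in SINKS:
                vuln, idx = SINKS[_callee_name(node)]
                if idx < len(node.args) and _is_tainted(node.args[idx], tainted):
                    findings.append((func.name, node.lineno, vuln))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for name, line, vuln in analyze(SAMPLE):
        print(f"line {line}: {vuln} in {name}()")
```

lookup_safe is not reported because only the query string (argument 0) is checked and the tainted value travels in the parameter tuple; go_safe is not reported because int() is listed as a sanitizer. A real analyzer such as CAT.NET works on compiled assemblies, is flow- and path-sensitive, and ships a far larger source/sink catalogue, but the source-to-sink reasoning is the same.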

Page 14: Security Development Lifecycle Tools

Demo

Page 15: Security Development Lifecycle Tools
Page 17: Security Development Lifecycle Tools

Minifuzz File Fuzzer

The Minifuzz tool helps detect security flaws that may expose application vulnerabilities in file-handling code. Minifuzz takes a file's content and creates multiple variations of the same file to observe how the application behaves when handling different file formats. Minifuzz testing must be performed during the Microsoft Security Development Lifecycle (SDL) Verification phase.
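The technique described above, generating many variants of a seed file and watching the parser for anything other than a clean accept or reject, is shown below as an added example written for this transcript; it is not MiniFuzz's code. The toy record format, the seed file, the mutation strategies and the two parsers (one that trusts the length fields and one with bounds checks) are all constructed for the example.

```python
import random
import struct


class FormatError(Exception):
    """The parser's own, expected rejection of malformed input."""


def parse_records(data: bytes) -> list:
    """Constructed toy format: b"MF", u16 record count, then per record u8 length, payload, checksum byte.
    Deliberately trusts the count and length fields, so corrupted files escape as IndexError/struct.error."""
    if data[:2] != b"MF":
        raise FormatError("bad magic")
    (count,) = struct.unpack_from("<H", data, 2)       # struct.error if the file is cut here
    off, records = 4, []
    for _ in range(count):
        length = data[off]                              # IndexError once off runs past the end
        payload = data[off + 1:off + 1 + length]
        if sum(payload) % 256 != data[off + 1 + length]:  # IndexError on a truncated record
            raise FormatError("checksum mismatch")
        records.append(payload)
        off += 2 + length
    return records


def parse_records_hardened(data: bytes) -> list:
    """Same format, with every offset checked against the buffer before it is used."""
    if len(data) < 4 or data[:2] != b"MF":
        raise FormatError("bad header")
    (count,) = struct.unpack_from("<H", data, 2)
    off, records = 4, []
    for _ in range(count):
        if off + 2 > len(data):
            raise FormatError("truncated record header")
        length = data[off]
        end = off + 2 + length                           # index just past this record's checksum byte
        if end > len(data):
            raise FormatError("record overruns file")
        payload = data[off + 1:off + 1 + length]
        if sum(payload) % 256 != data[end - 1]:
            raise FormatError("checksum mismatch")
        records.append(payload)
        off = end
    return records


def build_seed(payloads) -> bytes:
    """Build a valid seed file (constructed) from a list of short payloads."""
    body = b"".join(bytes([len(p)]) + p + bytes([sum(p) % 256]) for p in payloads)
    return b"MF" + struct.pack("<H", len(payloads)) + body


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random variation of the seed: bit flip, byte overwrite, truncation, or byte insertion."""
    buf = bytearray(seed)
    pos = rng.randrange(len(buf))
    strategy = rng.randrange(4)
    if strategy == 0:
        buf[pos] ^= 1 << rng.randrange(8)
    elif strategy == 1:
        buf[pos] = rng.randrange(256)
    elif strategy == 2:
        del buf[pos:]
    else:
        buf.insert(pos, rng.randrange(256))
    return bytes(buf)


def fuzz(parser, seed: bytes, iterations: int, rng_seed: int = 1):
    """Run `parser` over `iterations` variants; anything but success or FormatError counts as a crash."""
    rng = random.Random(rng_seed)                        # fixed seed so a run is reproducible
    outcomes = {"ok": 0, "rejected": 0, "crash": 0}
    crashes = {}                                         # exception type -> first input that triggered it
    for _ in range(iterations):
        variant = mutate(seed, rng)
        try:
            parser(variant)
            outcomes["ok"] += 1
        except FormatError:
            outcomes["rejected"] += 1
        except Exception as exc:
            outcomes["crash"] += 1
            crashes.setdefault(type(exc).__name__, variant)
    return outcomes, crashes


if __name__ == "__main__":
    seed = build_seed([b"hello", b"x"])
    for name, parser in (("trusting parser", parse_records), ("hardened parser", parse_records_hardened)):
        outcomes, crashes = fuzz(parser, seed, 500)
        print(name, outcomes, {k: v.hex() for k, v in crashes.items()})
```

The crashes dictionary keeps the first input for each distinct failure so it can be replayed in a debugger, which is how a fuzzer's output is normally triaged. In a memory-unsafe language the same trusted-length pattern would be an out-of-bounds read rather than a caught Python exception, which is why a harness that only looks for process crashes still needs the application built with checks such as /GS and run under DEP.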

Page 18: Security Development Lifecycle Tools

Demo

Page 19: Security Development Lifecycle Tools
Page 20: Security Development Lifecycle Tools
Page 21: Security Development Lifecycle Tools

References

Download: http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=b2307ca4-638f-4641-9946-dc0a5abe8513

Links:

http://www.microsoft.com/security/sdl/default.aspx

http://www.owasp.org/index.php/Fuzzing

http://www.sunilyadav.net/2011/02/minifuzz-file-fuzzer/

Page 22: Security Development Lifecycle Tools

Questions?