Security Development Lifecycle Tools

Security Development Lifecycle Tools by Sunil Yadav @ null Mumbai Meet, March, 2011

  1. Security Development Lifecycle Tools. Presentation by: Sunil Yadav
  2. Security Development Lifecycle. SDL is the process Microsoft uses to develop software; it defines security requirements and minimizes security-related issues. It is a software development security assurance process. SD3+C: Secure by Design, Secure by Default, Secure in Deployment, and Communications.
  3. A Security Framework: SD3+C
  4. SDL Phases
  5. SDL Tools: BinScope Binary Analyzer; SDL Regex Fuzzer; Code Analysis Tool (CAT.NET); MiniFuzz File Fuzzer
  6. BinScope Binary Analyzer. BinScope is a binary analyzer security tool that verifies that assemblies comply with SDL requirements and recommendations. BinScope performs the following security checks to test for weaknesses such as buffer overflow and data execution:
     Check/Flag: Description
     /GS: Prevents buffer overflow
     /SafeSEH: Ensures safe exception handling
     /NXCOMPAT: Ensures compatibility with Data Execution Prevention (DEP)
     /SNCHECK: Ensures unique key pairs and a strong integrity check
  7. Demo
  8. References. Download: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=90e6181c-5905-4799-826a-772eafd4440a
     Links: http://www.microsoft.com/security/sdl/adopt/tools.aspx
     http://technet.microsoft.com/en-us/library/ee672187.aspx
     http://www.sunilyadav.net/2011/03/binscope-binary-analyzer/
  9. SDL Regex Fuzzer. SDL Regex Fuzzer is a tool that helps test regular expressions for potential denial of service vulnerabilities. SDL Regex Fuzzer testing must be performed during the Microsoft Security Development Lifecycle (SDL) Verification Phase.
     Evil regular expressions: ([a-zA-Z]+)* ; (a|aa)+ ; (.*a){x} for x > 10 ; (a|aa)+
  10. Demo
  11. References. Download: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8737519c-52d3-4291-9034-caa71855451f
     Download SDL Tools: http://www.microsoft.com/security/sdl/getstarted/tools.aspx
     Links: http://blogs.msdn.com/b/sdl/archive/2010/10/12/new-tool-sdl-regexfuzzer.aspx
     http://msdn.microsoft.com/en-us/magazine/ff646973.aspx
     http://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
     http://www.sunilyadav.net/2011/02/sdl-regex-fuzzer/
  12. Code Analysis Tool (CAT.NET). Code Analysis Tool (CAT.NET) is a binary code analysis tool that helps identify common security flaws in managed code.
     Vulnerabilities detected: Cross Site Scripting (XSS); SQL Injection; Process Command Injection; File Canonicalization; Exception Information; LDAP Injection; XPath Injection; Redirection to User Controlled Site
  13. Demo
  14. References. Download: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0178E2EF-9DA8-445E-9348-C93F24CC9F9D
     http://www.microsoft.com/downloads/details.aspx?FamilyId=e0052bba-2d50-4214-b65b-37e5ef44f146
     Links: http://www.dotnetspark.com/kb/3824-code-analysis-tool-catnet.aspx
  15. MiniFuzz File Fuzzer. MiniFuzz helps detect security flaws that may expose vulnerabilities in an application's file-handling code. MiniFuzz takes a file as input and creates multiple variations of it to observe how the application behaves when handling different (malformed) file contents. MiniFuzz testing must be performed during the Microsoft Security Development Lifecycle (SDL) Verification Phase.
  16. Demo
  17. References. Download: http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=b2307ca4-638f-4641-9946-dc0a5abe8513
     Links: http://www.microsoft.com/security/sdl/default.aspx
     http://www.owasp.org/index.php/Fuzzing
     http://www.sunilyadav.net/2011/02/minifuzz-file-fuzzer/
  18. Questions?
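As an added example that is not part of the slides or of Microsoft's SDL Regex Fuzzer, the Python script below applies the fuzzer's idea to the two evil patterns quoted on slide 9: it feeds each regex an almost-matching input of growing length and flags patterns whose match time explodes with input size (Python's `re`, like the .NET engine, is a backtracking matcher). The probe input is constructed, and the names `attack_input`, `growth_per_doubling`, `is_redos_suspect` and `audit` are mine.

```python
import re
import timeit

# The "evil" patterns from slide 9, anchored the way an input validator would
# use them; the trailing anchor is what forces the expensive failure.
EVIL_PATTERNS = {
    "nested quantifier": r"^([a-zA-Z]+)*$",
    "overlapping alternation": r"^(a|aa)+$",
}
# Accepts the same strings as the first evil pattern but has only one way to match.
SAFE_PATTERN = r"^[a-zA-Z]+$"


def attack_input(n: int) -> str:
    """Constructed probe: n letters that almost match, then one character that
    forces a failure, so the engine backtracks over every way to split the letters."""
    return "a" * n + "!"


def match_seconds(pattern: str, text: str, repeats: int = 3) -> float:
    """Best-of-N wall-clock time for a single match attempt (min damps timer noise)."""
    rx = re.compile(pattern)
    return min(timeit.repeat(lambda: rx.match(text), number=1, repeat=repeats))


def growth_per_doubling(pattern: str, n: int = 10) -> float:
    """Match time at 2n divided by match time at n. A linear pattern stays near 1-2;
    catastrophic backtracking roughly squares the work, giving ratios in the hundreds."""
    return match_seconds(pattern, attack_input(2 * n)) / match_seconds(pattern, attack_input(n))


def is_redos_suspect(pattern: str, n: int = 10, threshold: float = 8.0) -> bool:
    """Flag a pattern whose cost grows super-linearly on the probe input.
    n=10 keeps the worst case here (2**19 backtracking paths) well under a second."""
    return growth_per_doubling(pattern, n) > threshold


def audit(patterns: dict) -> dict:
    """Run the probe over a set of named patterns; True means 'review this regex'."""
    return {name: is_redos_suspect(p) for name, p in patterns.items()}


if __name__ == "__main__":
    for name, flagged in audit({**EVIL_PATTERNS, "safe class": SAFE_PATTERN}).items():
        print(f"{name:25s} {'SUSPECT' if flagged else 'ok'}")
```

A flagged pattern is a candidate for rewriting without nested or overlapping quantifiers, or for a matching timeout, before it reaches the SDL Verification Phase.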