
Security Development Lifecycle Tools


Security Development Lifecycle Tools by Sunil Yadav @ null Mumbai Meet, March, 2011

Published in: Technology

Security Development Lifecycle Tools

  1. 1. Security Development Lifecycle Tools. Presentation by: Sunil Yadav
  2. 2. Security Development Lifecycle
       • SDL is the process used by Microsoft to develop software; it defines security requirements and minimizes security-related issues.
       • It is a software development security assurance process.
       • SD3+C: Secure by Design, Secure by Default, Secure in Deployment, and Communications
  3. 3. A Security Framework: SD3+C
  4. 4. SDL Phases
  5. 5. SDL Tools Binscope Binary Analyzer SDL Regex Fuzzer Code Analysis Tool (CAT.NET) Minifuzz File Fuzzer
  6. 6. Binscope Binary Analyzer Binscope is a binary analyzer security tool to ensure that the assemblies comply with SDL requirements and recommendations. Binscope performs the following security checks to test the weaknesses like buffer overflow, data execution etc. Check/Flag Description /GS Prevent buffer overflow /SafeSEH Ensures safe exception handling /NXCOMPAT Ensure compatibility with Data Execution Prevention(DEP) /SNCHECK Ensures unique key pairs and strong integrity check.
  7. 7. Demo
  8. 8. References Download http://www.microsoft.com/downloads/en/details.aspx?FamilyID =90e6181c-5905-4799-826a-772eafd4440a Linkshttp://www.microsoft.com/security/sdl/adopt/tools.aspxhttp://technet.microsoft.com/en-us/library/ee672187.aspxhttp://www.sunilyadav.net/2011/03/binscope-binary-analyzer/
  9. 9. SDL Regex Fuzzer SDL Regex Fuzzer is a tool to help test regular expressions for potential denial of service vulnerabilities SDL Regex Fuzzer testing must be performed during Microsoft security development lifecycle (SDL) Verification Phase. Evil Regular Expressions ([a-zA-Z]+)* (a|aa)+ (.*a){x} | for x > 10 (a|aa)+
  10. 10. Demo
  11. 11. References Download:http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8737519c52d3-4291-9034-caa71855451f Download SDL Tools:http://www.microsoft.com/security/sdl/getstarted/tools.aspx Links:http://blogs.msdn.com/b/sdl/archive/2010/10/12/new-tool-sdl-regexfuzzer.aspxhttp://msdn.microsoft.com/en-us/magazine/ff646973.aspxhttp://www.owasp.org/index.php/Regular_expression_Denial_of_Service__ReDoShttp://www.sunilyadav.net/2011/02/sdl-regex-fuzzer/
  12. 12. Code Analysis Tool (CAT.NET) Code Analysis Tool (CAT.NET) is a binary source code analysis tool that helps in identifying common security flaws in managed code VulnerabilityCross Site Scripting(XSS)SQL InjectionProcess Command InjectionFile CanonicalizationException InformationLDAP InjectionXPATH InjectionRedirection to User Controlled Site
  13. 13. Demo
  14. 14. References Downloadhttp://www.microsoft.com/downloads/en/details.aspx?FamilyID=0178E2EF-9DA8-445E-9348-C93F24CC9F9Dhttp://www.microsoft.com/downloads/details.aspx?FamilyId=e0052bba-2d50-4214-b65b-37e5ef44f146 Links :http://www.dotnetspark.com/kb/3824-code-analysis-tool-catnet.aspx
  15. 15. Minifuzz File Fuzzer Minifuzz tool helps in detecting security flaws that may expose application vulnerabilities in file handling code The Minifuzz tool accepts the file content and creates a multiple variations of the same file to identify the application behavior for handling different file formats Minifuzz testing must be performed during Microsoft security development lifecycle (SDL) Verification Phase.
  16. 16. Demo
  17. 17. References Downloadhttp://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=b2307ca4-638f-4641-9946-dc0a5abe8513 Links:http://www.microsoft.com/security/sdl/default.aspxhttp://www.owasp.org/index.php/Fuzzinghttp://www.sunilyadav.net/2011/02/minifuzz-file-fuzzer/
  18. 18. Questions?
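
An added example, not part of the original slides and not SDL Regex Fuzzer's own code: a small timing probe that runs the "evil" patterns from slide 9 against constructed non-matching inputs of growing length and reports the length at which one match exceeds a CPU-time budget. It assumes Python's backtracking `re` engine as a stand-in for whatever engine the application under test uses; `probe`, `report`, `SLIDE_PATTERNS`, `LINEAR_REWRITES`, the 0.05 s budget and x = 11 are choices made for this example.

```python
import re
import time

# Patterns listed on slide 9; x is set to 11 to satisfy "x > 10" (assumption).
SLIDE_PATTERNS = [r"([a-zA-Z]+)*", r"(a|aa)+", r"(.*a){11}"]

# Rewrites that accept the same strings without nested or overlapping
# repetition (written for this example, not taken from the slides).
LINEAR_REWRITES = {
    r"([a-zA-Z]+)*": r"[a-zA-Z]*",
    r"(a|aa)+": r"a+",
}


def probe(pattern, budget=0.05, max_len=64):
    """Return the shortest probe length at which one failed match used more
    than `budget` CPU-seconds, or None if every probe stayed under budget."""
    rx = re.compile(pattern)
    for n in range(8, max_len + 1):
        # Constructed input: a run the pattern accepts followed by one
        # character it rejects, so a backtracking engine has to try every
        # way of splitting the run before it can report "no match".
        subject = "a" * n + "!"
        start = time.process_time()  # CPU time, unaffected by scheduling
        rx.fullmatch(subject)
        if time.process_time() - start > budget:
            return n  # stop here: longer inputs would only take longer
    return None


def report(patterns):
    """Map each pattern to its probe() result."""
    return {p: probe(p) for p in patterns}


if __name__ == "__main__":
    for pat, hit in report(SLIDE_PATTERNS).items():
        status = f"over budget at length {hit}" if hit else "within budget"
        print(f"{pat!r:20} {status}")
    for bad, good in LINEAR_REWRITES.items():
        print(f"{bad!r} -> {good!r}: {probe(good) or 'within budget'}")
```

A pattern that goes over budget on inputs of a few dozen characters is a candidate for rewriting or for a match timeout before it is exposed to untrusted input.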
