Requirements Tools
View descriptions to determine the expertise needed to appropriately use the tools in the Requirements phase. Members of the SDL Pro Network offer security tools and associated services to help you perform SDL security activities.
SDL Process Template
The SDL Process Template for Visual Studio Team System (VSTS) 2008 is a downloadable template that automatically integrates the policy, process, and tools associated with the Microsoft SDL Process Guidance version 4.1 directly into your VSTS software development environment. It eases adoption of the SDL, enables auditable security requirements and status, and demonstrates security return on investment in a framework that is familiar to developers, testers, and program managers. For more information, click here.
MSF-Agile + SDL Process Template for Visual Studio Team System
The MSF-Agile+SDL Process Template is a downloadable template that integrates the policy, process, and tools of the SDL for Agile Development guidance into the familiar Microsoft Solution Framework (MSF) for Agile Software Development (MSF-Agile) Process Template that ships with Visual Studio Team System (VSTS). The MSF-Agile+SDL Process Template is similar to the SDL Process Template, but is more suitable for projects following an Agile development methodology. The MSF-Agile+SDL Process Template can be used either with VSTS (or Team Foundation Server) 2008 or 2010. For more information, click here.
Design Tools
View descriptions to determine the expertise needed to appropriately use the tools in the Design phase. Members of the SDL Pro Network offer security tools and associated services to help you perform SDL security activities.
SDL Threat Modeling Tool version 3.1.8
The SDL Threat Modeling Tool enables non-security subject matter experts to create and analyze threat models by communicating about the security design of their systems, analyzing those designs for potential security issues using a proven methodology, and suggesting and managing mitigations for security issues. For more information, click here.
Version 3.1.8 provides support for Visio 2010 and fixes bugs reported during the beta feedback period.
Implementation Tools
View descriptions to determine the expertise needed to appropriately use the tools in the Implementation phase. Members of the SDL Pro Network offer security tools and associated services to help you perform SDL security activities.
banned.h
The banned.h header file is a sanitizing resource that supports the SDL requirement to remove banned functions from code. It lists all banned APIs and allows any developer to locate them in code.
Code Analysis for C/C++
Code Analysis for C/C++ is a static analyzer that is provided with the installation of Visual Studio Team System Development Edition or Visual Studio Team Suite and helps detect and correct code defects. It plows through source code one function at a time, and looks for C/C++ coding patterns and incorrect code usage that may indicate a programming error.
SiteLock ATL Template
The SiteLock Active Template Library (ATL) template enables ActiveX control developers to restrict the use of an ActiveX control to a predetermined list of domain names or security zones. This limits the ability of other Web pages to reuse the control. For example, you can use the SiteLock template to ensure that an ActiveX control developed for use within your Local Intranet cannot be used by pages in the Internet zone. This helps reduce the attack surface presented by your control -- even if it contains a security vulnerability, that vulnerability cannot be exploited by pages on the Internet because your control will refuse to run outside of your Local Intranet.
Anti-Cross Site Scripting (Anti-XSS) Library
The Anti-XSS library is specifically designed to help mitigate the potential of Cross-Site Scripting (XSS) attacks in web-based applications. This version also includes the Security Runtime Engine (SRE), which runs as an HTTP module to provide a level of protection against XSS without the need to recompile the application.
FxCop
FxCop is a static analyzer. It analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements. FxCop is intended for class library developers. However, anyone creating applications that should comply with the .NET Framework best practices will benefit.
Click here for more information.
Microsoft Code Analysis Tool .NET (CAT.NET)
CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection, and XPath Injection. The tool analyzes compiled .NET binaries and can run as a plug-in for Visual Studio 2005/2008, as an FxCop custom rule, as an MSBuild custom task, or from the command line.
Verification Tools
View descriptions to determine the expertise needed to appropriately use the tools during the Verification phase. Members of the SDL Pro Network offer security tools and associated services to help you perform SDL security activities.
BinScope Binary Analyzer
BinScope Binary Analyzer is a verification tool that analyzes binaries to ensure that they have been built in compliance with the SDL requirements and recommendations. BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, and up-to-date build tools are in place. BinScope also reports on dangerous constructs that are prohibited or discouraged by the SDL (for example, read/write shared sections and global function pointers). BinScope is available as a standalone executable or as a Visual Studio add-on.
SDL Regex Fuzzer
SDL Regex Fuzzer is a verification tool to help test regular expressions for potential denial of service vulnerabilities. Regular expression patterns containing certain clauses that execute in exponential time (for example, grouping clauses containing repetition that are themselves repeated) can be exploited by attackers to cause a denial-of-service (DoS) condition. SDL Regex Fuzzer integrates with the SDL Process Template and the MSF-Agile+SDL Process Template to help users track and eliminate any detected regex vulnerabilities in their projects.
SDL MiniFuzz File Fuzzer
MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to exercise the code in an attempt to expose unexpected and potentially insecure application behaviors.
Attack Surface Analyzer
Attack Surface Analyzer is a tool that highlights the changes in system state, runtime parameters and securable objects on the Windows operating system. It allows you to take snapshots of your system and compare them, enabling you to detect changes such as additional files, registry keys, services, ActiveX controls, listening ports, access control lists, and other parameters that affect a computer’s attack surface. For more information see Improving Security Using Attack Surface Analyzer.
Application Verifier
Application Verifier is a runtime verification tool for native code that assists in finding subtle programming errors that can be difficult to identify with normal application testing. For more information, click here.
Release Tools
View descriptions to determine the expertise needed to appropriately use the tools in the Release phase. Members of the SDL Pro Network offer security tools and associated services to help you perform SDL security activities.
SDL Process Template
The SDL Process Template for Visual Studio Team System (VSTS) 2008 is a downloadable template that automatically integrates the policy, process, and tools associated with Microsoft SDL Process Guidance version 4.1 directly into your VSTS software development environment. It eases adoption of the SDL, enables auditable security requirements and status, and demonstrates security return on investment in a framework that is familiar to developers, testers, and program managers. For more information, click here.
MSF-Agile + SDL Process Template for Visual Studio Team System
The MSF-Agile+SDL Process Template is a downloadable template that integrates the policy, process, and tools of the SDL for Agile Development guidance into the familiar Microsoft Solution Framework (MSF) for Agile Software Development (MSF-Agile) Process Template that ships with Visual Studio Team System (VSTS). The MSF-Agile+SDL Process Template is similar to the SDL Process Template, but is more suitable for projects following an Agile development methodology. The MSF-Agile+SDL Process Template can be used either with VSTS (or Team Foundation Server) 2008 or 2010. For more information, click here.