2. Security Development Lifecycle
SDL is the process Microsoft uses to develop software; it
defines security requirements and minimizes security-related
issues.
Software development security assurance process
SD3+C – Secure by Design, Secure by Default, Secure in
Deployment, and Communications
6. Binscope Binary Analyzer
Binscope is a binary analyzer security tool to ensure that the
assemblies comply with SDL requirements and
recommendations.
Binscope performs the following security checks to test for
weaknesses such as buffer overflow, data execution, etc.
Check/Flag    Description
/GS           Prevent buffer overflow
/SafeSEH      Ensures safe exception handling
/NXCOMPAT     Ensure compatibility with Data Execution Prevention (DEP)
/SNCHECK      Ensures unique key pairs and strong integrity check
10. SDL Regex Fuzzer
SDL Regex Fuzzer is a tool that helps test regular expressions
for potential denial-of-service vulnerabilities.
SDL Regex Fuzzer testing must be performed during the
Microsoft Security Development Lifecycle (SDL) Verification
Phase.
Evil Regular Expressions
([a-zA-Z]+)*
(a|aa)+
(.*a){x}  (for x > 10)
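Added example, not part of the original slides and not SDL Regex Fuzzer's own code: a minimal Python probe in the same spirit, which feeds each pattern constructed inputs that almost match and flags the pattern when matching exceeds a time budget. It assumes Python's backtracking re engine as a stand-in for the .NET engine the tool targets; the function names, probe lengths and 2-second budget are illustrative choices.

```python
import subprocess
import sys

# Assumption: Python's backtracking `re` engine stands in for the .NET engine.
# The match runs in a child process so a runaway match can be killed.
_CHILD = "import re, sys; re.fullmatch(sys.argv[1], sys.argv[2])"

# Patterns from the slide; x = 11 is one instance of "x > 10".
EVIL_PATTERNS = [r"([a-zA-Z]+)*", r"(a|aa)+", r"(.*a){11}"]


def probe_inputs(lengths=(10, 25, 50)):
    """Constructed inputs: a run of matching characters plus one trailing
    character that makes the overall match fail, which forces a backtracking
    engine to try every way of splitting the run before giving up."""
    return ["a" * n + "!" for n in lengths]


def exceeds_budget(pattern, text, budget_s=2.0):
    """Return True if a full match does not finish within budget_s seconds."""
    try:
        subprocess.run([sys.executable, "-c", _CHILD, pattern, text],
                       timeout=budget_s, check=True)
    except subprocess.TimeoutExpired:
        return True
    return False


def fuzz_regex(pattern, budget_s=2.0):
    """Return the first probe that exhausts the budget, or None if all finish."""
    for text in probe_inputs():
        if exceeds_budget(pattern, text, budget_s):
            return text
    return None


if __name__ == "__main__":
    # The last pattern is a linear-time control added for comparison.
    for pat in EVIL_PATTERNS + [r"[a-zA-Z]+"]:
        hit = fuzz_regex(pat)
        verdict = f"exceeds budget at input length {len(hit)}" if hit else "ok"
        print(f"{pat!r}: {verdict}")
```

A pattern that is flagged should be rewritten without nested or overlapping repetition, or evaluated with a match timeout, before it is used on untrusted input.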
13. Code Analysis Tool (CAT.NET)
Code Analysis Tool (CAT.NET) is a binary source code
analysis tool that helps in identifying common security flaws
in managed code.
Vulnerability
Cross Site Scripting (XSS)
SQL Injection
Process Command Injection
File Canonicalization
Exception Information
LDAP Injection
XPATH Injection
Redirection to User Controlled Site
17. Minifuzz File Fuzzer
The Minifuzz tool helps in detecting security flaws that may
expose application vulnerabilities in file handling code.
The Minifuzz tool accepts the file content and creates
multiple variations of the same file to identify the application
behavior for handling different file formats.
Minifuzz testing must be performed during the Microsoft Security
Development Lifecycle (SDL) Verification Phase.