Security Development Lifecycle Tools by Sunil Yadav @ null Mumbai Meet, March, 2011

1. Security Development
Lifecycle Tools
Presentation By : Sunil Yadav

2. Security Development Lifecycle
 SDL process used by Microsoft to develop software, that
defines security requirements and minimizes security related
issues.
 Software development security assurance process
 SD3+C – Secure by Design, Secure by Default, Secure in
Deployment, and Communications

3. A Security Framework
SD3+C

4. SDL Phases

5. SDL Tools
 Binscope Binary Analyzer
 SDL Regex Fuzzer
 Code Analysis Tool (CAT.NET)
 Minifuzz File Fuzzer

6. Binscope Binary Analyzer
 Binscope is a binary analyzer security tool to ensure that the
assemblies comply with SDL requirements and
recommendations.
 Binscope performs the following security checks to test the
weaknesses like buffer overflow, data execution etc.
Check/Flag Description
/GS Prevent buffer overflow
/SafeSEH Ensures safe exception handling
/NXCOMPAT Ensure compatibility with Data
Execution Prevention(DEP)
/SNCHECK Ensures unique key pairs and
strong integrity check.

7. Demo

9. References
 Download
http://www.microsoft.com/downloads/en/details.aspx?FamilyID
=90e6181c-5905-4799-826a-772eafd4440a
 Links
http://www.microsoft.com/security/sdl/adopt/tools.aspx
http://technet.microsoft.com/en-us/library/ee672187.aspx
http://www.sunilyadav.net/2011/03/binscope-binary-analyzer/

10. SDL Regex Fuzzer
 SDL Regex Fuzzer is a tool to help test regular expressions
for potential denial of service vulnerabilities
 SDL Regex Fuzzer testing must be performed during
Microsoft security development lifecycle (SDL) Verification
Phase.
Evil Regular Expressions
([a-zA-Z]+)*
(a|aa)+
(.*a){x} | for x > 10
(a|aa)+

11. Demo

12. References
 Download:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8737519c52d3-4291-
9034-caa71855451f
 Download SDL Tools:
http://www.microsoft.com/security/sdl/getstarted/tools.aspx
 Links:
http://blogs.msdn.com/b/sdl/archive/2010/10/12/new-tool-sdl-regexfuzzer.aspx
http://msdn.microsoft.com/en-us/magazine/ff646973.aspx
http://www.owasp.org/index.php/Regular_expression_Denial_of_Service__ReDoS
http://www.sunilyadav.net/2011/02/sdl-regex-fuzzer/

13. Code Analysis Tool (CAT.NET)
 Code Analysis Tool (CAT.NET) is a binary source code
analysis tool that helps in identifying common security flaws
in managed code
Vulnerability
Cross Site Scripting(XSS)
SQL Injection
Process Command Injection
File Canonicalization
Exception Information
LDAP Injection
XPATH Injection
Redirection to User Controlled Site

14. Demo

16. References
 Download
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0178E2EF-
9DA8-445E-9348-C93F24CC9F9D
http://www.microsoft.com/downloads/details.aspx?FamilyId=e0052bba-
2d50-4214-b65b-37e5ef44f146
 Links :
http://www.dotnetspark.com/kb/3824-code-analysis-tool-catnet.aspx

17. Minifuzz File Fuzzer
 Minifuzz tool helps in detecting security flaws that may
expose application vulnerabilities in file handling code
 The Minifuzz tool accepts the file content and creates a
multiple variations of the same file to identify the application
behavior for handling different file formats
 Minifuzz testing must be performed during Microsoft security
development lifecycle (SDL) Verification Phase.

18. Demo

21. References
 Download
http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&
FamilyID=b2307ca4-638f-4641-9946-dc0a5abe8513
 Links:
http://www.microsoft.com/security/sdl/default.aspx
http://www.owasp.org/index.php/Fuzzing
http://www.sunilyadav.net/2011/02/minifuzz-file-fuzzer/

22. Questions?