Attack Surface Analyzer Verifies Your Application for Security Issues

  • Article

imageMicrosoft has released Attack Surface Analyzer. It is a Software Development Lifecycle verification tool for developers and IT professionals to identify whether newly developed or installed applications inadvertently change the attack surface of a Microsoft operating system.

Attack Surface Analyzer is the same tool used by Microsoft's internal product teams to catalogue changes made to the operating system by the installation of new software.

Attack Surface Analyzer takes a snapshot of your system state before and after the installation of product(s) and displays the changes to a number of key elements of the Windows attack surface.

This allows:

  • Developers to view changes in the attack surface resulting from the introduction of their code on to the Windows platform
  • IT Professionals to assess the aggregate Attack Surface change by the installation of an organization's line of business applications
  • IT Security Auditors evaluate the risk of a particular piece of software installed on the Windows platform during threat risk reviews
  • IT Security Incident Responders to gain a better understanding of the state of a systems security during investigations (if a baseline scan was taken of the system during the deployment phase)

The free tool is downloadable from Attack Surface Analyzer – Beta Download.

About Security Development Lifecycle

Security Development Lifecycle (or SDL), a process that Microsoft has adopted for the development of software that needs to withstand malicious attack. The process encompasses the addition of a series of security-focused activities and deliverables to each of the phases of Microsoft's software development process. These activities and deliverables include the development of threat models during software design, the use of static analysis code-scanning tools during implementation, and the conduct of code reviews and security testing during a focused "security push." Before software subject to the SDL can be released, it must undergo a Final Security Review by a team independent from its development group. When compared to software that has not been subject to the SDL, software that has undergone the SDL has experienced a significantly reduced rate of external discovery of security vulnerabilities. See The Trustworthy Computing Security Development Lifecycle.

  • The SDL helps developers build more secure software and protect end-users. Learn more.
  • The SDL helps reduce the total cost of development. Learn more.

Threat Modeling and BinScope Binary Analyzer, tools to enhance developer usability, are also being updated. These tools also are free and are accessible at Sottware Development Lifecycle. The threat modeling tool offers guidance on building and analyzing threat models, while the binary analyzer checks binaries to ensure they were built based on SDL requirements and recommendations.

A Microsoft consulting services option pertaining to SDL is being offered beginning in February 11. The goal is to improve software security and reduce both customer risk and costs of development. Services are being offered by the Microsoft Services group.