Microsoft is definitely the leading software developer today. With the inclusion of windows machines for various high budget purposes, the need for security is inevitable. The faster the technologies are developing. The downside of technology and Software are developing in the form of virus’, malwares etc. Each day, new virus’ are created. The security system needs to be up to the task to survive that attacks. Microsoft has released a new software tool to help developers write secure applications by highlighting the system changes created when their wares are installed on Windows machines. The Attack Surface Analyzer, released on Tuesday, is a free verification tool that analyzes the changes in system state, run time parameters and securable objects in the Windows operating system. The tool, which was released as part of Microsoft’s Secure Development Lifecycle, takes snapshots of a system and compares the results before and after an application is installed. It then identifies resulting classes of security weaknesses.
Microsoft’s principal security program manager David Ladd mentioned that, the tool also gives an overview of the changes to the system Microsoft considers important to the security of the platform and highlights these in the attack surface report. Among the checks performed are analysis of changed or newly added files, registry keys, services, ActiveX controls, listening ports, and access control lists. It’s available for free, for now as a beta so that Microsoft can collect feedback from users.
Attack Surface Analyzer was one of several security tools Microsoft released at this week’s Black Hat Security Conference in Washington, DC. Redmond also published the next version of its SDL Threat Modeling Tool that’s used to assess whether applications under development meets security and privacy guidelines. It now works with Microsoft Visio 2010. The software company also released version 1.2 of the SDL Binscope Binary Analyzer, a verification tool that analyzes binaries on a project – wide level to insure they comply with SDL requirements.
The new offerings add to a growing roster of free security apps Microsoft makes available for free to developers. Other tools include version 2 of EMET, short for Enhanced Mitigation Experience Toolkit. It is used to add security measures such a Data Execution Prevention and Address Space Layout Randomization to older applications and operating systems, such as Internet Explorer 6 and Windows XP. Other apps include the Microsoft Solutions Framework, exploitable Crash Analyzer, and the Microsoft MiniFuzz fuzzer tool. Tuesday’s additions come as vulnerability tracking service Secunia reported that failure to apply third-party patches – as opposed to updates from Microsoft – is almost exclusively responsible for the growing exposure of Windows machines to security threats.
Protecting the system from harmful programs are a must. Solutions for better security definitely lie in the design of the software. Most commercial systems fall in a ‘low security’ category because they rely on features not supported by secure operating systems. In commercial environments, the majority of software subversion vulnerabilities result from a few known kinds of coding defects. Common software defects include buffer overflows, format string vulnerabilities, integer overflow, and code/command injection. It is to be immediately noted that all of the foregoing are specific instances of a general class of attacks, where situations in which putative ‘data’ actually contains implicit or explicit, executable instructions are cleverly exploited. With the current technology and Operating System feature, implementing a secured system is not farfetched.