Microsoft’s Attack Surface Analyzer is an SDL verification tool that developers and IT professionals can use to identify whether newly developed or installed applications inadvertently change the attack surface of a Microsoft operating system. The free tool is downloadable from Microsoft’s website and is the same tool used by internal Microsoft product development teams.
Can’t wait to get home and download this tool, and see what it can do. Microsoft will offer consulting services pertaining to SDL beginning in February. The goal is to improve software security and reduce both customer risk and costs of development. Other free tools (SDL BinScope Binary Analyzer, SDL Threat Modeling Tool) were also updated.
Microsoft is also releasing a report it commissioned from Forrester Consulting, entitled “State of Application Security,” studying the current state of application development practices and investigating the potential return on investment by incorporating holistic security methodologies into product development life cycles. The findings in the report validate the notion that addressing security early makes good business sense. You can find a copy of the report on the Microsoft Download Center.