Patrick Lambert gives an overview of the Microsoft Attack Surface Analyzer, which helps IT pros assess the risks of new applications and deployments on their systems.
As IT pros or managers, we often have to deal with the deployment of new software solutions on a large number of systems. If you download and install a new application on your desktop, you always want to make sure it doesn't contain any malware and won't open any potential security hole, even if it's by accident. But if you deploy that application to hundreds or thousands of computers, then that new security issue becomes much more dangerous. It's important to know what the impact will be on your system of any new installation or patch. This is why Microsoft is offering a new tool called the Attack Surface Analyzer.
Microsoft started working on this new product last year, and recently it came out of beta. Now, anyone can download version 1.0 for free. The way the company describes it, its primary aim is to help software developers discover any vulnerabilities in their applications before they are deployed in an environment and prevent any negative consequences. But it's a great tool for IT pros to use as well, to assess the risks of any new application. First, you run the tool on a known good system, which ends up being your baseline scan. It will create a CAB file which contains all kinds of information, from which ports are open, to how many registry keys are on the system, to whether the Windows firewall is on. Then, you can install the product you want to test, and run another scan, which will be your product scan. The tool will create another CAB file, and you'll be able to generate a report that tells you exactly what changed.
Checking system data
Even if you get software from trusted sources, you never know exactly what the impact of a new product will be on your system. With the Microsoft Attack Surface Analyzer, you can make sure you know exactly how your attack surface is going to be impacted by a new installation. The tool itself is easy to use and the on-screen instructions are clear.
Security Development Lifecycle
In addition to the Attack Surface Analyzer, Microsoft's Security Development Lifecycle initiative also aims to help developers create more secure products by following more rigorous security practices in seven areas: training, requirements, design, implementation, verification, release, and response. It starts with proper training, where new developers should not only be trained on how to write code, but how to think about security every step of the way, instead of leaving that as an afterthought for QA to worry about. The next step is establishing proper security requirements and what assessment will be in place to find potential issues, then the design step where an attack surface is processed and a threat model established. The implementation phase includes several things like avoiding unsafe functions, using known secure tools and doing constant analysis. Verification includes fuzz testing and dynamic analysis, and finally the release phase has to include an incident response plan and a final security review.
On SQL Server for example, Microsoft has had a 91% reduction in vulnerabilities disclosed one year after the release of a new version, after they started using the SDL model.