I wanted to write a quick post to let you know of an interesting new tool that Microsoft is releasing at Blackhat DC.
Microsoft has required attack surface validation of applications prior to release for years – however assessing the attack surface of an application or software platform can be an intimidating process at first glance.
To help ease the process, we are releasing a tool called Attack Surface Analyzer to assist both testers and IT Pros in assessing the security of an application. The Attack Surface Analyzer is being released as a beta – to allow us time to gather feedback and real world usage data from our customers.
We have a number of folks from our team at Blackhat, including Jeremy Dallman, Solomon Lukie and Meng Li who will be in the Microsoft booth talking with customers about the SDL and demoing the tool. Solomon will follow up with detailed blog posts about Attack Surface Analyzer at a later date, but in the meantime, here is a brief description of the tool and its intended use:
The Attack Surface Analyzer beta is a Microsoft verification tool now available for ISVs and IT professionals to highlight the changes in system state, runtime parameters and securable objects on the Windows operating system. This analysis helps developers, testers and IT professionals identify increases in the attack surface caused by installing applications on a machine.
The tool takes snapshots of an organization’s system and compares (“diffing”) these to identify changes. The tool does not analyze a system based on signatures or known vulnerabilities; instead, it looks for classes of security weaknesses as applications are installed on the Windows operating system.
The tool also gives an overview of the changes to the system Microsoft considers important to the security of the platform and highlights these in the attack surface report. The Microsoft Security Development Lifecycle (SDL) requires development teams to define a given product’s default and maximum attack surface during the design phase to reduce the likelihood of exploitation wherever possible. Additional information can be found in the Measuring Relative Attack Surface paper.
Some of the checks performed by the tool include analysis of changed or newly added files, registry keys, services, ActiveX Controls, listening ports, access control lists and other parameters that affect a computer’s attack surface.
The Attack Surface Analyzer beta will be released for download Jan. 18, 2011, in conjunction with a number of updates to other Microsoft SDL tools, at Black Hat DC. The tool is available at no cost. More information on Attack Surface Analyzer beta by Microsoft and other tools supporting the Microsoft SDL is available at http://www.microsoft.com/security/sdl/getstarted/tools.aspx.
I’d encourage people to download the tool, and if you happen to be at Blackhat DC, swing by the Microsoft booth and take a look for yourself.