In addition to the Attack Surface Analyzer release at Blackhat DC, we have a variety of other releases to announce.
First, we are releasing the next version of the Microsoft SDL Threat Modeling Tool, as a beta. Consistent with the previous release of the tool, version 3.1.6 allows for early and structured analysis and proactive mitigation of potential security and privacy issues in new and existing applications. The Microsoft SDL Threat Modeling Tool beta is enhanced to support Microsoft Visio 2010 for diagram design and also contains bug fixes reported to Microsoft by members of the security developer community. The beta period is in place to solicit community feedback on the tool. The final version will ship in fall 2011. The tool is available for download at no cost. More information about the Microsoft SDL Threat Modeling Tool beta and a video demo are available at http://www.microsoft.com/sdl.
Next, we are also releasing the next version of the SDL Binscope Binary Analyzer – BinScope Binary Analyzer 1.2 is a Microsoft verification tool that analyzes binaries on a project-wide level to ensure they have been built in compliance with Microsoft Security Development Lifecycle (SDL) requirements and recommendations. Binscope Binary Analyzer now supports Visual Studio 2010, making validation tasks readily available in the development environment. In addition, it integrates with Microsoft Team Foundation Server 2008 and Microsoft Team Foundation Server 2010 to output results into work items. The BinScope tool is available in two forms: a stand-alone version and as noted above, an add-on that integrates fully with Visual Studio. Both versions of the tool will be made available for download on Jan. 18, 2011, on the SDL tools website and the Microsoft Download Center. The tool is available at no cost.
In addition to our tools releases, I am pleased to note that on Feb. 21, 2011, Microsoft Services will begin offering Security Development Lifecycle (SDL) consulting services for customers that want Microsoft involvement in their adoption of the Microsoft SDL. The services include a variety of training and guidance on the various aspects of the SDL. This is a paid consulting service and prices will vary according to the extent of Microsoft’s consulting involvement. You can learn more about Microsoft Services at: http://www.microsoft.com/microsoftservices
Finally, we have been working with Forrester Research on a research report that investigates the potential return on investment by incorporating holistic security methodologies into the product development life cycle. There are a lot of interesting findings in the report that help validate the notion that addressing security early makes good business sense. You can find a copy of the report on the Microsoft Download Center.
Again, there are a lot of folks from our team at the Blackhat DC event, if you’d like to know more about any or all of these releases, we’d be happy to chat.