Microsoft Secure Development Lifecycle Tools Repository

The Microsoft Security Development Lifecycle (SDL) Tools Repository: The following security-related tools are required or recommended for use as part of the SDL. For details on how these tools fit into the SDL, please refer to the SDL process guidance section of this Web site. The tools are available for free download from the Microsoft download center. The following table briefly describes each of the tools and provides a link to its location.
 
SDL Threat Modeling Tool v3
This tool allows non-security subject matter experts (SMEs) to enter already-known information, including business requirements and application architecture, which is then used to produce a feature-rich threat model.
Design
Threat Modeling

FxCop
FxCop is an application that analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements.
FxCop is intended for class library developers. However, anyone creating applications that should comply with the .NET Framework best practices will benefit.
Implementation
Static Analysis

SiteLock
SiteLock enables an ActiveX developer to restrict access to a control to a predetermined list of domains, or for a certain length of time. It includes a simple utility that displays the site list and expiration date of a site-locked control.
The SiteLock ATL template enables an ActiveX developer to restrict access so that a control is only deemed safe when used in a predetermined list of domains. This limits the ability of Web page authors to reuse the control for malicious purposes.
Implementation
Best Practices

Code Analysis for C/C++ (/analyze in Visual Studio)
A static analysis tool that plows through source code one function at a time, and looks for C/C++ coding patterns and incorrect code usage that may indicate a programming error.
Implementation
Static Analysis

Anti-Cross Site Scripting (Anti-XSS) v3 BETA
The Anti-XSS v3 BETA package contains the Anti-XSS .NET library, which is specifically designed to help mitigate the potential of Cross-Site Scripting (XSS) attacks in Web-based applications. This latest version of Anti-XSS, v3, also includes the Security Runtime Engine (SRE), which runs as an HTTP module to provide a level of protection against XSS without the need to recompile the application.
Implementation
Security Libraries

Code Analysis Tool .NET (CAT.NET) v1 CTP
CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection. The tool analyzes compiled .NET binaries and can function as a plug-in for Visual Studio 2005/2008, as an FxCop custom rule, as an MSBuild custom task, or through the command line prompt.
CAT.NET 32-bit
CAT.NET 64-bit
Implementation
Binary Analysis

Banned.h
The banned.h header file is a sanitizing resource that supports the SDL requirement to remove banned functions from code. It lists all banned APIs and allows any developer to locate them in code.
Implementation
Code sample / Best Practices

Microsoft Application Verifier
Application Verifier is a runtime verification tool for unmanaged code that assists in quickly finding subtle programming errors that can be extremely difficult to identify with normal application testing. Application Verifier is designed specifically to detect and help debug memory corruptions and critical security vulnerabilities.
Verification
Dynamic Runtime