Writing Windows or Linux apps? Microsoft just launched a cloud-powered bug hunter to find the flaws in your code


Microsoft has unveiled a new bug hunting tool, dubbed Microsoft Security Risk Detection, that is built to help customers find and eliminate bugs before attackers can seize on them.

The tool, which provides so-called fuzz testing, has been under development for over a decade at Microsoft Research under the “Project Springfield” moniker. Fuzz testing feeds a program large volumes of malformed or unexpected input in an attempt to crash it, surfacing potentially exploitable bugs in the code that parses that input. Microsoft has used the technology to find critical bugs in Windows and Office before releasing updates.
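The mechanics described above in miniature, as an added illustration that is not code from Microsoft Security Risk Detection or any Microsoft project: a constructed length-prefixed record parser with a deliberate trust-the-length bug, a seed-based mutational fuzzer, an oracle that separates expected input rejection (ValueError) from unexpected crashes (anything else, the Python stand-in for a native segfault), and a greedy test-case minimizer. The format, function names and seed corpus are all hypothetical.

```python
"""Minimal mutation-based fuzzer (added example, not Microsoft's tool)."""
import random
import struct


def parse_record(data: bytes) -> bytes:
    """Constructed target: 1 byte version, 2 byte big-endian length,
    payload, 1 byte checksum. Deliberate bug: the length field is trusted,
    so a length larger than the remaining input reads past the end."""
    if len(data) < 4:
        raise ValueError("too short")
    if data[0] != 1:
        raise ValueError("bad version")
    length = struct.unpack(">H", data[1:3])[0]
    payload = data[3:3 + length]
    checksum = data[3 + length]  # BUG: IndexError when length overruns input
    if sum(payload) & 0xFF != checksum:
        raise ValueError("bad checksum")
    return payload


# Constructed seed: version 1, length 3, payload "abc", checksum 0x26.
SEED = b"\x01\x00\x03abc\x26"

# Exceptions the parser is *supposed* to raise on bad input; anything else
# is treated as a crash, the way a native fuzzer treats a signal.
EXPECTED = (ValueError,)


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random byte-level mutations to a seed input."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and data:      # flip one bit
            i = rng.randrange(len(data))
            data[i] ^= 1 << rng.randrange(8)
        elif op == 1 and data:    # overwrite with an "interesting" byte
            data[rng.randrange(len(data))] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
        elif op == 2 and data:    # delete a byte (shifts the length field's view)
            del data[rng.randrange(len(data))]
        else:                     # insert a random byte
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)


def fuzz(target, seeds, iterations=2000, seed=0):
    """Run the target on mutated seeds; return {(exc type, message): input}
    for each distinct unexpected exception, keeping the first trigger."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except EXPECTED:
            continue
        except Exception as exc:  # noqa: BLE001 - crash oracle
            crashes.setdefault((type(exc).__name__, str(exc)), case)
    return crashes


def minimize(target, case: bytes, exc_type) -> bytes:
    """Greedily delete single bytes while the same crash still reproduces."""
    def still_crashes(candidate: bytes) -> bool:
        try:
            target(candidate)
        except exc_type:
            return True
        except Exception:  # noqa: BLE001
            return False
        return False

    changed = True
    while changed:
        changed = False
        for i in range(len(case)):
            candidate = case[:i] + case[i + 1:]
            if still_crashes(candidate):
                case, changed = candidate, True
                break
    return case


if __name__ == "__main__":
    found = fuzz(parse_record, [SEED])
    for (name, msg), case in found.items():
        small = minimize(parse_record, case, IndexError if name == "IndexError" else Exception)
        print(f"{name}: {msg}; original {case!r}; minimized {small!r}")
```

The oracle is the part a practitioner has to get right: a fuzzer only reports what it can recognise as a failure, so inputs the parser rejects cleanly are not findings, while an uncaught IndexError here stands in for the out-of-bounds read a native parser would turn into a crash.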

These days, though, every organization is to some degree a software maker, and Microsoft Security Risk Detection is designed to extend the same capabilities to customers that build Windows-based applications.

Previously the technology was available to select customers and partners, but last year Microsoft flagged its intent to make Springfield a product and gave the Azure-hosted app wider exposure under a preview program.

The Azure service will be available for purchase through Microsoft Services this summer; Microsoft hasn’t revealed pricing.

“The tool is designed to catch the vulnerabilities before the software goes out the door, saving companies the heartache of having to patch a bug, deal with crashes or respond to an attack after it has been released,” Microsoft said in a blogpost.

The company has also launched a preview program for fuzz-testing Linux applications.

Google, a major advocate for fuzz-testing, recently released a fuzz-testing tool called OSS-Fuzz to help discover flaws in open source software. In May it boasted the tool had discovered over 1,000 bugs in just five months. It’s helped weed out a variety of memory and other bugs from projects like LibreOffice, SQLite, and OpenSSL.

Microsoft claims its paid-for Azure fuzzing service uniquely uses artificial intelligence to identify bugs by posing “what if” scenarios to narrow down likely culprits for a critical security bug. It can be used to probe a customer’s in-house developed software, modified off-the-shelf software, or open source software.

To use the service, customers install their app on an Azure-hosted virtual machine. Microsoft provides different fuzzers to exercise the customer’s code and identify bugs, which the customer then sets about fixing. Microsoft notes the service can be used to test website security, but the fuzzers aren’t designed to identify common web application flaws such as cross-site scripting: this style of fuzzing surfaces crashes and memory-safety bugs in input-handling code, not logic flaws in a web application.
