BALTIMORE -- No matter what your trade, you have tools to help you with your job. They may be essential tools or items that make your work a little easier. For IT professionals, the hard part is determining what ones should be in your toolbox.
Joe Stagner, Microsoft technical evangelist and developer community champion, opened up his bag of tricks at the recent Software Security Summit and shared with conference attendees tools he's found over the years that help secure applications.
"Tools always save more money than their cost," Stagner said. "The biggest problem is convincing management to buy them."
At Microsoft, however, management ordered the revamp of the software development life cycle and security tools were very much a part of that, he said.
"Microsoft has implemented tools in their software development life cycle and has reduced vulnerabilities by two-thirds," Stagner said. "We've done a bad job of advertising it, but we are having success."
But tools aren't a cure-all. They can't replace people and training, Stagner said. For example, developers at Microsoft all have to read Michael Howard's book Writing Secure Code (2nd edition), they all get training, and they all get annual updates to that training, he said.
The most important thing, Stagner said, is developers have to think like a bad guy. If you can do that, then you can think of the many ways a hacker will attack your software.
That said, Stagner laid out the tools and resources developers may want to consider adding to their toolboxes.
- Digital Blackbelt
- Microsoft Security Development Center
- Sun Java and Web services development courses
- Training from SPI Dynamics
- SANS Institute
- Software Security Summit
- AppDev Training
- Services from Cigital
- Microsoft's free threat-modeling tool: The tool has a guided wizard and helps you get started with the threat-modeling process.
Requirements analysis tools
Regular expression editors
Runtime testing tools
Code evaluation and analysis tools
- Security tools inside Visual Studio 2005: FX Cop, unit testing
- DevInspect from SPI Dynamics
- DevPartner Security Checker from Compuware
- Web Application Stress Tool from Microsoft
Authentication diagnostics tool