What's in your security toolbox?

By Michelle Davidson, Site Editor 14 Jun 2006 | SearchAppSecurity.com

Software quality news and advice Digg This!     StumbleUpon     Del.icio.us

BALTIMORE -- No matter what your trade, you have tools to help you with your job. They may be essential tools or items that make your work a little easier. For IT professionals, the hard part is determining what ones should be in your toolbox.

Joe Stagner, Microsoft technical evangelist and developer community champion, opened up his bag of tricks at the recent Software Security Summit and shared with conference attendees tools he's found over the years that help secure applications.

Tools always save more money than their cost. The biggest problem is convincing management to buy them. Joe Stagner Microsoft

"Tools always save more money than their cost," Stagner said. "The biggest problem is convincing management to buy them."

At Microsoft, however, management ordered the revamp of the software development life cycle and security tools were very much a part of that, he said.

"Microsoft has implemented tools in their software development life cycle and has reduced vulnerabilities by two-thirds," Stagner said. "We've done a bad job of advertising it, but we are having success."

But tools aren't a cure-all. They can't replace people and training, Stagner said. For example, developers at Microsoft all have to read Michael Howard's book Writing Secure Code (2nd edition), they all get training, and they all get annual updates to that training, he said.

The most important thing, Stagner said, is developers have to think like a bad guy. If you can do that, then you can think of the many ways a hacker will attack your software.

That said, Stagner laid out the tools and resources developers may want to consider adding to their toolboxes.

Training

• Digital Blackbelt
• Microsoft Security Development Center
• Sun Java and Web services development courses
• Training from SPI Dynamics
• SANS Institute
• Software Security Summit
• AppDev Training
• Services from Cigital

Threat modeling

• Microsoft's free threat-modeling tool: The tool has a guided wizard and helps you get started with the threat-modeling process.

Code writing

Requirements analysis tools

• Borland CaliberRM
• SteelTrace
• Serena RTM
• Rally

Regular expression editors

• ASP.NET has one built in
• Expresso from Ultrapico
• RegexBuddy from JG Soft

Vulnerability tracking

• OnTime Bug Tracking Software from Axosoft

Reverse engineering

• Reflector for .NET from Lutz Roeder

Runtime testing tools

• IDA Pro from DataRescue
• Holodeck from Security Innovation

Obfuscators

• Dotfuscator from Preemptive

Code evaluation and analysis tools

• Security tools inside Visual Studio 2005: FX Cop, unit testing
• DevInspect from SPI Dynamics
• DevPartner Security Checker from Compuware
• Web Application Stress Tool from Microsoft

Authentication diagnostics tool

• Authentication & Access Control Diagnostics 1.0 from Microsoft

Tags: Software security testing and techniques,  Software testing tools and frameworks,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Software security testing and techniques Web server weaknesses you don't want to overlook Using firewalls for software testing: Pros and cons Beating software's cross-site scripting, authentication problems Free Web proxy security tools software testers should get to know How to get management on board with Web 2.0 security issues Web application security best practices: Tips on implementation Testing strategies for complex environments How to make your software tamperproof Ways to approach application performance testing on a tight budget How can I tell if my software security has been breached? Software testing tools and frameworks Performance testing tools - Commercial, less expensive and free Software Testing Ezines New IBM Rational, Tivoli integrated tools pair development with IT STPCon: Do reality checks on performance test products, panelists advise Demo: Using WebGoat, a free software testing tool Getting answers about OpenSTA script problems Defining core software regression tests Selecting the best tool for stress and load testing Required prerequisites for performance testing Surgient 7's self-provisioning promises software testers quick IT resource access

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary JUnit  (SearchSoftwareQuality.com) NUnit  (SearchSoftwareQuality.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary