Friday 26 August 2011

SDL Tools TFS 2010 Update

Better, Late

Team Foundation Server 2010 takes credit for most of the just-released updates to Microsoft's SDL toolset:

Threat Modeling Tool v3.1.8

The main pre-coding system security analysis tool has been updated with a number of bug fixes, improving the stability of the product's Visio 2010 and TFS 2010 support. 6MB msi.

MiniFuzz Tool v1.5.5

This SDL verification phase helper has also benefited from several stability-related bug fixes, and improved control of target application shutdown. It too has had TFS 2010 support added. 2MB msi.

RegExFuzz Tool v1.1.0

H Beam Piper and John Scalzi's retro SF aside, this is my favourite little fuzzy. It checks regular expressions for a specific class of DoS attack: patterns with exponential evaluation times. The update again contains a number of bug fixes based on version 1 feedback. 2MB msi.

Unfortunately there are still a couple of unresolved known issues, albeit fairly minor ones. From the supplied documentation (ReadMe.rtf):

  1. The tool does not handle nested anchors in a regular expression. A regular expression can be assumed to start with ‘^’ and ended with ‘$’. If these tags or their variants are included in a target regular expression, the tool will throw an unhandled exception. The work-around is to break up the nested regular expression and test the resulting regular expressions individually.

  2. The tool requires that hexadecimal (‘\x’ prefix) characters within the regular expression be 2 characters. Those with a 0-padding assumed single character description will cause the tool to throw an unhandled exception. The work-around is to make all hexadecimal character descriptions two characters ‘\xCC’.
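
The kind of check described above for regular expressions with exponential evaluation times, as an added example (not RegExFuzz's own code or method): a toy backtracking matcher counts match attempts on a failing input at two lengths and flags patterns whose cost explodes. The function names, the `!` terminator, the 7/14 probe lengths and the threshold of 32 are assumptions; like the tool, it treats the pattern as anchored, and it supports only literals, `.`, groups, `+` and `*`.

```python
def parse(pat, i=0):
    """Parse literals, '.', groups and the + / * quantifiers into [(atom, quant)]."""
    items = []
    while i < len(pat) and pat[i] != ")":
        if pat[i] == "(":
            atom, i = parse(pat, i + 1)
            i += 1                          # step over the closing ')'
        else:
            atom, i = pat[i], i + 1
        quant = ""
        if i < len(pat) and pat[i] in "+*":
            quant, i = pat[i], i + 1
        items.append((atom, quant))
    return items, i

def count_steps(pattern, text):
    """Atom-match attempts a naive backtracking engine makes on an anchored match."""
    steps = 0
    def match_atom(atom, pos, cont):
        nonlocal steps
        steps += 1
        if isinstance(atom, list):          # a parenthesised group
            return match_seq(atom, 0, pos, cont)
        return pos < len(text) and atom in (".", text[pos]) and cont(pos + 1)
    def match_seq(items, k, pos, cont):
        if k == len(items):
            return cont(pos)
        atom, quant = items[k]
        rest = lambda p: match_seq(items, k + 1, p, cont)
        if not quant:
            return match_atom(atom, pos, rest)
        def repeat(p):                      # greedy: try one more repetition, else move on
            return match_atom(atom, p, lambda q: q > p and repeat(q)) or rest(p)
        return match_atom(atom, pos, repeat) if quant == "+" else repeat(pos)
    match_seq(parse(pattern)[0], 0, 0, lambda p: p == len(text))
    return steps

def is_exponential(pattern, probe="a", small=7, large=14, threshold=32):
    """Flag a pattern whose step count explodes when a failing input doubles in length."""
    lo = count_steps(pattern, probe * small + "!")   # trailing '!' forces the match to fail
    hi = count_steps(pattern, probe * large + "!")
    return hi / max(lo, 1) > threshold

if __name__ == "__main__":
    for pat in ("a+", "a*a*", "(a+)+", "(a*)*"):     # constructed sample patterns
        print(f"{pat!r:10} exponential={is_exponential(pat)}")
```

Doubling the input multiplies the work by about 2 for a linear pattern and about 4 for a quadratic one, so only super-polynomial growth clears the threshold.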
