Security Development Lifecycle resources

There are a bunch of new SDL resources available on the Microsoft Security Development Lifecycle page. For every step in the software development process (Requirements, Design, Implementation, Verification, Release) there are tools and/or training videos available. For a video giving an overview of the SDL tools, click here.

 


Requirements

Templates:

- SDL Process Template for Visual Studio Team System 2008

- MSF-Agile + SDL Process Template for Visual Studio Team System 2010

- MSF-Agile + SDL Process Template for Visual Studio Team System 2008

 

Videos:

 

 

Design

 

SDL Threat Modeling Tool

 

For more information on the threat modeling tool, click here.

 

Implementation

 

FxCop 

 

FxCop analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements. For more information, click here. Watch the video here.

 

Anti-Cross Site Scripting Library

 

This library is specifically designed to help mitigate Cross-Site Scripting (XSS) attacks in web-based applications. Watch the video here.

 

Microsoft Code Analysis Tool .NET

 

CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection, and XPath Injection. Watch the video here.

 

 

Verification

BinScope Binary Analyzer

 

BinScope Binary Analyzer is a verification tool that analyzes binaries to ensure that they have been built in compliance with the SDL requirements and recommendations. Watch the video here.

 

SDL MiniFuzz File Fuzzer

 

MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. Watch the video here.

 

AppVerifier

 

Application Verifier is a runtime verification tool for native code that assists in finding subtle programming errors that can be difficult to identify with normal application testing. For more information, click here.

 

SDL Regex Fuzzer

 

SDL Regex Fuzzer is a verification tool to help test regular expressions for potential denial of service vulnerabilities. Watch the video here.

 

Attack Surface Analyzer Beta

 

Attack Surface Analyzer is a tool that highlights the changes in system state, runtime parameters and securable objects on the Windows operating system.

 

 

Release

The release resources are the same templates and videos as the ones in the Requirements section.

Visual Studio 2010: Team explorer issue

Recently I’ve been working on a project with a friend of mine. One of the things we were playing with was Team Foundation Server 2010. So we set it up and I connected to it using Visual Studio 2010 Ultimate. Collaborating was not an issue. Sharing documents, using source control,… everything worked fine. Now I wanted to work on some of my ideas. I wanted to start a new project in Visual Studio, but the only option that was available to me was the “Start new team project” issue:

 


When clicking here, I got the following error (which is ok since my rights on that TFS server have been revoked):

 


The weird thing here is that I have a fully working version of Visual Studio 2010 Ultimate installed, but I only get the Team Explorer functionality. You can verify this by checking the installed components of Visual Studio in the “About”-window (Help –> About Microsoft Visual Studio).

 

To get back to the “normal” mode in Visual Studio (meaning: being able to create new projects and work with VS2010 normally), you need to reset your preferences by doing Tools > Import/Export settings > Import. Here you can choose to reset everything or to import a certain configuration. I chose to import a predefined configuration without backing up my current configuration (wasn’t much use to me anyhow):

 


I selected the Visual C# Development Settings and pressed “Next”. There I chose to reset all settings and clicked the “Finish” button:

 


Now that my configuration settings have been restored, I have the regular view in my Visual Studio and I can create projects again!

 


Team Foundation Server 2010 Resources

Here are some resources that might be useful when working with (or learning) Team Foundation Server 2010.

 

Team Foundation Installation Guide for Visual Studio 2010

Description:
Team Foundation Installation Guide 2010 includes instructions for installing Team Foundation Server, Team Foundation Server Proxy, and Team Foundation Build Services.

Note: After you download the installation guide, you cannot view its contents unless you right-click the .chm file, click Properties, and then click Unblock.

 

Download

 

Administration Guide for Microsoft Visual Studio 2010 Team Foundation Server

Description: Effective administration of Team Foundation Server is important to the success of your team projects. You can use this downloadable version of the administration content available on MSDN for local review of critical administration concepts, procedures, and walkthroughs.

Download

 

Visual Studio 2010 Team Foundation Server Monitoring Management Pack

Description: The Team Foundation Server 2010 Monitoring Management Pack provides both proactive and reactive monitoring of Microsoft Team Foundation Server 2010. It monitors TFS components such as application tier server instances, team project collections, build servers, and proxy servers.

Download

 

Team Foundation Server Integration Tools (March 2011 Release)

Description: The TFS Integration Tools is a project developed by the Team Foundation Server (TFS) product group and the Visual Studio ALM Rangers to integrate Team Foundation Server with third party systems for migration and synchronization of data.  Although the tools can be used for many purposes, planning, thorough testing and honest evaluation of extra resources and cost that will be required should precede any decision to use the Integration Tools.  The Integration Tools are not intended to replace a server upgrade as a path to TFS2010 and this scenario should be avoided if possible.

The March 2011 release includes the following features:

  • Out of the box adapter to Team Foundation Server 2010
  • Out of the box adapter to Team Foundation Server 2008
  • Out of the box adapter to Rational ClearCase
  • Out of the box adapter to Rational ClearQuest
  • Out of the box adapter for File system based version control migrations
  • Updated documentation, guidance and case studies (readiness package)
  • Updated User Interface to configure and run integrations
  • Synchronization monitoring tools and reports

Download

 

Visual Studio 2010 Team Foundation Branching guide

Description: The purpose of this project is to build some insightful and practical guidance around branching and merging with Visual Studio Team Foundation Server 2010. The new release focuses on Hands on Labs and includes lots of lessons learnt from the community Q&A.

Download

 

Visual Studio 2010 Team Foundation Server Requirements Management

Description: This Ranger solution addresses the People, Process, and Technology guidance for Requirements Engineering (RE) using Team Foundation Server. The goal of this guidance is to provide formalized Microsoft field experience in the form of recommended procedures and processes, Visual Studio Team System and Team Foundation Server configurations, and skill development references for the Requirements Engineering discipline of your application lifecycle.

Download

 

Microsoft Visual Studio Team Explorer Everywhere 2010

Description: Eclipse plug-in and cross-platform command-line client for Visual Studio 2010 Team Foundation Server.

Download

 

Team Foundation Server Power Tools (March 2011)

Description: A plug-in to Visual Studio, Alerts Explorer provides a graphical user interface that supports flexible subscription of alerts based on check-in, work item change, or build completion.

Download