Security Development Lifecycle resources

There are a bunch of new SDL resources available on the Microsoft Security Development Lifecycle page. For every step in the software development process (Requirements, Design, Implementation, Verification, Release) there are tools and/or training videos available. For a video giving an overview of the SDL tools, click here.

Requirements

Templates:

- SDL Process Template for Visual Studio Team System 2008

- MSF-Agile + SDL Process Template for Visual Studio Team System 2010

- MSF-Agile + SDL Process Template for Visual Studio Team System 2008

Videos:

Design

SDL Threat Modeling Tool

For more information on the threat modeling tool, click here.

Implementation

FxCop

FxCop analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements. For more information, click here. Watch the video here.

Anti-Cross Site Scripting Library

This library is specifically designed to help mitigate the potential for Cross-Site Scripting (XSS) attacks in web-based applications. Watch the video here.

Microsoft Code Analysis Tool .NET

CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection, and XPath Injection. Watch the video here.

Verification

BinScope Binary Analyzer

BinScope Binary Analyzer is a verification tool that analyzes binaries to ensure that they have been built in compliance with the SDL requirements and recommendations. Watch the video here.

SDL MiniFuzz File Fuzzer

MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. Watch the video here.

AppVerifier

Application Verifier is a runtime verification tool for native code that assists in finding subtle programming errors that can be difficult to identify with normal application testing. For more information, click here.

SDL Regex Fuzzer

SDL Regex Fuzzer is a verification tool to help test regular expressions for potential denial of service vulnerabilities. Watch the video here.

Attack Surface Analyzer Beta

Attack Surface Analyzer is a tool that highlights the changes in system state, runtime parameters and securable objects on the Windows operating system.

Release

The release resources are the same templates and videos as the ones in the Requirements section.

Visual Studio: Code coverage collection error

By DimitriC at January 28, 2010 12:07
Filed Under: Help, Testing, tools & Utilities, Visual Studio

When I was running unit tests on Visual Studio 2008, the entire test run failed, and in the “Test Run Errors and Warnings” section I found the following error:

Code coverage instrumentation warning while processing file Project.exe:
Code coverage collection error: The Visual Studio performance and coverage logging engine is already running on the computer. Therefore, the test run cannot continue. Close the pending performance or code coverage session and then rerun the tests.

Restarting Visual Studio didn’t help, so I checked the Task Manager. There I found VSPerfMon, which is the tool used by Visual Studio to collect performance data for the application. Kill this process and the tests will run again.

For more information on using VSPerfMon separately from Visual Studio (using command line), click here.