Microsoft has announced two new Security Development Lifecycle (SDL) tools here:
MiniFuzz File Fuzzer
MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to exercise the code in an attempt to expose unexpected application behaviors.
Because fuzzing is effective at finding bugs, it is a required activity in the Verification Phase of the Microsoft Security Development Lifecycle (SDL). With the release of MiniFuzz, we have made a simple file fuzzer available to assist developer efforts to find and address more bugs in code before it ships to customers.
BinScope Binary Analyzer
The BinScope Binary Analyzer is a Microsoft verification tool that analyzes binaries to ensure that they have been built in compliance with Microsoft’s Security Development Lifecycle (SDL) requirements and recommendations. BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, and up-to-date build tools are in place.
BinScope also reports on dangerous constructs that are prohibited or discouraged by the SDL (e.g. read/write shared sections and global function pointers). For a more detailed enumeration of the checks performed by BinScope, please see the BinScope documentation. BinScope is available in two forms: as a standalone executable and as a Visual Studio add-on.
Jeremy Dallman, of Microsoft, explains both tools in this post.
I have spent a great deal of time over the last year and a half on a couple of projects architecting solutions using NHibernate and Fluent NHibernate as the preferred ORM (object relational mapper). It has really matured into a great set of products with the release of NHibernate 2.1 (especially with System.Transaction support) and Fluent NHibernate 1.0. I have also used LINQ to NHibernate 1.0 and like how that works as well, but it could be tweaked some more.
I have decided to turn that experience into training classes offered through my independent consulting company. Please check out my Training page on my company web site if you are interested.