Security Tools For Software Development
Ivan Medvedev
Security Development Lead
Microsoft Corporation

Overview
Introduction to our team
Security Development Lifecycle
Tools available to developers
  Threat Modeling Tool
  Visual Studio Compiler Switches
  FxCop
  AppVerifier
Upcoming new tools!
Fuzz testing

Security Engineering And Communications
Microsoft Security Response Center (MSRC)
  Primary interface with security research community
  Software Security Incident Response Process (SSIRP)
Secure Windows Initiative (company-wide)
  Training for developers and partners
  Security Milestones in the development process
  Attack and Penetration teams
  Final Security Reviews
Strategy and Policy
  Security Development Lifecycle
  Councils, Buddy programs, etc.
  CERT, CSIRT interface, other government initiatives, including common criteria
  Windows Privacy (Phishing, spam, etc)

The Security Development Lifecycle (SDL)
Security best practices in Microsoft
Provides guidance within established development processes
Design considerations
Creating effective security plans
Leveraging tools across the development cycle
Better than simply hunting for bugs
Requirements Design Implementation Verification Release Response

The Threat Modeling Tool

What is Threat Modeling?
A process to understand and document security threats to a system that:
  Closely simulates an adversary’s thought process
  Will describe the system’s threat profile
  Allows the security of the system to be characterized
  May find vulnerabilities

Key Concepts
The threat profile is an enumeration of adversary goals
A threat is not a vulnerability, and the point of a threat model is more than just finding vulnerabilities
Threats justify security features and secure coding guidelines

Key Concepts
A system is anything that exposes functionality to an end user:
  Single feature
  Shipping product
  Web application and its supporting infrastructure
  Etc.

Threat Modeling Tool
Provides structure to a threat model document
Lists all of the key areas for consideration
Links assets, threats, and vulnerabilities for easier prioritization
Saves as XML for portability

Visual Studio Compiler Options

What Is A Buffer Overrun?
Buffers are blocks of memory, usually in the form of an array
When the size of an array is not verified, it is possible to write outside the allocated buffer
If such an action takes place in memory addresses higher than the buffer, it is called a buffer overrun
A buffer overrun that injects code into a running process is referred to as an exploitable buffer overrun

What Is A Buffer Overrun?
The ability to arbitrarily corrupt memory
Overflows lead to arbitrary code
Underflows lead to denial of service
Problem is usually isolated to C and C++
00 00 00 00
00 00 00 00
2A 00 00 00
    int x = 42;
    char zip[6];
    strcpy(zip, userinput);   /* no check of userinput's length against sizeof zip */
    printf("x = %i\n", x);

Types Of Exploits
Stack smashing
Register hijacking
Local pointer subterfuge
V-Table hijacking
C++ EH clobbering
SEH clobbering
Multistage attacks
Parameter pointer subterfuge
Diagram labels: Previous function’s stack frame, Return address, EH frame, Callee save registers, Garbage, Local variables and locally declared buffers, Frame pointer, Function arguments

Visual Studio Security Options
/GS
  A "speed bump," or cookie, between the buffer and the return address. When the function exits, the cookie is checked
  Helped lower Blaster impact on Win 2003
/SAFESEH
  Created in response to CodeRed
  Verifies the exception handler

Stack Layout In VC++ 2003
Diagram labels: Previous function’s stack frame, Return address, EH frame, Callee save registers, Garbage, Frame pointer, Function arguments, Cookie, Locally declared buffers, Local variables
Function prolog:
    sub esp,24h
    mov eax,dword ptr [___security_cookie (408040h)]
    mov dword ptr [esp+20h],eax
Function epilog:
    mov ecx,dword ptr [esp+20h]
    add esp,24h
    jmp __security_check_cookie (4010B2h)
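
The cookie store in the prolog and the check in the epilog, modelled in portable C as an added example (not code from the presentation or from the Visual C++ runtime). The frame structs, the cookie and return-address constants and the function names are assumptions made for illustration, and the overlong write is clamped to the struct so the model stays well defined.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed values: the real cookie is randomised per process at startup. */
#define COOKIE  ((uintptr_t)0x2B992DDFu)
#define RETADDR ((uintptr_t)0x004010B2u)   /* stand-in for a saved return address */

/* Frame without /GS, low address first: the buffer sits below other locals. */
struct frame_plain {
    char      zip[6];
    int       x;
    uintptr_t return_addr;
};

/* Model of the /GS layout: local variables below the locally declared
   buffers, cookie between the buffers and the return address. */
struct frame_gs {
    int       x;
    char      zip[6];
    uintptr_t cookie;
    uintptr_t return_addr;
};

struct result {
    int x;           /* neighbouring local after the copy          */
    int ret_intact;  /* 1 if the saved return address is unchanged */
    int cookie_ok;   /* 1 if the epilog check passes               */
};

/* Models strcpy(zip, userinput): no check against sizeof zip. The write is
   clamped to the end of the frame struct so it stays inside one object. */
static void unchecked_copy(void *frame, size_t frame_size, size_t zip_off,
                           const char *userinput)
{
    size_t n = strlen(userinput) + 1;
    if (n > frame_size - zip_off)
        n = frame_size - zip_off;
    memcpy((unsigned char *)frame + zip_off, userinput, n);
}

struct result run_plain(const char *userinput)
{
    struct frame_plain f;
    struct result r;
    memset(&f, 0, sizeof f);
    f.x = 42;
    f.return_addr = RETADDR;
    unchecked_copy(&f, sizeof f, offsetof(struct frame_plain, zip), userinput);
    r.x = f.x;
    r.ret_intact = (f.return_addr == RETADDR);
    r.cookie_ok = 1;                      /* nothing is checked on exit */
    return r;
}

struct result run_gs(const char *userinput)
{
    struct frame_gs f;
    struct result r;
    memset(&f, 0, sizeof f);
    f.x = 42;
    f.return_addr = RETADDR;
    f.cookie = COOKIE;                    /* prolog: store the cookie in the frame */
    unchecked_copy(&f, sizeof f, offsetof(struct frame_gs, zip), userinput);
    r.x = f.x;
    r.ret_intact = (f.return_addr == RETADDR);
    r.cookie_ok = (f.cookie == COOKIE);   /* epilog: a real failed check terminates the process */
    return r;
}

int main(void)
{
    const char *inputs[] = { "98052", "98052-AAAAAAAAAAAAAAAAAAAAAAAAAAAA" };  /* constructed inputs */
    for (size_t i = 0; i < 2; i++) {
        struct result p = run_plain(inputs[i]), g = run_gs(inputs[i]);
        printf("plain: x=%d ret_intact=%d | /GS: x=%d ret_intact=%d cookie_ok=%d\n",
               p.x, p.ret_intact, g.x, g.ret_intact, g.cookie_ok);
    }
    return 0;
}
```

In the plain frame the overlong input changes `x` and the return address with nothing to notice it; in the /GS frame `x` survives and the cookie mismatch is caught before the return address would be used.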

FxCop

FxCop
A static code analysis tool that examines managed assemblies for design and code correctness issues
Console and graphical applications that manage:
  Targets (items for analysis)
  Rules (checks to execute)
  Messages (feedback from rules)
A general infrastructure for writing checks against managed code

Benefits
FxCop helps create:
  More consistent API, easily discoverable via help, IntelliSense, etc.
  Better performance in code
  More secure applications
  Fewer globalization and COM/cross-language interoperability issues
Increased understanding of .NET Framework
Extends compiler-provided checks

FxCop and Security
Current version (1.30) has 21 security rules
Examples of security rules
  Fields that are arrays should not be read-only
  Link demand security checks on types do not prevent access to the type’s fields
  Security checks on value-type constructors do not prevent the value-type from being instantiated

FxCop Security Rules

The Windows Application Verifier

Windows Application Verifier (AppVerifier)
Provide developers with
  Tools and knowledge used in Windows development
A testing infrastructure to detect run time issues in Win32 applications
Targeted towards developers and QA teams with debugging knowledge

Benefits
Significantly reduces debugging time detecting
  Memory corruptions
  Hangs
  Security issues
Reduces crashes
  67.8% of 3rd party user mode crashes could have been detected using the AppVerifier
Aids in Logo/Certification testing
  Non-administrator scenarios
  Resource management
  Version checking

Security And The AppVerifier
Enable the SecurityChecks Test
Insecure API usage
Misuses of CreateProcess
Interactive services
  Many server applications are vulnerable to “Shatter” attacks
  Potentially allows an interactive user to get the privileges of a service running as LOCAL_SYSTEM
  Removed from Longhorn completely
Weak security descriptor usage
  Granting EVERYONE_WRITE access to a file or registry key is an opportunity for elevation of privilege
  Creating an object with a NULL DACL at any time is a security issue

The Application Verifier

Advanced Technique: Fuzzing

What Is Fuzzing?
Fuzz testing is a method of finding software security holes by feeding purposely invalid and ill-formed data as input to program interfaces
Inputs include:
  Files
  Network ports
  APIs
Based on the analysis of a number of software security vulnerabilities uncovered in the past, the belief is that a large percentage of them could have been found by doing fuzz testing

What Is Fuzzing?
Fuzzing is a variation of negative testing
Specific characteristics:
  High volume of testing (using multiple variations and test passes)
  Fuzz testing is generally automated
  Finds many problems related to reliability; many of which are potential security holes
  Fuzz testing does not typically validate proper reaction to invalid data

Benefits
Easily automated
Doubles as robustness testing
Exercise more failure cases in code
Finds LOTS of bugs

Methodology
Dumb vs. Smart
  Dumb fuzzing generates data with no regard to the format
  Smart fuzzing requires knowledge of the data format or how the data is consumed
Generation vs. Mutation
  The generation technique creates new files from scratch
  The mutation technique transforms a sample input file to create a new one
Most fuzzing tools are a mix of each approach

Measuring And Triaging
Measuring
  Reliability metrics MTTF (Mean Time To Failure), MTBF, failures per 1K variations
  Code Coverage delta
Triaging
  Crash means input can divert program flow
  Figuring out exploitability is expensive
  Just fix it!
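
The methodology and metrics above, applied to a small parser as an added example (not from the presentation): a dumb mutation pass and a format-aware generation pass run against a constructed record format, each reporting failures per 1K variations and the number of distinct parser outcomes reached as a coarse stand-in for a coverage delta. The record format, the `check_dest` switch and all function names are assumptions; the guard zone behind the 6-byte buffer makes an overrun observable without leaving the test buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ZIP_CAP   6    /* destination size, as in char zip[6] on the overrun slide */
#define GUARD_LEN 256  /* guard zone behind it so an overrun can be observed       */
enum outcome { ACCEPTED, REJECT_SHORT, REJECT_MAGIC, REJECT_TRUNCATED,
               REJECT_TOO_LONG, OVERRUN, N_OUTCOMES };
struct stats { unsigned total; unsigned by_outcome[N_OUTCOMES]; };

/* Constructed record format: 'Z' 'P' <len> <len payload bytes>.
   check_dest = 0 leaves out the destination-size check (the bug to find). */
static enum outcome parse_record(const unsigned char *in, size_t n,
                                 unsigned char *zip, int check_dest)
{
    if (n < 3) return REJECT_SHORT;
    if (in[0] != 'Z' || in[1] != 'P') return REJECT_MAGIC;
    size_t len = in[2];
    if (len > n - 3) return REJECT_TRUNCATED;
    if (check_dest && len > ZIP_CAP - 1) return REJECT_TOO_LONG;
    memcpy(zip, in + 3, len);
    zip[len] = '\0';
    return ACCEPTED;
}

/* Run one variation on a fresh buffer; any change in the guard zone is a failure. */
static void run_one(struct stats *s, const unsigned char *in, size_t n, int check_dest)
{
    unsigned char arena[ZIP_CAP + GUARD_LEN];
    memset(arena, 0xCC, sizeof arena);
    enum outcome o = parse_record(in, n, arena, check_dest);
    for (size_t i = ZIP_CAP; i < sizeof arena; i++)
        if (arena[i] != 0xCC) { o = OVERRUN; break; }
    s->total++;
    s->by_outcome[o]++;
}

/* Dumb mutation: every byte of one valid sample replaced by every value. */
struct stats fuzz_dumb_mutation(int check_dest)
{
    static const unsigned char sample[] = { 'Z', 'P', 5, '9', '8', '0', '5', '2' };
    struct stats s = { 0 };
    unsigned char buf[sizeof sample];
    for (size_t pos = 0; pos < sizeof sample; pos++)
        for (unsigned v = 0; v < 256; v++) {
            memcpy(buf, sample, sizeof sample);
            buf[pos] = (unsigned char)v;
            run_one(&s, buf, sizeof buf, check_dest);
        }
    return s;
}

/* Smart generation: records built from scratch so length field and payload agree. */
struct stats fuzz_smart_generation(int check_dest)
{
    struct stats s = { 0 };
    unsigned char buf[3 + 255];
    for (unsigned len = 0; len < 256; len++) {
        buf[0] = 'Z'; buf[1] = 'P'; buf[2] = (unsigned char)len;
        memset(buf + 3, 'A', len);
        run_one(&s, buf, 3 + len, check_dest);
    }
    return s;
}

unsigned failures_per_1k(const struct stats *s)
{
    return s->total ? s->by_outcome[OVERRUN] * 1000u / s->total : 0;
}

unsigned outcomes_reached(const struct stats *s)
{
    unsigned n = 0;
    for (unsigned i = 0; i < N_OUTCOMES; i++) n += (s->by_outcome[i] != 0);
    return n;
}

int main(void)
{
    struct stats d = fuzz_dumb_mutation(0), g = fuzz_smart_generation(0);
    printf("dumb mutation:    %u failures/1K, %u outcomes\n", failures_per_1k(&d), outcomes_reached(&d));
    printf("smart generation: %u failures/1K, %u outcomes\n", failures_per_1k(&g), outcomes_reached(&g));
    return 0;
}
```

Single-byte mutation never produces a record whose length field and payload grow together, so it reports 0 failures per 1K against the parser without the size check, while format-aware generation reports 976.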

Upcoming New Tools
In .NET Framework 2.0 / VS 2005
PreFast
  Source code static analysis
  Has security checks, such as buffer overrun detection, etc.
PermCalc
  Static binary analysis for managed code
  Calculates .NET permissions needed for .NET assemblies to run
  Integrated into Visual Studio

Call To Action
Raise the bar for security in your own applications
Adopt these tools in your development
Consider adding additional security best practices from “Writing Secure Code”
Provide feedback on the tools
  Bug reports
  Feature requests

General Security Resources
General: http://www.microsoft.com/security
XP SP2 Resources for the IT Professional: http://www.microsoft.com/technet/winxpsp2
Security Guidance Center: http://www.microsoft.com/security/guidance
Tools: http://www.microsoft.com/technet/Security/tools
How Microsoft IT Secures Microsoft: http://www.microsoft.com/technet/itsolutions/msit
E-Learning Clinics: https://www.microsoftelearning.com/security
Events and Webcasts: http://www.microsoft.com/seminar/events/security.mspx

Additional Documentation
Writing Secure Code: http://www.microsoft.com/MSPress/books/5957.asp
Threat Modeling: http://www.microsoft.com/MSPress/books/6892.asp
Threat Modeling Online: http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx
Compiler Security Checks In Depth: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dv_vstechart/html/vctchcompilersecuritychecksindepth.asp

FxCop Resources
http://www.gotdotnet.com/team/fxcop/
FxCop download site/bulletin board
FxCop docs and rule topics
Support
[email protected]

AppVerifier Resources
Download Site: http://www.microsoft.com/windows/appexperience
Newsgroup: microsoft.public.win32.programmer.tools
http://msdn.microsoft.com/newsgroups/managed

Questions?
We want your feedback!

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.