Microsoft Releases Attack Surface Analyzer Tool 40
wiredmikey writes "Microsoft has released the public version of Attack Surface Analyzer, a tool designed to help software developers and independent software vendors assess the attack surface of an application or software platform. The tool was pushed out of beta with Version 1.0 released on Thursday. Since ASA doesn't require the original source code, managers and executives can also use the tool to determine how a new application or software being considered would affect the organization's overall security before deploying it. The tool takes snapshots of the system before and after an application was installed, and compares them to identify changes made when new applications were installed. A stand-alone wizard guides users through the scanning and analysis process and a command-line version is available for use with automated tools. Attack Surface Analyzer 1.0 can be downloaded from Microsoft here."
Re:For Windows (Score:5, Informative)
This is for Windows only and it does not test applications for security problems, it looks at the entire system and how it is affected by the installation.
Hence, attack surface analyzer.
The tool looks at the surface of a system (not an application) and analyzes how observable changes to that surface could impact security. For instance it will report that a new port is listening after an application has been installed, or it reports that a certain application phones home, or that the application relies on configuration files/installation/registry keys which may not have proper permissions set.