Last year, Microsoft revealed Project Springfield, a unique fuzz testing service that uses AI to find security-critical bugs in software. Microsoft uses this tool internally to root out potential security vulnerabilities in software including Windows, Office and other products. It uses AI to ask a series of “what if” questions to work out what might trigger a crash and signal a security concern in the software under test. Microsoft will make this cloud service generally available to all developers under the name Microsoft Security Risk Detection in late summer through Microsoft Services.
- “Million dollar” bugs: Security Risk Detection uses “Whitebox Fuzzing” technology, which discovered one-third of the “million dollar” security bugs during Windows 7 development.
- Battle tested tech: The same state-of-the-art tools and practices honed at Microsoft for the last decade and instrumental in hardening Windows and Office — with the results to prove it.
- Scalable fuzz lab in the cloud: A one-click, scalable, automated, intelligent security testing lab in the cloud.
- Cross-platform support: Linux fuzzing is now available. Whether you’re building or deploying software for Windows, Linux or both, you can use the service.
Here’s how it works:
- The customer logs into a secure web portal. Project Springfield provides the customer with a virtual machine (VM) on which to install the binaries of the software to be tested, along with a “test driver” program that runs the scenario to be tested, and a set of sample input files called “seed files” to use as a starting point for fuzzing.
- Project Springfield will continuously fuzz test using multiple methods, including Microsoft whitebox fuzzing technology.
- Project Springfield reports security vulnerabilities in real time on the secure web portal. Customers can download actionable test cases to reproduce the issue.
- The customer can prioritize and fix bugs, then re-test to confirm that the fix is effective.
Microsoft will also offer a preview version of this tool for Linux users. Developers can sign up here for the Windows version or the Linux preview. You can learn more about the Microsoft Security Risk Detection service here.