Writing Windows or Linux apps? Microsoft just launched a cloud-powered bug hunter to find the flaws in your code

Microsoft's enterprise customers can soon use its Azure-hosted fuzzing service to ferret out bugs in their own Windows and Linux applications.
Written by Liam Tung, Contributing Writer

Microsoft has unveiled a new bug hunting tool, named Microsoft Security Risk Detection, that's built to help customers find and eliminate bugs before attackers can seize on them.

The tool, which enables so-called fuzz-testing, has been under development for over a decade at Microsoft Research under the 'Project Springfield' moniker. Fuzz-testing an application relies on throwing numerous types of data at a program to destabilize it and turn up potentially exploitable bugs. Microsoft has used the technology to find critical bugs in Windows and Office before releasing updates for them.

These days though all organizations are to varying degrees software makers, and Microsoft Security Risk Detection is designed to extend the same capabilities to customers that build Windows-based applications.

Previously the technology was available to select customers and partners, but last year Microsoft flagged its intent to make Springfield a product and gave the Azure-hosted app wider exposure under a preview program.

The Azure service will be available for purchase through Microsoft Services this summer; however, Microsoft hasn't revealed pricing.

"The tool is designed to catch the vulnerabilities before the software goes out the door, saving companies the heartache of having to patch a bug, deal with crashes or respond to an attack after it has been released," Microsoft said in a blogpost.

The company has also launched a preview program for fuzz-testing Linux applications.

Google, a major advocate for fuzz-testing, recently released a fuzz-testing tool called OSS-Fuzz to help discover flaws in open source software. In May it boasted the tool had discovered over 1,000 bugs in just five months. It's helped weed out a variety of memory and other bugs from projects like LibreOffice, SQLite, and OpenSSL.

Microsoft claims its paid-for Azure fuzzing service uniquely uses artificial intelligence to identify bugs by posing 'what if' scenarios to narrow down likely culprits for a critical security bug. It can be used to probe a customer's inhouse developed software, modified off-the-shelf software, or open source software.

To use the service, customers install their app on an Azure-hosted virtual machine. Microsoft provides different fuzzers to test the customer's code and identify bugs, which the customer then sets about fixing. Microsoft notes the service can be used to test website security, however, the fuzzers aren't designed to identify common web application flaws such as cross-site scripting.

Read more on Windows security

Editorial standards