Microsoft has released its long-awaited cloud-based bug detection tool, previously code-named “Project Springfield.” The Windows version became generally available, and a new Linux version became available as a preview last week.
The tool, Microsoft Security Risk Detection, uses artificial intelligence to hunt down security vulnerabilities in software that is about to be released.
Microsoft Security Risk Detection will help developers do fuzz testing, said David Molnar, the Microsoft researcher in charge of the group that developed the tool. Fuzz testing normally is done using outside consultants to test new software. Its purpose is to make sure vulnerabilities can be weeded out before the product goes into wide release to avoid the necessity of patching them on the back end.
The service uses artificial intelligence to ask particular “what if” questions about new software, focusing on critical areas that might be vulnerable to attack by bad actors.
Microsoft first released a test version of the service last year. Docusign, a firm that specializes in automated electronic signatures, is one of the companies that volunteered to try it out.
The tool helped Docusign weed out bugs in its software and almost never returned false positives, according to John Heasman, senior director of software security at the company.
The low rate of false positives is very important, he said, because companies typically have to spend a lot of time tracking down false positives, which uses time that otherwise could be devoted to investigating legitimate threats.
Microsoft has been using Sage, a key component of the service, since the mid-2000s to test versions of Windows, Office and other products. Several product teams at the company use the service as part of the Microsoft Security Development Lifecycle.
Microsoft plans to offer the tool for sale later this summer through Microsoft Services.
The release is meaningful, according to Dustin Childs, communications director for the zero day initiative at Trend Micro, who noted that the service gives developers access to security testing they otherwise might not use.
“Bugs are much easier to detect during software development,” he told LinuxInsider, “so enhanced testing prior to release could prevent security problems down the road.”
Whether companies embrace the service depends largely on how many false positives they get, Childs said. Another important issue will be the trust issue between developers and Microsoft, which could depend on how much information is shared with the developers and how much is retained by Microsoft.
From Microsoft’s perspective, the gain is twofold, said Childs. The service will help Microsoft create a safer ecosystem running a series of Windows applications, and allow the company to show off its cloud computing and AI capabilities. The service also will introduce Azure to a large community of potential customers.
Security is something that everyone wants, but few are willing to shell out the money for it, observed Jim McGregor, principal analyst at Tirias Research.
“IT managers often stick with the security solutions they are familiar with and upgrade with budgetary cycles,” he told LinuxInsider.
The industry rarely works together to resolve security issues, McGregor said.
True IT security requires hardware and software to be effective, he pointed out.
However, Microsoft’s solution takes security to a new level by combining AI and cloud resources, said McGregor. It continuously leverages a wide range of information and reacts to new threats faster than traditional solutions.
“It’s not clear how much success Microsoft will have with this new service,” he said, “but every IT manager should be looking to AI for improved security.”