ra2 studio - Fotolia


How Microsoft SRD uses AI to help developers with security

Microsoft SRD is a new cloud service that aims to detect vulnerabilities in software using artificial intelligence. Expert Dave Shackleford explains what that means.

Microsoft is releasing a cloud service called Microsoft Security Risk Detection, or SRD, that it claims uses artificial intelligence to find vulnerabilities and bugs in software.

Artificial intelligence is the latest buzzword for security vendors, and this latest offering of Microsoft's claims to use automated logic routines to assess running software binaries, making intelligent selections about where and how to probe the application to find the most critical flaws as the program executes.

Whether it really uses AI or not, the service apparently offers developers a cloud-based means of assessing applications by fuzzing them. In other words, it sends unexpected input to the application -- or requests that it take actions that are not typical in its normal execution flow -- looking for how it responds. This can be an extremely effective means of looking for bugs in applications without having the original source code.

The Microsoft SRD offering works as a cloud service, as developers can simply upload binaries into a Microsoft sandbox environment, and then run them using any number of runtime environments. Right now, the offering is focused on Microsoft platforms, but Microsoft states that Linux support is going to be offered soon.

How Microsoft SRD helps developers

Developers can take advantage of this in many ways. First, the program can help those who do not already have binary analysis and security fuzzing capabilities to get started in a relatively painless way --simply upload, run the binary and get the report. While it's not likely to really be this simple, it is likely to be easier and less painful than configuring on-premises software to do the same thing.

Second, if Microsoft has strong analytics capabilities built in to the service, this tool may help developers find issues they had never thought of before, creating new and valuable use cases for security control implementations in their development lifecycles. The impact of this could be significant -- applications are under attack more than ever, and development teams need all the help they can get to harden applications from code and logic flaws. Microsoft SRD could possibly make this easier by offering a simple-to-use platform that fuzzes applications more intelligently and with less security knowledge required than most fuzzing tools need.

Another advantage of a tool like Microsoft SRD is the background in security testing that Microsoft brings to the table, with many years of development and security experience testing their own platforms and applications built in to the system's intelligence.

In addition, the wizard-driven system prompts developers to walk through test cases and scenarios, which may help identify crash conditions and security issues more readily than developers trying to come up with them on their own. These test cases can then be downloaded and used to reproduce issues in-house, too, making hybrid testing models more viable and enabling developers and security teams to share knowledge about potential flaws and fixes.

According to Microsoft, the AI comes into play by recognizing patterns and specific scenarios associated with bugs and application workflows, and then builds on these to find the best possible tests to run, improving this over time as the application changes.

Tools like Microsoft SRD are likely to get more traction in cloud-based implementations for several reasons. First, you don't need to build and maintain any internal infrastructure to perform this testing. Second, companies like Microsoft can easily update and enhance the intelligence powering the fuzzing logic automatically, with no need to download updates or upgrade the platform. Finally, the cloud offers much more scalability than on-premises solutions, and large development teams can test multiple versions and different applications simultaneously without having to wait.

Time will tell if Microsoft SRD takes off, but this kind of security service makes a lot of sense. 

Next Steps

Find out how to protect against hidden security threats in software stacks

Check out how to safeguard against threats with third-party Windows 10 security software

Discover why DevSecOps is the key ingredient to secure new software

Dig Deeper on Cloud Security Services: Cloud-Based Vulnerability Scanning and Antivirus