{"id":36481,"date":"2019-05-10T12:59:42","date_gmt":"2019-05-10T19:59:42","guid":{"rendered":"http:\/\/devblogs.microsoft.com\/premier-developer\/?p=36481"},"modified":"2019-05-06T12:27:35","modified_gmt":"2019-05-06T19:27:35","slug":"msrd-whatsnew","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/premier-developer\/msrd-whatsnew\/","title":{"rendered":"Microsoft Security Risk Detection – What’s New"},"content":{"rendered":"

App Dev Managers\u00a0Syed Mehdi<\/a>,\u00a0Sanjeev Gogna<\/a>, Charles Ofori<\/a>, and Rob Smith<\/a>\u00a0come together to spotlight powerful new offerings with Microsoft’s Security Risk Detection services.<\/p>\n

\n

As part of our focus in Microsoft Developer Support, helping customers build and deploy applications faster with less risk by leveraging the Cloud and DevOps practices, we have found that integrating application security practices and tools into the software development process is critical for customers to successfully release a modern, cloud ready application. With that in mind, we are updating our offerings portfolio with new application security engagements along with releases to existing engagements that span Assessment, Education, Remediation, and Implementation. One of the practice areas and associated tooling where we see customers asking for assistance is around security testing automation and integrating that with their DevOps practices. We\u2019ll touch on some more of these offerings in future posts, but to start with security testing, we are excited to share the updated release of Microsoft Security Risk Detection (MSRD)!<\/p>\n

MSRD is a self-service, AI-powered Dynamic Application Security Testing service that optimizes your web development cycle to identify and remediate bugs and security risks as they\u2019re introduced into the codebase \u2013 not after they are already in production.<\/p>\n

In today\u2019s challenging environment where we hear about a breach every day, you need to have more powerful tools that adapt with time and help you remediate bugs and reduce security risk during development and testing instead of when you are releasing to production. This cloud-based service is powered by the same technology that Microsoft has been using for years to test our own applications, websites, and services. MSRD allows you to easily scan Windows, Linux, and Web applications & services for security vulnerabilities.<\/p>\n

Since our last blog<\/a> on MSRD in May 2017, there have been new features added along with updates to existing features:<\/p>\n

    \n
  1. New: Web Vulnerability Scanning<\/a><\/li>\n
  2. New: Subscription-based pricing<\/a><\/li>\n
  3. New: DevOps integration for Fuzzing<\/a><\/li>\n
  4. Updated: Self-Service Portal<\/a><\/li>\n<\/ol>\n

    Web Vulnerability Scanning<\/h3>\n

    Web vulnerability scanning is a form of Dynamic Application Security Testing (DAST) that assesses whether a web application or service is vulnerable to attack. MSRD Web Scanning covers most of the OWASP Top 10<\/a>, plus dozens of other security, privacy, and reliability issues that can adversely impact the confidentiality, integrity, or availability of your web properties. MSRD was built to identify security vulnerabilities and other issues in traditional websites, as well as newer architectures like single-page applications, back-end REST APIs, and microservices, etc. MSRD Web Scanning is platform agnostic. It provides coverage for everything from Ruby on Rails and PHP on Linux to ASP.NET on Windows to Angular and React in the browser.<\/p>\n

    When coupled with other security best practices like threat modeling and static analysis, web vulnerability scanning can increase confidence that your applications and data are resilient to attack.\u00a0Following these security best practices implies that a hypothetical attacker would need to invest more time and resources to identify weaknesses or vulnerabilities in your code \u2013 there won\u2019t be any easy, low-hanging fruit \u2013 thus decreasing their return on investment and encouraging them to look elsewhere.<\/p>\n

    Web scanning is easy to set up. All that is required is access to the target site from our cloud-based scanning engines and the credentials necessary to access it. We support both public and private URLs (via VPN connectivity).<\/p>\n

    Web scanning configuration in the Self-Service Portal:<\/p>\n

    <\/p>\n

    Example of Web Vulnerability Scan results in the Site Structure View, available in the Self-service Portal:<\/p>\n

    <\/p>\n

    New Pricing Model<\/h3>\n