Project Springfield is now generally available under the name Microsoft Security Risk Detection. The cloud-based tool lets developers search for vulnerabilities and bugs in their software via artificial intelligence.
The software is expected to augment the work developers already do and mitigate somewhat the need for fuzz testers. The company believes it will work well in fast-paced development environments and reduce false positives.
“We use AI to automate the same reasoning process that you or I would use to find a bug, and we scale it out with the power of the cloud,” explained David Molnar, lead researcher on the risk detection tool.
In essence, it uses ‘what if' questions to find the source of the crash and find out if it's a security concern. It can allegedly find bugs that other tools miss via a more intelligent approach.
Results so far seem to be promising, DocuSign's John Heasman noting that an early preview of the software let them find bugs that may have been missed otherwise.
“It's rare that these solutions have such a low rate of false positives,” he said, noting that this saved a lot of time when searching through errors.
However, components of Security Risk Detection have actually been in use since the mid-2000s, inside Microsoft. The software company has been using it to root out bugs in Windows, Office, and more for over a decade.
The service bundles SAGE with other fuzzing tools and overlays a dashboard in the Azure cloud. It's currently available through the Microsoft Security Development Lifecycle, and will go on sale in late summer via Microsoft Services.
Until then, developers can sign up for the preview via the Microsoft Security Risk Detection site.