"CAT.NET - Community Technology Preview
CAT.NET is a managed code static analysis tool for finding security vulnerabilities. It's exactly the same tool we use internally to scan all of our Line of Business (LOB) applications; it runs as a Visual Studio plug-in or as a stand-alone application. It was engineered by this group (CISG) and has been designed in partnership with the ACE Team and Microsoft Research. The ACE Team do thousands of code reviews for the internal line of business applications and for our external customers and have provided a wealth of real world knowledge and experience to the tool over the years. We will be posting several deep dive blogs this week on the inner workings of call graph and flow graph analysis and the algorithms behind CAT.NET from MSR. It is a technology preview; we appreciate that there are some performance and functionality limitations that we will be working on over time but we are already deep in discussion about the future design of CAT.NET and it's looking potentially very compelling!
Anti-XSS 3.0 - Beta
Cross Site Scripting (XSS) continues to plague web sites and among others things has become known as a common attack vector for Phishing attacks to distribute payloads to unsuspecting users.
With this release we have taken a fresh look at how to provide protection to ASP.NET applications. As well as significantly better coverage for internationalisation in the core library and significantly improved performance, we are now are now shipping with the Security Runtime Engine (SRE), a .NET CLR plug-in that overrides default encoding's to render sites safe from XSS with zero code changes. While the SRE can not be used in every circumstance and cannot prevent every type of XSS, we believe it will provide great coverage in a wide variety of situations and forms another important layer in a defence in depth strategy. In testing on our own applications in Microsoft IT we have typically seen the ability to fix between 50% and 90% of XSS issues in an application out of the box with no code changes needed. We are experimenting with preventing other attacks beyond XSS and expect to extend coverage in future releases."