
Anti-XSS 3.0 Beta and CAT.NET Community Technology Preview now Live

"CAT.NET – Community Technology Preview

CAT.NET is a managed code static analysis tool for finding security vulnerabilities. It's exactly the same tool we use internally to scan all of our Line of Business (LOB) applications; it runs as a Visual Studio plug-in or as a stand-alone application. It was engineered by this group (CISG) and has been designed in partnership with the ACE Team and Microsoft Research. The ACE Team do thousands of code reviews for the internal line of business applications and for our external customers and have provided a wealth of real world knowledge and experience to the tool over the years. We will be posting several deep dive blogs this week on the inner workings of call graph and flow graph analysis and the algorithms behind CAT.NET from MSR. It is a technology preview; we appreciate that there are some performance and functionality limitations that we will be working on over time, but we are already deep in discussion about the future design of CAT.NET and it's looking potentially very compelling!

You can download the current CTP builds from MSDN (32 bit here and 64 bit here) and submit bugs and feedback to our Connect site (see post later this week for details).

Anti-XSS 3.0 – Beta

Cross Site Scripting (XSS) continues to plague web sites and, among other things, has become known as a common attack vector for phishing attacks to distribute payloads to unsuspecting users.

With this release we have taken a fresh look at how to provide protection to ASP.NET applications. As well as significantly better coverage for internationalisation in the core library and significantly improved performance, we are now shipping with the Security Runtime Engine (SRE), a .NET CLR plug-in that overrides default encodings to render sites safe from XSS with zero code changes. While the SRE cannot be used in every circumstance and cannot prevent every type of XSS, we believe it will provide great coverage in a wide variety of situations and forms another important layer in a defence in depth strategy. In testing on our own applications in Microsoft IT we have typically seen the ability to fix between 50% and 90% of XSS issues in an application out of the box with no code changes needed. We are experimenting with preventing other attacks beyond XSS and expect to extend coverage in future releases."
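The announcement describes the SRE as overriding an application's default output encoding so that untrusted values can no longer break out of the HTML they are written into. The following C# program is an added illustration of that defence and is not code from the Anti-XSS library, the SRE, or the CISG blog: it places a deliberately unencoded rendering next to one that passes the value through a small allowlist encoder (every character outside a short safe set becomes a numeric entity). The class and method names, and the sample input, are constructed for this example.

```csharp
using System;
using System.Text;

// Added example for this page, not code from Anti-XSS or the SRE.
// Names (XssEncodingDemo, HtmlEncodeAllowlist, RenderUnsafe, RenderSafe)
// are hypothetical.
static class XssEncodingDemo
{
    // Allowlist encoder: letters, digits, space and a little punctuation pass
    // through unchanged; everything else (including < > " ' & and non-ASCII)
    // is emitted as a numeric character reference. Because '<' and '"' are
    // never emitted raw, the value cannot open a tag or end an attribute.
    public static string HtmlEncodeAllowlist(string input)
    {
        if (input == null) return string.Empty;
        var sb = new StringBuilder(input.Length * 2);
        foreach (char c in input)
        {
            bool safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                     || (c >= '0' && c <= '9') || c == ' ' || c == '.'
                     || c == ',' || c == '-' || c == '_';
            if (safe)
                sb.Append(c);
            else
                sb.Append("&#").Append((int)c).Append(';');
        }
        return sb.ToString();
    }

    // The pattern the SRE is meant to rescue: raw concatenation of an
    // untrusted value into HTML body content.
    public static string RenderUnsafe(string userName)
    {
        return "<p>Hello, " + userName + "</p>";
    }

    // Hardened form: the same markup, with the value encoded for the
    // HTML body context before it is written out.
    public static string RenderSafe(string userName)
    {
        return "<p>Hello, " + HtmlEncodeAllowlist(userName) + "</p>";
    }

    static void Main()
    {
        // Constructed sample input: a classic reflected-XSS test string.
        string untrusted = "<script>alert(1)</script>";

        Console.WriteLine("Unencoded: " + RenderUnsafe(untrusted));
        // -> <p>Hello, <script>alert(1)</script></p>   (script executes)

        Console.WriteLine("Encoded:   " + RenderSafe(untrusted));
        // -> <p>Hello, &#60;script&#62;alert&#40;1&#41;&#60;&#47;script&#62;</p>
        //    (the browser displays the text; nothing executes)
    }
}
```

The encoder above is body-context only; a value written inside a JavaScript block, a URL or a CSS declaration needs an encoder for that context, which is one reason the post says the SRE "cannot prevent every type of XSS" and positions it as a defence in depth layer rather than a replacement for context-aware encoding in the application itself.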

More information: http://blogs.msdn.com/cisg/archive/2008/12/15/anti-xss-3-0-beta-and-cat-net-community-technology-preview-now-live.aspx