Anti-XSS 3.0 Beta and CAT.NET Community Technology Preview now Live!

Mark Curphey here.....

I am delighted to say that we have released two new free tools.

CAT.NET - Community Technology Preview

CAT.NET is a managed code static analysis tool for finding security vulnerabilities. It is exactly the same tool we use internally to scan all of our Line of Business (LOB) applications; it runs as a Visual Studio plug-in or as a stand-alone application. It was engineered by this group (CISG) and designed in partnership with the ACE Team and Microsoft Research (MSR). The ACE Team do thousands of code reviews for our internal line of business applications and for external customers, and over the years they have fed a wealth of real-world knowledge and experience into the tool. We will be posting several deep-dive blogs this week on the inner workings of the call graph and flow graph analysis and on the algorithms behind CAT.NET from MSR. It is a technology preview; we know there are some performance and functionality limitations that we will be working on over time, but we are already deep in discussion about the future design of CAT.NET and it is looking potentially very compelling.

You can download the current CTP builds from MSDN (32 bit here and 64 bit here) and submit bugs and feedback to our Connect site (see a post later this week for details).

Anti-XSS 3.0 - Beta

Cross Site Scripting (XSS) continues to plague web sites and, among other things, has become a common attack vector for phishing campaigns that deliver payloads to unsuspecting users.

With this release we have taken a fresh look at how to provide protection to ASP.NET applications. As well as significantly better coverage for internationalisation in the core library and significantly improved performance, we are now shipping the Security Runtime Engine (SRE), a .NET plug-in for ASP.NET that overrides the default encodings to render sites safe from XSS with zero code changes. While the SRE cannot be used in every circumstance and cannot prevent every type of XSS, we believe it will provide great coverage in a wide variety of situations and forms another important layer in a defence-in-depth strategy. In testing on our own applications in Microsoft IT we have typically seen it fix between 50% and 90% of the XSS issues in an application out of the box, with no code changes needed. We are experimenting with preventing other attacks beyond XSS and expect to extend coverage in future releases.

With this release we are also shipping a performance test harness so you can test your own applications in pre-production, a copy of our own performance results as measured by the ACE Team, and a sample application that you can use to demonstrate the attack and how to fix it to your development teams. Another significant change is that Anti-XSS 3.0 is now released as an open source tool under the MS-PL license on CodePlex.

You can download the current beta binaries from MSDN here and source code from CodePlex here. For Anti-XSS you can submit bugs and feedback directly to our CodePlex site here.

Look for detailed posts about both Anti-XSS and CAT.NET on this blog this week, and for ongoing updates about these and related technologies here as well.

Subscribe via RSS here.

Happy Holidays!


Mark