What’s Coming from the Information Security Tools Team

Mark Curphey here (Follow me using @curphey on Twitter).

June is a busy time of year around MSFT. For most teams you have a pretty good idea about your budget for the next year (July – July) and the end of year performance review cycle kicks in. You spend most of your time in retrospective of the last year with your team and your manager and in planning for the next year. I wanted to give you an insight into what to expect coming out of this team in the next year.

As you may have already read, we are organized into what we call “development cells”. Each cell has a program manager, developers and test engineers, and for the most part its members are based in the same physical location. This was a move we made a few months ago as we move further toward a truly agile team. We’ll be getting the PMs and dev leads to start sharing some of their secrets for dev team success on this blog in the future. We have five cells that are based in Redmond, Hyderabad (India) and Beijing.

  • Security Management – Redmond
  • Assessment & Protection – Mixed
  • Operations – Hyderabad
  • Identity & Access – Hyderabad
  • Sustained Engineering – Beijing

Security Management

We are feature complete on the first version of “Risk Tracker”, an application to track information security risks. This is built using the first version of our Connected Information Security Framework, or CISF. CISF is a set of APIs and components built on the MSFT tech stack from which you can rapidly assemble your own custom applications or restack existing ones. CISF will evolve significantly over the next two years as we build out and extend components and APIs to fulfill the immediate requirements of the applications we are working on. Think Oxite for security!

The initial release will be bare bones but will have a basic notification engine, an ASP.NET (AJAX) portal with a widget framework, a workflow engine, a BI layer including reporting (scheduling, distribution etc.) and data analysis, and various underlying technology such as an authorization API. It’s all architected on WCF. Over the year you can probably expect us to add a full data warehouse based on SQL Server Madison, an Enterprise Service Bus for integration based on WCF, and token ID support using Geneva, as well as threats and countermeasures web services and the backend to support those services.

We plan to release the framework as an open source project under an MS-PL license in the August timeframe on CodePlex, with quarterly releases thereafter. The plan is to release the “Risk Tracker” application also under an MS-PL license as a “Quick App” for you to customize and extend for your own needs. Some MSFT customers have expressed an interest in sharing their custom applications and porting existing ones or building new ones to run on the framework. We have heard about incident tracking and intelligence sharing apps and very much hope to build an ecosystem around this. If you are interested in engaging with us on a proactive basis (i.e. you have apps you might be interested in sharing with the community as opposed to just consuming), please get in touch with me directly. [The above is all subject to final legal approvals etc.]

You can think about “Risk Tracker” and CISF as a showcase of how we use the MSFT technology stack to build custom applications needed to power your people, process and technology information security program. We are releasing it so you can do the same and benefit from our efforts.

The security management cell will also be working on information security scorecards with both manual and automated data entry (built on the BI components of CISF), planned to be released in the framework at some point, as well as extending our business continuity management tool.

Assessment & Protection

CAT.NET 2.0 – July sees a six-month project to create CAT.NET 2.0. We will be focused on Performance (porting it to CCI2 and dealing with the underlying architecture to enable it to really scale), Accuracy (including implementing the MSR Merlin project and general algorithm updates), UX (including tight integration into Visual Studio and a shiny new UI) and general features such as exposing an API for people to write their own custom rules. We have a new interim build of CAT.NET ready for release in a few weeks. It contains minor fixes and updates.

Anti-XSS + – We’ll be moving Anti-XSS to a release in the Summer as well as significantly extending the functionality to include SQL Injection protection (already built) and several other big ticket web vulnerabilities. It will probably move to be called the Web Protection Library to reflect the enhanced scope.

Threat Modeling – We have a new version of the Threat Application Modeling tool 3.0 in test and slated to ship in July (just a few weeks away). It focuses on general usability improvements, minor features and bug fixes as well as a separation of threat information from the client tool. It’s a prototype of putting the threats and countermeasures into the cloud using Azure! We expect to work on some significant things in the threat modeling space but it’s too early to talk about them at this stage.

Identity & Access

The identity and access cell will continue to work on retiring our “Rube Goldberg” / “Heath Robinson” machine of identity tools we have in MS-IT today in favor of the Forefront Identity Manager or FIM (was ILM 2). The team will be blogging about some work we have recently done building reporting on top of FIM using the FIM SDK. They have some great detailed knowledge to share. The team will also be re-building a custom tool that audits user access requests and provides SOX audit reporting information, something we expect to be built around FIM and leveraging various CISF components as well as some centralized BitLocker management tools we have developed for the helpdesk to centrally manage BitLocker key recovery across our global environment.


Operations

The operations cell will continue to work on data leakage protection tools, including tools to scan file stores, SharePoint sites and other network locations for sensitive data being inadvertently stored, and some work in partnership with the Forefront client team to customize the DLP capabilities for some specific needs we have. This cell also builds a remote vulnerability assessment tool that we have built to sweep the entire network (it’s big!), and we’ll be blogging about how to assess specific things in Microsoft environments. We recently published a blog post on interrogating certificates on IIS, for instance.

So it should be an exciting year with a bunch of cool projects. We’ll share as much as we can and share code where possible.

We hope you enjoy!


