Some New Software Security Tools for Web Developers – (CTP Releases)

Curphey here…..(follow me on Twitter @curphey if you want the breaking news!)

My wife keeps telling me I work too much. Maybe I do, maybe I don’t, but if I do I am not alone. Some folks on my team have been doing some super-human stuff and we are ready to share some early preview releases with y’all. Let’s call this Anti-patch Tuesday (assuming I get to post this before midnight tonight)!

In this little package we have:

  • CAT.NET 2.0 CTP
  • WACA 1.0 CTP
  • WPL 1.0 CTP

Watch our recent video “Assessment and Protection Suite,” where RV and I discuss the future of these tools.

CAT.NET 2.0 CTP – CAT.NET is being re-written from the ground up. The original tainted data analysis algorithm has been ported to the Phoenix compiler infrastructure, along with a shiny new configuration rules engine that looks in the *.config files for common security mis-configurations. This CTP is a command-line-only single-pass data flow engine and configuration rules engine. Over the coming few months or so we will work to scale the core engine and fully integrate the tool into the Code Analysis menu of Visual Studio 2010. When Visual Studio 2010 ships, the tool will be released as a Power Tool, free to licensed users of Visual Studio.
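To make the "single-pass data flow engine" idea concrete, here is a toy taint analysis added to this post; it is illustrative code, not CAT.NET's engine. The mini instruction format, the source/sink/sanitizer tables (including the hypothetical `Sanitizer.EscapeSql` call) and the sample program are all constructed for the example. It walks the program once, marks anything returned by a request source as tainted, lets a sanitizer clear taint for one sink kind only, and reports tainted values that reach a sink they are dangerous for.

```python
"""Toy single-pass taint (data-flow) analysis. Illustrative only: the IR,
the tables and the sample program below are assumptions made for this example."""

# Untrusted inputs: anything returned by these calls is tainted for every sink kind.
SOURCES = {"Request.QueryString", "Request.Form", "Request.Cookies"}
# Sanitizers clear taint for ONE sink kind (HTML encoding does not stop SQLi).
# "Sanitizer.EscapeSql" is a hypothetical name used only for this example.
SANITIZERS = {"AntiXss.HtmlEncode": "xss", "Sanitizer.EscapeSql": "sqli"}
# Sinks and the kind of taint that is dangerous when it reaches them.
SINKS = {"Response.Write": "xss", "SqlCommand.CommandText": "sqli"}
ALL_KINDS = frozenset(SINKS.values())


def taint_of(operand, env):
    """Taint kinds carried by an operand: a quoted literal is trusted (empty set),
    a variable name is looked up in the environment."""
    if operand.startswith('"'):
        return frozenset()
    return env.get(operand, frozenset())


def analyze(program):
    """Propagate taint over the instruction list in a single top-to-bottom pass.

    Instructions:
      ("call",   dst, callee, [args])   dst is None for a pure sink call
      ("concat", dst, [operands])       string concatenation: union of operand taint
    Returns findings as (index, callee, argument) for each tainted argument
    that reaches a sink it is dangerous for."""
    env = {}        # variable -> frozenset of live taint kinds
    findings = []
    for i, ins in enumerate(program):
        if ins[0] == "concat":
            _, dst, operands = ins
            env[dst] = frozenset().union(*(taint_of(o, env) for o in operands))
            continue
        _, dst, callee, args = ins
        arg_taint = frozenset().union(*(taint_of(a, env) for a in args))
        if callee in SINKS and SINKS[callee] in arg_taint:
            bad = [a for a in args if SINKS[callee] in taint_of(a, env)]
            findings.append((i, callee, bad[0]))
        if dst is None:
            continue
        if callee in SOURCES:
            env[dst] = ALL_KINDS
        elif callee in SANITIZERS:
            env[dst] = arg_taint - {SANITIZERS[callee]}
        else:
            env[dst] = arg_taint   # unknown call: conservatively pass taint through
    return findings


# Constructed sample program (a page handler flattened into the toy IR).
SAMPLE = [
    ("call", "name", "Request.QueryString", ['"name"']),        # 0: source
    ("call", "enc", "AntiXss.HtmlEncode", ["name"]),            # 1: clears xss only
    ("call", None, "Response.Write", ["enc"]),                  # 2: safe
    ("call", None, "Response.Write", ["name"]),                 # 3: finding (XSS)
    ("concat", "sql", ['"SELECT * FROM Users WHERE Name = \'"', "name", '"\'"']),
    ("call", None, "SqlCommand.CommandText", ["sql"]),          # 5: finding (SQLi)
    ("call", None, "SqlCommand.CommandText", ["enc"]),          # 6: finding (HTML encoding is not SQL escaping)
    ("call", "esc", "Sanitizer.EscapeSql", ["name"]),           # 7: clears sqli only
    ("call", None, "SqlCommand.CommandText", ["esc"]),          # 8: safe
]

if __name__ == "__main__":
    for idx, callee, arg in analyze(SAMPLE):
        print(f"statement {idx}: tainted '{arg}' reaches {callee}")
```

The point worth noticing is statement 6: the value was sanitized, but for the wrong sink kind, which is why a real engine tracks which sanitizer applies to which sink rather than a single "clean" bit.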

WACA 1.0 CTP – Web Application Configuration Analyzer – WACA is built on the Best Practice Analyzers and shares the same configuration setting rules as CAT.NET 2.0. WACA is designed to scan your development environment against best practices for .NET security configuration, IIS settings, SQL Server security best practices and some Windows permission settings. It includes:

    • Over 100 security rules in total (many more in the final release)
    • IIS Security Configuration
    • .NET Framework Security Configuration
    • SQL Server Security Configuration
    • Windows Permissions
    • Generate an HTML-based report, export results to Excel and export findings as work items to TFS (“Curphey’s Favorite Feature™”)
    • Scan a machine remotely (Requires WMI and Remote Registry)
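Both CAT.NET 2.0's configuration rules engine and WACA's .NET Framework security configuration checks boil down to reading *.config files and comparing settings against known-good values. The script below is an added example of that kind of check, not Microsoft's code; the rule ids (CFG001 and so on), the rule set and the two sample web.config documents are constructed for illustration. The one design point it demonstrates is that a missing attribute must be judged by the ASP.NET default (for example `httpCookies requireSSL` defaults to false), not treated as "not configured".

```python
"""Minimal web.config security rules check. Illustrative code added to this post;
rule ids, rule set and sample configs are constructed, not taken from CAT.NET or WACA."""
import xml.etree.ElementTree as ET

# (id, element path under <configuration>, attribute, ASP.NET default when the
#  attribute or element is absent, values considered safe, message)
RULES = [
    ("CFG001", "system.web/compilation", "debug", "false", {"false"},
     "Debug compilation enabled: detailed errors and no request timeouts"),
    ("CFG002", "system.web/customErrors", "mode", "RemoteOnly", {"On", "RemoteOnly"},
     "customErrors mode=Off returns detailed errors to remote clients"),
    ("CFG003", "system.web/trace", "enabled", "false", {"false"},
     "Page tracing enabled (trace.axd may expose request data)"),
    ("CFG004", "system.web/httpCookies", "httpOnlyCookies", "false", {"true"},
     "Cookies are not marked HttpOnly"),
    ("CFG005", "system.web/httpCookies", "requireSSL", "false", {"true"},
     "Cookies are not restricted to SSL"),
    ("CFG006", "system.web/pages", "validateRequest", "true", {"true"},
     "Request validation disabled"),
]


def effective(root, path, attr, default):
    """Value the framework will actually use: explicit attribute, else default."""
    el = root.find(path)
    if el is None:
        return default
    return el.get(attr, default)


def check_forms_auth(root):
    """Conditional rule: only meaningful when Forms authentication is in use."""
    auth = root.find("system.web/authentication")
    if auth is None or auth.get("mode", "Windows").lower() != "forms":
        return None
    forms = auth.find("forms")
    if forms is None or forms.get("requireSSL", "false").lower() != "true":
        return ("CFG007", "system.web/authentication/forms@requireSSL=false",
                "Forms authentication ticket cookie is not restricted to SSL")
    return None


def scan(config_xml):
    """Return a list of (rule id, setting, message) findings for one web.config."""
    root = ET.fromstring(config_xml)
    findings = []
    for rid, path, attr, default, ok, msg in RULES:
        value = effective(root, path, attr, default)
        if value.lower() not in {v.lower() for v in ok}:
            findings.append((rid, f"{path}@{attr}={value}", msg))
    extra = check_forms_auth(root)
    if extra:
        findings.append(extra)
    return findings


# Constructed sample: a typical development-box web.config with weak settings.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <customErrors mode="Off" />
    <httpCookies httpOnlyCookies="true" />
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" />
    </authentication>
  </system.web>
</configuration>"""

# Constructed sample: the same site with each finding corrected.
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.0" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <pages validateRequest="true" />
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for rid, setting, msg in scan(WEAK_WEB_CONFIG):
        print(f"{rid} {setting}: {msg}")
    print("hardened config findings:", scan(HARDENED_WEB_CONFIG))
```

Run against the weak sample it reports the debug flag, the customErrors mode, the missing cookie `requireSSL` and the forms ticket without `requireSSL`; the hardened sample produces no findings.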

If you think of rules you would like to see, you can always let us know via the Connect site. No promises, but we will promise to consider them all.

WPL 1.0 CTP – Web Protection Library – For a while we have been building and shipping the Anti-XSS library, and we have been working on broader mitigations for common web application security issues beyond XSS. The WPL will act as an umbrella for several libraries and runtime modules, including Anti-XSS, that provide coverage for issues such as SQL Injection and CSRF, as well as enforcing security settings such as SSL and HttpOnly cookies. We have worked hard to make the developer experience similar to that of EntLib, with a configuration utility that runs inside of Visual Studio. We expect a first release of WPL early in 2010. This CTP includes the SQL Injection protection module. Using the Security Runtime Engine you can now install the technology on your IIS servers and provide reasonable runtime protection against XSS and SQLi without any code changes. We know that it won’t catch everything, but testing and experience have shown it provides a solid level of coverage against many scenarios found in the real world. Get more details on WPL in a recent video, “Enhanced Web Protection Library,” where RV talks about the expansion of what used to be the Anti-XSS Library.

To download these tools for free you will need to register on our Connect site. This helps us track the number of downloads, and Connect provides a way for you to submit change requests (CRs) and bugs directly to the development team.

When you are registered for our program at Connect you can download the tools directly – CAT.NET 2.0 CTP – WPL 1.0 CTP – WACA 1.0 CTP

We hope you enjoy the tools as much as we enjoy creating them. If you use them please let us know. Buy us beer at conferences (indeed invite us to speak at your security conferences and then buy us beer), send us “cube toys” and trinkets to put in our offices or just tell us how much you like our work in the comments section 😉

- Curphey

PS – To my super-human team - Just cause I am sometimes grumpy doesn’t mean I am not in awe of your amazing work. I just get beaten too often on the foos-ball table to be happy all day! You all know who you are, I am super proud and honored to work with y’all. Now go get some sleep before the next sprints start!

Comments (6)
  1. SFiorito says:

    The download returns 404s.

    I’m registered for the InfoSec Tools connection, but no info is up on the site yet.

  2. Anil Revuru says:

    Please make sure you have subscribed to the CAT.NET or WPL or WACA program to download the appropriate build. We have also opened it up to registered users now. But in order to submit feedback you have to be part of the program.



  3. mdekleine says:

    Great news! You guys really make a great effort of providing us with these tools in a very short time.

    I am really interested to get my hands on the new tool to see if this performs better than the 1.0 version. I applied but my status is still pending so I can’t download the software. Is this because it is still not available?

  4. dcuthbert says:

    Fantastic job all, about time this was nicely wrapped up rather than being a bunch of separate projects.

    I’d love more info on how certain aspects like the ‘New SQL Injection detection module to detect SQL Queries in input’ function works.

    Also the CSRF function, again how does it do what it does?

  5. dcuthbert says:

    Call me old fashioned, but isn’t requiring a beta version of .NET for CAT.NET limiting who will have a chance to use it?

    In most scenarios, developers will not have access to install beta frameworks. I know it’s a CTP, but surely some backward compatibility is needed?

  6. Anil Revuru says:

    Hi dcuthbert,

    I have approved everybody whose status was pending. Please let me know if you are still not able to download.

    Due to technical reasons, we are using the beta version of .NET Framework v4.0. Also, we are utilizing some of the new features of the framework.


    Anil Revuru

    Information Security Tools
