Microsoft Research Security Policy Analyser – Now integrated into VS2005

If you haven't already played with the Security Policy Analyser that shipped with WSE 3.0 - take a look. It rocks! Amongst other things it performs static validations to catch vulnerabilities such as:

  • Use of test root certificates

  • Leaving “detailed errors” configuration turned on

  • Dictionary attack is possible where signature is not encrypted

  • Credit-taking attacks are possible

  • etc

And if you have played with it but got frustrated that you had to run it from the command line then we have great news. Pablo Galiano has implemented a version that uses GAT (guidance automation toolkit) to integrate this capability directly into Visual Studio!

For more information or to download a version of the tool join our workspace at

For more information on the actual basis for the tooling take a look at the Microsoft Research Samoa project at - The analyser is one result of a lengthy investigation into establishing formal methods for specifying and verifying security goals of applications...


Skip to main content