Microsoft Research Security Policy Analyser – Now integrated into VS2005


If you haven’t already played with the Security Policy Analyser that shipped with WSE 3.0 – take a look. It rocks! Amongst other things it performs static validations to catch vulnerabilities such as:



  • Use of test root certificates

  • Leaving “detailed errors” configuration turned on

  • Dictionary attack is possible where signature is not encrypted

  • Credit-taking attacks are possible

  • etc

And if you have played with it but got frustrated that you had to run it from the command line then we have great news. Pablo Galiano has implemented a version that uses GAT (guidance automation toolkit) to integrate this capability directly into Visual Studio!


For more information or to download a version of the tool join our workspace at http://practices.gotdotnet.com/projects/sopatterns


For more information on the actual basis for the tooling take a look at the Microsoft Research Samoa project at – http://research.microsoft.com/projects/samoa/. The analyser is one result of a lengthy investigation into establishing formal methods for specifying and verifying security goals of applications…