Microsoft Research Security Policy Analyser - Now integrated into VS2005

If you haven't already played with the Security Policy Analyser that shipped with WSE 3.0 - take a look. It rocks! Amongst other things it performs static validations to catch vulnerabilities such as:

• Use of test root certificates
• Leaving “detailed errors” configuration turned on
• Dictionary attack is possible where signature is not encrypted
• Credit-taking attacks are possible
• etc

And if you have played with it but got frustrated that you had to run it from the command line then we have great news. Pablo Galiano has implemented a version that uses GAT (guidance automation toolkit) to integrate this capability directly into Visual Studio!

For more information or to download a version of the tool join our workspace at https://practices.gotdotnet.com/projects/sopatterns

For more information on the actual basis for the tooling take a look at the Microsoft Research Samoa project at - https://research.microsoft.com/projects/samoa/. The analyser is one result of a lengthy investigation into establishing formal methods for specifying and verifying security goals of applications...