We have previously written about Microsoft CAT.NET here. Now the Microsoft Security Tools team has released another one-month beta program for CAT.NET: the CAT.NET 2.0 Beta!
“CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection.”
It sure does include some good improvements. The changes are:
User Experience:
* Integration with Visual Studio 2010 code analysis infrastructure as FxCop rules.
* Easy analysis using the FxCop command line, the FxCop UI, or VSTS Team Build.
* Currently, the beta includes the FxCop UI and command prompt.
Core Analysis:
* A total of 55 rules have been added: 9 data flow rules and 46 configuration rules are included in this version.
* Updated tainted data flow analysis engine to track both tainted operands and source symbols.
* Reduced false positives and false negatives.
  * Accomplished by detecting sanitizers, constant variables and instructions that affect the data flow.
* New Data flow rule to detect XML Injection attacks
* Updated configuration rules engine detecting clear text connection strings and credentials.
* Rules to detect insecure defaults.
  * Example: the minRequiredPasswordLength attribute of a membership provider's add element.
* Configuration rules updated to detect @page directive configuration overrides.
Download Microsoft CAT.NET version 2.0 Beta here.