XSSDetect is a static binary analysis tool. In the first step of analysis it reads target binaries to create a directed graph where nodes represent statements while the edges represent flow of data. This graph can get huge for large applications and users...

Just a brief update, Hassan Khan one of the lead developers of XSSDetect and part of our ACE Engineering team has posted up some technical details on how XSSDetect uses data flow analysis to do its magic. You can read more about it here . Feel free to...

One of the biggest, constant problems we've seen our enterprise customers deal with and we here at Microsoft have to also contend with is that of the XSS (Cross Site Scripting) bug. It's very common and unfortunately, still an issue we have to deal with...

From Eugene Siu's blog: http://blogs.msdn.com/esiu/archive/2007/10/19/asp-net-validaterequest-does-not-mitigate-xss-completely.aspx As a security guy, I can safely say that there is no magic bullet to mitigate any security problems completely, and cross...

From Eugene Siu's blog: http://blogs.msdn.com/esiu/archive/2007/10/19/is-microsoft-office-isolated-conversion-environment-moice-mocha-on-ice.aspx MOICE may sound like mocha on ice, but it is really a strong dark espresso shot offered by Office TWC team...

From Eugene Siu's blog: http://blogs.msdn.com/esiu/archive/2007/10/11/given-enough-eyeballs-all-bugs-are-shallow-true-or-false.aspx "Given enough eyeballs all bugs are shallow." I do agree if more right-minded folks look at a piece of code, it would help...

From Eugene Siu's blog: http://blogs.msdn.com/esiu/archive/2007/10/10/system-uri-absolutepath-vs-phishing-attack.aspx Phishing attack can be caused by users inadvertently clicking on malicious links in emails or web pages, which then forward requests...

From Eugene Siu's blog ( http://blogs.msdn.com/esiu/archive/2007/10/10/web-service-security-guidance.aspx ): I have just published a Technet article. This is geared for administrators and developers as an introduction to web service security. It contains...

Mark joined ACE as of Oct. 1st and we're very glad to have him aboard! The following is a note from Mark: As is the tradition around these parts I wanted to introduce myself as the newest member of the ACE Team. My name is Mark Curphey and I’ll be...

From Eugene Siu's blog Microsoft will open up source code of .Net Framework to the public. It allows outsiders to review what is under the hood, and enables easier debugging of development projects around .Net Framework. .Net Framework code has been reviewed...