Hi! This is Hassan Khan. As promissed, here the FAQs on XSSDetect: Q. What is XSSDetect? A. XSSDetect is stripped down version of the Code Analysis Tool for .NET used by the ACE team to help find security vulnerabilities in software applications. It has been made available for free on Microsoft downloads...

XSSDetect is a static binary analysis tool. In the first step of analysis it reads target binaries to create a directed graph where nodes represent statements while the edges represent flow of data. This graph can get huge for large applications and users can sometimes run into the “out of memory exception...

Just a brief update, Hassan Khan one of the lead developers of XSSDetect and part of our ACE Engineering team has posted up some technical details on how XSSDetect uses data flow analysis to do its magic. You can read more about it here . Feel free to leave additional questions and I'm sure he'll follow...

One of the biggest, constant problems we've seen our enterprise customers deal with and we here at Microsoft have to also contend with is that of the XSS (Cross Site Scripting) bug. It's very common and unfortunately, still an issue we have to deal with in many web applications. Internally, the ACE Team...

Hey Folks, part II and III of the Channel 9 interviews are up! You can check out part II here and part III here . Ahmad Mahdi Security Technologist Microsoft – ACE Team ahmad.mahdi

The ACE Team is going to be doing a Channel 9 video with Robert Scoble! (Thanks Robert! :) We’ll get a chance to discuss what we do and how we do it. We’ll also be spending time talking about our threat modeling process and tool (more info as always on our threat modeling blog ). But the real reason...

Ever wondered how strong your crypto keys are and whether they are secure against the ever growing threat of being compromised? The threat continues to grow daily in a world where hackers are mounting more sophisticated and complex attacks against a constantly increasing attack surface. The attacks vectors...

Some users who have been using IOSEC, our internal library for defending against cross-site scripting (XSS) attacks, may be wondering what’s the difference between that library and the Microsoft Anti-Cross Site Scripting Library V1.0 at http://www.microsoft.com/downloads/details.aspx?FamilyID=9A2B9C92...

Update [3/16/06, 4:56PM] There has been some confusion between what IOSEC does and what the Microsoft Anti-Cross Site Scripting Library does (linked to below). The Anti-XSS library currently has a subset of the functionality of IOSEC. Over the coming weeks and months, we will be porting over additional...

Over the past several years, the ACE Team has developed and matured a threat modeling methodology for the implementation of software. We've recently started a separate blog for threat modeling & I'd like to invite you to check it out and keep watching it for more details as we get ready to launch...