The Connected Information Security Group
This Blog URL Has Changed – Please Update Your Readers
Posted over 3 years ago by cisg. Comments: 1
Things have been quiet on the blog for a while. There is a LOT of code being cranked out at the moment as we work towards some deadlines in the summer on various projects. Our team name has also changed from the Connected Information Security Group (CISG...
CAT.NET New Build – 1.1.1.8
Posted over 3 years ago by cisg. Comments: 1
Mainly small bug fixes and a new feature to export the findings into an Excel spreadsheet. Download link is - http://www.microsoft.com/downloads/details.aspx?FamilyId=0178e2ef-9da8-445e-9348-c93f24cc9f9d&displaylang=en We recommend all users...
Getting Help for CAT.NET and Anti-XSS
Posted over 3 years ago by cisg. Comments: 1
We now have a discussion forum for users of CAT.NET. There is no official support for these tools but you can ask questions and we will try to help wherever we can! CAT.NET - http://social.msdn.microsoft.com/Forums/en-US/catnet/threads/ Anti-XSS - http...
MSDN Webcast: Software Security with Static Code Analysis Using CAT.NET (Level 200)
Posted over 3 years ago by cisg. Comments: 1
Event Overview In this webcast, we provide an overview of what static code analysis is and typical coding errors that static analysis can and cannot detect. We also look at the recently released CAT.NET tool and how it helps with the detection of security...
AntiXSS Library V3.0 - Test Harness
Posted over 3 years ago by cisg. Comments: 4
Hi, Anil Chintala here… In this post I wanted to talk about the new Test Harness application which was released as part of the AntiXSS V3.0 Beta and is available as a free download on MSDN with source code available for download on CodePlex . Test...
Current Memory Limitations of CAT.NET
Posted over 3 years ago by cisg. Comments: 3
Hi, Andreas Fuchsberger here..... It is important to understand what happens when CAT.NET builds its Call Flow Super Graphs. We use a CCI object called CciControlGraph to build a Control Flow Graph for each method and each method call we find in the Common...
Free MSDN Webcast: Managing Cross-Site Scripting Using CAT.NET and AntiXSS (Level 200)
Posted over 3 years ago by cisg. Comments: 1
Language(s): English. Product(s): Security. Audience(s): Developer. Duration: 60 Minutes Start Date: Friday, January 09, 2009 12:00 PM Pacific Time (US & Canada) Register Here
Merlin: Better Specifications for CAT.NET
Posted over 3 years ago by cisg. Comments: 2
Guest post by Ben Livshits of Microsoft Research here.... In the last several years we have seen a proliferation of static (and sometimes runtime) analysis tools for finding web application vulnerabilities. Companies such as Fortify, Ounce Labs, Klocwork...
Security Code Review Using CAT.NET - Part 2
Posted over 4 years ago by cisg. Comments: 2
Hi, Andreas Fuchsberger here again...... How does CAT.NET work? As I mentioned in Part 1 here, CAT.NET is an information-flow type static analysis tool using an implementation of tainted-variable analysis. Tainted-variable analysis is an integrity problem...
Security Code Review Using CAT.NET - Part 1
Posted over 4 years ago by cisg. Comments: 2
Hi, Andreas Fuchsberger here … To coincide with the CTP release of CAT.NET and Anti-XSS, within the CISG we have been taking a long hard look at static analysis tools for developers and Information Security professionals. Over the next series of...
CAT.NET CTP Links Are Live Again!
Posted over 4 years ago by cisg. Comments: 1
Download CAT.NET CTP ( 32 bit here and 64 bit here ) Anti-XSS was not affected but for completeness Download Anti-XSS 3.0 Beta ( here and source code here ) Our sincere apologies.
CAT.NET Status Update
Posted over 4 years ago by cisg. Comments: 0
12 pm PST 17th, December. We continue to face issues with the download links. We are doing everything we can to resolve this and expect it to be resolved within a few hours. We will update this blog with any further news. Our sincere apologies.
Secure String in .Net - Part II
Posted over 4 years ago by cisg. Comments: 1
Hi, Gaurav Sharma here with more information about SecureStrings. This time I'll cover the following topics: SecureString internals; Performance. Let us start with our first topic, SECURE STRING INTERNALS. BASICS: Class Name: SecureString Assembly: mscorlib.dll...
Download Problem for CAT.NET - Status Update
Posted over 4 years ago by cisg. Comments: 0
We are continuing to experience problems with the 32 bit download link for CAT.NET. We now estimate a fix by mid-day PST tomorrow (17th December). The 64 bit download link is active again here . I will post here as soon as it is resolved. Our continued...
Download Problem for CAT.NET - Status Update
Posted over 4 years ago by cisg. Comments: 1
We are continuing to experience problems with the links to download CAT.NET. We estimate a fix by 5pm today (16th December). I will post here as soon as it is resolved. Our continued apologies.
How the Anti-XSS 3.0 SRE Works
Posted over 4 years ago by cisg. Comments: 1
RV again... Last time around we looked at SRE from a conceptual perspective; this time let's look at it from a code perspective. Let's trace the program flow and understand in depth what SRE code does. SRE is a HttpModule, the main class file is AntiXssModule...
Anti-XSS 3.0 Beta and CAT.NET Community Technology Preview now Live!
Posted over 4 years ago by cisg. Comments: 19
Mark Curphey here..... I am delighted to say that we have released two new free tools. Download CAT.NET CTP ( 32 bit here and 64 bit here ) Download Anti-XSS 3.0 Beta ( here and source code here ) CAT.NET - Community Technology Preview CAT.NET is a managed...
An Update on Some Upcoming Free Tools
Posted over 4 years ago by cisg. Comments: 5
Mark Curphey here..... If the economy is getting you down here is some good news. We may have been quiet for the last few weeks but that's because we've been busy! Anti-XSS 3.0 is being released as an internal beta today. We are aiming for a public beta...
Using Role Based Access Control in the .NET Framework - Part 2
Posted over 4 years ago by cisg. Comments: 1
Vineet Batta here again.. In my last blog I discussed how to use role based access control (RBAC) and described how we can restrict access to the method based on the declarative method. In today's blog I will explain how to use Imperative role based...
Using Role Based Access Control in the .NET Framework - Part 1
Posted over 4 years ago by cisg. Comments: 1
Hi, Vineet Batta here.. Consider a scenario where you want to write an assembly which contains methods that only certain types of users can call (domain\Administrators or a specific custom user account). So how can we control this within code and let...
ISO/IEC JTC 1/SC 27 - Working Group - Trip Report
Posted over 4 years ago by cisg. Comments: 0
Hi, Andreas Fuchsberger here again.... Introduction: The most recent ISO/IEC JTC1/SC 27 (Subcommittee) Working Group (WG) meetings took place from 6th – 10th October 2008 in Limassol, Cyprus. As is set out by SC27’s charter all 5 Working Group...
ISO SC27 Introduction and History
Posted over 4 years ago by cisg. Comments: 1
Hi Andreas Fuchsberger here..... In order to better understand a report I am about to post next on a recent ISO security meeting I thought I would include some additional information about the language used in SC 27 and how SC 27 standards are created...
A Sneak Peak at the Security Runtime Engine
Posted over 4 years ago by cisg. Comments: 4
RV here again... Traditionally security fixes are applied to specific pieces of code where a vulnerability exists which usually involves some development and testing effort. Imagine a system where an application is instantly secured by simple configuration...
Introducing SecurityNow
Posted over 4 years ago by cisg. Comments: 0
Mark Curphey here..... A few months back I challenged some of my team to build a "Proof of Concept" (POC) that would: demonstrate how we could apply some of the ideas and concepts we had been talking about such as BPM and BI; show how Microsoft...
Secure Strings in .NET - Part I
Posted over 4 years ago by cisg. Comments: 7
Hi, Gaurav Sharma here....... I am a developer on the CISG India team based in Hyderabad and I joined Microsoft four months ago. I love playing computer games and recently finished Call of Duty 4. For the last three years I've been working with .NET and...