I’m Frank Brisse, the Program Manager on the Information Security Tools Team. A little background on me: I’ve been at Microsoft for 13-plus years in many different groups. I started my journey at Microsoft in 1996 working in MSN. After working on the ad rendering system in MSN I moved on to the Visual Studio team, where I worked on Team Foundation Server. After that tenure, I went into the Information Technology group building different tools. It’s in this role where I clearly identified my passion for building tools. It’s an odd passion, but I’ll explain why.

To start with, working for Microsoft has been a life-changing experience. I’m not just saying this because I drank some type of elixir. I love the fact that I was able to work in multiple groups without moving my family or changing companies. The opportunities available for me to learn, focus and teach have made me grow as a person. My passion around tools came into focus a few years ago when I joined the Information Technology world. Instead of having specific feature responsibilities, I had responsibility for delivering a product. Yes, they’re smaller-scale projects and don’t have the same exposure as big products, but seeing projects from beginning to end is refreshing. You get to follow from inception to delivery, and this brings a sense of great satisfaction. Out of necessity, I trained to be a Scrum Master and Team Software Process coach/instructor, and then went on to implement these processes.

So what’s the focus of this blog? Well, it’s twofold. First, because I’m the tools PM, I’ll discuss the security tools we’ve developed. I’ll also discuss the processes (agile/Scrum) used to deliver these tools. This will be a transparent web log in that none of this will be perfect and we’ll share the good with the bad.

The tools I’ll be focusing on:

· Code Analysis Tool for .NET (code name CAT.NET): CAT.NET is a static code analysis tool that helps identify some of the most common security flaws found within web applications: SQL injection, cross-site scripting and other data injection bugs. It is able to scan compiled managed assemblies (C#, Visual Basic .NET, J#) and analyze dataflow paths from sources of user-controlled input to vulnerable outputs. It also detects whether proper encoding or filtering has been applied to the data and will ignore such "sanitized" paths.

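To make the source-to-sink idea concrete, here is an added example (not CAT.NET code, and not a description of its internals) of the same analysis in miniature: a tiny straight-line program is represented as a list of assignments, taint is propagated from constructed "source" calls through assignments, and a path is reported only when it reaches a "sink" without passing through an encoder that covers that sink. The API names used as sources, sinks and sanitizers are constructed for the demo and only resemble ASP.NET names; a real analyzer works over compiled IL and a full control-flow graph.

```python
"""Illustrative source-to-sink taint tracking over a tiny straight-line IR.

Added example; this is NOT CAT.NET code. It mimics the idea the post
describes: user-controlled input (a source) flowing through assignments into
a dangerous call (a sink) is a finding, unless an encoding/sanitizer call
that covers that sink sits on the path. All API names below are constructed.
"""
from dataclasses import dataclass

# Constructed signatures (hypothetical; chosen to resemble ASP.NET APIs).
SOURCES = {"Request.QueryString", "Request.Form"}
SINKS = {"SqlCommand.ExecuteReader": "SQL injection",
         "Response.Write": "cross-site scripting"}
# A sanitizer only neutralizes data for the sinks it is designed for:
# HTML-encoding a value does nothing for a SQL sink.
SANITIZERS = {"AntiXss.HtmlEncode": {"Response.Write"},
              "SqlParameter": {"SqlCommand.ExecuteReader"}}


@dataclass
class Instr:
    dest: str      # variable assigned ("" for a bare sink call)
    call: str      # function/property invoked
    args: tuple    # variable names passed in


def analyze(program):
    """Return a list of (sink, vulnerability, path) findings."""
    # var -> (path of names the taint travelled through, sinks it is safe for)
    taint = {}
    findings = []
    for ins in program:
        if ins.call in SOURCES:
            taint[ins.dest] = ([ins.call, ins.dest], set())
        elif ins.call in SANITIZERS:
            for a in ins.args:
                if a in taint:
                    path, safe = taint[a]
                    taint[ins.dest] = (path + [ins.call, ins.dest],
                                       safe | SANITIZERS[ins.call])
        elif ins.call in SINKS:
            for a in ins.args:
                if a in taint:
                    path, safe = taint[a]
                    if ins.call not in safe:   # sanitized paths are ignored
                        findings.append((ins.call, SINKS[ins.call],
                                         path + [ins.call]))
        else:
            # Ordinary call: the result is tainted if any argument is.
            for a in ins.args:
                if a in taint:
                    path, safe = taint[a]
                    taint[ins.dest] = (path + [ins.dest], safe)
                    break
    return findings


# Constructed sample program, roughly "read a query-string value, build SQL
# by concatenation, echo it to the page in raw and HTML-encoded forms".
PROGRAM = [
    Instr("name", "Request.QueryString", ()),
    Instr("sql", "String.Concat", ("name",)),              # tainted string
    Instr("", "SqlCommand.ExecuteReader", ("sql",)),       # finding: SQLi
    Instr("safeName", "AntiXss.HtmlEncode", ("name",)),
    Instr("", "Response.Write", ("safeName",)),            # encoded: ignored
    Instr("", "Response.Write", ("name",)),                # finding: XSS
    Instr("", "SqlCommand.ExecuteReader", ("safeName",)),  # finding: wrong encoder
]


def demo():
    """Run the analysis over the constructed program; returns 3 findings."""
    return analyze(PROGRAM)


if __name__ == "__main__":
    for sink, vuln, path in demo():
        print(f"{vuln} at {sink}: {' -> '.join(path)}")
```

The last instruction is the interesting one: the value went through an encoder, but not one that makes it safe for a SQL sink, so it is still reported. That is the distinction a dataflow tool has to make, and why "sanitized" is always relative to a particular sink.
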
· Web Application Configuration Analyzer (code name WACA): WACA analyzes application configuration for security best practices related to general application, IIS, ASP.NET application and SQL Server settings. Machines can be scanned remotely to identify any insecure configuration. It provides a detailed report on multiple instances of checks for further analysis. Violations in the report can be exported to Excel or Visual Studio Team Foundation Server. The tool automates the checking of a host configuration checklist.

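As an added illustration of the kind of check a configuration analyzer runs (this is not WACA's code or its rule set), the following script reads an ASP.NET web.config with the Python standard library and flags a few well-known insecure settings: debug compilation, detailed error pages exposed remotely, remote tracing, and cookies without the HttpOnly or Secure flags. The web.config shown is constructed for the demo.

```python
"""Illustrative ASP.NET web.config checker.

Added example, not WACA's code or rule set. It reads a web.config and reports
a handful of well-known insecure <system.web> settings. The sample
configuration below is constructed for the demo.
"""
import xml.etree.ElementTree as ET

# Constructed sample: every check below fires on it.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
    <httpCookies httpOnlyCookies="false" requireSSL="false" />
  </system.web>
</configuration>
"""


def _attr_is(el, name, value):
    """True if element exists and its attribute equals value (case-insensitive)."""
    return el is not None and el.get(name, "").lower() == value


def check_web_config(xml_text):
    """Return a list of (element, message) findings for insecure settings."""
    root = ET.fromstring(xml_text)
    web = root.find("system.web")
    findings = []
    if web is None:
        return findings

    if _attr_is(web.find("compilation"), "debug", "true"):
        findings.append(("compilation",
                         'debug="true" deploys debug builds and leaks stack detail; '
                         'set debug="false" in production'))

    if _attr_is(web.find("customErrors"), "mode", "off"):
        findings.append(("customErrors",
                         'mode="Off" shows detailed error pages to remote users; '
                         'use mode="On" or "RemoteOnly"'))

    tr = web.find("trace")
    if _attr_is(tr, "enabled", "true") and _attr_is(tr, "localOnly", "false"):
        findings.append(("trace",
                         "trace output is reachable remotely; disable tracing "
                         'or set localOnly="true"'))

    hc = web.find("httpCookies")
    if _attr_is(hc, "httpOnlyCookies", "false"):
        findings.append(("httpCookies",
                         'httpOnlyCookies="false" lets page script read cookies; '
                         'set it to "true"'))
    if hc is not None and hc.get("requireSSL", "false").lower() != "true":
        findings.append(("httpCookies",
                         'requireSSL is not "true", so cookies may be sent over '
                         "plain HTTP"))
    return findings


if __name__ == "__main__":
    for element, message in check_web_config(SAMPLE_WEB_CONFIG):
        print(f"[{element}] {message}")
```

Note that the checks only flag explicit insecure values: a missing customErrors element is left alone, because the framework default is RemoteOnly, and a checker that reports defaults as violations trains people to ignore its output.
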
· Web Protection Library (code name WPL, pronounced “Wipple”): The Web Protection Library provides protection from common security vulnerabilities. It includes the library formerly known as the Anti-XSS library. WPL now includes encoding methods to provide mitigations for LDAP injection and CSS (Cascading Style Sheets) injection, with several additional encoding formats planned for the final release. The runtime protection module includes a new HTTP module that detects and protects against SQL injection attempts, using a specialized SQL parser to detect valid SQL queries in the input.
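As an added example of what an LDAP-injection encoder has to do (this is not WPL's implementation, only the same class of mitigation written out), here is a filter-value encoder following the RFC 4515 escaping rules: the characters `*`, `(`, `)`, `\` and NUL inside a filter value are replaced by a backslash and two hex digits, and for safety everything outside printable ASCII is escaped the same way. The filter-building helper and the sample inputs are constructed for the demo.

```python
"""Illustrative LDAP search-filter value encoding (RFC 4515, section 3).

Added example, not Web Protection Library code. It shows the kind of output
encoding the post says WPL provides for LDAP: characters that have meaning
inside a filter are escaped as backslash + two hex digits so user-supplied
text can only ever be matched as a literal value. Sample inputs are constructed.
"""


def ldap_filter_encode(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP filter."""
    out = []
    for ch in value:
        # RFC 4515 requires escaping * ( ) \ and NUL; we also escape anything
        # outside printable ASCII (UTF-8 bytes, one escape per byte).
        if ch in "*()\\\x00" or not (0x20 <= ord(ch) < 0x7F):
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(username: str) -> str:
    """Build a filter matching exactly one uid; the value is always encoded."""
    return "(&(objectClass=person)(uid=%s))" % ldap_filter_encode(username)


# Constructed input containing filter metacharacters. Unencoded, the ')' and
# '(' would be parsed as filter syntax; encoded, they are literal bytes of the
# uid value and the filter keeps its intended shape.
SAMPLE_INPUT = "alice)(uid=*"

if __name__ == "__main__":
    print(build_user_filter("alice"))
    print(build_user_filter(SAMPLE_INPUT))
```

Encoding at the point where the value enters the filter is the whole mitigation: the caller never has to decide whether a given string "looks dangerous", which is the same reason parameterized queries beat input blacklists for SQL.
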