Curphey here…..(follow me on Twitter @curphey if you want the breaking news!)

My wife keeps telling me I work too much. Maybe I do, maybe I don’t but if I do I am not alone. Some folks on my team have been doing some super-human stuff and we are ready to share some early preview releases with y’all. Let’s call this Anti-patch Tuesday  (assuming I get to post this before mid-night tonight)!

In this little package we have;

  • CAT.NET 2.0 CTP
  • WACA 1.0 CTP
  • WPL 1.0 CTP

Watch our recent video “Assessment and Protection Suite,” where RV and I discuss the future of these tools.

CAT.NET 2.0 CTP – CAT.NET is being re-written from the ground up. The original tainted data analysis algorithm has now been ported to the Phoenix compiler infrastructure, along with a shiny new configuration rules engine that look in the *.config for common security mis-configurations.  This CTP is a command line only single-pass data flow engine and configuration rules engine. Over the coming few month or so we will work to scale the core engine and fully integrate the tool into the Code Analysis menu of Visual Studio 2010. When Visual Studio 2010 ship the tool will be released as a power Tool free to licensed users of Visual Studio.

WACALaunchpadWACA 1.0 CTP – Web Application Configuration Analyzer – WACA is built on the Best Practice analyzers and shares the same configuration setting rules as CAT.NET 2.0.  WACA is designed to scan your development environment against best practices for .NET security configuration, IIS settings, SQL Server Security best practices and some Windows permission settings. It includes

    • Over 100 security rules in total (many more in the final release)
    • IIS Security Configuration
    • .NET Framework Security Configuration
    • SQL Server Security Configuration
    • Windows Permissions
    • Generate HTML based report, export results to Excel and export findings as work items to TFS (“Curpheys Favorite Feature tm” )
    • Scan a machine remotely (Requires WMI and Remote Registry)

If you think of rules you would like to see you can always let us know via the Connect site. No promises but we will promise to consider them all.

WPL 1.0 CTP – Web Protection Library – For a while we have been building and shipping the Anti-XSS library and have been working on broader mitigations for common web application security issues beyond XSS. The WPL will act as an umbrella for several libraries and runtime modules including Anti-XSS that provide coverage for issues such as SQL Injection and CSRF as well as enforcing security settings such as SSL and HTTP_ONLY cookies. We have worked hard to make the developer experience similar to that of EntLib with a configuration utility that runs inside of Visual Studio. We expect a first release of WPL early in 2010. This CTP includes the SQL Injection protection module. Using the Security Runtime Engine you can now install the technology on your IIS servers and provide reasonable runtime protection against XSS and SQLi without any code changes. We know that it won’t catch everything but testing and experience has shown it provides a solid level of coverage against many scenarios found in the real world. Get more details on WPL in a recent video, “Enhanced Web Protection Library” where RV talks about the expansion of what used to be the Anti-XSS Library.

To download these tools for free you will need to register on our Connect site. This helps us track the number of downloads and Connect provides a way for you to submit CR’s and bugs directly to the development team.

 https://connect.microsoft.com/site/sitehome.aspx?SiteID=734

When you are registered for our program at Connect you can download the tools directly

https://connect.microsoft.com/Downloads/DownloadDetails.aspx?SiteID=734&DownloadID=23328 – CAT.NET 2.0 CTP

https://connect.microsoft.com/Downloads/DownloadDetails.aspx?SiteID=734&DownloadID=23329 – WPL 1.0 CTP

https://connect.microsoft.com/Downloads/DownloadDetails.aspx?SiteID=734&DownloadID=23330 – WACA 1.0 CTP

We hope you enjoy the tools as much as we enjoy creating them. If you use them please let us know. Buy us beer at conferences (indeed invite us to speak at your security conferences and then buy us beer), send us “cube toys” and trinkets to put in our offices or just tell us how much you like our work in the comments section ;-)

- Curphey

PS – To my super-human team - Just cause I am sometimes grumpy doesn’t mean I am not in awe of your amazing work. I just get beaten too often on the foos-ball table to be happy all day! You all know who you are, I am super proud and honored to work with y’all. Now go get some sleep before the next sprints start!