Browse by Tags

Tagged Content List
  • Blog Post: Farewell from Mark Curphey & Please Help Me Fight Blood Cancer

    Mark Curphey here….. It is with some degree of sadness that I have to hang up my spurs from this blog. Next Monday I take up a new role on the Server & Tools Online team (think MSDN & codeplex.com) where I will be heading up the subscriptions engineering team. I have held various security roles...
  • Blog Post: How To: Use CAT.NET 2.0 Beta

    Syed Aslam Basha here. I am a tester on the Information Security Tools Team responsible for testing CAT.NET. You can download the current Beta of CAT.NET 2.0 from https://connect.microsoft.com/site734/Downloads/DownloadDetails.aspx?DownloadID=26086&wa=wsignin1.0 * You must have Visual studio 2010...
  • Blog Post: How To: Use CAT.NET V2.0 Beta

    Syed Aslam Basha here. I am a tester on the Information Security Tools Team responsible for testing CAT.NET. You can download the current Beta of CAT.NET 2.0 from https://connect.microsoft.com/site734/Downloads/DownloadDetails.aspx?DownloadID=26086&wa=wsignin1.0 * You must have Visual studio 2010...
  • Blog Post: CAT.NET 2.0 - Beta

    Mark Curphey here… Please to announce a beta of the upcoming CAT.NET 2.0. This beta program will last for approximately 1 month.  The final released version is scheduled to release shortly after VS 2010 RTM.   The goal of this beta program is to garner feedback from the user community...
  • Blog Post: Delay Between Actions Feature in CUIT

    Syed Aslam Basha here. I am a tester on  the Information Security Tools Team. The CUIT code is executed at a very fast pace, at times you may want to execute the code a bit slow or with a delay between actions. We have playback API which helps to achieve this as shown below; Playback .PlaybackSettings...
  • Blog Post: How To: Data Drive CUIT Scripts

    Syed Aslam Basha here. I am a tester on  the Information Security Tools Team. One of the major feature for any automation tool is support for data driven test cases, CUIT too supports data driven testing. Let me show an example of data driving CUIT scripts. Suppose you want to validate login feature...
  • Blog Post: How To: Customize CUIT scripts

    Syed Aslam Basha here. I am a tester on  the Information Security Tools Team. In the previous blog posts I have shown how to automate functional test cases using CUIT and adding check points/ assertions to CUITs. Lets see with an example “how to customize the CUIT scripts”. Lets take a close look...
  • Blog Post: The CAT.NET 2.0 Configuration Analysis Engine

    Maqbool Malik here… One of the most significant update to CAT.NET in v2.0 is the addition of a configuration engine. The goal of the engine is to identify insecure configuration at all layers of the application (configuration files, code level configuration, etc.) which should be remediated prior to...
  • Blog Post: How to Configure WPL v1.0 SRE

    RV here... With the release of Web Protection Library v1.0 (WPL) Security Runtime Engine (SRE) has been significantly updated. It now includes a SQL Injection Detection module which can detect certain attack vectors. It also include re-designed configuration editor which enables you to easily configure...
  • Blog Post: How to Run CAT.NET 2.0 CTP

    RV here... With the new build of CAT.NET available on connect.microsoft.com you must have noticed that the new version includes only a command line tool. We we will be releasing the Visual Studio rules as part of Beta1 release. So lets look at how we can use the command line version to analyze binaries...
  • Blog Post: Web Application Configuration Analyzer – WACA CTP Release Coming Soon

    RV here... Last year we developed an internal tool to review servers for security configuration issues. Microsoft offers several enterprise options for doing this such as Systems Center Configuration Manager but the requirements were for a lightweight stand-alone tool focused towards developers and testers...
  • Blog Post: Double Hop Windows Authentication with IIS Hosted WCF Service

    Hello, Randy Evans here.  I am a principal developer on the Information Security Tools Team.  In a recent project, we had a intranet web site that called an IIS hosted WCF service.  The WCF service, in turn, called a SQL Server Reporting Services (SSRS) web service. We wanted to utilize...
  • Blog Post: Normal Service Will Resume Soon

    The coding fairies are been busy crafting code. Blogging (and maybe even Tweeting if there is a demand) will return soon and well have a few nice CTP’s for you to play with over the next few weeks. Look for news about; CAT.NET 2.0 CTP – Rebuilt from the ground up using Phoenix WPL 1.0 CTP – with XSS...
  • Blog Post: How To: Use VSTS Code Profiler

    Syed Aslam Basha here. I am a tester on the Information Security Tools team. This blog post is in continuation with website performance testing simplified blog post. The final step in performance testing is to narrow down the faulty code which is taking lot of time or memory or CPU usage. I will show...
  • Blog Post: Web Protection Library – CTP Release Coming Soon

    RV here... Over the last couple of months we have been actively developing the next version of Anti-XSS library and Security Runtime Engine (SRE). We have added new mitigations that go way beyond the original Cross Site Scripting (XSS) protections of the Anti-XSS Library hence the change in name to the...
  • Blog Post: SQL Server 2008 Security - Policy Example

    Hi, Gaurav Sharma here, I’m a developer with the Information Security Tools (IST) team. A few months ago I posted a blog, SQL Policy Based Management (PBM) and posted a follow up introductory “ How Do I” video on the same topic. Since then I’ve received a lot of feedback and questions regarding how to...
  • Blog Post: Anti-XSS Library v3.1 Released!

    The Microsoft Information Security Tools (IST) team has released the latest Microsoft Anti-Cross Site Scripting (Anti-XSS) Library version 3.1 .  Read more about Anti-XSS v3.1 on the Information Security blog and watch the video, “ Anti-XSS 3.0 Released ,” as Vineet Batta and Anil Revuru (RV), Senior...
  • Blog Post: Automating Windows Firewall settings with C# (part 2)

    Hi Vamsy here. I am an Operations Engineer in the Information Security  Team. In my previous post, I have described automating Windows Firewall Settings with C#. As promised in the previous post , I will describe the tool I call Windows Firewall Checker in this blog. The tools is written in C# and...
  • Blog Post: HTML Sanitization in Anti-XSS Library

    RV here... For a while now, I have been talking about various types of encodings and how they protect web applications from cross site scripting attacks. In most cases input is simply passed through AntiXss.HtmlEncode or similar methods to transform it into safely displayable HTML entities. In some cases...
  • Blog Post: Sharing Master Pages in Multiple Projects

    Hi Anil Chintala here. I am working on a requirement for a Portal, which is to share the look and feel of the portal by multiple web applications seamlessly and without any rework. I started doing some prototyping work and writing up some scenarios we would like to consider for the requirement. For the...
  • Blog Post: Application Health Monitoring (in ASP.NET 2.0 and above)

    Vineet Batta here, A little known but excellent features of ASP.NET is it’s ability to give support teams the ability to monitor the health of ASP.NET applications. In this article I will dwell on out of box features. No custom classes or code to be written. All the configuration setting for enabling...
  • Blog Post: Hash Functions in .NET – Right Tool for the Right Job

    Hi, Ch etan Bhat here. I’m a developer with the Security Tools Team. In this post I will talk about common mistakes developers make when when using hash functions. Any hash function is required to meet the following two requirements. It must be easy to calculate for any possible message. It must return...
  • Blog Post: Encoding Cascading Style Sheet Strings

    RV here... Cascading Style Sheets provide developers ways to change the UI theme of a website and this provides many opportunities for malicious users to change the UI if the application uses dynamic data inside style tags or in HTML style attributes. Additionally keywords like expression can be used...
  • Blog Post: LDAP Injection and Mitigation

    RV here... The Lightweight Directory Access Protocol (LDAP) API provides a mechanism for connecting to, searching, and modifying internet directories. A LDAP (Lightweight Directory Access Protocol) injection attack exploits vulnerabilities in input validation to run arbitrary LDAP statements against...
  • Blog Post: Automate Security Management for VSTF Source Control

    Kathy Shieh here. I am the dev lead for the Information Security Tools team in the US. Visual Studio Team Foundation server (VSTF)  provides a pretty good GUI interface for security management. Within the VSTF UI you can create custom roles, manage membership for each role and manage security for...
Page 1 of 3 (55 items) 123