The Hogg Blog

Envisaging the Future by Reflecting on the Past

Microsoft Research Security Policy Analyser - Now integrated into VS2005

Microsoft Research Security Policy Analyser - Now integrated into VS2005

  • Comments 2

If you haven't already played with the Security Policy Analyser that shipped with WSE 3.0 - take a look. It rocks! Amongst other things it performs static validations to catch vulnerabilities such as:

  • Use of test root certificates
  • Leaving “detailed errors” configuration turned on
  • Dictionary attack is possible where signature is not encrypted
  • Credit-taking attacks are possible
  • etc

And if you have played with it but got frustrated that you had to run it from the command line then we have great news. Pablo Galiano has implemented a version that uses GAT (guidance automation toolkit) to integrate this capability directly into Visual Studio!

For more information or to download a version of the tool join our workspace at http://practices.gotdotnet.com/projects/sopatterns

For more information on the actual basis for the tooling take a look at the Microsoft Research Samoa project at - http://research.microsoft.com/projects/samoa/. The analyser is one result of a lengthy investigation into establishing formal methods for specifying and verifying security goals of applications...

 

Leave a Comment
  • Please add 4 and 4 and type the answer here:
  • Post
Page 1 of 1 (2 items)