Microsoft Introduces Quick Security References
Filed under: Security
Yesterday, Microsoft released two new Quick Security References (QSR’s) to help application development teams understand Security issues. These new guides are the first part of a continuing series to help multiple roles within the team understand common vulnerabilities. Not only do they provide great detail on the security issues, but they also help teams move toward SDL adoption.
The first two QSR’s focus on Cross Site Scripting and SQL Injection. I think it is good that they started with these two vulnerabilities because they are the two most common types of attacks. These two vulnerabilities take turns in the first and second position on the OWASP Top 10. I encourage anyone and everyone involved with applications, from the business personnel to the technical teams, to read over these guides. They are about 20 pages in length, but provide a really good description of the attacks.
The QSR’s can be downloaded from Microsoft here: http://www.microsoft.com/downloads/details.aspx?FamilyID=79042476-951f-48d0-8ebb-89f26cf8979d&displayLang=en
CAT.NET Microsoft’s Code Analysis Tool
Filed under: Security
Microsoft has introduced a new code analysis tool called CAT.NET to help analyze source code for security flaws within managed applications. This is a visual studio add-in that works directly within Visual Studio, so there is no need for separate programs. The tool will trace through all statements, methods, and assemblies referenced within the application. It is currently on Version One in CTP. Its rules look to identify the following flaws:
- Cross Site Scripting (XSS)
- SQL Injection
- Process Command Injection
- File Canonicalization
- Exception Information (a form of Information Leakage)
- LDAP Injection
- XPATH Injection
- Redirection to User Controlled Site
I executed the tool against a web application with the following code snippet:
The results of the scan are provided below:
As you can see from the above samples, the tool does a good job of distinguishing between threats. By default, asp:textbox will encode its text value, whereas the label control will not. The information provided by the tool is very helpful as well. It shows what file and what line of code is the offender. It also recommends a resolution to help protect against this. For developers new to focusing on security, it would be nice if the tool gave the link to the Anti-XSS library or a sample code snippet to show how to implement the fix. That information is pretty easy to find and for a free tool it provides some good general protection for your code.
The tool can be downloaded at http://www.microsoft.com/downloads/details.aspx?FamilyId=0178e2ef-9da8-445e-9348-c93f24cc9f9d&displaylang=en.
I have tried this tool on a few different projects and it has worked pretty well. I have found that on very large solutions I ran into out of memory exceptions. This is a limitation for all add-ins because Visual Studio is limited to 2GB of space. The larger projects use up more of that so the tool doesn’t have space to function properly. This can be managed by selecting specific projects to analyze.
Follow Us
