CAT.NET version 1

Jun 29, 2009 07:40 GMT  ·  By

A new release of the Microsoft Code Analysis Tool .NET (CAT.NET) version 1 is now available for download. The Community Technology Preview (CTP) of CAT.NET version 1 went live at the end of last week and is up for grabs via the Microsoft Download Center. The tool is a security analysis add-in aimed at developers and integrates with Visual Studio. The CAT.NET CTP ships in both 32-bit and 64-bit builds and supports Windows Vista and Windows XP. According to Microsoft, only Visual Studio 2005 and 2008 are supported; the company said nothing about Visual Studio 2010.

“CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection,” reads the description of the tool.

CAT.NET v1 CTP is not limited to Cross-Site Scripting, SQL Injection and XPath Injection, however. Microsoft underlined that this release adds rules for Process Command Injection, File Canonicalization, Exception Information, LDAP Injection, and Redirection to User Controlled Site.

Since 2008, attacks targeting vulnerabilities in poorly written application code have been on the rise. The volume of SQL injection attacks, for example, has exploded, and they are aimed not at security holes in the underlying infrastructure, such as Windows Server or IIS, but at flaws in the applications running on top of it. This is where the Visual Studio snap-in comes in: developers can use it to highlight security flaws in the managed code they are building. Because the tool analyzes the compiled binary rather than the source, the language the code was written in, whether C#, Visual Basic .NET, or J#, makes no difference.

“It does so by scanning the binary and/or assembly of the application, and tracing the data flow among its statements, methods, and assemblies. This includes indirect data types such as property assignments and instance tainting operations. The engine works by reading the target assembly and all reference assemblies used in the application – module-by-module – and then analyzing all of the methods contained within each. It finally displays the issues it finds in a list that you can use to jump directly to the places in your application's source code where those issues were found,” Microsoft added.
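As an added illustration of the rule categories listed above and of the data-flow tracing Microsoft describes (this is example code written for this article, not code from CAT.NET or Microsoft), the hypothetical ASP.NET page below stores untrusted input from Request.QueryString in a property and then lets it reach a SqlCommand, Response.Write and Response.Redirect, which is the shape of flaw the SQL Injection, Cross-Site Scripting and Redirection to User Controlled Site rules target. The "instance tainting" the quote mentions is what lets an analyzer follow the value through the OrderQuery property instead of losing track of it at the assignment. A hardened version of the same page follows. The class names, the connection string and the IsLocalPath helper are assumptions; whether CAT.NET's CTP flags every one of these lines is not something the announcement confirms.

```csharp
// Added example, not CAT.NET's own code. Names (OrderQuery, OrderPage,
// IsLocalPath) and the connection string are hypothetical.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

// Untrusted input stored in a property. A taint-tracking analyzer treats the
// OrderQuery instance as tainted ("instance tainting"), so the taint survives the
// hop through CustomerId even though Request.QueryString never touches the sink directly.
public class OrderQuery
{
    public string CustomerId { get; set; }
}

public partial class OrderPage : Page
{
    // Hypothetical connection string; replace with your own.
    private const string ConnectionString = "Server=.;Database=Shop;Integrated Security=true";

    // Vulnerable: source -> property -> string concatenation -> SqlCommand (SQL Injection),
    // raw column value -> Response.Write (Cross-Site Scripting),
    // Request.QueryString["returnUrl"] -> Response.Redirect (Redirection to User Controlled Site).
    protected void LoadOrders_Vulnerable()
    {
        var query = new OrderQuery { CustomerId = Request.QueryString["id"] };

        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(
            "SELECT Description FROM Orders WHERE CustomerId = '" + query.CustomerId + "'", conn))
        {
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    Response.Write(reader["Description"]);   // unencoded output
            }
        }

        Response.Redirect(Request.QueryString["returnUrl"]); // open redirect
    }

    // Hardened: parameterised query, HTML-encoded output, redirect restricted to local paths.
    protected void LoadOrders_Fixed()
    {
        var query = new OrderQuery { CustomerId = Request.QueryString["id"] };

        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(
            "SELECT Description FROM Orders WHERE CustomerId = @id", conn))
        {
            // The tainted value is passed as a typed parameter, so it can no longer alter the query.
            cmd.Parameters.Add("@id", SqlDbType.NVarChar, 50).Value = query.CustomerId ?? string.Empty;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    Response.Write(HttpUtility.HtmlEncode(reader["Description"].ToString()));
            }
        }

        string returnUrl = Request.QueryString["returnUrl"];
        // Only same-site relative paths are allowed; anything else falls back to a fixed page.
        if (string.IsNullOrEmpty(returnUrl) || !IsLocalPath(returnUrl))
            returnUrl = "~/Default.aspx";
        Response.Redirect(returnUrl);
    }

    // Accepts "/orders" and "~/orders"; rejects "//evil.example", "http://evil.example"
    // and "/\evil.example", which browsers would treat as absolute URLs.
    private static bool IsLocalPath(string url)
    {
        if (url.StartsWith("~/", StringComparison.Ordinal)) return true;
        if (url.Length < 1 || url[0] != '/') return false;
        return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
    }
}
```

The point of the fixed version is not that the input is validated at the source but that each sink receives it in a form that cannot change the sink's meaning: a typed SQL parameter, an HTML-encoded string, and a redirect target that has been reduced to an allowlisted local path. That is also what a data-flow analyzer looks for: a tainted value is only a finding if it reaches a sink without passing through a recognized sanitizer.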

Microsoft Code Analysis Tool .NET (CAT.NET) v1 CTP is available for download from the Microsoft Download Center.