Available via Microsoft Connect

Feb 4, 2010 11:04 GMT

A development milestone for the next iteration of Microsoft’s managed code security source code scanning tool is currently available for download. Developers can now access the Beta build of the second version of the Microsoft Code Analysis Tool for .NET and test-drive the release before it becomes generally available in just a few months. Testers can grab the latest build of CAT.NET v2.0 by joining the Beta program for the project on Microsoft Connect, revealed Syed Aslam Basha, Microsoft Information Security Tools (IST) Test Lead. However, developers looking to get a feel for what CAT.NET v2.0 brings to the table will need to hurry, as the Beta program will last only a single month.

“The final released version is scheduled to release shortly after Visual Studio 2010 RTM. The goal of this beta program is to garner feedback from the user community,” Basha said, indicating that feedback should be sent to ist-cat at microsoft.com.

CAT.NET v2.0 brings a considerable number of code changes that affect both user experience and core analysis. Basha provided a list of the changes, which is included at the bottom of this article. According to Microsoft, CAT.NET v2.0 now features UX integration with both Visual Studio 2010 and the FxCop command prompt. At the same time, the tool will make available to developers 46 new configuration rules and 9 data flow rules. Devs will be able to leverage various aspects of CAT.NET v2.0’s evolution, such as tainted data flow analysis and a configuration analysis engine.

Here are the changes highlighted by Basha:

User Experience:

- Integration with Visual Studio 2010 code analysis infrastructure as FxCop rules.
- Easy analysis using FxCop command line or UI interface or VSTS Team Build.
- Currently, the beta includes the FxCop UI and command prompt.

Core Analysis:

- A total of 55 rules have been added: 9 data flow rules and 46 configuration rules are included in this version.
- Updated tainted data flow analysis engine to track both tainted operands and source symbols.
- Reduced false positives and false negatives.
  - Accomplished by detecting sanitizers, constant variables and instructions that affect the data flow.
- New data flow rule to detect XML Injection attacks.
- Updated configuration rules engine detecting clear text connection strings and credentials.
- Rules to detect insecure defaults.
  - Example: the minRequiredPasswordLength attribute of the membership providers add element.
- Configuration rules updated to detect @page directive configuration overrides.
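The configuration checks in the list above (clear text credentials in connection strings, and the minRequiredPasswordLength attribute on a membership provider's add element) can be illustrated with a short script. This is an added example, not CAT.NET code or one of its rules; the sample web.config, the finding names and the 8-character threshold are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample web.config; every name and value is illustrative only.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="AppDb" connectionString="Server=db01;Database=app;User Id=app;Password=EXAMPLE-ONLY" />
    <add name="ReportDb" connectionString="Server=db01;Database=rpt;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <membership>
      <providers>
        <add name="WeakProvider" type="System.Web.Security.SqlMembershipProvider"
             minRequiredPasswordLength="4" />
        <add name="DefaultedProvider" type="System.Web.Security.SqlMembershipProvider" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

MIN_PASSWORD_LENGTH = 8  # assumed policy threshold, not a value taken from CAT.NET
# A password/pwd key inside a connection string means the secret sits in the file.
CREDENTIAL_KEY = re.compile(r"(?:^|;)\s*(?:password|pwd)\s*=\s*[^;]+", re.IGNORECASE)


def audit_web_config(xml_text, min_length=MIN_PASSWORD_LENGTH):
    """Return a sorted list of (finding, element name, detail) tuples."""
    root = ET.fromstring(xml_text)
    findings = []
    # iter() also reaches sections nested under <location> elements.
    for section in root.iter("connectionStrings"):
        for add in section.findall("add"):
            if CREDENTIAL_KEY.search(add.get("connectionString", "")):
                findings.append(("cleartext-credential", add.get("name", "?"),
                                 "password stored in connectionString"))
    for membership in root.iter("membership"):
        for add in membership.findall("providers/add"):
            raw = add.get("minRequiredPasswordLength")
            if raw is None:
                # Attribute omitted: the provider's built-in default applies silently.
                findings.append(("implicit-default", add.get("name", "?"),
                                 "minRequiredPasswordLength not set"))
            elif not raw.strip().isdigit() or int(raw) < min_length:
                findings.append(("weak-password-length", add.get("name", "?"),
                                 f"minRequiredPasswordLength={raw}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(*finding, sep=" | ")
```

The ReportDb entry is not flagged because it uses integrated authentication and carries no secret in the file.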