The end of the past week brought with it a couple of new security tools from Microsoft, made available as free downloads. The Microsoft Code Analysis Tool .NET (CAT.NET) version 1 Community Technology Preview and the Microsoft Anti-Cross Site Scripting Library version 3.0 Beta went both live over the weekend, and are both focused on increasing the security of web applications, including attacks involving Cross-Site Scripting and SQL Injection.

Microsoft Code Analysis Tool .NET (CAT.NET) version 1 is available as a CTP release in 32-bit and 64-bit flavors. The binary code analysis tool is designed to help developers sniff out prevalent vulnerabilities, as well as variants of common security holes. In doing so, Microsoft is attempting to further help developers bulletproof web content against attack vectors including Cross-Site Scripting (XSS), SQL Injection, and XPath Injection.

“CAT.NET is a managed code static analysis tool for finding security vulnerabilities. It's exactly the same tool we use internally to scan all of our Line of Business (LOB) applications; it runs as a Visual Studio plug-in, or as a stand-alone application. It was engineered by this group (CISG) and has been designed in partnership with the ACE Team and Microsoft Research,” Mark Curphey, the product unit manager for the Connected Information Security Group or CISG, revealed.

Version 3 of the Microsoft Anti-Cross Site Scripting Library is available as a Beta, and is set up to focus on delivering protection against cross-site scripting attacks, while securing legacy content against Security Runtime Engine. Curphey indicated that using AntiXSS 3.0 would resolve anywhere between 50% to 90% of the XSS issues with zero code changes involved.

“With this release we have taken a fresh look at how to provide protection to ASP.NET applications. As well as significantly better coverage for internationalization in the core library and significantly improved performance, we are now shipping with the Security Runtime Engine (SRE), a .NET CLR plug-in that overrides default encoding's to render sites safe from XSS with zero code changes. While the SRE cannot be used in every circumstance and cannot prevent every type of XSS, we believe it will provide great coverage in a wide variety of situations and form another important layer in a defence in depth strategy,” Curphey added.

The Microsoft Code Analysis Tool .NET (CAT.NET) version 1 Community Technology Preview is available for download here.

The Microsoft Anti-Cross Site Scripting Library version 3.0 Beta is available for download here.