MS CAT.NET v2.0 Beta - Code Analysis Tool .NET

CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection.

This beta includes an integrated user experience with Visual Studio 2010 and FxCop command prompt. Version 2.0 beta contains tainted data flow analysis and a configuration analysis engine, that identifies insecure configuration files. In all there are 46 new configuration and 9 data flow rules.

The goal of this beta program is to garner feedback from the user community. Please send all feedback to:

ist-cat ---@--- microsoft.com

User Experience

  • Integration with Visual Studio 2010 code analysis infrastructure as FxCop rules.
  • Easy analysis using FxCop command line or UI interface or VSTS Team Build.
  • Currently beta includes FxCop UI and Command prompt.

Core Analysis

  • Total of 55 rules have been added. There are 9 data flow rules and 46 configuration rules are included in this version.
  • Updated tainted data flow analysis engine to track both tainted operands and source symbols.
  • Reduced false positives and false negatives.
  • Accomplished by detecting sanitizers, constant variables and instructions that affect the data flow.
  • New Data flow rule to detect XML Injection attacks
  • Updated configuration rules engine detecting clear text connection strings and credentials.
  • Rules to detect insecure defaults.
  • Example minRequiredPasswordLength attribute of membership providers add element.
  • Configuration rules updated to detect @page directive configuration overrides.

Known Issues

All current known issues have been included in the CAT.NET v2.0 Beta guide document.

More information: here

Post scriptum

Compliance Mandates

  • Application Scanner :

    PCI/DSS 6.3, SOX A12.4, GLBA 16 CFR 314.4(b) and (2), HIPAA 164.308(a)(1)(i), FISMA RA-5, SA-11, SI-2, ISO 27001/27002 12.6, 15.2.2

  • Code Auditing :

    PCI/DSS 6.3.6, 6.3.7, 6.6, SOX A12.8, GLBA 16CFR Part 314.4(b) and (2);FISMA RA-5, SC-18, SA-11 SI-2, and ISO 27001/27002 (12.4.1, 12.4.3, 12.5)


Comments

Related Articles

Application Scanner
CAT.NET
Code Auditing