Hi, Todd Kutzke here… I’m the Sr. Director of Microsoft’s Information Security team whose mission is to enable secure and reliable business for Microsoft and its customers. Our team resides inside of Microsoft IT (MSIT) and is focused on managing information security risk around our operational practices and tools that are used to support Microsoft business. Over the past 6+ years, one such area that we’ve been heavily involved in is the security of line-of-business applications through our Assessment, Consulting & Engineering (ACE) team, a team that is an integral part of Information Security. This work has taken the form of processes we’ve developed (derived from SDL with a focus on LOB) as well as specific tools to help in the development and maintenance of a secure enterprise application portfolio.
As various forms of data become more readily available through online applications, managing the security of these applications is becoming more critical. And, as has been discussed on this blog and in other forums, security has to be considered throughout the entire lifecycle of the application as just another attribute of the application alongside scalability, usability, performance, accessibility and others. This is very much the goal of SDL, and to help with the adoption of the process we’re very committed to providing our customers with tools that support SDL and, ultimately, a more secure application portfolio.
Today, we’re very excited to announce the availability of the next version of our Anti-Cross Site Scripting Library (Anti-XSS) v3 BETA as well as Code Analysis Tool .NET (CAT.NET) v1 CTP. Anti-XSS v3 BETA includes performance improvements and localization enhancements, as well as a Security Runtime Engine (SRE) that uses an HTTP module to provide a level of protection against XSS for your application without the need to rebuild your code. CAT.NET v1 CTP is a binary analysis tool that developers can use to identify some common vulnerabilities in their code that can lead to attacks such as XSS, SQL Injection and XPath Injection.
These tools are examples of technologies we’ve developed and are using internally as part of our larger SDL initiative to help build and maintain secure code, and we’re excited to share them with our customers. We’re definitely looking at releasing more tools from our portfolio and are very much looking forward to your feedback.