Announcing CAT.NET CTP and AntiXSS v3 beta

Hi, Todd Kutzke here… I’m the Sr. Director of Microsoft’s Information Security team whose mission is to enable secure and reliable business for Microsoft and its customers. Our team resides inside of Microsoft IT (MSIT) and is focused on managing information security risk around our operational practices and tools that are used to support Microsoft business. Over the past 6+ years, one such area that we’ve been heavily involved in is the security of line-of-business applications through our Assessment, Consulting & Engineering (ACE) team, a team that is an integral part of Information Security. This work has taken the form of processes we’ve developed (derived from SDL with a focus on LOB) as well as specific tools to help in the development and maintenance of a secure enterprise application portfolio.

As various forms of data become more readily available through online applications, managing the security of these applications is becoming more critical. And, as something that has been discussed on this blog and in other forums, security has to be considered throughout the entire lifecycle of the application as just another attribute of the application alongside scalability, usability, performance, accessibility and others. This is very much the goal of SDL and to help with the adoption of the process, we’re very committed to providing tools to our customers to help with the adoption of SDL, and ultimately, a more secure application portfolio.

Today, we’re very excited to announce the availability of our next version of the Anti-Cross Site Scripting Library (Anti-XSS) v3 BETA as well as Code Analysis Tool .NET (CAT.NET) v1 CTP. Anti-XSS v3 BETA includes performance improvements, localization enhancement as well as a Security Runtime Engine (SRE) that uses an HTTP module to provide a level of protection against XSS for your application without the need to rebuild your code. CAT.NET v1 CTP is a binary analysis tool that can be used by developers to identify some common vulnerabilities that can lead to attack vectors such as XSS, SQL Injection and XPath Injection in your code.

These tools are examples of technologies we’ve develop and are using internally as a part of our larger SDL initiative in helping to build and maintain secure code and we’re excited to share these tools with our customers. We’re definitely looking at releasing more tools from our portfolio and are very much looking forward to your feedback.

About the Author
SDL Team

Trustworthy Computing, Microsoft

Join the conversation

  1. kolchak

    Is CAT.NET x64 only??? I know we are heading that way, but we’re not all on 64 bit yet 🙁

  2. axleyjc

    With any significant number of assemblies being analyzed in a single run, both the IDE integration plugin and the command-line tool eventually chew up all memory on the system and then crash Visual Studio or the command line tool.  It has been this way since its inception.  It wasn’t until I used the command-line version recently that I saw the OutOfMemoryException (on a computer with 2 gigs even) and then the crash.

    Is there a known safe limit on the number or size of assemblies to limit each run to so as to avoid running out of memory?  Is this a known bug that is being fixed so it doesn’t have this problem?  FxCop doesn’t seem to be as resource intensive.

  3. Philip.Agcaoili


    Great stuff! We’ve standardized on the AntiXSS library from some time now.

    What is the difference between the new CAT.NET tool and FxCop?


    Phil Agcaoili

Comments are closed.