OWASP O2 Platform/Microsoft/CAT.NET

current O2 support

 * Dedicated O2 Module O2_Scanner_MsCatNet with support for:
   * finding target DLLs (recursive search on local directories)
   * triggering scans
   * converting CAT.NET Results into O2's Findings schema

description
(from CAT.NET download page)

"...Code Analysis Tool for .NET is a static analysis tool to detect common software security vulnerabilities. CAT.NET 2.0 has been re-written from the ground up implementing the original tainted analysis algorithm developed by Ben Livshits but using the Phoenix compiler infrastructure to provide a solid and scalable core data flow security analysis engine. CAT.NET 2.0 will initially ship around February as a Visual Studio 2010 Power Tool, only available to customers who have a licensed copy of Visual Studio 2010 and then as an integrated part of the Visual Studio product in late 2010. ..."

download

 * CAT.NET 2.0 CTP (current version) (requires registration with Microsoft), .NET Framework 4.0
 * CAT.NET v1 CTP - 32 bit (old version), .NET Framework 2.0
 * O2 Scanner - MsCatNet

other relevant links

 * Microsoft Information Security Tools team Connect site
 * Microsoft IT’s Information Security (InfoSec) group
 * OWASP .NET Project

related blog posts

 * InfoSec A&P Suite: How to Install & Configure
 * New Tool In My Pouch: CAT.NET And Anti-XSS 3.0
 * InfoSec Assessment & Protection (A&P) Suite Released
 * Security tools from Microsoft (Tobias had some issues running the latest version)
 * from main CAT.NET Blog
   * The CAT.NET 2.0 Configuration Analysis Engine
   * How to Run CAT.NET 2.0 CTP
   * Some New Software Security Tools for Web Developers – (CTP Releases)
   * Implementation Ideas for the CAT.NET 2.0 Tainted Variable Analysis Algorithm
   * New Build of CAT.NET (Version - 1.1.1.9) – Please Upgrade
   * Running CAT.NET as a Custom MSBuild Task
   * CAT.NET – How Big Do Your Project Files Grow?
 * FxCop
   * FxCop & StyleCop
 * VS2010
   * Code Analysis in Visual Studio 2010

videos

 * Architecture Behind CAT.NET
 * Assessment and Protection Suite - "... Anil Revuru (RV) and Mark Curphey, from Microsoft Information Security, introduce what would be in the future a suite of tools that will help you assess your code as well as protect it. This is called the Assessment & Protection (A&P) Suite and it includes the following tools: Web Protection Library (WPL) – which includes Anti-XSS, SRE, mitigation of SQL Injection, CSRF among others; CAT.NET; Web Application Configuration Analyzer (WACA); and room for more future add-ons ..."
 * MSDN Webcast: Managing Cross-Site Scripting Using CAT.NET and AntiXSS (Level 200)
 * WACA & WPL
   * Using Web Application Configuration Analyzer (WACA) - CTP Version
   * Web Application Configuration Analyzer (WACA)
   * Enhanced Web Protection Library
   * Using the Web Protection Library (WPL) - CTP Version