Microsoft released the latest beta versions of its code analysis tool and anti-cross site scripting (anti-XSS) library for developers.
The Anti-XSS tool is in version 3 of its beta. Microsoft said the encoding library uses a white-listing technique to protect against XSS attacks. The latest version contains some performance improvements, an expanded white list and support for additional languages.
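The white-listing approach mentioned above, as an added illustration (this is not Microsoft's code and not the Anti-XSS library's API): every character outside a safe list is entity-encoded, in contrast to escaping only a fixed set of known-dangerous characters. The safe list, the function names and the sample input are assumptions constructed for this example.

```python
import html

# Assumed safe list for this illustration: ASCII letters, digits and a few
# punctuation marks. The real library's list is larger (the article says it
# was expanded and covers additional languages).
SAFE_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    ".,-_"
)

# Constructed sample: untrusted text destined for an unquoted HTML attribute,
# e.g. <input value=HERE>. It contains none of the characters & < > " '.
CONSTRUCTED_INPUT = "x onmouseover=handler()"


def whitelist_html_encode(text: str) -> str:
    """Pass safe-listed characters through; encode everything else as &#N;."""
    return "".join(ch if ch in SAFE_CHARS else f"&#{ord(ch)};" for ch in text)


def blacklist_html_encode(text: str) -> str:
    """Escape only the known-dangerous characters & < > " ' (html.escape)."""
    return html.escape(text, quote=True)


def ends_unquoted_attribute(encoded: str) -> bool:
    """True if the encoded text still holds a raw character that terminates
    an unquoted attribute value (whitespace or '>'), which would let the
    remainder be parsed as additional attributes."""
    return any(c in encoded for c in " \t\n\r\f>")


if __name__ == "__main__":
    for name, encode in (("blacklist", blacklist_html_encode),
                         ("whitelist", whitelist_html_encode)):
        encoded = encode(CONSTRUCTED_INPUT)
        print(f"{name}: {encoded!r} "
              f"ends attribute early: {ends_unquoted_attribute(encoded)}")
```

The blacklist encoder returns the sample unchanged because it contains none of the five characters it knows about, while the whitelist encoder neutralises the space and `=` without needing to anticipate them.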
The software giant also released a binary analysis tool called CAT.NET v1 CTP. The tool can be used to identify flaws that leave applications vulnerable to XSS, SQL injection and XPath injection attacks.
Writing on Microsoft's Security Development Lifecycle blog, Todd Kutzke, senior director of Microsoft's Application Consulting & Engineering (ACE) Team, explained that the group has been working to design specific tools to help in the development and maintenance of business applications. Kutzke said his team plans to release additional tools in 2009.
"These tools are examples of technologies we've developed and are using internally as a part of our larger SDL initiative in helping to build and maintain secure code and we're excited to share these tools with our customers," Kutzke said. "As various forms of data become more readily available through online applications, managing the security of these applications is becoming more critical."
In June, Microsoft recognized the need to protect its customers from SQL injection attacks. It issued a security advisory identifying several tools that could be used to bolster Web application development and scan websites for security holes.
The tools were released because security researchers were tracking a surge in SQL injection attacks. Part of the surge was tied to the Asprox Trojan. The automated attacks seek out vulnerable websites and insert code to infect visitors' PCs with malware.
Among the tools it identified was the Microsoft Source Code Analyzer for SQL Injection, which detects ASP code susceptible to SQL injection attacks. The tool addresses ASP code written in VBScript.
Microsoft also identified UrlScan version 3.0 Beta, which blocks HTTP requests. Microsoft said the tool will stop harmful requests from reaching the Web application on the server. The tool is designed to read its configuration from the urlscan.ini file. Multiple instances of the tool can be installed to serve as URL filters. It can be tweaked by an administrator to restrict the types of requests processed by Internet Information Services (IIS).