Microsoft updates code analysis tool, SQL injection XSS library

By Robert Westervelt, News Editor
16 Dec 2008 | SearchSecurity.com

Security Wire Daily News

Microsoft has released the latest beta versions of two developer tools: its code analysis tool and its anti-cross-site scripting (Anti-XSS) encoding library.


The Anti-XSS library is now in its third beta. Microsoft said the encoding library uses a white-listing technique: instead of escaping a list of known-dangerous characters, it encodes every character that is not on an explicit list of safe ones, so characters the developer did not anticipate are neutralized by default. The latest version brings performance improvements, an expanded white list and support for additional languages.
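To make the white-listing point concrete, here is an added illustration in Python (it is not code from the Anti-XSS library or from this article). It places the same untrusted value into a single-quoted HTML attribute twice, once through a blacklist encoder that escapes only the four characters its author remembered and once through a whitelist encoder that encodes everything outside a small safe set; the payload, the safe-character set and the helper names are constructed for the example.

```python
"""Whitelist ("principle of inclusions") HTML encoding, contrasted with a
blacklist encoder that escapes only a few remembered characters.

Constructed example; this is not the Anti-XSS library's code."""

import html

# The only characters emitted unchanged: ASCII letters, digits and a few
# punctuation marks that are inert in every HTML context. Everything else,
# including characters nobody thought about, is encoded.
SAFE_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    " ,.-_"
)


def whitelist_html_encode(value: str) -> str:
    """Encode every character not on the whitelist as a decimal entity."""
    return "".join(ch if ch in SAFE_CHARS else f"&#{ord(ch)};" for ch in value)


def blacklist_html_encode(value: str) -> str:
    """Escape only the characters the author remembered: & < > and double quote.

    The single quote is missing, which is exactly the kind of gap a
    blacklist leaves open."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def render_attribute(encoder, untrusted: str) -> str:
    """Place the encoded value inside a single-quoted attribute."""
    return f"<input value='{encoder(untrusted)}'>"


def attribute_is_intact(markup: str) -> bool:
    """The value stayed inside the quotes only if the markup still has exactly
    the two single quotes written by render_attribute."""
    return markup.count("'") == 2


def round_trips(value: str) -> bool:
    """Whitelist encoding is lossless: a browser decodes it back to the input."""
    return html.unescape(whitelist_html_encode(value)) == value


# Constructed untrusted input that tries to break out of a quoted attribute.
PAYLOAD = "' onfocus='alert(1)"

if __name__ == "__main__":
    for name, enc in (("blacklist", blacklist_html_encode),
                      ("whitelist", whitelist_html_encode)):
        markup = render_attribute(enc, PAYLOAD)
        print(f"{name:9} intact={attribute_is_intact(markup)!s:5} {markup}")
```

The blacklist version passes the payload through untouched and the attribute is closed early; the whitelist version turns the quote, the equals sign and the parentheses into entities, so the browser sees one attribute with a harmless string value, and decoding the entities still yields the original text. The cost of the whitelist approach is longer output, which is why the real library's expanded white list (more characters passed through unchanged) is a performance feature rather than a weakening.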

The software giant also released CAT.NET v1 CTP (Community Technology Preview), a binary code analysis tool that examines compiled managed (.NET) code for weaknesses that leave applications vulnerable to XSS, SQL injection and XPath injection attacks.

Writing on Microsoft's Security Development Lifecycle blog, Todd Kutzke, senior director of Microsoft's Application Consulting & Engineering (ACE) Team, explained that the group has been working to design specific tools to help in the development and maintenance of business applications. Kutzke said his team plans to release additional tools in 2009.

"These tools are examples of technologies we've developed and are using internally as a part of our larger SDL initiative in helping to build and maintain secure code, and we're excited to share these tools with our customers," Kutzke said. "As various forms of data become more readily available through online applications, managing the security of these applications is becoming more critical."

In June, Microsoft recognized the need to protect its customers from SQL injection attacks. It issued a security advisory identifying several tools that could be used to bolster Web application development and scan websites for security holes.

The tools were released because security researchers were tracking a surge in SQL injection attacks, part of it tied to the Asprox Trojan. The automated attacks seek out websites whose database queries accept unfiltered input and write script into the stored content, so that pages served to visitors infect their PCs with malware.

Among the tools it identified was the Microsoft Source Code Analyzer for SQL Injection, a static analysis tool that scans classic ASP pages written in VBScript for code that passes request data into SQL statements.
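The following Python sketch is an added example of the kind of pattern such a source analyzer looks for; it is not Microsoft's tool and is far simpler than a real data-flow engine. It scans a constructed classic-ASP page (not taken from any real site) for SQL string literals that are joined with the `&` operator to data from `Request(...)` or to a variable that was assigned from it, and leaves the parameterized query alone. Regex names and the sample page are assumptions made for the example.

```python
"""Heuristic scan of classic ASP (VBScript) source for SQL statements built by
string concatenation with request data: the pattern a source analyzer for
SQL injection reports. Added example, not Microsoft's tool."""

import re

# Constructed sample page (not from any real site). Lines 9 and 11 are the
# injectable ones; lines 16-18 show the parameterized alternative.
SAMPLE_ASP = '''
<%
Dim id, name, sql, cmd
id = Request.QueryString("id")
name = Request.Form("name")
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connStr
' 1: request value concatenated straight into the query
Set rs = conn.Execute("SELECT * FROM Products WHERE Id = " & Request("id"))
' 2: a variable that came from the request, concatenated into the query
sql = "SELECT * FROM Users WHERE Name = '" & name & "'"
Set rs = conn.Execute(sql)
' 3: constant query, nothing to report
Set rs = conn.Execute("SELECT Count(*) FROM Users")
' 4: parameterized: the request value is bound, never concatenated
Set cmd = Server.CreateObject("ADODB.Command")
cmd.CommandText = "SELECT * FROM Users WHERE Id = ?"
cmd.Parameters.Append cmd.CreateParameter("p1", 3, 1, , id)
%>
'''

# Where untrusted data enters: Request("x"), Request.QueryString("x"), ...
SOURCE_RE = re.compile(
    r"\bRequest(?:\.QueryString|\.Form|\.Cookies|\.ServerVariables)?\s*\(", re.I)
# Simple assignments: [Set] name = expression
ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?(\w+)\s*=\s*(.+)$", re.I)
# A string literal that looks like (part of) a SQL statement
SQL_LITERAL_RE = re.compile(
    r'"[^"]*\b(?:SELECT|INSERT|UPDATE|DELETE|EXEC|WHERE)\b[^"]*"', re.I)
STRING_RE = re.compile(r'"[^"]*"')


def find_sql_concat(source: str):
    """Return [(line_number, code)] for lines that concatenate (&) request data
    or a request-derived variable into a SQL string literal."""
    tainted = set()   # variables assigned from Request.*
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.strip()
        if not code or code.startswith("'"):      # blank or comment line
            continue
        # Variable names only count outside string literals.
        code_no_strings = STRING_RE.sub('""', code)
        uses_taint = bool(SOURCE_RE.search(code)) or any(
            re.search(rf"\b{re.escape(v)}\b", code_no_strings, re.I)
            for v in tainted)
        if "&" in code and SQL_LITERAL_RE.search(code) and uses_taint:
            findings.append((lineno, code))
        m = ASSIGN_RE.match(code)
        if m and SOURCE_RE.search(m.group(2)):
            tainted.add(m.group(1))              # propagate taint to the variable
    return findings


if __name__ == "__main__":
    for lineno, code in find_sql_concat(SAMPLE_ASP):
        print(f"line {lineno}: {code}")
```

Two limits of the heuristic are worth keeping in mind when reading a real tool's output: it reports the line where the query string is assembled, not the `Execute` call that runs it, and it follows taint only through direct assignments, so a value that travels through a function or a session variable would be missed. A genuine analyzer tracks flow across statements and into its list of sink APIs; the remediation it points to is the same in either case, which is the parameterized form in the sample.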

Microsoft also identified UrlScan version 3.0 Beta, an ISAPI filter that screens incoming HTTP requests and rejects those matching rules the administrator sets. Microsoft said the tool stops harmful requests from reaching the Web application on the server. UrlScan reads its rules from the urlscan.ini file, and multiple instances can be installed so that different sites or applications get different filters. An administrator can tune the configuration to restrict the request verbs, file extensions, URL sequences and query strings that Internet Information Services (IIS) will process.
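As an added example (not UrlScan's code or Microsoft's shipped defaults), the following Python filter applies the same kind of rule set to a few constructed requests: an allow-list of verbs, denied file extensions, denied URL and query-string sequences, a length limit, and a normalization step that decodes the URL once and rejects anything still encoded after that. The policy values, function names and sample requests are all assumptions made for the illustration; the last sample shows why the article's experts call this a stopgap rather than a fix.

```python
"""Request filter in the style of UrlScan: deny-lists applied after
normalization. Constructed example, not UrlScan itself."""

from urllib.parse import unquote

# Constructed policy modeled on the kinds of sections a urlscan.ini carries.
# These are illustrative values, not Microsoft's defaults.
POLICY = {
    "allow_verbs": {"GET", "HEAD", "POST"},
    "deny_extensions": {".exe", ".bat", ".cmd", ".ini", ".log"},
    "deny_url_sequences": ["..", "./", "\\", ":"],
    "deny_query_sequences": ["declare ", "cast(", "exec(", "<script"],
    "max_query_length": 2048,
    "allow_high_bit": False,
}


def check_request(verb: str, path: str, query: str = ""):
    """Return (allowed, reason). Checks run in the order a filter would want:
    cheap structural rejects first, content matching last."""
    if verb.upper() not in POLICY["allow_verbs"]:
        return False, "verb not allowed"
    # Normalize once, then refuse a path that still contains escapes: a
    # second layer of encoding is the classic way past a sequence filter.
    norm_path = unquote(path)
    if unquote(norm_path) != norm_path:
        return False, "double-encoded path"
    if not POLICY["allow_high_bit"] and any(ord(c) > 127 for c in norm_path + query):
        return False, "high-bit characters"
    last = norm_path.rsplit("/", 1)[-1]
    if "." in last and "." + last.rsplit(".", 1)[-1].lower() in POLICY["deny_extensions"]:
        return False, "extension denied"
    for seq in POLICY["deny_url_sequences"]:
        if seq in norm_path:
            return False, f"url sequence {seq!r}"
    if len(query) > POLICY["max_query_length"]:
        return False, "query too long"
    # Query-string matching is case-insensitive on the decoded text.
    norm_query = unquote(query).lower()
    for seq in POLICY["deny_query_sequences"]:
        if seq in norm_query:
            return False, f"query sequence {seq!r}"
    return True, "allowed"


# Constructed sample requests (verb, path, query string).
SAMPLE_REQUESTS = [
    ("GET", "/products.asp", "id=42"),
    ("TRACE", "/", ""),
    ("GET", "/a/..%255c../b.asp", ""),
    ("GET", "/download.exe", ""),
    ("GET", "/products.asp", "id=1;DECLARE%20@S%20VARCHAR(4000)"),
    # Same keyword with a comment instead of a space: not on the list, so it
    # passes. A sequence filter only knows the sequences it was given.
    ("GET", "/products.asp", "id=1%3BdEcLaRe%2F**%2F@s"),
]


def run_samples():
    """Evaluate every sample request and return the decisions."""
    return [(verb, path, query, *check_request(verb, path, query))
            for verb, path, query in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for verb, path, query, allowed, reason in run_samples():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {verb} {path}?{query}  ({reason})")
```

The filter does stop the textbook injection attempt and the double-encoded traversal, and that is what made UrlScan useful during the 2008 wave. The final sample is allowed because its keyword is separated by a comment rather than a space, which is the general weakness of any deny-list at the HTTP layer: it blocks what it was told about, while the injectable query in the application is unchanged. Fixing the code, as the source analyzers above are meant to help with, is what removes the vulnerability.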



Copyright 2003 - 2009, TechTarget