Microsoft updates code analysis tool, SQL injection XSS library

By Robert Westervelt, News Editor
16 Dec 2008 | SearchSecurity.com


Microsoft released the latest beta versions of its code analysis tool and anti-cross site scripting (anti-XSS) library for developers.


The Anti-XSS library is at version 3 of its beta. Microsoft said the encoding library uses a white-listing technique to protect against XSS attacks: rather than escaping a fixed set of known-bad characters, it encodes every character that is not on its list of known-safe characters. The latest version contains some performance improvements, an expanded white list and support for additional languages.
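The difference between the two encoding strategies, as an added illustration that is not the library's own code: a deny-list encoder escapes only a few characters, so a single quote survives into an attribute and can end it early, while an allow-list encoder (the approach Microsoft describes) numerically encodes everything outside a constructed safe set. `SAFE_CHARS` and the sample input are assumptions for this example.

```python
import html

# Constructed allow list: letters, digits and a few punctuation characters that
# carry no meaning inside HTML text or attribute values. Everything else is
# encoded. (Assumption for this example; the real library's list is larger.)
SAFE_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ,.-_"
)


def denylist_encode(text: str) -> str:
    """Deny-list style: escape only the characters the author thought of."""
    table = {"<": "&lt;", ">": "&gt;", "&": "&amp;"}
    return "".join(table.get(ch, ch) for ch in text)


def allowlist_encode(text: str) -> str:
    """Allow-list style: pass safe characters, numeric-entity encode the rest."""
    return "".join(ch if ch in SAFE_CHARS else f"&#{ord(ch)};" for ch in text)


def render_attribute(value: str, encode) -> str:
    """Place untrusted input inside a single-quoted HTML attribute."""
    return f"<input value='{encode(value)}'>"


def attribute_intact(rendered: str) -> bool:
    """True if the encoded value did not introduce a quote that could end the attribute."""
    inner = rendered[len("<input value='") : -len("'>")]
    return "'" not in inner and '"' not in inner


def roundtrip_ok(text: str) -> bool:
    """Allow-list encoding is lossless: a browser decodes it back to the input."""
    return html.unescape(allowlist_encode(text)) == text


if __name__ == "__main__":
    sample = "O'Brien & Co."  # constructed untrusted input containing a quote
    for name, enc in (("deny-list", denylist_encode), ("allow-list", allowlist_encode)):
        out = render_attribute(sample, enc)
        print(f"{name:10} {out}  intact={attribute_intact(out)}")
```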

The software giant also released CAT.NET v1 CTP, a binary analysis tool that identifies flaws leaving applications open to XSS, SQL injection and XPath injection attacks.


Writing on Microsoft's Security Development Lifecycle blog, Todd Kutzke, senior director of Microsoft's Application Consulting & Engineering (ACE) Team, explained that the group has been working to design specific tools to help in the development and maintenance of business applications. Kutzke said his team plans to release additional tools in 2009.

"These tools are examples of technologies we've developed and are using internally as a part of our larger SDL initiative in helping to build and maintain secure code, and we're excited to share these tools with our customers," Kutzke said. "As various forms of data become more readily available through online applications, managing the security of these applications is becoming more critical."

In June, Microsoft recognized the need to protect its customers from SQL injection attacks. It issued a security advisory identifying several tools that could be used to bolster Web application development and scan websites for security holes.

The tools were released because security researchers were tracking a surge in SQL injection attacks. Part of the surge was tied to the Asprox Trojan. The automated attacks seek out vulnerable websites and insert code to infect visitors' PCs with malware.

Among the tools it identified was the Microsoft Source Code Analyzer for SQL Injection, which detects ASP code susceptible to SQL injection attacks. The tool addresses ASP code written in VBScript.

Microsoft also identified UrlScan version 3.0 Beta, which filters HTTP requests before they reach the Web application on the server. The tool reads its configuration from the urlscan.ini file, and multiple instances can be installed to serve as URL filters. An administrator can tune it to restrict the types of requests that Internet Information Services (IIS) will process.
