
Microsoft updates code analysis tool, SQL injection XSS library

The tools for developers help identify flaws to protect enterprise applications against SQL injection and cross-site scripting attacks.

Microsoft released the latest beta versions of its code analysis tool and anti-cross site scripting (anti-XSS) library for developers.


The Anti-XSS tool is in version 3 of its beta. Microsoft said the encoding library uses a white-listing technique to protect against XSS attacks. The latest version contains some performance improvements, an expanded white list and support for additional languages.
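The white-listing approach to output encoding can be illustrated with a short added example; it is not code from Microsoft's Anti-XSS library or from the original article. The safe-character set, function names and sample inputs are assumptions chosen for illustration, and a deny-list encoder is included for contrast.

```python
import string

# Assumed safe set for this illustration: ASCII letters, digits and a few
# punctuation marks with no special meaning in HTML text or attributes.
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + " .,-_")


def allowlist_html_encode(value: str) -> str:
    """Emit known-safe characters as-is; everything else becomes a
    numeric character reference, so unknown characters fail closed."""
    return "".join(ch if ch in SAFE_CHARS else f"&#{ord(ch)};" for ch in value)


# Deny-list encoder for contrast: it escapes only the characters its
# author thought of and passes everything else through unchanged.
DENYLIST = {"<": "&lt;", ">": "&gt;", "&": "&amp;"}


def denylist_html_encode(value: str) -> str:
    return "".join(DENYLIST.get(ch, ch) for ch in value)


def render_input(encoder, value: str) -> str:
    """Place an untrusted value inside a double-quoted HTML attribute."""
    return f'<input name="q" value="{encoder(value)}">'


def attribute_stays_closed(encoder, value: str) -> bool:
    """True if the encoded value contains no character that could end
    the surrounding quoted attribute or open a new tag."""
    return not any(ch in encoder(value) for ch in "\"'<>")


# Constructed sample inputs (not taken from any real request).
SAMPLES = [
    "summer sale 2009",
    '" onfocus="x',      # quote characters aimed at the attribute boundary
    "<b>bold</b>",
    "caf\u00e9 & bar",   # non-ASCII letter and an ampersand
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for encoder in (denylist_html_encode, allowlist_html_encode):
            ok = attribute_stays_closed(encoder, sample)
            print(f"{encoder.__name__:22} closed={ok!s:5} "
                  f"{render_input(encoder, sample)}")
```

The deny-list encoder leaves the double quotes in the second sample untouched, so the value escapes its attribute; the allow-list encoder has no such gap because anything it does not recognize is encoded.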

The software giant also released a binary analysis tool called CAT.NET v1 CTP. The binary analysis tool can be used to identify vulnerabilities that leave applications vulnerable to XSS, SQL injection and XPath injection attacks.


Writing on Microsoft's Security Development Lifecycle blog, Todd Kutzke, senior director of Microsoft's Application Consulting & Engineering (ACE) Team, explained that the group has been working to design specific tools to help in the development and maintenance of business applications. Kutzke said his team plans to release additional tools in 2009.

"These tools are examples of technologies we've developed and are using internally as a part of our larger SDL initiative in helping to build and maintain secure code and we're excited to share these tools with our customers," Kutzke said. "As various forms of data become more readily available through online applications, managing the security of these applications is becoming more critical."

In June, Microsoft recognized the need to protect its customers from SQL injection attacks. It issued a security advisory identifying several tools that could be used to bolster Web application development and scan websites for security holes.

The tools were released because security researchers were tracking a surge in SQL injection attacks. Part of the surge was tied to the Asprox Trojan. The automated attacks seek out vulnerable websites and insert code to infect visitors' PCs with malware.

Among the tools it identified was the Microsoft Source Code Analyzer for SQL Injection, which detects ASP code susceptible to SQL injection attacks. The tool addresses ASP code written in VBScript.

Microsoft also identified UrlScan version 3.0 Beta, which blocks HTTP requests. Microsoft said the tool will stop harmful requests from reaching the Web application on the server. The tool is designed to read the configuration from the urlscan.ini file. Multiple instances of the tool can be installed to serve as URL filters. It can be tweaked by an administrator to restrict the types of requests processed by the Internet Information Services (IIS).
