Prevent security mishaps with CAT.NET

Static code analysis can improve software security by looking for common security errors such as (SQL/XML/LDAP) injection, Cross Site Scripting (XSS), and more. Generally this is done by looking for malformed queries into which malicious input can be injected. The CAT.NET tool from Microsoft goes a step further and analyzes data as it flows from trusted (or untrusted) inputs to output sinks. This makes it a great QA check as well as a teaching tool that helps developers understand where their applications may be vulnerable to attack.

The tool is available as a Visual Studio plugin or command-line tool. It will scan your object code (assemblies) and provide a report for you to review. Microsoft offers a tool to handle XSS attacks known as the Anti-XSS library. For the remainder of the errors, you are on your own to mitigate them.

I was writing some code to search Active Directory with an LDAP query. CAT.NET found this and marked it as a vulnerability for LDAP injection. I made sure to sanitize the input (and decorate the method with a System.Diagnostics.CodeAnalysis.SuppressMessage attribute), and it disappeared from the report. This is a great tool to use in a daily build to ensure common security bugs can be eliminated.
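For readers who want to see what the sanitization step looks like in practice, the following is an added C# example written for this post; it is not the author's original code and not part of CAT.NET. It shows the kind of string-concatenated `DirectorySearcher` filter that a data-flow analysis flags as LDAP injection next to a hardened version that escapes the untrusted value according to RFC 4515 before it reaches the filter. The rule id passed to `SuppressMessage` is a placeholder: CAT.NET reports its own rule identifiers and the page does not state which one applied, so substitute the id from your report.

```csharp
using System;
using System.Diagnostics.CodeAnalysis;
using System.DirectoryServices;   // reference System.DirectoryServices.dll
using System.Text;

public static class LdapFilter
{
    // Escape a value so it is interpreted as literal characters inside an
    // LDAP search filter (RFC 4515 section 3). The five characters below are
    // the ones with filter syntax meaning; each becomes a backslash followed by
    // its two-digit hex code.
    public static string EscapeFilterValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));

        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }
}

public static class UserLookup
{
    // BEFORE: the caller-supplied name is spliced directly into the filter.
    // A taint-tracking tool such as CAT.NET follows userName from the method
    // parameter to the Filter property and reports LDAP injection, because the
    // value can change the structure of the filter instead of just its operand.
    public static SearchResult FindUserUnsafe(DirectoryEntry root, string userName)
    {
        var searcher = new DirectorySearcher(root)
        {
            Filter = "(&(objectCategory=person)(sAMAccountName=" + userName + "))"
        };
        return searcher.FindOne();
    }

    // AFTER: the untrusted value is escaped first, so the filter structure is
    // fixed and userName can only ever match (or fail to match) an attribute.
    // The SuppressMessage attribute tells CAT.NET the finding has been reviewed;
    // the checkId below is a placeholder for the rule id shown in your report.
    [SuppressMessage("Microsoft.Security", "LDAP_INJECTION_RULE_ID_PLACEHOLDER",
        Justification = "userName is escaped with LdapFilter.EscapeFilterValue before use.")]
    public static SearchResult FindUser(DirectoryEntry root, string userName)
    {
        string safeName = LdapFilter.EscapeFilterValue(userName);
        var searcher = new DirectorySearcher(root)
        {
            Filter = "(&(objectCategory=person)(sAMAccountName=" + safeName + "))"
        };
        searcher.PropertiesToLoad.Add("displayName");
        return searcher.FindOne();
    }
}

public static class Program
{
    // Offline demonstration of the escaping step alone (no directory needed).
    // Constructed sample inputs: a normal name, and one that contains every
    // character the escaper rewrites.
    public static void Main()
    {
        Console.WriteLine(LdapFilter.EscapeFilterValue("jsmith"));
        // -> jsmith
        Console.WriteLine(LdapFilter.EscapeFilterValue("a*b(c)d\\e\0"));
        // -> a\2ab\28c\29d\5ce\00
    }
}
```

Two design points are worth noting. Escaping is applied to the value, not to the whole filter, so the `(&(...)(...))` structure is authored entirely by the code and never by the caller. And the suppression attribute is placed on the method that performs the mitigation, with a `Justification` naming the escaping routine, so the next reviewer of the CAT.NET report can see why the finding was closed rather than having to rediscover it.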
