Security tools from Microsoft

We are currently looking for some tool to help us find weaknesses in our code. There are not a lot of options currently on the market. The tools we are looking at are http://www.fortify.com and http://www.armorize.com/, but which does the best work on code? The biggest advantage of Fortify is that it supports many different languages, but damn, it is a really expensive tool.

Microsoft is planning to release their Security Tools, but I think they are currently at an early stage.
https://connect.microsoft.com/site/sitehome.aspx?SiteID=734&wa=wsignin1.0

  • CAT.NET – the managed code security source code scanning tool
  • WACA – Web Application Configuration Analyzer
  • WPL – Web Protection Library (formerly Anti-XSS)
  • TAM – Threat Modeling and Analysis tool

The only tool I have tried so far is CAT.NET, but something goes terribly wrong when I run a test on code (see error below). Still, I think this is a great initiative from Microsoft. What is wrong with my pdb? I think I have wrong paths set or something…

Error from my CAT.NET run:

    C:\Program Files (x86)\Microsoft Information Security\Microsoft Code Analysis for .NET (CAT.NET) v2.0>CATNetCmd.exe /file:c:\aDLLFILE.dll /configdir:C:\myPathToFolder
    Microsoft (r) Code Analysis Tool for .NET (CAT.NET) Tool 2.0.0.0
    Copyright (c) Microsoft Corporation 2009.  All rights reserved.

    Running in 32-bit mode

    2009-11-25 13:17 : Information : Loading analysis rules…done.
    2009-11-25 13:17 : Information : Total 40 rules loaded by the engine.
    2009-11-25 13:17 : Information : Processing analysis rules…
    2009-11-25 13:17 : Information : Initializing configuration analysis engine…done.
    2009-11-25 13:17 : Information : Initializing interprocedural data flow analysis engine…The available PDB has been stripped so it does not contain the required
    information for native or IJW images.
    Please find the full PDB for this binary and re-run your scenario.

    Unhandled Exception: System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
       at Phx.Pdb.ReaderImplementation.GetDataStream(String sectionNameString)
       at Phx.PE.ReaderPhase.ReadPEFixups()
       at Phx.PE.ReaderPhase.SeedFixups()
       at Phx.PE.ReaderPhase.CodeDiscovery()
       at Phx.PE.ReaderPhase.Translate()
       at Phx.PEModuleUnit.LoadGlobalSymbols()
       at Microsoft.InformationSecurity.CodeAnalysis.Engines.AnalysisEngine.TaintedAnalysisEngine.Initialize(String assemblypath, String[] phoenixargs, Int32 maxnumofpasses, Rules rules)
       at Microsoft.InformationSecurity.CodeAnalysis.Engines.RulesEngine.RulesEngine.ProcessRules()
       at Microsoft.InformationSecurity.CodeAnalysis.UI.CommandLine.Program.Main(String[] args)
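The CAT.NET message above complains about the PDB, and the post wonders whether the paths are wrong. A quick way to check that before re-running the scanner is to read the PDB reference the compiler embedded in the DLL itself: a CodeView "RSDS" record holds the GUID, age and the full path of the PDB the binary was built against. The script below is an added example, not part of the original post and not CAT.NET code; it scans an image for RSDS records (a byte-signature heuristic, not a full PE parser) and reports where a PDB with that name can be found. The sample image bytes, the GUID, the path `c:\build\aDLLFILE.pdb` and the symbol directory `/sym` are all constructed for the example.

```python
import os
import struct
import uuid

RSDS = b"RSDS"  # CodeView signature used by MSVC / .NET compilers for PDB 7.0 references


def parse_rsds(record: bytes) -> dict:
    """Parse one CodeView RSDS record.

    Layout: 'RSDS' | 16-byte GUID (little-endian) | 4-byte age | NUL-terminated PDB path.
    Raises ValueError when the bytes are not a complete record.
    """
    if record[:4] != RSDS or len(record) < 25:
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=record[4:20])
    (age,) = struct.unpack_from("<I", record, 20)
    end = record.index(b"\x00", 24)  # ValueError if the path is not terminated
    path = record[24:end].decode("utf-8", errors="replace")
    return {"guid": str(guid), "age": age, "pdb_path": path}


def find_rsds_records(image: bytes) -> list:
    """Return every parsable RSDS record found by scanning the raw image bytes.

    This is the same heuristic `strings`-style tooling uses; it does not walk the
    PE debug directory, so stray 'RSDS' text elsewhere in the file may be reported.
    """
    records = []
    pos = image.find(RSDS)
    while pos != -1:
        try:
            records.append(parse_rsds(image[pos:]))
        except ValueError:
            pass  # signature bytes without a valid record behind them
        pos = image.find(RSDS, pos + 1)
    return records


def check_pdb_locations(image: bytes, search_dirs, exists=os.path.isfile) -> list:
    """For each embedded PDB reference, list where a file with that name is present.

    Candidates are the embedded absolute path plus <dir>/<basename> for each search
    directory (the symbol/config directories you would point a scanner at).
    `exists` is injectable so the check can be exercised without touching the disk.
    """
    report = []
    for rec in find_rsds_records(image):
        basename = os.path.basename(rec["pdb_path"].replace("\\", "/"))
        candidates = [rec["pdb_path"]] + [os.path.join(d, basename) for d in search_dirs]
        rec = dict(rec, found_at=[c for c in candidates if exists(c)])
        report.append(rec)
    return report


# Constructed sample: a stand-in header followed by one RSDS record (not a real PE file).
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 60
    + RSDS + SAMPLE_GUID.bytes_le + struct.pack("<I", 3)
    + b"c:\\build\\aDLLFILE.pdb\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    for entry in check_pdb_locations(SAMPLE_IMAGE, ["/sym"]):
        print(entry)
```

On a real DLL, read the file bytes and pass the directories you hand to the scanner; if `found_at` is empty, the scanner cannot possibly load the right PDB, and if the file is found but the tool still reports it as stripped, the build emitted a stripped PDB rather than a full one (a path problem and a stripped PDB are two different failures).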

Update

Seems like it is a Windows 7 problem.

http://social.msdn.microsoft.com/Forums/en-US/phoenix/thread/2085fa72-19d8-4a6b-b6e0-8777e4fbfc59?prof=required
