What is CATScan?

CATScan is an integration project built around Microsoft CAT.NET, which was developed by the Microsoft IT Information Security Tools Team, formerly known as the Connected Information Security Group (CISG). For more information about CAT.NET, see http://blogs.msdn.com/b/securitytools/

Essentially, CAT.NET is a static code analysis tool like FxCop, but built specifically for managed code and with a strong focus on security vulnerabilities. Obviously it would not make sense to have yet another static code analysis tool if it scanned code and produced the same results as FxCop. Instead, CAT.NET scans managed code for specific security vulnerabilities such as:
  • SQL injection
  • LDAP injection
  • Cross Site Scripting
  • XPATH injection
  • and many other categories of vulnerabilities.
You can even extend the tool with your own custom categories to meet your specific needs. To read more about CAT.NET, see MSDN or http://blogs.msdn.com/securitytools.

This project is about using the tool as-is to automate code scans with each Visual Studio Team Build. I have used TFS 2008, but you can use the scripts and logic to automate a TFS 2005 Team Build too. In fact, I am planning to try TFS 2010 Beta 1 in the next few days to see whether the project works with the next version of Team Build.

To summarise, CATScan uses the following tools:
  1. Microsoft CAT.NET CTP v1 (CATScan does not work with the current release version of CAT.NET; see the issue tracker at http://catscan.codeplex.com/workitem/list/basic)
  2. Visual Studio Team System 2008 Team Build
  3. Windows SharePoint Services 3.0
  4. Custom MSBuild scripts, and
  5. A console application
The console application uses the WSS web services to upload the CAT.NET scan reports.
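As an added illustration of how these pieces fit together (this is not a script from the CATScan project itself), here is a TFSBuild.proj fragment that runs CAT.NET over the assemblies a Team Build produced and then hands the reports to the console uploader. The CATNetCmd.exe switches, the CATScanUpload.exe name and argument order, the install paths and the WSS site URL are all assumptions to be replaced with the values from your own setup.

```xml
<!-- Added example, not part of CATScan. Merge into TFSBuild.proj; Team Build 2008
     calls the AfterCompile target once every configuration has been built. -->
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <!-- Assumed install location of the CAT.NET CTP command-line scanner -->
    <CatNetExe>C:\Program Files\Microsoft\CAT.NET\CATNetCmd.exe</CatNetExe>
    <!-- Assumed name and location of the console uploader and the WSS document library -->
    <CatScanUpload>$(SolutionRoot)\Tools\CATScanUpload.exe</CatScanUpload>
    <ReportLibraryUrl>http://wss.example.internal/sites/build/ScanReports</ReportLibraryUrl>
    <ReportDir>$(BinariesRoot)\CatNetReports</ReportDir>
  </PropertyGroup>

  <Target Name="AfterCompile">
    <MakeDir Directories="$(ReportDir)" />

    <!-- Scan only what this build produced; leave third-party and test assemblies out -->
    <ItemGroup>
      <ScanTarget Include="$(BinariesRoot)\**\*.dll;$(BinariesRoot)\**\*.exe"
                  Exclude="$(BinariesRoot)\**\*.Tests.dll" />
    </ItemGroup>

    <!-- One report per assembly. Exec batches over %(ScanTarget.FullPath).
         Switch names are assumptions; confirm them with CATNetCmd.exe /? -->
    <Exec Command="&quot;$(CatNetExe)&quot; /file:&quot;%(ScanTarget.FullPath)&quot; /report:&quot;$(ReportDir)\%(ScanTarget.Filename).xml&quot;"
          ContinueOnError="true" />

    <!-- Push every report to the WSS library, tagged with the Team Build number -->
    <ItemGroup>
      <ScanReport Include="$(ReportDir)\*.xml" />
    </ItemGroup>
    <Exec Command="&quot;$(CatScanUpload)&quot; $(BuildNumber) &quot;$(ReportLibraryUrl)&quot; @(ScanReport->'&quot;%(FullPath)&quot;', ' ')"
          Condition="'@(ScanReport)' != ''" />
  </Target>
</Project>
```

The build service account only needs Contribute rights on the report library, so grant it that and nothing more on the WSS site.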

See the Project details page for instructions on setting up CATScan in your own environment.

Last edited Feb 7, 2012 at 2:00 AM by yogz, version 5