New versions of Anti-XSS & CAT.NET available today and some background and history about the ACE team

Hi All – this is Irfan Chaudhry, Director of the ACE Team. As you may have read on some of the other blogs, today, we’re releasing versions of Anti-XSS and CAT.NET (available in 32-bit and 64-bit versions) to the general public. Anti-XSS is a library designed to prevent Cross-Site Script attacks, while CAT.NET is designed to scan code and help identify issues such as Cross-Site Script and SQL Injection vulnerabilities. Here is a link to CISG’s blog where you’ll find detailed information on the tools and the functionality they provide. I thought I would take this opportunity to shed some light on the ACE Team’s role and involvement in the design of these tools.


First, a little history about ACE. The ACE Team was formed back in 1999. Its primary mission at that time was to conduct performance testing and analysis of Microsoft’s line of business (LOB) applications. Today, performance testing remains a fundamental and critical service provided by the ACE Team to both internal as well as external customers. In fact, early next year we’ll be releasing some of the tools we utilize for performance testing. Please view this webcast for information on neXpert, one of the two tools we’ll be making available to external customers. In 2001, the ACE team was chartered to start reviewing LOBs for security. In 2002 the charter was expanded to also include conducting privacy reviews of these LOBs. By 2004, we had reviewed close to 1000 applications and logged tens of thousands of application security bugs. As a result of these reviews, we collected some extremely useful data on vulnerabilities, training we needed to provide our developers as well as tools we need in order to more efficiently execute our processes. One of the most common issues we kept encountering was Cross-Site Script vulnerabilities. So, we decided back then to take a two-pronged approach: arm the developers with code they can reuse for input validation and, secondly, provide both development teams as well as our security analysts with a more efficient way to hunt down these issues. Our first foray into developing a solution around XSS resulted in a library called IOSec. We saw a notable improvement in bug count with those teams who implemented IOSec vs. those who chose not to utilize the library. Since then we’ve continued to build upon the concept of IOSec in the form of Anti-XSS 1.5 and now V 3.0. An additional tool we developed and released in 2004 was our Threat Analysis & Modeling (TAM) tool. The goal of TAM was to enable development teams as well as ACE to identify issues during the design phase of the SDLC.
We’ve made some incremental improvements of TAM in the last few years and will continue to invest time and energy in the area of improving the threat modeling process for LOBs. In that same year, we teamed up with Microsoft Research to create a static code analysis tool. It too was named CAT.NET; however, today’s version is utilizing different technology, so they are in one sense dramatically different tools. However, both tools are designed with the principle of ‘tainting’ variables as a way to track input as it flows through the code.


We still see XSS as a significant problem not only for Microsoft but the industry as a whole, and therefore we will continue our partnership with teams within InfoSec and other groups at Microsoft to help combat this vulnerability. In fact, our desire is to have a positive impact on the overall IT ecosystem and releasing tools to the public is one way of doing this. But in 2004, we decided to take it a step further and provide our external customers access to our assessment processes, by having consultants from ACE go onsite to customer locations. Through our partnership with Microsoft Services (MCS & PREMIER) over the past four years, ACE consultants based around the globe have delivered services to hundreds of customers and shared with them the IP and best practices we’ve developed over the past 7 years.


2004 was a significant year for the team, but this year we also had some notable changes come to the team. Up until March of 2008, ACE’s focus remained on the security/privacy and performance assessment of applications. However, we wanted to provide a true end-to-end experience for our customers as well as bring efficiencies to our assessment processes. Therefore, in March, the infrastructure and risk assessment teams within Microsoft IT’s Information Security organization were merged under the ACE Team, providing us the ability to expand our services to now include application security, infrastructure security, organizational risk, privacy assessments and of course performance reviews. Please look for future blog postings on the ACE Team, our assessment services and processes as well as details on IP being planned for release. Meanwhile, I look forward to reviewing your feedback, comments and answering questions that you may have. Happy holidays everyone!!!