CAT.NET V2.0 released to Beta

Syed Aslam Basha here from the Information Security Tools Team.

CAT.NET is released to beta, this beta program will last for approximately 1 month.  The final released version is scheduled to release shortly after VS 2010 RTM.   The goal of this beta program is to garner feedback from the user community.   Please send all feedback to  There have been some significant changes to the code.  These changes include;

User Experience

  • Integration with Visual Studio 2010 code analysis infrastructure as FxCop rules.
  • Easy analysis using FxCop command line or UI interface or VSTS Team Build.
  • Currently beta includes FxCop UI and Command prompt.

Core Analysis

  • Total of 55 rules have been added.  There are 9 data flow rules and 46 configuration rules are included in this version.
  • Updated tainted data flow analysis engine to track both tainted operands and source symbols.
  • Reduced false positives and false negatives. 
  • Accomplished by detecting sanitizers, constant variables and instructions that affect the data flow.
  • New Data flow rule to detect XML Injection attacks
  • Updated configuration rules engine detecting clear text connection strings and credentials.
  • Rules to detect insecure defaults. 
  • Example minRequiredPasswordLength attribute of membership providers add element.
  • Configuration rules updated to detect @page directive configuration overrides.

Known Issues

All current known issues have been included in the CAT.NET V2.0 Beta guide document.  The items listed in this document will be resolved prior to final release.


You can download the bits at Connect (link below)


-Syed Aslam Basha ( )

Microsoft Information Security Tools (IST) Team

Test Lead