Archive for the ‘Information Security Tools’ Category

Farewell from Mark Curphey & Please Help Me Fight Blood Cancer

March 30th, 2010

Mark Curphey here…..

It is with some degree of sadness that I have to hang up my spurs from this blog. Next Monday I take up a new role on the Server & Tools Online team (think MSDN & codeplex.com) where I will be heading up the subscriptions engineering team. I have held various security roles in big and small companies for the last 15 years and so it is very much a new chapter in my life as I follow my passions of modern development practices, online community and user experience. I call it Curphey 2.0!

The work of the Security Tools team will not change or be affected in any way. There is great work continuing including CAT.NET, WPL and WACA (as well as a whole lot more internal implementation engineering on Identity Management and other related security management tools). There is a LONG overdue release of CISF and updates due on the Security BI and Risk Tracker work we have been cranking out. The team will continue to use this blog to communicate public releases and share their work and learnings.

It has been an honor and a pleasure to work with the team. It is a very talented bunch of folks who have made work fun! You can follow my new adventures at my new personal blog http://www.curphey.com and as usual on Twitter using @curphey (or http://www.twitter.com/curphey). I will be posting some notes over on the BlueHat blog about my talk in Buenos Aires next week and have one final security keynote “10 Crazy Ideas That Might Actually Change the State of Information Security

One of the things I have been blown away by at Microsoft is the Corporate Citizenship and the culture of giving. It’s a part of our corporate culture that I think we can be very proud of. As I transition to my new role I wanted to share something personal. Before I move on I have a personal plea. Yes it’s a plea, a plea to your kind hearts and good nature. Last week I signed up to run the Seattle Rock’N’Roll Marathon with The Leukemia & Lymphoma Society’s (LLS) Team In Training. The run is on June 26th, 2010 and I am raising money to help fight blood cancer. I am not going for pace, I just want to finish and raise money for a good cause. I just want to do something good. For a few years I have wanted to do a marathon as one of those things to tick off of the “been there and done that in Life” list but more importantly I know a few people who have been dealing with cancer of various forms. One friend has a 9 year old son who has been dealing with a brain and a spine tumor for most of his life (I am not going to tug on your heart strings too much but it’s a heart breaking story) and another good friend (my age) is now recovering from Lupus. The chemotherapy has literally disintegrated his bones to the point where he has had to have his hips replaced so he can walk. He will never be able to run with his kids like I can. My minor skin cancer scares pale into insignificance when you see what others go through and a little bit of pain on a 26 mile run will be negligible in order to help advance the research and prevent others from suffering. I am healthy and alive; getting fit and a few blisters will be a breeze in comparison to what others go through.

PLEASE SPONSOR ME!

Please, please consider sponsoring me and raising money to fight blood cancer. I am happy to accept sponsorship if you want to induce pain in me or help relieve it from others!

My Team in Training Sponsorship page can be found here.  If you work for Microsoft it has directions on how to ensure that Microsoft matches your donation so together we can double the donation for employees.

All donations help. Anything helps! It’s for a great cause!

As I live in a “Connected World” you can even track my run stats on the Garmin Connect site here using an RSS reader to see just how tough I am finding it!

Thanks for your support!

PS : I am also happy to do speaking events, write articles, consider endorsements or wear your company logo in return for donations.  You can write to me at mark at curphey dot com with suggestions.

Categories: Information Security Tools

How To: Use CAT.NET 2.0 Beta

February 5th, 2010

Syed Aslam Basha here. I am a tester on the Information Security Tools Team responsible for testing CAT.NET.

You can download the current Beta of CAT.NET 2.0 from https://connect.microsoft.com/site734/Downloads/DownloadDetails.aspx?DownloadID=26086&wa=wsignin1.0

*You must have Visual Studio 2010 Beta 2 for this tool to work. There are known issues if you have previous versions installed, so please be aware.*

After the installation, open a Visual Studio 2010 command prompt in *Administrator* mode by going to Start -> All Programs -> Microsoft Visual Studio 2010 -> Visual Studio Tools -> Visual Studio 2008 Command Prompt. At the command prompt, type “sn -Vr *,b03f5f7f11d50a3a” to skip strong name verification for the FxCop assemblies.

*Note: this sn step will be fixed in an incremental build very soon.*

You can run CAT.NET as FxCop rules from the FxCop GUI or from FxCopCmd.exe.

1. Start FxCop by going to Start -> All Programs -> Microsoft Information Security -> Code Analysis Tool for .NET (CAT.NET) v2.0 -> FxCop. This will bring up the UI with CAT.NET rules loaded.

2. Right click “My FxCop Project” and select “Add Targets” to browse and add a target to analyze.

3. Click on the “Rules” tab to select appropriate rules.

Note: Sometimes the FxCop UI does not display any results after selecting both rules. The workaround is to select configuration rules or data flow rules and alternate the selection after analysis.

4. After selecting a target, click the “Analyze” button in the toolbar or just press F5 to start the analysis.

5. Review the results in the window on the right.

6. You can also run the analysis using the FxCop command line tool. Open the FxCop command line tool by going to Start -> All Programs -> Microsoft Information Security -> Code Analysis Tool for .NET (CAT.NET) v2.0 -> FxCop Command Prompt. This will run the command line tool and display all the existing command line switches.

7. You can start the analysis by using the /console and /file switches. The /console switch displays errors in the console and the /file switch specifies which file to analyze. Ex: FxCopCmd.exe /console /file:"C:\AntiXss\Sample Application\bin\SampleApp.dll"

-Syed Aslam Basha (syedab@microsoft.com)

Microsoft Information Security Tools (IST) Team

Test Lead
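
The command-line route from the How To post above, as an added batch script that is not part of the original post or of the CAT.NET tooling: it registers the strong name skip entry only for one FxCopCmd run and removes it afterwards, because "sn -Vr *,b03f5f7f11d50a3a" otherwise leaves verification switched off for every assembly carrying that public key token. It assumes an elevated prompt with both sn.exe and FxCopCmd.exe on PATH; the script and its single argument (the assembly to analyze) are hypothetical.

```batch
@echo off
rem Added example, not from the original post.
rem Assumption: elevated prompt, sn.exe and FxCopCmd.exe both on PATH.
setlocal

rem Public key token used in the post's sn command.
set "TOKEN=b03f5f7f11d50a3a"

rem First argument: assembly to analyze (quotes are stripped by %~1).
set "TARGET=%~1"
if "%TARGET%"=="" goto usage
if not exist "%TARGET%" goto missing

rem Register the skip-verification entry exactly as the post describes.
sn -Vr *,%TOKEN%
if errorlevel 1 goto noskip

rem Run the analysis with the two switches from step 7.
FxCopCmd.exe /console /file:"%TARGET%"
set "RC=%ERRORLEVEL%"

rem Unregister the entry again, whatever the analysis returned, so strong
rem name verification is back in force for assemblies with this token.
rem Note: this also removes an entry that existed before the script ran.
sn -Vu *,%TOKEN%

rem List what is still registered for skipping, for a quick review.
sn -Vl

exit /b %RC%

:usage
echo Usage: %~nx0 "path\to\assembly.dll"
exit /b 2

:missing
echo Target not found: "%TARGET%"
exit /b 2

:noskip
echo Could not register the skip-verification entry. Is the prompt elevated?
exit /b 1
```

If the analysis is interrupted before the unregister step, run "sn -Vl" and "sn -Vu *,b03f5f7f11d50a3a" by hand to confirm the entry is gone.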

CAT.NET 2.0 – Beta

February 4th, 2010

Mark Curphey here…

Pleased to announce a beta of the upcoming CAT.NET 2.0. This beta program will last for approximately 1 month. The final released version is scheduled to release shortly after VS 2010 RTM. The goal of this beta program is to garner feedback from the user community. Please send all feedback to ist-cat@microsoft.com. There have been some significant changes to the code. These changes include:

User Experience

  • Integration with Visual Studio 2010 code analysis infrastructure as FxCop rules.
  • Easy analysis using FxCop command line or UI interface or VSTS Team Build.
  • Currently, the beta includes the FxCop UI and command prompt.

Core Analysis

  • Total of 55 rules have been added.  There are 9 data flow rules and 46 configuration rules are included in this version.
  • Updated tainted data flow analysis engine to track both tainted operands and source symbols.
  • Reduced false positives and false negatives. 
  • Accomplished by detecting sanitizers, constant variables and instructions that affect the data flow.
  • New Data flow rule to detect XML Injection attacks
  • Updated configuration rules engine detecting clear text connection strings and credentials.
  • Rules to detect insecure defaults. Example: the minRequiredPasswordLength attribute of the membership providers add element.
  • Configuration rules updated to detect @page directive configuration overrides.
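
To make the configuration checks listed above concrete, here is an added example (not CAT.NET's own rule code) that scans a web.config for two of the conditions named: clear text credentials in connection strings and a short minRequiredPasswordLength on a membership provider. The class name, the sample configuration and the length threshold of 8 are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Xml.Linq;

static class ConfigChecks
{
    // Assumption: a local policy value, not the threshold CAT.NET applies.
    const int MinPasswordLength = 8;
    // Constructed sample web.config, embedded so the example runs offline.
    const string SampleConfig = @"<configuration>
  <connectionStrings>
    <add name=""Orders"" connectionString=""Server=db01;Database=Orders;User Id=app;Password=example-only"" />
    <add name=""Reports"" connectionString=""Server=db01;Database=Reports;Integrated Security=SSPI"" />
  </connectionStrings>
  <system.web><membership><providers>
    <add name=""SqlProvider"" type=""System.Web.Security.SqlMembershipProvider"" minRequiredPasswordLength=""4"" />
  </providers></membership></system.web>
</configuration>";

    public static List<string> Scan(string xml)
    {
        var findings = new List<string>();
        XDocument doc = XDocument.Parse(xml);
        // Clear text credentials: a password keyword inside a connectionString attribute.
        foreach (XElement add in doc.Descendants("connectionStrings").Elements("add"))
        {
            string cs = (string)add.Attribute("connectionString") ?? "";
            if (Regex.IsMatch(cs, @"(^|;)\s*(password|pwd)\s*=", RegexOptions.IgnoreCase))
                findings.Add("Clear text credential in connection string '" + (string)add.Attribute("name") + "'");
        }
        // Insecure setting: membership provider <add> with a short minRequiredPasswordLength.
        // A provider that omits the attribute uses its built-in default and is not checked here.
        foreach (XElement add in doc.Descendants("membership").Elements("providers").Elements("add"))
        {
            string raw = (string)add.Attribute("minRequiredPasswordLength");
            if (raw != null && int.TryParse(raw, out int length) && length < MinPasswordLength)
                findings.Add("Provider '" + (string)add.Attribute("name") + "' allows passwords of " + length + " characters");
        }
        return findings;
    }

    static void Main() { foreach (string f in Scan(SampleConfig)) Console.WriteLine(f); }
}
```

On the constructed sample this reports the Orders connection string and the SqlProvider entry, and leaves the Reports entry, which uses integrated security, unflagged.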

Known Issues

All current known issues have been included in the CAT.NET V2.0 Beta guide document.  The items listed in this document will be resolved prior to final release.

Download

You can download the bits at Connect (link below)

https://connect.microsoft.com/site734/Downloads/DownloadDetails.aspx?DownloadID=26086&wa=wsignin1.0

Enjoy!

Delay Between Actions Feature in CUIT

January 18th, 2010 No comments

Syed Aslam Basha here. I am a tester on  the Information Security Tools Team.

CUIT code executes at a very fast pace. At times you may want to run it more slowly, or with a delay between actions.

The playback API helps to achieve this, as shown below:

Playback.PlaybackSettings.DelayBetweenActions = 1000;

The value is in milliseconds, use the above code as the first line in your CUIT methods to get a delay between actions of one milliseconds during playback.

-Syed Aslam Basha (syedab@microsoft.com)

Microsoft Information Security Tools (IST) Team

Test Lead

How To: Data Drive CUIT Scripts

January 18th, 2010 No comments

Syed Aslam Basha here. I am a tester on  the Information Security Tools Team.

One of the major features of any automation tool is support for data-driven test cases, and CUIT supports data-driven testing too. Let me show an example of data driving CUIT scripts.

Suppose you want to validate the login feature of an application with different users.

  • Select the Test menu and click on Windows –> Test View
  • Select the required test name, say validatehomepage

  • Click on the ellipsis button next to the data connection string in the properties window
  • You can configure the required data source: select CSV file and click on Next

  • Click on Finish

  • Click on yes for “Copy the database file into the current project and add as deployment item”

  • You can see data source code being added to the Validatehomepage file

    [DataSource("Microsoft.VisualStudio.TestTools.DataSource.CSV", "|DataDirectory|\\UserNames.csv", "UserNames#csv", DataAccessMethod.Sequential), DeploymentItem("PortalAutomation\\UserNames.csv"), TestMethod]

    public void ValidateHomePage()

  • The data source is added to the project; now assign the values from the data source to the parameters of CUIT:

    this.UIMap.LoginAdminParams.UsernameEditText = testContextInstance.DataRow[0].ToString();

  • Run the tests; they run for two iterations and show the results

Likewise, you can data drive any of the test cases. If you think out of the box, you can apply the concept to validate all links present in a web page.

-Syed Aslam Basha (syedab@microsoft.com)

Microsoft Information Security Tools (IST) Team

Test Lead

How To: Customize CUIT scripts

January 18th, 2010 Comments off

Syed Aslam Basha here. I am a tester on  the Information Security Tools Team.

In the previous blog posts I have shown how to automate functional test cases using CUIT and how to add check points/assertions to CUITs. Let's see with an example “how to customize the CUIT scripts”.

Let's take a close look at the files that are generated after recording:

  • codedUITest1.cs, which has the method calls that we have recorded
  • UIMap.cs, which at this stage contains little more than an empty UIMap class that we will modify in due course
  • UIMap.Designer.cs, which contains code generated by the CUIT builder
  • UserControls.cs, which contains definitions of specialized classes used in CUIT

  • UIMap.Designer.cs and UIMap.cs each contain part of the partial UIMap class. The designer file contains auto-generated code. As with any designer file, modifications made to it are lost if the code is regenerated.
// ------------------------------------------------------------------------------
//  <auto-generated>
//      This code was generated by coded UI test builder.
//      Version: 10.0.0.0
//
//      Changes to this file may cause incorrect behavior and will be lost if
//      the code is regenerated.
//  </auto-generated>
// ------------------------------------------------------------------------------

Suppose we have recorded sanity test cases and would like to use them to test the production site. All you need to do is modify the UIMap.cs file as shown below. Here we are updating the launch portal site params variable BlankPageWindowsInteWindowUrl to https://productionSite.

    public partial class UIMap
    {
        // Overrides the recorded launch URL so the same tests run against production.
        public void ProductionValues()
        {
            this.LaunchPortalSiteParams.BlankPageWindowsInteWindowUrl = "https://productionSite";
        }
    }

Call this function from CUIT before any other function is called, as follows:

    public void CodedUITest1()
    {
        // To generate code for this test, select "Generate Code for Coded UI Test" from the shortcut menu and select one of the menu items.
        this.UIMap.ProductionValues();
        this.UIMap.LaunchPortalSite();
        this.UIMap.ValidateHomePageLinks();
        this.UIMap.ClosePortalSite();
    }

Now you are good to test the production site. Likewise, you can set values for any of the variables defined in UIMap.Designer.cs.

-Syed Aslam Basha (syedab@microsoft.com)

Microsoft Information Security Tools (IST) Team

Test Lead