Not long ago, Microsoft was the chief butt of security jokes in the IT world. It’s safe to say that they no longer wear the crown – in fact they’ve moved to being a company often pointed to as ‘getting it right.’ And that’s coming from someone typing this post from his Ubuntu Linux laptop.
Microsoft has always been very developer focused. One of the most important shifts they’ve made has been to focus their communication on the message that security bugs are just another kind of software defect to be eliminated. I’m especially pleased that they decided to invest effort in combating a class of bug as serious as XSS by developing code automation tools. While not quite a replacement for SCA software like Fortify, their tool does cover one very serious issue using automated techniques.
The Microsoft ACE Team blog just announced a ‘free’ tool (60-day beta) that’s worth checking out if you develop or secure .NET web apps.
“XSSDetect runs as a Visual Studio plug-in and can detect potential XSS issues in managed code.”
If that sounds fresh and exciting to you, visit:
There has also been a string of newer articles posted about this tool in the meantime: http://blogs.msdn.com/ace_team/default.aspx