Security Code Review with Microsoft’s Code Analysis Tool (CAT.NET)

Microsoft recently released a new build of CAT.NET, the Code Analysis Tool from the Microsoft IT Information Security Tools Team (formerly known as the Connected Information Security Group). This is the same group that works on the AntiXSS Library that I wrote about in “Fighting Cross-Site Scripting with Anti-Cross Site Scripting Library 3.0.”

The tool is a static analysis tool that performs security reviews on the intermediate language (IL) contained in .NET project binaries. CAT.NET uses tainted data flow analysis, sometimes called tainted-variable analysis. This type of analysis attempts to identify what sources of untrusted inputs could affect trusted parts of an application.

CAT.NET couldn’t be easier to use. It is implemented as a Visual Studio add-in that installs a CAT.NET Code Analysis item to the Tools menu. Select that item to open the CAT.NET window, and click the green arrow to start analysis. After several moments (depending, of course, on how large the project is), you get the results. The following image shows the results of running the tool on a single-page website that has some fairly extensive code behind it.
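To make the tainted data flow analysis concrete, here is an added example (not code from the original post or from the CAT.NET team) of the kind of flow the tool reports and of the corrected version. It assumes an ASP.NET Web Forms code-behind class, a query-string parameter called `name`, and a project reference to the AntiXSS library 3.0 (`Microsoft.Security.Application`); all of these names are assumptions for illustration.

```csharp
using System;
using System.Web;
using System.Web.UI;
using Microsoft.Security.Application; // AntiXSS library 3.0, assumed to be referenced

// Hypothetical Web Forms page used only to illustrate a source-to-sink flow.
public partial class Greeting : Page
{
    // Vulnerable flow: Request.QueryString is an untrusted source, Response.Write is an
    // HTML output sink. A taint analysis marks "name" as tainted at the source, follows
    // it through BuildGreeting(), and reports a cross-site scripting finding at the sink.
    protected void Page_Load_Vulnerable(object sender, EventArgs e)
    {
        string name = Request.QueryString["name"]; // source: attacker-controlled input
        Response.Write(BuildGreeting(name));      // sink: written to the response as raw HTML
    }

    // Hardened flow: the value is encoded for an HTML context before it reaches the sink,
    // so any markup in the input is rendered as text rather than interpreted by the browser.
    protected void Page_Load(object sender, EventArgs e)
    {
        string name = Request.QueryString["name"];
        string safe = AntiXss.HtmlEncode(name ?? string.Empty); // AntiXSS 3.0 HTML encoder
        Response.Write(BuildGreeting(safe));
    }

    // Taint travels through ordinary string concatenation and method calls, which is why
    // the analysis must track data flow across the IL rather than inspect one line at a time.
    private static string BuildGreeting(string who)
    {
        return "<p>Hello, " + who + "</p>";
    }
}
```

Only the first method would produce a finding; in the second, the encoding step sits between the source and the sink on every path.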

Read more details and download the tool from
