Following up on AntiXSS, Mark Curphey also announces the first public release of CAT.NET.
CAT.NET is a managed code static analysis tool for finding security vulnerabilities. It is exactly the same tool we use internally to scan all of our Line of Business (LOB) applications, and it runs either as a Visual Studio plug-in or as a stand-alone application. It was engineered by this group (CISG) and was designed in partnership with the ACE Team and Microsoft Research. The ACE Team do thousands of code reviews for our internal line of business applications and for our external customers, and over the years they have contributed a wealth of real-world knowledge and experience to the tool. We will be posting several deep-dive blogs this week on the inner workings of the call graph and flow graph analysis and on the algorithms behind CAT.NET from MSR. It is a technology preview: we appreciate that there are some performance and functionality limitations, which we will be working on over time, but we are already deep in discussion about the future design of CAT.NET and it is looking potentially very compelling!
You can download the current CTP builds from MSDN (32-bit here and 64-bit here) and submit bugs and feedback to our Connect site (see a post later this week for details).
If you worry at all about vulnerabilities, this is another tool to add to your arsenal.