Mark Curphey has obviously been whipping his team into a frenzy, and a new version of CAT.NET, along with WPL and WACA, has been announced. They’re all in CTP and available from Connect.
WPL is the evolution of AntiXSS, which is turning into a nice basis for a web application firewall (OK, it’s a stupid marketing term, I know, but with the Security Runtime Engine and the new extensibility features it will allow you to build something that sits between your app and the evil internet and protects you. That’s not an excuse for not getting it right in the first place, though). Now I’m wondering if I can take AntiCSRF and use the extensibility bits to put it into the SRE.
WACA (is anyone else hearing Pac-Man noises?) is a new configuration checker which will run over your application installation, SQL installation and Windows, look at the configuration and security settings, and dump out a report telling you where you’re going wrong, errr, not following best practice.
And CAT.NET is a data flow analyser which will track the flow of input through a system, looking for sanitisation/encoding and warning you if you’re reflecting input as output without doing anything sensible with it.
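To make the idea concrete, here is an added toy model of that kind of taint tracking; it is not CAT.NET’s code, and the source/sanitiser/sink names and the two constructed statement lists are my assumptions, chosen to mirror ASP.NET and AntiXSS APIs. Input from a request is marked tainted, taint follows assignments and concatenation, an AntiXSS encoder clears it, and a tainted value reaching Response.Write is reported as reflected output.

```python
from dataclasses import dataclass

# Assumed vocabulary modelled on ASP.NET / AntiXSS (not CAT.NET's real rule set).
SOURCES = {"Request.QueryString", "Request.Form", "Request.Cookies"}
SANITISERS = {"AntiXss.HtmlEncode", "AntiXss.HtmlAttributeEncode", "AntiXss.UrlEncode"}
SINKS = {"Response.Write", "Literal.Text"}


@dataclass
class Stmt:
    target: str   # variable assigned, or the sink name for a sink call
    call: str     # method/property producing the value (or the sink itself)
    args: tuple   # variables passed into the call


def analyse(stmts):
    """Walk straight-line code once, propagating taint; return sink findings."""
    tainted = set()
    findings = []
    for line, s in enumerate(stmts, 1):
        if s.call in SOURCES:
            tainted.add(s.target)                       # untrusted input enters
        elif s.call in SANITISERS:
            tainted.discard(s.target)                   # encoder output is clean
        elif s.call in SINKS:
            bad = [a for a in s.args if a in tainted]   # tainted data reaches output
            if bad:
                findings.append((line, s.call, bad))
        elif any(a in tainted for a in s.args):
            tainted.add(s.target)                       # concat/assignment carries taint
        else:
            tainted.discard(s.target)                   # overwritten with clean data
    return findings


# Constructed sample: name = Request.QueryString["name"]; Response.Write("Hello " + name)
VULNERABLE = [
    Stmt("name", "Request.QueryString", ()),
    Stmt("greeting", "String.Concat", ("name",)),
    Stmt("Response.Write", "Response.Write", ("greeting",)),
]

# Constructed sample: the same page with AntiXss.HtmlEncode applied before output
FIXED = [
    Stmt("name", "Request.QueryString", ()),
    Stmt("safe", "AntiXss.HtmlEncode", ("name",)),
    Stmt("greeting", "String.Concat", ("safe",)),
    Stmt("Response.Write", "Response.Write", ("greeting",)),
]

if __name__ == "__main__":
    print("vulnerable:", analyse(VULNERABLE))   # [(3, 'Response.Write', ['greeting'])]
    print("fixed:", analyse(FIXED))             # []
```

A real analyser works on IL across method boundaries, which is exactly where the provider-model and IoC complaint below bites: if the flow passes through an interface the tool cannot resolve, the taint is lost.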
You can be scared by Mark’s pink shirt via his appearance on Channel 9, along with RV where they discuss the new toys.
Now if only CAT.NET understood common provider models or dependency injection/IoC containers and didn’t require the .NET 4.0 runtime.