The Code Analysis Tool (CAT.NET) v1 CTP came out last December and I have been meaning to try it out. There is a 32-bit Visual Studio plug-in version available, although there appears to be some issues with it at this point in time. If you are running a 64-bit machine then you can grab a 64-bit command line version - this version does not suffer from the same limitations as the 32-bit version.
CAT.NET is a static, as opposed to runtime tool. It looks at the assemblies in your project and traces the information flow from start to finish. You then get a report of what it finds in XML and HTML format. I ran it on an application I developed and located two potential XSS vulnerabilities in a library I obtained from another vendor.
This is an incredibly simple tool to use and I cannot think of any excuse not to take a few moments to run it on an application prior to going live. Think of it as one extra layer of safety.
Currently, it check for the following vulnerabilities:
* Cross Site Scripting
* SQL Injection
* Process Command Injection
* File Canonicalization
* Exception Information
* LDAP Injection
* XPATH Injection
* Redirection to User Controlled Site
This tool and others, such as the Anti-Cross Site Scripting Library, are developed by the Connected Information Security Group (CIGS) at Microsoft. It's definitely worth your while to check out the CIGS Team blog.
Helpful Resources:
* Cross-Site Request Forgeries and You
* How to Prevent Cross-Site Scripting in ASP.NET
* How to Protect from Injection Attacks in ASP.NET