Tuesday 2 October 2012

What am I doing with Cat.NET?

I was asked this today, so here is the answer (in Oct 2012).


  • showing what a SAST should do 
  • 'making it work' 
  • showing how a 'real-time' SAST scanner is possible and can be made to work (namely educating the 'buying audience' that this possible and they should demand it from their SAST vendors/suppliers)
  • figuring out the workflow needed for SAST to be effective used in SDLs
  • expanding the SAST usage by getting developers and software teams realize the value of SAST
  • educating developers and security consultants on:
    • how to use SAST technology
    • what secure code looks like
    • what vulnerable code looks like
  • show how SAST can be integrated with other tools. For example with the O2 PoCs, I already show integration with:
    • VisualStudio 2010 
    • Roslyn
    • MSBuild
    • a stand-alone exe (i.e. running/distributing a scanner in one stand-alone exe)
    • TeamMentor (ie. show how its guidance can be used by an developer in an IDE)
  • developing public schemas for findings, rules, coding artefacts, etc...
  • creating a community to publish, share and comment on SAST rules
  • creating an environment where commercial (or OpenSource) SAST vendors/products/services, can come together and collaborate.
The last point is the most important, I have no interrest in developing a SAST engine or solve the hard scalability challenges that come with it. 

What I really want is to get us all working together so that we can really make a difference in the Web Application Security world.

Unfortunately, in Oct 2012 there is not one SAST company that is playing the game ... but hopefully once we build it they will come :)

So, ultimately, the reason I'm using Cat.NET is because I CAN :)

Cat.NET is the only free SAST engine that I can easily customise and use! 

As mention in Providing licenses to security consultants , the SAST vendors still have no idea/solution/program to deal security consultants like me. Which is not very clever, since they are losing a lot of mind-share by being over protective of their technology (and those 'super precious rules')

If you are interested in SAST and want to be involved, here is a list of areas that need energy: What are the challenges with SAST that don't need a better engine