Thursday, March 29, 2012

FX Cop for security and Running CAT.NET in Visual Studio 2010

There's a great security tool out there, CAT.NET from Microsoft, which uses the FxCop rule engine to analyze your projects for potential security issues. Cross-site scripting (XSS) and SQL injection are just a couple of the items it checks for.

Also worth a separate note is a great FxCop ruleset on CodePlex: FxCop ASP.NET Security Rules

Unfortunately, there hasn't been a new release in some time. I initially tried to get it running in Visual Studio 2010 and it was crashing on me; however, I've since been able to get it to work with help from this Stack Overflow posting:

The CAT.NET Download links are as follows for version

32-Bit available here

64-Bit available here

Once downloaded, follow the directions below
While they haven't released the new version, the good news is you can still use the old Add-in for CAT.NET in Visual Studio 2010. All that is required is editing the default AddIn file to tell it to support the new version.

The file is installed to: %APPDATA%\Microsoft\MSEnvShared\Addins\Microsoft.ACESec.CATNet.AddIn. You can open it in a text editor and add a new node for 10.0.

After you edit the file, just restart Visual Studio and you should be all set.

If the AddIn file is not there, it should be in one of the locations specified in your VS settings under Tools > Options > Environment > Add-ins / Macro Security.
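
A scripted version of the manual edit described above, as an added example (not from the original post or the Stack Overflow answer). It assumes the file follows the standard Visual Studio .AddIn layout, where each supported IDE version is a HostApplication element with Name and Version children, and it clones an existing entry for 10.0 after saving a backup.

```powershell
# Added example: register the CAT.NET add-in for Visual Studio 2010 (10.0).
# The path is the one given in the post; change it if your add-in lives in
# another folder listed under Tools > Options > Environment > Add-ins / Macro Security.
$addInPath     = Join-Path $env:APPDATA 'Microsoft\MSEnvShared\Addins\Microsoft.ACESec.CATNet.AddIn'
$targetVersion = '10.0'

if (-not (Test-Path -LiteralPath $addInPath)) {
    throw "AddIn file not found at $addInPath"
}

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($addInPath)
$root = $xml.DocumentElement

# Assumption: standard .AddIn layout. local-name() is used so the query
# works whether or not the file declares a default XML namespace.
$hostNodes = @($root.SelectNodes("*[local-name()='HostApplication']"))
if ($hostNodes.Count -eq 0) {
    throw 'No HostApplication element found; this is not the expected .AddIn layout.'
}

# Idempotent: do nothing if a 10.0 entry is already present.
$existing = $hostNodes | Where-Object {
    $v = $_.SelectSingleNode("*[local-name()='Version']")
    ($null -ne $v) -and ($v.InnerText.Trim() -eq $targetVersion)
}
if ($existing) {
    Write-Host "Add-in is already registered for version $targetVersion."
    return
}

# Clone the last existing entry so the Name element and namespace are preserved,
# then change only the version number.
$template    = $hostNodes[-1]
$clone       = $template.CloneNode($true)
$versionNode = $clone.SelectSingleNode("*[local-name()='Version']")
if ($null -eq $versionNode) {
    throw 'Existing HostApplication element has no Version child.'
}
$versionNode.InnerText = $targetVersion

# Keep a backup next to the original before writing.
Copy-Item -LiteralPath $addInPath -Destination "$addInPath.bak" -Force
[void]$root.InsertAfter($clone, $template)
$xml.Save($addInPath)
Write-Host "Added HostApplication entry for version $targetVersion. Restart Visual Studio."
```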

Now you can execute the tool under Tools -> CAT.NET Code Analysis

That's all - check it out in action:


  1. You mentioned it would crash Visual Studio until you found a useful Stack Overflow post. However, your link is missing and I haven't been able to find anything helpful on Stack Overflow. Any chance you still have the link?



    1. It seems the 64-bit is just a zip, not an installer. Try the 32-bit installer. You can attempt to replace the 32-bit files with the 64-bit files after install - I haven't tried it though. However, the 32-bit install on a 64-bit system works fine (I just tested it).

  2. Follow the directions above after the line
    'Once downloaded, follow the directions below'

  3. Any info on what is going on with CAT.NET? Seems to have no movement for 2 years now. Is it dead?

  4. Hi Adam,
    Thanks a lot, your post was very helpful.
    I am wondering if there is any way to display the result in the error/warning list.
    Currently it creates an HTML file 'Report' and places it in the relative folder of the command-line exe.

    Thanks in advance.

  5. Thanks for your useful post Adams... It worked for me.