Microsoft Source Code Analyzer for SQL Injection (MSSCASI_ASP) is a static code analyzer for classic ASP VBScript code that can help identify pages that might have a SQL injection vulnerability. It seems like a nice tool, but now that I've found Microsoft Code Analysis Tool for .Net (CAT.NET) -- a static analyzer designed to help find SQL injection plus other security problems in .NET code --, I wish MSSCASI_ASP were a little more flexible. In particular, CAT.NET doesn't limit you to the included, pre-built security analyses; instead it lets you write your own rules in XML for what does and does not constitute, say, a SQL injection attack. I would like to do something similar with MSSCASI_ASP. The command-line options don't suggest there is anything like this, but I'm wondering if anyone here has figured something out. As an alternative, are there any tools available addressing the same basic purpose as MSSCASI_ASP, but with a little more flexibility?