Security tools for Developers – Part I
The first line of defence is the developers of applications. If they are equipped with security know/how & various tools available upfront during the development cycle there would be far lesser number of security issues in the final product. I am going to talk about some security tools which developers can leverage & reduce security bugs right from the word go.
I will discuss tools available which can be used during a development of an application. These tools are code analysis tools available in Visual Studio 2005 Team System which will help you build robust and reliable software. Our problem space would be to cover tools which can help us find security flaws upfront in both managed and unmanaged scenarios.
FxCop v 1.35: Code Analysis for Managed Code
FxCop is a code analysis tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines. It uses reflection, MSIL parsing, and call graph analysis to inspect assemblies for more than 200 defects in the many areas including the most important piece “Security”.
Download FxCop : http://www.gotdotnet.com/Team/FxCop/
Prefast : Code Analysis for UnManaged Code
This is a static analysis that provides useful information on possible security flaws in unmanaged code base – C/C++ code. Some of the issues this tool finds ranges from possible buffer overruns, memory leaks to format strings vulnerabilities.
Here is some Good News folks !!!!
Both FxCop & Prefast have been now integrated with Visual Studio 2005 Team System edition. Now developers no longer have to buy third party code analysis tools, or run these tasks separately. This integration with the IDE provides great flexibility & control to ensure quality code is developed.
Integration of analysis tools within the development environment helps developers in detecting coding, performance, and security related issues. In addition, code analysis tools can be used as a part of the check-in policy for a nightly build process, enabling development teams to correct defects before code is checked into the source tree. But please remember check in policy will only work if you are using Team Foundation Server. By correcting problems earlier rather than later in the development cycle, teams reduce the overall cost of fixing code defects.
It is well known fact that bugs discovered early in the development cycle cost less to fix, and then why not use these existing tools to develop more robust and secure software.
Excited, alright here is news for you guys, Microsoft virtual labs have some great Hands on labs on Writing Secure code for both managed & unmanaged scenarios. These labs discuss FxCop & Prefast which are now called as “Code Analysis” in detail. Register for these MSDN labs today & be secure.
· Writing Secure Native Code with Visual C Plus Plus and Visual Studio Team System Virtual Lab
· Writing Secure Managed Code with Visual Studio Team System Virtual Lab
Do remember this old saying though -- J
“When he makes a mistake, the wise carpenter blames himself, but the unwise carpenter blames his tools”
Although these tools are incredibly helpful in detecting security flaws early in the SDLC but they should not be a replacement for comprehensive security code review.
Look for out Security Tools for Testers Part II coming soon........