Static Code Analysis Toolsets


In keeping with my last couple of posts on the Security Development Lifecycle, I thought I would put together a list of free and commercial products. While there are many other products out there, this should be enough to get you thinking about how you can analyze your code before shipping.

.NET

FxCop is an application that analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements. Many of the issues concern violations of the programming and design rules set forth in the Design Guidelines, which are the Microsoft guidelines for writing robust and easily maintainable code by using the .NET Framework.

StyleCop analyzes C# source code to enforce a set of style and consistency rules. It can be run from inside Visual Studio or integrated into an MSBuild project. StyleCop has also been integrated into many third-party development tools.

Gendarme is an extensible rule-based tool to find problems in .NET applications and libraries. Gendarme inspects programs and libraries that contain code in ECMA CIL format (Mono and .NET) and looks for common problems with the code, problems that compilers do not …


Reading Club: The Art Of Unit Testing


This month my recommendation for reading is The Art of Unit Testing by Roy Osherove. This book was originally published back in May 2009, and if you're like me and never took the time to read it before, then I urge you to do so. I am about 40% of the way through this book and I only picked it up a couple of days ago. If you want to learn more about unit testing, this book has you covered. I like the fact that Roy starts out small and builds upon unit testing in each chapter. It is amazing how much you can learn from a well-written book, and this one is worth adding to your library. Check out sample chapters 1 and 3 for yourself. Unit testing, done right, can mean the difference between a failed project and a successful one, between a maintainable code base and a code base that no one dares touch, and between getting home at 2 AM or getting home in time for dinner, even before a release deadline. The Art of Unit Testing builds on top of what's already been written about this important topic. It guides you step by step …


Security Development Lifecycle: Introduction


I am not entirely sure how many parts this series will have; however, I felt I had to start somewhere. Basically, I would like to use this series as an opportunity to interact with you by sharing Security Development Lifecycle (SDL) methodologies. In other words: is SDL important, what tools do you employ, how do you approach education, and, most importantly, with ever-changing security threats, how does one stay current? How would you answer these questions? To answer my first question, SDL is absolutely important, and as I see this subject, it is something that all stakeholders are not entirely educated on, and yes, that includes those who write software for a living. If you disagree with my statement, simply stop and think about a product you were handed where there were obvious security risks in the areas of cross-site scripting or SQL injection. I know I have seen these types of risks during my 15 years, and surprisingly enough I still encounter them even with all the content published by Microsoft, Sun, and Oracle. I realize no one is perfect and there is no way to produce code that …


Security Development Lifecycle Design


Later this month, I will be attending a one-day event held by Microsoft in New York, New York on the subject of the Security Development Lifecycle. The speaker is Doug Cavit, Principal Security Strategist at Microsoft Corp. Discussions will be based on Customer Focused Design principles and the Ishikawa Method. Both methodologies should facilitate a highly interactive discussion while driving to actionable results. In other words, it should be exciting. In the spirit of the Security Development Lifecycle, I have put together a handful of resources that I hope you find informative:

Code Access Security
What's New in Code Access Security in .NET Framework 4.0 – Part 1
What's New in Code Access Security in .NET Framework 4.0 – Part 2
SQL Injection Walkthrough
OWASP Top 10 for 2010

If you're one of those individuals who says this will never happen to me, or that you're protected behind a firewall, then you need to pay more attention than ever. Not every SQL injection attack may come from someone meaning harm. Just last month a new series of mass SQL injection attacks planted links to malware sites and hidden iframes in over a million web pages, including parts of …
