.NET Code Auditing Keith Rull Software Engineer First Allied Securities Inc.

<insert eye-catching tag-line here>

Let’s try to write some code!

• Get the piece of paper I gave you and write a C# function called CombineStrings that accepts two string variables and returns the two values concatenated (the second appended to the first).

*Note: Don't copy other people's code!

Code Samples

// ** SAMPLE 1 **
public string CombineStrings(string value1, string value2)
{
    return value1 + value2;
}

// ** SAMPLE 2 **
public string CombineStrings(string sVal1, string sVal2)
{
    return sVal1 + sVal2;
}

// ** SAMPLE 3 **
public string CombineStrings(string strVal1, string strVal2)
{
    return strVal1 + strVal2;
}

What have we learned?

• Different people write different code.
– We all have our own style when it comes to code, even if there are already guidelines set by the company.
– Believe it or not! Our code reflects how we think.

Sidebar: Bad Hair Day?!

• Programming Stereotype
– Back in the early days of VB versus the World, there was a notion that VB developers could easily spot whether a developer was a VB programmer or not just by looking at that person's hair!

Weird huh?!

Which is why…

• Most (if not all) code improvement techniques started in the C space
– Code Auditing
– Design Patterns
– Refactoring
– And many more

Uh, Ok.. So what's Code Auditing?

• According to Wikipedia
– A software code audit is a comprehensive analysis of source code in a programming project with the intent of discovering bugs, security breaches or violations of programming conventions.

What are the types of code audit?

• There are two types of code audit
– Security
• This type of audit is done in the QA phase of the application.
– Convention
• This happens before an application is rolled to QA. Checks should be done on the code to validate that it passes the programming rules and guidelines set by the company.

So why is this important?

• Code auditing helps make sure that code in an enterprise is consistent across all projects. This enables transitions and turnovers of projects to go smoothly, since every member of the team understands the code. Code auditing also limits the number of bugs, since it aggressively makes sure that guidelines are enforced on both the security and the convention side.

Ooops! We are skipping a topic!

We are skipping the security audit, since that topic is a league of its own: it ranges from defensive programming (not trusting input and always putting checks and bounds on code segments) up to the most common topic, application security (which includes SQL injection). We might give hints about it along the way, though.

WITW is Convention Audit?

• Convention Audit is the process of analyzing and testing source code to see if it passes the guidelines set by the company (or institution) on how to code certain parts and elements of a program.

Two types of Convention Audit

• Manual code review
• Automated code review
– There are several tools for .NET. The two popular ones are:
• FxCop
• SSW Code Auditor

What is FxCop?

• FxCop is a code analysis tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines. It uses reflection, MSIL parsing, and call-graph analysis to inspect assemblies for more than 200 defects in the following areas:
• Library design
• Localization
• Naming conventions
• Performance
• Security

FxCop? Show me a Demo!

A Not-So-Minor Drawback

• FxCop is hard to configure!
– Defining new rules can drive you nuts, since the rules need to be coded in .NET and loaded as assemblies (.dll) into FxCop.
• No scheduling feature
• Can only audit .NET code
• Only assemblies can be audited

Then Comes A Better Alternative…

• SSW Code Auditor is a code analysis tool that checks and validates code at the flat-file level (unlike FxCop, which needs compiled assemblies), which lets a developer automatically analyze his code right before creating a build.

Key Features

• Uses regular expressions to define rules

• Can analyze any text file as long as there is a defined rule for it.

• Batch Processing of multiple projects and files.

• Can be scheduled and has the ability to integrate with an SMTP server.

• Reports can be exported to XML
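The key features above describe the mechanism rather than show it, so here is an added example (my own illustration, not SSW's or FxCop's code) of a flat-file, regex-driven convention audit in Python: rules are regular expressions, any text file can be scanned, several files are processed in one batch, and the findings are exported as XML. The rule set and the sample C# files are constructed for the demo; the "no Hungarian prefix" rule is an assumed company guideline chosen because it flags the sVal/strVal styles from the CombineStrings samples, and the SQL rule is the kind of security hint the talk mentions, flagging SQL built by string concatenation so it can be reviewed for parameterization.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    category: str        # "convention" or "security"
    pattern: re.Pattern  # one regular expression per rule, matched per line
    message: str


# Constructed rule set: assumed company guidelines, not a real product's rules.
RULES = [
    Rule("NoHungarianStringPrefix", "convention",
         re.compile(r"\bstring\s+(s|str)[A-Z]\w*"),
         "string parameters/locals must not use Hungarian prefixes (sVal, strVal)"),
    Rule("NoTabs", "convention",
         re.compile(r"\t"),
         "indent with spaces, not tabs"),
    Rule("NoSqlStringConcat", "security",
         re.compile(r'"\s*(SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+', re.IGNORECASE),
         "SQL text built by string concatenation; review for parameterized commands"),
]


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    rule: str
    category: str
    message: str


def audit_text(name, text, rules=RULES):
    """Scan one file's text line by line; at most one finding per rule per line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule in rules:
            if rule.pattern.search(line):
                findings.append(Finding(name, lineno, rule.name, rule.category, rule.message))
    return findings


def audit_files(files, rules=RULES):
    """Batch mode: files is a mapping of file name -> file content."""
    findings = []
    for name, text in files.items():
        findings.extend(audit_text(name, text, rules))
    return findings


def to_xml(findings):
    """Export findings as an XML report string."""
    root = ET.Element("audit")
    for f in findings:
        el = ET.SubElement(root, "finding", file=f.file, line=str(f.line),
                           rule=f.rule, category=f.category)
        el.text = f.message
    return ET.tostring(root, encoding="unicode")


# Constructed sample input: the three CombineStrings styles plus one data-access line.
SAMPLE_FILES = {
    "Sample1.cs": "public string CombineStrings(string value1, string value2)\n"
                  "{\n    return value1 + value2;\n}\n",
    "Sample2.cs": "public string CombineStrings(string sVal1, string sVal2)\n"
                  "{\n    return sVal1 + sVal2;\n}\n",
    "Sample3.cs": "public string CombineStrings(string strVal1, string strVal2)\n"
                  "{\n\treturn strVal1 + strVal2;\n}\n",
    "Repo.cs": "string sql = \"SELECT * FROM Users WHERE Name = '\" + name + \"'\";\n",
}


if __name__ == "__main__":
    for f in audit_files(SAMPLE_FILES):
        print(f"{f.file}:{f.line} [{f.category}] {f.rule}: {f.message}")
    print(to_xml(audit_files(SAMPLE_FILES)))
```

Running the block reports nothing for Sample1.cs (it follows the assumed guideline), one naming finding each for Sample2.cs and Sample3.cs, a tab finding on line 3 of Sample3.cs, and a security finding for Repo.cs. Because the rules never need a compiled assembly, the same scan can run on a schedule or as a pre-build step, which is the practical advantage the slides give to the flat-file approach over FxCop.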

SSW Code Auditor? Show me a Demo!

Final Thoughts

• Code Auditing can streamline the development process.

• Less stress on code/project turnovers.

• Code Auditing is a good investment.
– FxCop is free
– SSW Code Auditor is $899 for 10 users

Where To Learn More??

• A Good Introduction to Code Auditing
– http://www.ouncelabs.com/resources/code-audit-faq.asp

• SSW Code Auditor
– http://www.ssw.com.au/ssw/CodeAuditor/

• FxCop
– http://www.gotdotnet.com/team/FxCop/
– http://blogs.msdn.com/fxcop/

Where to catch this crazy guy?

Contact me at:
URL: http://www.keithrull.com
E-mail: [email protected]

Thanks for listening

and go start auditing!