SECURITY TOOLS FOR SOFTWARE DEVELOPMENT: FXCOP 10.0
David Angulo Rubio

Page 1:

SECURITY TOOLS FOR SOFTWARE DEVELOPMENT
FXCOP 10.0
David Angulo Rubio

Page 2:

OVERVIEW

Security Development Life Cycle
Tool
What is FxCop
Why use FxCop
Code Analysis
Rules checked by FxCop
Sample rule
Possibilities
Using FxCop
Conclusion

Page 3:

THE SECURITY DEVELOPMENT LIFECYCLE (SDL) AND FXCOP

Security best practices at Microsoft
Provides guidance within established development processes:
Design considerations
Creating effective security plans
Leveraging tools across the development cycle
Better than simply hunting for bugs

SDL phases: Requirements, Design, Implementation, Verification, Release, Response

Page 4:

FXCOP

Began as an internal Microsoft solution
Enforces adherence to the .NET Framework Design Guidelines
Available free: http://www.microsoft.com/download/en/details.aspx?id=6544
Uses "introspection": FxCop reads an assembly's metadata and IL directly instead of loading it through reflection, which gives faster analysis and allows multi-threaded analysis
Contains over 200 rules
Ability to create custom rules

Page 5:

FXCOP

A static code analysis tool that examines managed assemblies for design and code correctness issues

Console and graphical applications that manage:
Targets (items for analysis)
Rules (checks to execute)
Messages (feedback from rules)

A general infrastructure for writing checks against managed code

Page 6:

WHY USE FXCOP

Do you:
Have well-defined coding standards, but no way of enforcing them?
Spend much time writing code, but even more time editing code?
Want your applications to run smoothly, but always seem to be held back by errors?
Then... FxCop is for you!

Page 7:

CODE ANALYSIS

Unlike traditional analysis tools (Lint for C), FxCop does not analyze source code. Instead, it analyzes the binary Common Intermediate Language (CIL) generated by the .NET compilers and persisted in .NET assemblies (EXE and DLL files). Analysis is enabled by the rich metadata that accompanies the CIL in every assembly.

By analyzing assemblies directly, FxCop avoids being tied to any particular programming language: it works without modification against C#, VB.NET, and potentially any other .NET language. Two practical consequences follow. Anything the compiler discards (comments, formatting, local variable names) is invisible to FxCop, and the file and line numbers in its reports come from the assembly's .pdb symbol file, so keep the debug symbols next to the assembly you analyze.

Page 8:

RULES

The tool is designed to check .NET code for violations of a wide range of programming rules and conventions. The rules included with FxCop draw heavily upon Microsoft's Framework Design Guidelines.

The rule categories checked by FxCop are: Design, Globalization, Interoperability, Mobility, Naming, Performance, Portability, Security, Usage.
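The Security category in practice, as an added example that is not part of the slides: C# that triggers CA2100 (Review SQL queries for security vulnerabilities), the same query rewritten so the rule is satisfied, and an in-source suppression for a case the rule cannot judge on its own. The class, table, column names and connection string are illustrative assumptions; the rule id, category string and attribute are FxCop's own.

```csharp
// Added example (not from the slides): the kind of code FxCop's Security
// category flags, next to the form that passes. CA2100 fires whenever a
// SqlCommand's CommandText is built from anything other than constants.
// The connection string, table and columns are illustrative assumptions.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics.CodeAnalysis;

public static class UserRepository
{
    // Assumed for illustration; a real application reads this from configuration.
    private const string ConnectionString =
        "Server=.;Database=AppDb;Integrated Security=true";

    // BEFORE: FxCop reports CA2100 here. The caller-controlled value is
    // concatenated into the query, so input such as   ' OR '1'='1
    // changes the statement the server executes (SQL injection).
    public static DataTable FindByNameUnsafe(string name)
    {
        using (var connection = new SqlConnection(ConnectionString))
        using (var command = connection.CreateCommand())
        {
            command.CommandText =
                "SELECT Id, Name FROM Users WHERE Name = '" + name + "'";
            return Fill(connection, command);
        }
    }

    // AFTER: the query text is a constant and the value travels as a typed
    // parameter, so it is never parsed as SQL. CA2100 stays silent.
    public static DataTable FindByName(string name)
    {
        using (var connection = new SqlConnection(ConnectionString))
        using (var command = connection.CreateCommand())
        {
            command.CommandText = "SELECT Id, Name FROM Users WHERE Name = @name";
            command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            return Fill(connection, command);
        }
    }

    // Identifiers (table or column names) cannot be parameterized, so CA2100
    // fires even when the value is checked against an allow-list. Suppress
    // only with a justification a reviewer can verify, and keep the allow-list
    // next to the suppression so the two stay in sync.
    private static readonly string[] AllowedSortColumns = { "Id", "Name" };

    [SuppressMessage("Microsoft.Security",
        "CA2100:ReviewSqlQueriesForSecurityVulnerabilities",
        Justification = "sortColumn is validated against AllowedSortColumns above.")]
    public static DataTable ListSorted(string sortColumn)
    {
        if (Array.IndexOf(AllowedSortColumns, sortColumn) < 0)
            throw new ArgumentException("Unknown sort column.", "sortColumn");

        using (var connection = new SqlConnection(ConnectionString))
        using (var command = connection.CreateCommand())
        {
            command.CommandText = "SELECT Id, Name FROM Users ORDER BY " + sortColumn;
            return Fill(connection, command);
        }
    }

    private static DataTable Fill(SqlConnection connection, SqlCommand command)
    {
        var table = new DataTable();
        connection.Open();
        using (var reader = command.ExecuteReader())
            table.Load(reader);
        return table;
    }
}
```

Two caveats a practitioner should know. SuppressMessageAttribute is marked [Conditional("CODE_ANALYSIS")], so it is only emitted into the assembly when that symbol is defined at compile time (csc /define:CODE_ANALYSIS; Visual Studio defines it when code analysis is enabled); without it, FxCop, which only sees the assembly, still reports the message. And CA2100 is a pattern match on how CommandText is assigned, not a proof: it cannot see the allow-list check, which is why the suppression carries a written justification rather than being silent.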

Page 9:

SAMPLE METADATA XML

Page 10:

POSSIBILITIES

Ensure that the names of controls on forms and web pages follow your naming conventions.

Check that your preferred controls, components, and classes are used instead of alternatives.

Inspect literal argument values being passed to your methods.

Examine control structures, such as conditions and loops, to evaluate code metrics.

Determine the callers and callees of methods.

Spell-check text elements such as identifiers, literals, and resource strings.

Verify that elements are properly documented with XML documentation comments.

Build standalone tools that take advantage of the FxCop code analysis APIs.
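A custom rule, as an added example that is not part of the slides: it implements the "preferred classes instead of alternatives" item above for a security case (every call into an MD5 or SHA-1 type is reported, with a resolution naming SHA-256), and its leading comment shows the rule metadata XML that the Sample metadata XML slide (page 9) refers to. It is written against the FxCop 10 SDK (Microsoft.FxCop.Sdk.dll, found in the FxCop install folder) and runs inside the introspection engine described on page 4. The rule name, CheckId, category string and the PreferredCrypto resource names are this example's own choices, not FxCop's.

```csharp
// Added example (not from the slides): a custom FxCop introspection rule
// built against Microsoft.FxCop.Sdk.dll. Rule name, CheckId, category and
// resource names are this example's own choices.
//
// Rule metadata lives in an XML file compiled as an embedded resource. With a
// default namespace of "PreferredCrypto" and a file named Rules.xml, the
// resource is "PreferredCrypto.Rules.xml" and the constructor below passes the
// name without the extension. The shape matches FxCop's own rule files:
//
//   <?xml version="1.0" encoding="utf-8"?>
//   <Rules FriendlyName="Preferred Crypto Rules">
//     <Rule TypeName="UsePreferredHashAlgorithm" Category="Custom.Security" CheckId="PC1001">
//       <Name>Use a preferred hash algorithm</Name>
//       <Description>MD5 and SHA-1 are not collision resistant.</Description>
//       <Url></Url>
//       <Resolution>Method '{0}' uses '{1}'. Replace it with SHA256.Create().</Resolution>
//       <Email></Email>
//       <MessageLevel Certainty="95">Error</MessageLevel>
//       <FixCategories>NonBreaking</FixCategories>
//       <Owner></Owner>
//     </Rule>
//   </Rules>
using System;
using Microsoft.FxCop.Sdk;

public sealed class UsePreferredHashAlgorithm : BaseIntrospectionRule
{
    // Type-name prefixes whose members (constructors, Create()) are treated as
    // banned; the prefix match also covers MD5CryptoServiceProvider, SHA1Managed, etc.
    private static readonly string[] BannedTypePrefixes =
    {
        "System.Security.Cryptography.MD5",
        "System.Security.Cryptography.SHA1",
    };

    private Method currentMethod;

    public UsePreferredHashAlgorithm()
        // rule name, rules resource name without ".xml", assembly holding the resource
        : base("UsePreferredHashAlgorithm", "PreferredCrypto.Rules",
               typeof(UsePreferredHashAlgorithm).Assembly)
    {
    }

    // Visit private members too: crypto misuse is rarely on the public surface.
    public override TargetVisibilities TargetVisibility
    {
        get { return TargetVisibilities.All; }
    }

    // FxCop calls Check once per member; only methods with bodies matter here.
    public override ProblemCollection Check(Member member)
    {
        Method method = member as Method;
        if (method == null || method.Body == null)
            return null;

        currentMethod = method;
        VisitStatements(method.Body.Statements);   // drives VisitMethodCall below
        return Problems;
    }

    // Invoked for every call expression in the body being walked.
    public override void VisitMethodCall(MethodCall call)
    {
        MemberBinding binding = call.Callee as MemberBinding;
        Method callee = binding == null ? null : binding.BoundMember as Method;
        if (callee != null && callee.DeclaringType != null
            && IsBannedTypeName(callee.DeclaringType.FullName))
        {
            // {0} and {1} fill the Resolution string from the XML above.
            Problems.Add(new Problem(
                GetResolution(currentMethod.FullName, callee.DeclaringType.FullName),
                call));
        }
        base.VisitMethodCall(call);   // keep walking nested call expressions
    }

    // Kept as a pure function so the banned list can be tested without FxCop.
    public static bool IsBannedTypeName(string fullTypeName)
    {
        foreach (string prefix in BannedTypePrefixes)
            if (fullTypeName.StartsWith(prefix, StringComparison.Ordinal))
                return true;
        return false;
    }
}
```

Compile the rule into its own DLL, drop it into the FxCop Rules folder or pass it with /rule:PreferredCrypto.dll, and FxCop lists it under Custom.Security. Because the rule resolves the callee from the IL, it catches new MD5CryptoServiceProvider() and MD5.Create() alike regardless of source language. It does not catch HashAlgorithm.Create("MD5"), where the algorithm is a string: covering that would use the "inspect literal argument values" possibility above, reading the literal passed to the factory.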

Page 11:

USING FXCOP

Recall that FxCop checks compiled assemblies. Before running FxCop, compile the program that you want to check, and make sure the assemblies it references can be resolved: FxCop needs them to analyze types and calls that cross assembly boundaries.
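The compile-then-analyze procedure wired into a build, as an added example that is not part of the slides: a small C# driver that runs FxCopCmd.exe over a freshly built assembly and fails the build (exit code 1) when the report contains any active message in the Microsoft.Security category. The install and output paths and the assembly name are assumptions; the FxCopCmd switches, report element names and rule ids used are the tool's own.

```csharp
// Added example (not from the slides): a build-gate driver around FxCopCmd.exe.
// Install and build-output paths are assumptions; the FxCopCmd switches and the
// report's Message/Issue elements are FxCop's own.
using System;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Xml.Linq;

public static class FxCopGate
{
    // Assumed locations: the default FxCop 10.0 install folder and a Release build.
    private const string FxCopDir = @"C:\Program Files (x86)\Microsoft Fxcop 10.0";
    private const string Target   = @"bin\Release\MyApp.dll";
    private const string Report   = @"bin\Release\MyApp.fxcop.xml";

    // Constructed report fragment, trimmed to the elements the gate reads.
    // Two CA2100 messages (one of them excluded) and one naming message, so the
    // expected Microsoft.Security count is 1.
    public const string SampleReport = @"<FxCopReport Version=""10.0"">
  <Messages>
    <Message TypeName=""ReviewSqlQueriesForSecurityVulnerabilities"" Category=""Microsoft.Security"" CheckId=""CA2100"" Status=""Active"">
      <Issue Certainty=""75"" Level=""CriticalError"" File=""UserRepository.cs"" Line=""21"">Query built by concatenation.</Issue>
    </Message>
    <Message TypeName=""ReviewSqlQueriesForSecurityVulnerabilities"" Category=""Microsoft.Security"" CheckId=""CA2100"" Status=""Excluded"">
      <Issue Certainty=""75"" Level=""CriticalError"" File=""UserRepository.cs"" Line=""52"">Suppressed with justification.</Issue>
    </Message>
    <Message TypeName=""IdentifiersShouldBeCasedCorrectly"" Category=""Microsoft.Naming"" CheckId=""CA1709"" Status=""Active"">
      <Issue Certainty=""85"" Level=""Error"">Not a security finding.</Issue>
    </Message>
  </Messages>
</FxCopReport>";

    public static int Main(string[] args)
    {
        // Offline check of the report parser: FxCopGate.exe --selftest
        if (args.Length > 0 && args[0] == "--selftest")
            return CountIssues(SampleReport, "Microsoft.Security") == 1 ? 0 : 1;

        // /forceoutput writes the report even with zero messages, so a missing
        // file always means FxCopCmd itself failed rather than "nothing found".
        // /directory is where FxCop resolves the target's referenced assemblies.
        string arguments = string.Join(" ", new[]
        {
            "/file:\"" + Target + "\"",
            "/directory:\"" + Path.GetDirectoryName(Path.GetFullPath(Target)) + "\"",
            "/rule:\"" + Path.Combine(FxCopDir, "Rules") + "\"",
            "/out:\"" + Report + "\"",
            "/summary", "/console", "/forceoutput", "/ignoregeneratedcode",
        });

        var startInfo = new ProcessStartInfo(Path.Combine(FxCopDir, "FxCopCmd.exe"), arguments)
        {
            UseShellExecute = false,
        };
        int exitCode;
        using (Process fxcop = Process.Start(startInfo))
        {
            fxcop.WaitForExit();
            exitCode = fxcop.ExitCode;
        }

        if (!File.Exists(Report))
        {
            Console.Error.WriteLine("FxCopCmd wrote no report (exit code {0}); failing the build.", exitCode);
            return 2;
        }

        int securityIssues = CountIssues(File.ReadAllText(Report), "Microsoft.Security");
        Console.WriteLine("FxCop Microsoft.Security issues: {0}", securityIssues);
        return securityIssues == 0 ? 0 : 1;
    }

    // Counts <Issue> elements under <Message Category="..."> in an FxCop report.
    // Messages whose Status starts with "Excluded" (suppressed in the project or
    // in source) are skipped. A missing Status attribute is still counted, so a
    // report shape we did not anticipate fails closed instead of passing silently.
    public static int CountIssues(string reportXml, string category)
    {
        XDocument report = XDocument.Parse(reportXml);
        return report.Descendants("Message")
            .Where(m => (string)m.Attribute("Category") == category)
            .Where(m => !((string)m.Attribute("Status") ?? "")
                            .StartsWith("Excluded", StringComparison.Ordinal))
            .SelectMany(m => m.Elements("Issue"))
            .Count();
    }
}
```

Run it as a post-build step after the compiler has produced MyApp.dll and its .pdb. The gate reads the report rather than relying on FxCopCmd's exit code, which mainly encodes tool failures such as unresolved references or bad switches. Custom rule assemblies, such as the one above, are added with further /rule: switches; to gate on individual rules instead of a whole category, FxCopCmd also accepts /ruleid:+Microsoft.Security#CA2100 style selections.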

Page 12:

SUMMARY

FxCop is a free static code analysis tool from Microsoft that checks .NET managed code assemblies for conformance to Microsoft's .NET Framework Design Guidelines.

FxCop analyzes the compiled assemblies (CIL and metadata), not the original source code.

FxCop includes both GUI and command-line versions of the tool.

FxCop reports violations of the selected rules; it does not by itself prevent them. Enforcement, for example failing a build when Security-category messages appear, has to be wired into the development process.