S ECURITY T OOLS F OR S OFTWARE D EVELOPMENT F X C OP 10.0 David Angulo Rubio.
-
Upload
meghan-parker -
Category
Documents
-
view
213 -
download
0
Transcript of S ECURITY T OOLS F OR S OFTWARE D EVELOPMENT F X C OP 10.0 David Angulo Rubio.
SECURITY TOOLS FORSOFTWARE DEVELOPMENT
FXCOP 10.0David Angulo Rubio
OVERVIEW
Security Development Life Cycle Tool What is FxCOP Why use FxCOP Code Analysis Rules checked by FxCOP Sample rule Possibilities Using FxCOP Conclusion
THE SECURITY DEVELOPMENT LIFECYCLE (SDL) AND FXCOP
Security best practices in Microsoft Provides guidance within established
development processes Design considerations Creating effective security plans Leveraging tools across the
development cycle Better then simply hunting for bugs
Requirements Design Implementation Verification Release Response
FXCOP
Began as an internal Microsoft Solution Enforces adherence to .NET Framework
Design Guidelines Available free
http://www.microsoft.com/download/en/details.aspx?id=6544.
Uses “Introspection” Faster analysis Multi-thread analysis
Contains over 200 rules Ability to create custom rules
FXCOP
A static code analysis tool that examines managed assemblies for design and code correctness issues
Console and graphical applications that manage: Targets (items for analysis) Rules (checks to execute) Messages (feedback from rules)
A general infrastructure for writing checks against managed code
WHY USE FXCOP
Do you:Have a well defined coding standardsBut have no way of enforcing those
standards?Spend much time writing codeBut even more time editing code?Want to have your applications run
smoothlyBut seem to always be held back by
errors? Then…FxCop is for you!
CODE ANALYSIS
Unlike traditional analysis tools (Lint for C), FxCOP does not analyze source code. Instead, it analyzes the binary Common Intermediate Language (CIL) generated by the .NET compilers and persisted in the .NET assemblies (EXE and DLL files). Analysis is enable by the rich metadata that is part of the CIL.
By analyzing assemblies directly, FxCOP avoids being tied to any particular programming language: it will work without modification against C#, VB.net, and potentially any other .NET languages
RULES
The tool is designed to check .NET code for violations of a wide range of programming rules and conventions. The rules included with FxCOP draw heavily upon Microsoft’s Framework Design Guidelines.
The rules checked by FxCOP include: Design, Globalization,Interoperabiliyy,Mobility, Naming, Performance, Portability, Security, Usage
SAMPLE METADATA XML
POSSIBILITIES
Ensure that the names of controls on forms and web pages follow your naming conventions.
Check that your preferred controls, components, and classes are used instead of alternatives.
Inspect literal arguments values being passed to your methods.
Examine control structures, such as conditions and loops, to evaluate code metrics.
Determine the callers and callees of methods. Spell-check text elements such as identifiers, literals, and
resource strings. Verify that elements are properly documented with XML
documentation comments. Build standalone tools that take advantage of FxCOP
code analysis APIs
USING FXCOP Recall that FxCOP checks compiled assemblies. Prior to
running FxCOP, you need to compile the program that you want to check.
SUMMARY
FxCOP is a free static code analysis tool from Microsoft that checks .NET managed code assemblies for conformance to Microsoft's .NET Framework Design Guidelines
FxCOP analyzes the compiled object code, not the original source code
FxCOP includes both GUI and command line versions of the tool
FxCOP ensures that the specified rules are used in the source code.