
Security Tools For Software Development FxCop 10.0

Security Tools For Software Development FxCop 10.0. David Angulo Rubio. Overview. Security Development Life Cycle Tool What is FxCop Why use FxCop Code Analysis Rules checked by FxCop Sample rule Possibilities Using FxCop Conclusion.





Presentation Transcript


  1. Security Tools For Software Development FxCop 10.0 David Angulo Rubio

  2. Overview • Security Development Life Cycle Tool • What is FxCop • Why use FxCop • Code Analysis • Rules checked by FxCop • Sample rule • Possibilities • Using FxCop • Conclusion

  3. The Security Development Lifecycle (SDL) and FxCop • Security best practices in Microsoft • Provides guidance within established development processes • Design considerations • Creating effective security plans • Leveraging tools across the development cycle • Better than simply hunting for bugs [SDL phases diagram: Requirements, Design, Implementation, Verification, Release, Response]

  4. FxCop • Began as an internal Microsoft solution • Enforces adherence to .NET Framework Design Guidelines • Available free: http://www.microsoft.com/download/en/details.aspx?id=6544 • Uses “Introspection” • Faster analysis • Multi-threaded analysis • Contains over 200 rules • Ability to create custom rules

  5. FxCop • A static code analysis tool that examines managed assemblies for design and code correctness issues • Console and graphical applications that manage: • Targets (items for analysis) • Rules (checks to execute) • Messages (feedback from rules) • A general infrastructure for writing checks against managed code

  6. Why Use FxCop • Do you: • Have well-defined coding standards • But have no way of enforcing those standards? • Spend much time writing code • But even more time editing code? • Want to have your applications run smoothly • But seem to always be held back by errors? • Then…FxCop is for you!

  7. Code analysis • Unlike traditional analysis tools (Lint for C), FxCop does not analyze source code. Instead, it analyzes the binary Common Intermediate Language (CIL) generated by the .NET compilers and persisted in the .NET assemblies (EXE and DLL files). Analysis is enabled by the rich metadata that is part of the CIL. • By analyzing assemblies directly, FxCop avoids being tied to any particular programming language: it will work without modification against C#, VB.NET, and potentially any other .NET language

  8. Rules • The tool is designed to check .NET code for violations of a wide range of programming rules and conventions. The rules included with FxCop draw heavily upon Microsoft’s Framework Design Guidelines. • The rule categories checked by FxCop include: Design, Globalization, Interoperability, Mobility, Naming, Performance, Portability, Security, Usage

  9. Sample Metadata XML

  10. Possibilities • Ensure that the names of controls on forms and web pages follow your naming conventions. • Check that your preferred controls, components, and classes are used instead of alternatives. • Inspect literal argument values being passed to your methods. • Examine control structures, such as conditions and loops, to evaluate code metrics. • Determine the callers and callees of methods. • Spell-check text elements such as identifiers, literals, and resource strings. • Verify that elements are properly documented with XML documentation comments. • Build standalone tools that take advantage of FxCop code analysis APIs
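As an added example of the custom-rule infrastructure mentioned on slides 4 and 5 (and of the rule metadata XML that slide 9 refers to), the following is not from the deck: a minimal introspection rule in C# that reports mutable public static fields, the kind of shared state any caller in the process can overwrite. The assembly name CustomRules, the rule name, the CheckId and the embedded resource name are assumptions chosen for the example.

```csharp
// Added example (not from the slides): a custom FxCop 10.0 introspection rule.
// Assumes a reference to Microsoft.FxCop.Sdk.dll from the FxCop install.
// Rule metadata, embedded as resource "CustomRules.Rules.xml" (assumed name):
//
// <Rules FriendlyName="Custom Security Rules">
//   <Rule TypeName="PublicStaticFieldsShouldBeReadOnly" Category="CustomSecurity" CheckId="CS0001">
//     <Name>Public static fields should be read-only</Name>
//     <Description>Mutable public static state can be overwritten by any caller.</Description>
//     <Resolution>Make field '{0}' read-only or expose it through a property.</Resolution>
//     <MessageLevel Certainty="90">Warning</MessageLevel>
//     <FixCategories>NonBreaking</FixCategories>
//     <Url />
//     <Owner />
//     <Email />
//   </Rule>
// </Rules>
using Microsoft.FxCop.Sdk;

namespace CustomRules
{
    public sealed class PublicStaticFieldsShouldBeReadOnly : BaseIntrospectionRule
    {
        public PublicStaticFieldsShouldBeReadOnly()
            : base("PublicStaticFieldsShouldBeReadOnly",    // must match TypeName in the XML
                   "CustomRules.Rules",                      // resource name without ".xml"
                   typeof(PublicStaticFieldsShouldBeReadOnly).Assembly)
        {
        }

        // The introspection engine calls Check once per member of every analysed type,
        // working from the compiled assembly's metadata rather than from source.
        public override ProblemCollection Check(Member member)
        {
            Field field = member as Field;
            if (field == null)
            {
                return null;                                 // only fields are of interest here
            }

            bool visible = field.IsVisibleOutsideAssembly;   // reachable from other assemblies
            bool mutable = !field.IsInitOnly && !field.IsLiteral;
            if (field.IsStatic && visible && mutable)
            {
                // {0} in the Resolution text is filled with the field's name.
                Problems.Add(new Problem(GetResolution(field.Name.Name), field));
            }
            return Problems;
        }
    }
}
```

Compile this into its own assembly, then load it alongside the built-in rules; the report entries it produces carry the Category and CheckId from the XML, so they can be filtered like any stock rule.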

  11. Using FxCop • Recall that FxCop checks compiled assemblies. Prior to running FxCop, you need to compile the program that you want to check.

  12. SUMMARY • FxCop is a free static code analysis tool from Microsoft that checks .NET managed code assemblies for conformance to Microsoft's .NET Framework Design Guidelines • FxCop analyzes the compiled object code, not the original source code • FxCop includes both GUI and command line versions of the tool • FxCop ensures that the specified rules are followed in the source code.
