Source code reviews and inspections have long been considered economical methods for rooting out functional and design flaws in code even before applications make their way to testing. As security has grown in importance, and with the advent of web applications and professional hackers, source code reviews have evolved to focus on potential security vulnerabilities. However, manual code reviews for security are difficult for most developers because they may not have the proper system-wide context to understand a complex security problem, or they may lack the security experience necessary to recognize potential problems.
The idea of conducting security code reviews has picked up further momentum with the latest version of the Payment Card Industry (PCI) Data Security Standard (DSS), a broadly used industry standard for protecting customer payment information. The PCI standard prescribes requirements for securing and protecting customer payment data by specifying processes and countermeasures for assuring secure systems. The sixth requirement of that standard is the most relevant to development teams, because it calls for secure "review of custom code prior to release to production or customers in order to identify any potential coding vulnerability." In other words, failure to prove that your developers are performing the security code reviews could lead to noncompliance with the standard and potential loss of business.
The PCI standard has been a boon for automated source code review tools, which have evolved over the past few years to perform security code reviews. Most of these tools were initially created to attempt to identify functional flaws in systems or to examine compliance with coding standards, but many have added security code review features to help automate the new requirements for security code reviews. However, these tools are expensive, difficult for untrained developers to use, and often not terribly accurate.
Source Code Analysis
Most source code review tools that focus on security belong to a slightly different product category: source code analysis tools. The term "source code analysis" is a nuanced misnomer, because the products do not typically review the source code itself; instead, they compile the code into an intermediate representation, such as Microsoft Intermediate Language (MSIL) for .NET, and then statically analyze call graphs and data flows using the compiled code. Commercial security products from vendors such as Coverity, Fortify Software, and Ounce Labs all approach source code analysis in this way.
Microsoft Visual Studio 2005 introduced a new code analysis feature for .NET developers that implements source code reviews via static analysis using this same technique. The Visual Studio code analysis feature is based on the FxCop tool that Microsoft developed years ago for internal code review. FxCop is still available separately as a command-line tool, but Microsoft bundles its capabilities with Visual Studio Team System. The bundled Visual Studio version provides enhanced usability, control through the user interface, and integration with the build process.
Even though Visual Studio 2005 Team System's (VSTS) code analysis capabilities provide powerful automated code review features for developers, those features focus mostly on checking code for adherence to coding standards and best practices. VSTS includes a few security rules, but they're largely generic, which tends to produce false positives and sometimes makes it difficult to decipher the exact problems to which the included rules apply. The usability problem is compounded by poor documentation for the included code review rules, meaning that developers are sometimes left guessing whether flagged items in their code are really worth worrying about. However, the VSTS code analysis rules are inherently integrated into the build process, and you can easily configure the rules to run as part of on-demand or scheduled builds.
Fortunately, Microsoft recognized some of the code analysis limitations, and now provides an API that you can use to implement your own custom security rules and improve the code analysis process. Unfortunately, that API is both officially unsupported and largely undocumented, but the VSTS developers responsible for the code analysis feature provide a good bit of guidance, samples, and advice through blog postings and forums. This article walks you through a simple example that shows how to write a custom security rule and points you to some resources for branching out and writing your own security code review rules.
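To make the two preceding points concrete (that these tools analyze the compiled MSIL rather than the source text, and that the same introspection API is open to custom rules), here is an added example of a minimal custom security rule. It is written for this edit, not the walkthrough the article refers to and not a Microsoft sample. Because the API is undocumented, the following are assumptions to verify against your FxCop build: the FxCop 1.36-style Microsoft.FxCop.Sdk namespace (FxCop 1.35 split the same types across Microsoft.FxCop.Sdk.Introspection and Microsoft.Cci), the BaseIntrospectionRule constructor taking the rule name, the embedded resource base name and the resource assembly, and the Rules.xml metadata layout shown in the trailing comment. The type prefixes and rule names are constructed for the example.

```csharp
// Added example: a custom FxCop / VSTS introspection rule that reports methods
// whose IL calls into weak hash algorithm types. Illustrative code, not part of
// the FxCop SDK or of the article's own walkthrough; see the lead-in for assumptions.
using System;
using Microsoft.FxCop.Sdk;

namespace CustomRules
{
    /// <summary>
    /// Flags any method whose IL contains a call, callvirt or newobj whose target
    /// is declared on one of the weak algorithm types listed below. The rule never
    /// sees source text: it walks the compiled instruction stream.
    /// </summary>
    public class AvoidWeakHashAlgorithms : BaseIntrospectionRule
    {
        // Prefix match so MD5CryptoServiceProvider, SHA1Managed etc. are all caught.
        // Constructed list for this example; extend it to your own policy.
        private static readonly string[] WeakTypePrefixes =
        {
            "System.Security.Cryptography.MD5",
            "System.Security.Cryptography.SHA1",
        };

        public AvoidWeakHashAlgorithms()
            : base("AvoidWeakHashAlgorithms",     // TypeName attribute in Rules.xml
                   "CustomRules.Rules",            // embedded resource base name (assumption)
                   typeof(AvoidWeakHashAlgorithms).Assembly)
        {
        }

        // FxCop calls Check once per member of the target assembly.
        // Only methods with a body are interesting here.
        public override ProblemCollection Check(Member member)
        {
            Method method = member as Method;
            if (method == null || method.Instructions == null)
                return null;

            foreach (Instruction instruction in method.Instructions)
            {
                // For call sites the instruction operand is the invoked Method.
                if (instruction.OpCode != OpCode.Call &&
                    instruction.OpCode != OpCode.Callvirt &&
                    instruction.OpCode != OpCode.Newobj)
                    continue;

                Method callee = instruction.Value as Method;
                if (callee == null || callee.DeclaringType == null)
                    continue;

                string calleeType = callee.DeclaringType.FullName;
                if (!IsWeakType(calleeType))
                    continue;

                // GetResolution fills the {0}/{1} placeholders of the
                // <Resolution> element in Rules.xml; the Problem is attached
                // to the offending method so the IDE can navigate to it.
                Problems.Add(new Problem(GetResolution(method.FullName, calleeType), method));
            }

            return Problems;
        }

        // Kept separate so the matching logic can be unit tested without FxCop.
        internal static bool IsWeakType(string fullTypeName)
        {
            foreach (string prefix in WeakTypePrefixes)
            {
                if (fullTypeName.StartsWith(prefix, StringComparison.Ordinal))
                    return true;
            }
            return false;
        }
    }
}

/* Rules.xml, added to the project as an Embedded Resource so that with the
   default namespace "CustomRules" it is embedded as CustomRules.Rules.xml:

<Rules FriendlyName="Custom Security Rules">
  <Rule TypeName="AvoidWeakHashAlgorithms" Category="CustomRules.Security" CheckId="CR0001">
    <Name>Avoid weak hash algorithms</Name>
    <Description>Methods should not use MD5 or SHA-1 for security-sensitive hashing.</Description>
    <Url>http://example.invalid/placeholder-rule-doc</Url>
    <Resolution>Method {0} uses {1}; use a SHA-2 family algorithm instead.</Resolution>
    <MessageLevel Certainty="90">Warning</MessageLevel>
    <FixCategories>NonBreaking</FixCategories>
    <Owner />
    <Email />
  </Rule>
</Rules>
*/
```

Build the rule as a class library that references FxCopSdk.dll, then either copy the assembly into the Rules folder under the Visual Studio static analysis tools directory so it appears alongside the built-in rules in the project's Code Analysis settings, or point the command-line tool at it directly (for example, FxCopCmd.exe /f:YourApp.dll /r:CustomRules.dll). Because the rule matches on fully qualified type names in the IL, it reports the same finding whether the call was written in C#, VB.NET or any other language that compiles to MSIL.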