

Apply Visual Studio Code Analysis to Beef Up Security: Page 3

Visual Studio's code analysis feature offers hidden extensibility opportunities for writing custom security code review rules.

Integrating Rules with Visual Studio
After you build the custom rule and compile it into a class library containing BaseRule.cs, CustomSecurityRule.cs, and Rules.xml, you need only copy the compiled assembly into the right directory to integrate it with VSTS code analysis. Copy the DLL (CustomSecurityRule.dll in this example) from your project to the rules location at C:\Program Files\Microsoft Visual Studio 8\Team Tools\Static Analysis Tools\FxCop\Rules. When you place your custom rule DLL in this location along with the embedded rules description file, VSTS will display the custom rule in the same dialog as the built-in rules (see Figure 1).

Figure 1. Custom Security Rule: Your custom security rule shows up in the same dialog as other code analysis rules and can be controlled in the same manner.

Because the custom rule now behaves like any other VSTS code analysis rule, you can run the rule by selecting it and enabling code analysis. You can then run code analysis manually on any project by selecting Build ⇒ Run Code Analysis, or you can configure code analysis to run automatically as part of your build. Whenever the custom rule flags a problem in your code, you'll see a code analysis warning in the Error List as shown in Figure 2.

Figure 2. Error List View: Custom security rules report violations in the Visual Studio Error List.
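The copy step above has one common failure mode: if Rules.xml was not embedded in the assembly, the DLL lands in the Rules directory but the rule never appears in the dialog. The script below is an added deployment check, not code from the article; it assumes the article's DLL name and rules path, inspects the assembly in reflection-only mode (so nothing in it executes), records a SHA-256 of the rule that will run inside every developer's IDE and build, and verifies the copy.

```powershell
# Added example (not from the article): deploy a custom FxCop rule DLL and verify it.
# Assumes the article's DLL name and VSTS 2005 rules directory; adjust as needed.
param(
    [string]$RuleDll  = ".\bin\Release\CustomSecurityRule.dll",
    [string]$RulesDir = "C:\Program Files\Microsoft Visual Studio 8\Team Tools\Static Analysis Tools\FxCop\Rules"
)

function Get-Sha256Hex([string]$Path) {
    # SHA-256 through the .NET API so this works on PowerShell 2.0-era hosts
    # (Get-FileHash only arrived in PowerShell 4.0).
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $hash = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($hash)).Replace("-", "")
}

if (-not (Test-Path $RuleDll)) { throw "Rule assembly not found: $RuleDll" }

# 1. Confirm the rules description file is embedded. ReflectionOnlyLoadFrom reads
#    metadata only and runs no code from the assembly (Windows .NET Framework API).
$asm      = [System.Reflection.Assembly]::ReflectionOnlyLoadFrom((Resolve-Path $RuleDll).Path)
$rulesRes = $asm.GetManifestResourceNames() | Where-Object { $_ -like "*Rules.xml" }
if (-not $rulesRes) {
    throw "No embedded *Rules.xml resource: set its Build Action to Embedded Resource, or VSTS will not list the rule."
}
Write-Host "Embedded rule description: $rulesRes"

# 2. Record what is about to run inside the IDE and the build so it can be audited later.
$srcHash = Get-Sha256Hex $RuleDll
Write-Host "Source SHA-256: $srcHash"

# 3. Copy into the FxCop Rules directory (an elevated prompt is needed under
#    Program Files) and confirm the deployed file is byte-identical to the source.
$dest = Join-Path $RulesDir (Split-Path $RuleDll -Leaf)
Copy-Item $RuleDll $dest -Force
if ((Get-Sha256Hex $dest) -ne $srcHash) { throw "Deployed file does not match source: $dest" }
Write-Host "Deployed $dest; restart Visual Studio and enable the rule in the Code Analysis dialog."
```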

Code Analysis in Visual Studio "Orcas"
Developers familiar with code analysis and writing custom rules have been hoping that the next version of Visual Studio would offer more robust rule customization capabilities. The Microsoft team originally planned to release a supported rule-writing API with full documentation, but unfortunately the feature was cut during the release for scheduling reasons.

Despite that cut, the Visual Studio team has made some minor improvements to the code analysis interfaces to clean them up and prevent developers from making some common mistakes. However, code analysis rule customization is still technically unsupported, which means the team will provide help only through the forums and blog postings listed in the references section. In addition, it's highly likely that future releases will break custom rules as the Visual Studio team moves toward the eventual goal of offering a fully baked, supported custom rules API; however, the team leads promise to keep backward compatibility in mind to minimize such problems.

Remember! Free Code Reviews!
Source code reviews can be great for identifying security vulnerabilities, but they're expensive and time consuming. Fortunately, you may have the advantage of already owning the code analysis feature built into the VSTS 2005 IDE. While the security rules included with VSTS are fairly limited, you can write and integrate custom security rules, which can help your code analyses remain relatively free of the false positives inherent in generic catch-all rules.

Jason Schmitt is product manager for Steelbox Networks, makers of security video surveillance distribution and storage solutions. Jason was previously group product manager for web application security vendor SPI Dynamics and has a long history of work expertise in product management, product development, and technical consulting. He often contributes articles to industry publications on secure software development, and is the author of the digital shortcut book "Secure ASP.NET AJAX Development" published by Addison-Wesley Professional.