Static Code Analysis: Some Tools

-
Security for applications is extremely important. While there are various considerations for securing the application, in this post, we will be concentrating on the code vulnerability scanning.   

In a traditional approach, security audits were carried out in the final stages of development, with dedicated security audit teams and manual checks. It takes a long time to complete the security scans and audits and when vulnerabilities are identified at these final stages even longer to fix it. 

The best way to do security audits in the DevOps world is to shift left and make the audits part of the build process, so the team is instantly aware of the application's security posture and the vulnerabilities are mitigated much earlier in the development cycle. 

The first step in the journey to better code quality is to use source code analyzers such as FxCopAnalyzers that analyze the code for code style, quality, and maintainability, etc and provide metrics. 

The Microsoft Learning path, Build applications with Azure DevOps is a good starting point to anyone who wants to learn setting up CICD for various application frameworks with quality and security best practices.  Here we are using mslearn-tailspin-spacegame-web repository for running tests and configure build pipelines. 

Here is an example of code quality metrics that was available in Visual Studio while running code analysis locally. 

You can check the properties of each diagnostic run by the analyser from solution explorer. More information on installing and configuring code anlyzers can be found here.  After running the code analysis we can see the same in visual studio error list. 


When it comes to continuous analysis of code quality, reliability, and security, automatically detecting bugs, vulnerabilities, code smells and other issues  tools like SonarCloudResharper and WhiteSource can be utilised.  

The Azure DevOps Labs blog post describes the steps used to do static code analysis with SonarCloud. Apart from the Azure DevOps blogpost, the Microsoft Learn Course Scan code for vulnerabilities in Azure Pipelines provides details of using SonarCloud locally and part of Azure DevOps pipeline.

Here is a sample of mslearn-tailspin-spacegame-web application scan result available in SonarCloud. 

Another tool used for Code Analysis is Resharper. To take advantage of the complete ReSharper toolset, it must be used in the code development phase, with the ReSharper extension installed on each developer’s Visual Studio IDE.

To enable code quality checks from Continuous Integration pipelines, ReSharper provides a free command-line version of ReSharper. ReSharper Command Line Tools is a set of free standalone tools that execute hundreds of ReSharper code inspections outside of Visual Studio and additionally find code duplicates. 

WhiteSource is another comprehensive tool that deals with security and licensing of open source components in your codebase. The WhiteSource has a Free marketing tool (WhiteSource Bolt) available to use with Azure DevOps pipeline and a paid complete solution with real-time alerting, policy-based approvals, custom reports for auditing, etc. A complete comparison can be found here. 

Microsoft Security Code Analysis is Microsoft's offer for  Static Code Analysis. This analysis is recommended by the Secure Development Lifecycle (SDL) experts at Microsoft.MSCA provides a toolset that includes both Static Application Security Testing (SAST) including Credential Scanner and Roslyn Analyzers and Dynamic Application Security Testing (DAST), specifically integration with Microsoft Security Risk Detection Fuzzing. It makes it easy to run these automatically as part of your build and release pipelines in Azure DevOps.  

It includes the following tools  
  • Anti-Malware Scanner: Anti-Malware Scanner is run on a build agent that has Windows Defender already installed. 
  • Binskim: An open-source tool Portable Executable (PE) light-weight scanner that validates compiler/linker settings and other security-relevant binary characteristics. 
  • Credential Scanner: A proprietary static analysis tool that detects credentials, secrets, certificates, and other sensitive content in your source code and your build output. 
  • Microsoft Security Risk Detection: Security Risk Detection is Microsoft’s unique cloud-based fuzz testing service for identifying exploitable security bugs in software. This service requires a separate onboarding process. 
  • Roslyn Analyzers: Microsoft’s compiler-integrated static analysis tool for analyzing managed code (C# and VB). 
  • TSLint: An open-source extensible static analysis tool that checks TypeScript code for readability, maintainability, and functionality errors. and can be customized with your own lint rules, configurations, and formatters. 

Comments

Post a Comment

Popular posts from this blog

Check SQL Server Database Status

-
Image
It's been a month since my last post. Today I am posting a function that can be used to check the status of MS SQL Server databases. At the current moment, I am not sure about the limitations on where this script works like which versions of Windows OS or supported MS SQL Server versions. I have been using the script on my laptop where I have installed Windows 10 OS and SQL Server 2014 Developer Edition. SQL Server Developer edition can be downloaded from here . There are multiple methods to connect to a SQL Server instance from Powershell. I found this very useful article on sqlshack . The script in this post makes use of the SQLPS module. <# . Synopsis Check database status on MS SQL Server instances. . DESCRIPTION Check the database status on one or a list of MS SQL Server instances. . Parameter ServerInstance Provide the server instance to connect to in case of a named instance servername\instancename. . EXAMPLE Get-DBStatus -Serv
Read more

PowerShell and Azure Resource Graph

-
Image
Introduction On today’s post, I want to discuss a service introduced on the Microsoft Azure platform fairly recently, Azure Resource Graph . Azure Resource Graph service enables the administrators to explore resources in large scale deployment with relative ease across multiple subscriptions and management groups. Azure Resource Graph queries provide the following capabilities. Ability to query resources with complex filtering, grouping, and sorting by resource properties. Ability to iteratively explore resources based on governance requirements and convert the resulting expression into a policy definition. Ability to assess the impact of applying policies in a vast cloud environment. Ability to detail changes made to resource properties (preview). Azure Resource Graph service was announced during 2018’s Microsoft Ignite Conference. The service coupled with cross-platform PowerShell Az module enables the administrators to discover resources much faster compared to
Read more