tags:

views:

467

answers:

2

I am looking for a utility that can be used against .NET assemblies to validate code against best practices, and most importantly can review the code for Security, Injection, and Cross Site Scripting vulnerabilities. I know that it isn't an exact science, but I'm looking for anyones experience/recommendations on the best way to a solution that will at least set a baseline standard. I know that nothing beats doing an individual review, but I'm looking at the high level.

I have been doing some research on Fortify, and so far it is looking like a good tool, from what I can tell it provides a very detailed response. I know that FXCop is out there as well, but I don't know if it goes in deep enough.

EDIT One attractive thing I found about Fortify, and that would be nice in a tool is the combination of security review, AND .NET Best practices review. IE fortify checks fo potential un-closed connections, recommends the use of Using statements, etc.

A: 

We have licenses for Ounce for the development side, and I've heard great things about SpiDynamics for testing applications post development.

Abyss Knight
Ounce looks pretty good, does it do anything for "best practices" recommendations as well?
Mitchel Sellers
It says something along those lines on the product page, but I can't be certain. We all have licenses, but ironically not many of us have disk space left to install it.Best practices copy: http://www.ouncelabs.com/homesdlc.asp
Abyss Knight
+2  A: 

FxCop is a static code analysis tool, though not specifically targetting security, it will pick up alot of common errors (be sure to turn off the naming rules you aren't interested in).

Also, I came across the "Performance Code Review Tool – Practices Checker" here.

Mitch Wheat
I missed the fact you mentioned FxCop, sorry.
Mitch Wheat
Nice find on the Performance Code Review Tool.
Mitchel Sellers