tags:

views:

467

answers:

2
+8  Q: 

.NET Code Security Review Tool

I am looking for a utility that can be used against .NET assemblies to validate code against best practices, and most importantly can review the code for Security, Injection, and Cross Site Scripting vulnerabilities. I know that it isn't an exact science, but I'm looking for anyones experience/recommendations on the best way to a solution that will at least set a baseline standard. I know that nothing beats doing an individual review, but I'm looking at the high level.

I have been doing some research on Fortify, and so far it is looking like a good tool, from what I can tell it provides a very detailed response. I know that FXCop is out there as well, but I don't know if it goes in deep enough.

EDIT One attractive thing I found about Fortify, and that would be nice in a tool is the combination of security review, AND .NET Best practices review. IE fortify checks fo potential un-closed connections, recommends the use of Using statements, etc.

A: 

We have licenses for Ounce for the development side, and I've heard great things about SpiDynamics for testing applications post development.

Abyss Knight  2008-10-13 14:50:11
Ounce looks pretty good, does it do anything for "best practices" recommendations as well?
Mitchel Sellers  2008-10-13 15:03:01
It says something along those lines on the product page, but I can't be certain. We all have licenses, but ironically not many of us have disk space left to install it.Best practices copy: http://www.ouncelabs.com/homesdlc.asp
Abyss Knight  2008-10-14 13:54:52
+2  A: 

FxCop is a static code analysis tool, though not specifically targetting security, it will pick up alot of common errors (be sure to turn off the naming rules you aren't interested in).

Also, I came across the "Performance Code Review Tool – Practices Checker" here.

Mitch Wheat  2008-10-13 14:54:01
I missed the fact you mentioned FxCop, sorry.
Mitch Wheat  2008-10-13 14:54:55
Nice find on the Performance Code Review Tool.
Mitchel Sellers  2008-10-13 15:03:58

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?