The SDL Static Analysis Story
With the two-day Microsoft Security Development Conference starting tomorrow in DC, I am curious to hear about one thing: what is the static code analysis story in the Security Development Lifecycle?
Microsoft explains their vision of the Security Development Lifecycle and provides SDL Practice #10: Perform Static Analysis. On that page, under the heading "Tools specific to this practice", CAT.NET is recommended and download links are provided. However, the links point to CAT.NET version 1.0. What happened to CAT.NET 2.0?
On the MSDN blog, a post from the SDL folks implies that security-oriented code analysis is going to be part of Visual Studio 11. I believe there is a lot of value in having a separate tool, like FxCop, that can perform static code analysis across VS projects and solutions and on third-party assemblies.
I would love to hear more about the tools specific to SDL Practice #10: Perform Static Analysis, and I am hopeful that this will be described in detail in one or more sessions at some future SDC.
Don’t keep us in suspense … What did they say? :-)
@domz82 Cheers! Unfortunately, as it turned out, I couldn’t make SDC. A couple of my colleagues were there. I will post an update once I have more information.
I attended the SDC this month, where they mentioned the importance of static analysis tools, and the consequences of not addressing security vulnerabilities during development. However, they didn’t go into detail about security-oriented static analysis or show any recommended tools. Some speakers did show some high-level metrics about how their vulnerabilities would go down after measuring and tackling them.
Personally, I would recommend HP’s Fortify/WebInspect set of tools for security-related code analysis, both dynamic and static. I also spoke to an IBM representative in the audience, who suggested IBM’s AppScan as well.
In the sessions I’ve attended, they’ve mentioned only the static analysis Visual Studio will ship with and how to use SAL (source annotation language) to expand its capabilities to your own source code. The rest of the talks covered other tools they have to complement the SDLC, but there were zero mentions of CAT.NET.
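To make the SAL mention above concrete, here is an added C example (not from the post, and not Microsoft's own code) of a bounded copy whose parameter contracts are expressed with SAL2 annotations, so that Visual Studio code analysis (/analyze) can flag callers that pass a too-small buffer. The non-MSVC stub macros and the helper names are my own assumptions.

```c
/* On MSVC the annotations come from <sal.h>; on other compilers they are
   stubbed out so the file still builds (the usual portability pattern). */
#ifdef _MSC_VER
#include <sal.h>
#else
#define _In_reads_(n)
#define _Out_writes_z_(n)
#define _Success_(e)
#endif
#include <stddef.h>
#include <string.h>

/* Copy at most cap-1 bytes of src into dst and NUL-terminate it.
   The annotations tell the analyzer that src holds len readable bytes,
   that dst must have room for cap bytes ending in a NUL, and that dst is
   only guaranteed initialised when the function returns non-zero. */
_Success_(return != 0)
int copy_bounded(_In_reads_(len) const char *src, size_t len,
                 _Out_writes_z_(cap) char *dst, size_t cap)
{
    if (src == NULL || dst == NULL || cap == 0)
        return 0;
    if (len >= cap) {          /* would not fit with the terminator */
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 1;
}

/* Small driver (hypothetical helper): attempt a copy into a cap-byte
   slice of a stack buffer and return the result code, so the contract
   can be exercised at run time even without /analyze. */
static int try_copy(const char *src, size_t cap)
{
    char buf[16];
    if (cap > sizeof buf)
        return -1;
    return copy_bounded(src, strlen(src), buf, cap);
}
```

Under /analyze, a call such as `copy_bounded(src, 8, small, 4)` with `small` declared as `char small[4]` is reported from the annotations alone, before the code ever runs.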
@pba, thanks for the info on VS and SAL. For those interested, I found more info at these links:
@Shahed C, the HP tool set is very helpful. It identifies many important vulnerabilities. For those interested, here is a Fortify blog with lots of info: http://blog.fortify.com/blog/
If you’d like info on getting started with IBM AppScan, take a look at this post: http://realsearchgroup.org/SEMaterials/tutorials/appscan/