Ruthlessly Helpful

Stephen Ritchie's offerings of ruthlessly helpful software engineering practices.

The SDL Static Analysis Story

With the two day Microsoft Security Development Conference starting tomorrow in DC, I am curious to hear about one thing: what is the static code analysis story in the Security Development Lifecycle?

Microsoft explains their vision of the Security Development Lifecycle and provides SDL Practice #10: Perform Static Analysis. On that page, under the heading of Tools specific to this practice, CAT.NET is recommended and download links are provided. However, the links are to CAT.NET version 1.0. What happened to CAT.NET 2.0?

On the MSDN blog a post from the SDL folks implies that security-oriented code analysis is going to be part of Visual Studio 11. I believe there is a lot of value in having a separate tool, like FxCop, to perform static code analysis across VS projects and solutions and on 3rd-party assemblies.

I would love to hear more about the tools specific to SDL Practice #10: Perform Static Analysis, and I am hopeful that this will be described in detail in one or more sessions at some future SDC.


6 responses to “The SDL Static Analysis Story

  1. domz82 May 23, 2012 at 12:26 pm

    Don’t keep us in suspense … What did they say? :-)

  2. Stephen D. Ritchie May 23, 2012 at 12:42 pm

    @domz82 Cheers! Unfortunately, as it turned out, I couldn’t make SDC. A couple of my colleagues were there. I will post an update once I have more information.

  3. Shahed C May 23, 2012 at 2:52 pm

    I attended the SDC this month, where they mentioned the importance of static analysis tools, and the consequences of not addressing security vulnerabilities during development. However, they didn’t go into detail about security-oriented static analysis or show any recommended tools. Some speakers did show some high-level metrics about how their vulnerabilities would go down after measuring and tackling them.

    Personally, I would recommend HP’s Fortify/WebInspect set of tools for security-related code analysis, both dynamic and static. I also spoke to an IBM representative in the audience, who suggested IBM’s AppScan as well.

  4. pba May 31, 2012 at 11:35 am

    In the sessions I’ve attended they’ve mentioned only the static analysis Visual Studio will ship with and how to use SAL (source annotation language) to expand its capabilities to your own source code. The rest of the talks covered other tools they have to complement SDLC but zero mentions about CAT.NET.

  5. Stephen D. Ritchie June 1, 2012 at 8:51 am

    @Shahed C, the HP tool set is very helpful. It identifies many important vulnerabilities. For those interested, here is a Fortify blog with lots of info:
    If you’d like info on getting started with IBM AppScan, take a look at this post:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: