.NET Code Auditing – Keith Rull, Software Engineer, First Allied Securities Inc.

Let’s try to write some code! Get the piece of paper I gave you and write a C# function called CombineStrings that accepts two string variables and returns the combined (appended) value of the first and second variable. *Note: Don’t copy other people’s code!

Code Samples

    //** SAMPLE 1**
    public string CombineStrings(string value1, string value2)
    {
        return value1 + value2;
    }

    //** SAMPLE 2**
    public string CombineStrings(string sVal1, string sVal2)
    {
        return sVal1 + sVal2;
    }

    //** SAMPLE 3**
    public string CombineStrings(string strVal1, string strVal2)
    {
        return strVal1 + strVal2;
    }

What have we learned? Different people write different code.
– We all have our own style when it comes to code, even if there are already guidelines set by the company.
– Believe it or not, our code reflects how we think.

Sidebar: Bad Hair Day?! Programming Stereotype
– Back in the early days of VB versus the world, there was a notion that VB developers could easily spot whether a developer was a VB programmer or not just by looking at that person’s hair! Weird, huh?!

Which is why… most (if not all) code improvement techniques started in the C space:
– Code Auditing
– Design Patterns
– Refactoring
– And many more

Uh, OK… So what’s Code Auditing? According to Wikipedia:
– A software code audit is a comprehensive analysis of source code in a programming project with the intent of discovering bugs, security breaches or violations of programming conventions.

What are the types of code audit? There are two types of code audit:
– Security: this type of audit is done in the QA phase of the application.
– Convention: this happens before an application is rolled to QA. Checks are done on the code to validate that it passes the programming rules and guidelines set by the company.

So why is this important? Code auditing helps make sure that code across an enterprise is consistent in all projects. This enables transitions and turnovers of projects to go smoothly, since every member of the team understands the code. Code auditing also limits the number of bugs, since it aggressively makes sure that guidelines are enforced on both the security and the convention side.

Oops! We are skipping a topic! We are skipping the security audit, since that topic is a league of its own: it ranges from defensive programming (not trusting code and always putting checks and bounds on code segments) up to the most common topic, application security (this includes SQL injection). We might give hints about it along the way, though.

WITW is Convention Audit? Convention Audit is the process of analyzing and testing source code to see if it passes the guidelines set by the company (or institution) on how to code certain parts and elements of a program.

Two types of Convention Audit: manual code review and automated code review.
– There are several tools for .NET. The two popular ones are FxCop and SSW Code Auditor.

What is FxCop? FxCop is a code analysis tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines. It uses reflection, MSIL parsing, and call-graph analysis to inspect assemblies for more than 200 defects in the following areas: library design, localization, naming conventions, performance, and security.

FxCop? Show me a Demo!

A Not-So-Minor Drawback: FxCop is hard to configure!
– Defining new rules can drive you nuts, since the rules need to be coded in .NET and loaded as assemblies (.dll) in FxCop.
– No scheduling feature.
– Can only audit .NET code.
– Only assemblies can be audited.
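To make the FxCop approach concrete, here is an added example (not code from the slides and not FxCop's own rule API): a small self-contained program that does what an FxCop rule does at its core, namely load a compiled assembly and inspect its public types through reflection, rather than reading source text. The two rules it applies (public names should be PascalCase; public fields should be properties) follow the Framework Design Guidelines the slide mentions, and the `sampleService` class at the bottom is a constructed violator so the program reports something when run without arguments.

```csharp
// Added example of an FxCop-style, reflection-based convention check.
// Not FxCop code; the rule ids (CA-NAME, CA-FIELD) are made up for this demo.
using System;
using System.Collections.Generic;
using System.Reflection;

public static class NamingAudit
{
    // Design Guidelines: public type and member names are PascalCase, no underscores.
    static bool IsPascalCase(string name) =>
        name.Length > 0 && char.IsUpper(name[0]) && !name.Contains("_");

    // Walk every exported (public) type of the assembly, as FxCop does, and
    // report each violation as one line of text.
    public static IEnumerable<string> Audit(Assembly asm)
    {
        const BindingFlags declaredPublic =
            BindingFlags.Public | BindingFlags.Instance | BindingFlags.Static | BindingFlags.DeclaredOnly;

        foreach (var type in asm.GetExportedTypes())
        {
            if (!IsPascalCase(type.Name))
                yield return $"CA-NAME: type '{type.FullName}' is not PascalCase";

            foreach (var method in type.GetMethods(declaredPublic))
            {
                if (method.IsSpecialName) continue; // property/event accessors, operators
                if (!IsPascalCase(method.Name))
                    yield return $"CA-NAME: method '{type.FullName}.{method.Name}' is not PascalCase";
            }

            // Public fields bypass validation that a property setter could enforce.
            foreach (var field in type.GetFields(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly))
                yield return $"CA-FIELD: public field '{type.FullName}.{field.Name}' should be a property";
        }
    }

    public static void Main(string[] args)
    {
        // Audit the assembly given on the command line, or this program itself.
        var asm = args.Length > 0 ? Assembly.LoadFrom(args[0]) : Assembly.GetExecutingAssembly();
        int count = 0;
        foreach (var finding in Audit(asm))
        {
            Console.WriteLine(finding);
            count++;
        }
        Console.WriteLine($"{count} finding(s) in {asm.GetName().Name}");
    }
}

// Constructed sample type that breaks all three checks.
public class sampleService
{
    public int counter;
    public void do_work() { }
}
```

Because the check runs against the compiled assembly, it can only be applied after a successful build, which is exactly the limitation the slide lists; extending it means writing and compiling more .NET code, not editing a text rule.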

Then Comes A Better Alternative… SSW Code Auditor is a code analysis tool that checks and validates code at the flat-file level (unlike FxCop, which needs compiled assemblies), which lets a developer automatically analyze his code right before creating a build.

Key Features
– Uses regular expressions to define rules.
– Can analyze any text file, as long as there is a defined rule for it.
– Batch processing of multiple projects and files.
– Can be scheduled and has the ability to integrate with an SMTP server.
– Reports can be exported to XML.
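The following is an added example, written for this page and not SSW Code Auditor's own code or rule format, of the flat-file, regex-driven approach those features describe: a rule is a regular expression plus a file pattern, any text file can be audited (here .cs and .config), a whole directory tree can be processed in one batch, and the findings are emitted as XML. The four rules, their ids and the sample source are all constructed for the demo; two of them (SEC-001, SEC-002) show how the same engine can carry the "hints" about application security the earlier slide promised, by flagging SQL text built with string concatenation and a web.config that turns custom errors off. It targets C# 9 or later (records, target-typed new).

```csharp
// Added example of a regex-based, flat-file convention audit with XML output.
// Not SSW Code Auditor code; rule ids and patterns are hypothetical.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text.RegularExpressions;
using System.Xml.Linq;

public record Rule(string Id, string Description, Regex Pattern, string FileGlob);
public record Finding(string RuleId, string File, int Line, string Text);

public static class FlatFileAudit
{
    // Hypothetical rule set: one regex per rule, applied line by line to every
    // file whose name matches FileGlob. No compilation needed.
    public static readonly Rule[] Rules =
    {
        new("CONV-001", "Hungarian prefix on string parameter",
            new Regex(@"\bstring\s+(s|str)[A-Z]\w*"), "*.cs"),
        new("CONV-002", "Empty catch block swallows the exception",
            new Regex(@"catch\s*(\(\s*Exception\s+\w*\s*\))?\s*\{\s*\}"), "*.cs"),
        new("SEC-001", "SQL text built by string concatenation",
            new Regex(@"""[^""]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^""]*""\s*\+", RegexOptions.IgnoreCase), "*.cs"),
        new("SEC-002", "Custom errors disabled in web.config",
            new Regex(@"<customErrors\s+mode\s*=\s*""Off""", RegexOptions.IgnoreCase), "*.config"),
    };

    // Simple suffix match is enough for "*.ext" globs.
    static bool GlobMatches(string glob, string fileName) =>
        fileName.EndsWith(glob.TrimStart('*'), StringComparison.OrdinalIgnoreCase);

    public static List<Finding> AuditText(string fileName, string content)
    {
        var findings = new List<Finding>();
        var lines = content.Split('\n');
        foreach (var rule in Rules.Where(r => GlobMatches(r.FileGlob, fileName)))
        {
            for (int i = 0; i < lines.Length; i++)
            {
                if (rule.Pattern.IsMatch(lines[i]))
                    findings.Add(new Finding(rule.Id, fileName, i + 1, lines[i].Trim()));
            }
        }
        return findings;
    }

    // Batch mode: every file under the root, so several projects can be audited in one run.
    public static List<Finding> AuditDirectory(string root) =>
        Directory.EnumerateFiles(root, "*.*", SearchOption.AllDirectories)
            .SelectMany(f => AuditText(f, File.ReadAllText(f)))
            .ToList();

    // XML report: easy to archive, diff between builds, or attach to a scheduled e-mail.
    public static XDocument ToXml(IEnumerable<Finding> findings) =>
        new XDocument(new XElement("audit",
            findings.Select(f => new XElement("finding",
                new XAttribute("rule", f.RuleId),
                new XAttribute("file", f.File),
                new XAttribute("line", f.Line),
                f.Text))));

    public static void Main(string[] args)
    {
        // Constructed sample input (the slide's CombineStrings, made deliberately sloppy);
        // pass a directory path instead to audit a real tree.
        const string sample = @"public string CombineStrings(string sVal1, string sVal2)
{
    var cmd = ""SELECT * FROM Users WHERE Name = '"" + sVal1 + ""'"";
    try { Run(cmd); } catch (Exception ex) { }
    return sVal1 + sVal2;
}";
        var findings = args.Length > 0 ? AuditDirectory(args[0]) : AuditText("Sample.cs", sample);
        Console.WriteLine(ToXml(findings));
    }
}
```

Run without arguments it reports CONV-001 on line 1, SEC-001 on line 3 and CONV-002 on line 4 of the sample. Regex rules are cheap to write and run before a build exists, but they are purely textual: a pattern like SEC-001 will miss concatenation spread over several lines and may flag a harmless string, so rule output is a review queue for a human, not a verdict.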

SSW Code Auditor? Show me a Demo!

Final Thoughts: Code Auditing can streamline the development process. Less stress on code/project turnovers. Code Auditing is a good investment.
– FxCop is free.
– SSW Code Auditor is $899 for 10 users.

Where To Learn More?
– A Good Introduction to Code Auditing –
– SSW Code Auditor –
– FxCop –

Where to catch this crazy guy? Contact me at: URL: Thanks for listening, and go start auditing!