Writing Secure Code · download.microsoft.com/download/6/6/7/6679864e-d50d-449d... · 2018-10-13 · ...
Writing Secure Code with Visual Studio Team System
Chatree Dechabumphen
Microsoft Consultant
Microsoft (Thailand)
Objectives
To demonstrate how to use the new features of Visual Studio 2005 that help make applications more secure and robust
Agenda
Visual Studio Team System Overview
Using FXCop to Uncover Code Defects
Writing Less Privilege Applications Using Code Access Security
Using Integrated Code Coverage
Stress Testing Web Application
Summary
Visual Studio Team System
[Diagram: the Visual Studio Team System editions (Visual Studio Team Architect, Visual Studio Team Developer, Visual Studio Team Test, Visual Studio Team Foundation) and their components, framed by Process and Architecture Guidance and Visual Studio Industry Partners. Components named in the diagram: Dynamic Code Analyzer, Static Code Analyzer, Code Profiler, Unit Testing, Code Coverage, Visio and UML Modeling, Team Foundation Client (includes CAL), Visual Studio Professional Edition, Class Designer, Load Testing, Manual Testing, Test Case Management, Application Designer, Logical Infra. Designer, Deployment Designer, Change Management, Work Item Tracking, Reporting, Project Site, Integration Services, Project Management, Big Build.]
Team System
Dev Writes Unit Tests
Dev Writes And Tests Code
Dev Reviews Work
Dev Runs Code Analysis
Dev Writes Load Tests
Dev Checks In Work
Dev Diagnoses & Fixes
Dev Checks In Work
Tester Checks Build Status
Tester Runs Load Test
Tester Reports Bug
Developer
Tester
Using FXCop to Uncover Code Defects
FXCop
A Code Analysis Tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines
Uses reflection, MSIL parsing, and call-graph analysis to inspect assemblies for more than 200 defects
Intended for class library developers
Static Analysis
Find errors in your code before you run or deploy it
Checks range from style to code correctness to security issues
Integrated into the Team System Build Environment
Static Analysis
The dev process without Static Analysis
[Diagram: Code → Compile (Preproc, Grammar, Link, Raise Errors) → Binary]
Static Analysis
The dev process with Static Analysis
[Diagram: Code → Compile → Static Analysis (Analyze Code, Check Rules, Raise Errors) → Binary]
Demo :
Using FXCop to Uncover Code Defects
Writing Less Privilege Applications Using Code Access Security
Code Access Security (CAS)
CAS limits the access that code has to protected resources and operations by restricting it to an explicit set of permissions, according to the specified policy
CAS Benefits
Restrict What Your Code Can Do
Restrict Which Code Can Call Your Code
Identify Code
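The first two benefits above, shown as an added example (not code from the presentation): a declarative demand restricts which callers can reach a method, and PermitOnly restricts what the method itself can touch. It assumes the .NET Framework 2.0 that ships with Visual Studio 2005; ReportStore, Root and the file names are hypothetical.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

public static class ReportStore
{
    // Hypothetical directory, used only for this illustration.
    private const string Root = @"C:\Reports";

    // Restrict which code can call this code: the declarative Demand walks
    // the stack, so every caller must hold read access to Root.
    [FileIOPermission(SecurityAction.Demand, Read = Root)]
    public static string Read(string name)
    {
        // Restrict what this code can do: until reverted, any file access
        // outside Root made from this frame down fails its stack walk.
        FileIOPermission only = new FileIOPermission(
            FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery, Root);
        only.PermitOnly();
        try
        {
            // The check is made on the resolved full path, so a name that
            // resolves outside Root is refused as well.
            return File.ReadAllText(Path.Combine(Root, name));
        }
        finally
        {
            CodeAccessPermission.RevertPermitOnly();
        }
    }
}

public static class Program
{
    public static void Main()
    {
        try
        {
            // Constructed input: resolves to C:\Other\notes.txt, outside Root.
            ReportStore.Read(@"..\Other\notes.txt");
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Refused by CAS: " + ex.PermissionType);
        }
    }
}
```

CAS stack-walk enforcement is a .NET Framework feature; .NET Core and later do not support it.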
Demo :
Writing Less Privilege Applications Using Code Access Security
Using Integrated Code Coverage
Code Coverage
Test Authoring isn’t about quantity, it’s about quality
Code coverage helps you monitor your tests' effectiveness
Team Members can analyze results at a high-level
Can also analyze source for specific missed methods and branches
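Code Coverage
void PurchaseItem(int itemID)
{
    if (itemID == 0)
    {
        // Not executed by UnitTest() below, so coverage reports this branch as missed.
        throw new Exception();
    }
    else
    {
        // Executed by UnitTest(): the only covered branch.
        ProcessOrder(itemID);
    }
}

void UnitTest()
{
    // Exercises only the itemID != 0 path.
    PurchaseItem(1);
}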
Demo :
Using Integrated Code Coverage
Stress Testing Web Application
Demo :
Stress Testing Web Application
Summary
Learn about the new suite of tools in Visual Studio Team System for
Static Code Analysis (FXCop)
Code Access Security (CAS)
Code Coverage
Automated Stress Testing Tool
Questions
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.