Hands-free Security Scanning within .NET Applications
I'm sure if you follow any news sources at all, you see countless hacks, breaches, and leaks from various big-name companies which you might assume would be better at protecting your information. Now most of these incidents can probably be related to non-technical issues like social engineering, but not all of them.
All too often security is a second (or later) class citizen within applications and rather than making it a concern initially, it's left to be "tacked on" after everything else is done. This is how seemingly well-constructed applications fall prey to silly and generally easily preventable attacks such as SQL Injection, Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF).
If you fall into this category (security as a second-class citizen), then this post is for you. It introduces two freely available tools that you can easily integrate into your development environment to help warn you about potential issues during the development phase before releasing your product into the wild.
Security via Extension
One of the best aspects of developing software in a powerful IDE such as Microsoft's Visual Studio is the wide array of available extensions. There are extensions for just about everything under the sun to make developing applications easier than ever, and in this case, more secure.
The two extensions that I'm referring to, which I'm sure there are others are:
- Roslyn Security Guard
- Puma Scan
Both are freely available, extremely easy to use, and can check for many of the most common security vulnerabilities that you'll likely encounter in the wild.
Getting Started with a Security Analysis Extension
To get started, search and install one or both aforementioned extensions (Roslyn Security Guard or Puma Scan) within the Extensions and Updates area in Visual Studio:
After installing one (or both) of the extensions, you'll need to ensure that you have Full Solution Analysis enabled within Visual Studio under Tools > Options > C# > Text Editor > Advanced > Enable Full Solution Analysis:
At this point, you are pretty much all set and ready to start looking for potential vulnerabilities within your application, so let's see what that looks like.
Hello World (Now with Security)
Since both scanners leverage the Roslyn compiler platform, it allows them to work in real-time and warn you of potential code vulnerabilities as you write code.
Let's spin up a new Web API project within Visual Studio to see this in action:
So, what's happening here? Well:
- We created a brand-new Web API Project.
- We opened the default
ValuesController.cs
file. - The scanners recognized that all the HTTP POST methods were vulnerable to potential CSRF attacks.
- It provided a recommendation to decorate these methods with a
[ValidateAntiForgeryToken]
attribute to curb these attacks.
It's just that easy. Let's see another example of another example of something you might see pretty often, SQL Injection:
As with the previous example, you can see the moment that string concatenation is detected within a string that is going to be used as a query, you'll be aware of potential SQL Injection.
So - these real-time features are extremely nice, but it's worth noting that these extensions simply extend the built-in code analysis within Visual Studio. This means that any time that you use the Run Code Analysis feature at the project or solution-level, you'll receive all the available errors and warnings within it:
NOTE: If you find that no security-related errors are appearing in your Error List, ensure that Build + Intellisense is selected in the available drop-down under that section. Either that - or you don't have any errors at all :)
Taking It Beyond The IDE
Now that you have real-time security analysis of your code, what's next? Well, how about adding this to your Build Server as part of a CI process?
The Puma Scan scanner offers a Professional License that allows you to run the various security rules from a Build Server against any number of projects - and it's pretty easy to do. First, you'll need the following NuGet packages included within your project:
- Microsoft.Net.Compilers
- Microsoft.CodeAnalysis
- Puma.Security.Rules.Pro
After including these, you'll need to go into your preferred CI portal and set up the following arguments to the MSBuild command for that project:
MSBuild.exe /p:DeployOnBuild=true /p:Configuration=Release /p:OutDir=../Publish /fl1 /fl2 /fl3 /flp1:logfile=build.log /flp2:logfile=build_errors.log;errorsonly /flp3:logfile=build_warnings.log;warningsonly %WORKSPACE%\YourSolution.sln
This will generate several log files related to Puma Scan that will contain any security information such as warnings and errors that might be present in your application.
After generating these files, you can use the following command to export the warnings to the Puma Parser utility, which will allow you to define thresholds for your organization based on these results to determine if you should push out a build or not:
"C:\Program Files\dotnet\dotnet.exe" "C:\Tools\Puma.Security.Parser\Puma.Security.Parser.dll" --file "%WORKSPACE%\build_warnings.log" --workspace "%WORKSPACE%" --output puma_warnings.log
What Other Options Are Out There?
If you are serious about security, then I cannot recommend visiting the Open Web Application Security Project (OWASP) site enough. OWASP is a non-profit organization with a focus on improving software security and their site features a wealth of knowledge and best practices for securing your applications.
If you enjoyed trying out the Rosyln Security Guard and Puma Scan tools, then you might try checking out the following resources from OWASP regarding static and source code analysis tools: