FxCop addresses security vulnerabilities?
Saturday, August 13, 2005 11:34 PM
I'm new to FxCop. Does FxCop address the following list of vulnerabilities?
- Buffer Overflow Detection
- Access Control Analysis
- Format String Issues Detection
- Dangerous Function/Method Calls Detection
- Thread Safety Race Conditions Detection
- Encryption and RNG Misuse Detection
- Input Validation Analysis
- Cross Site Scripting Detection
- SQL Injection Detection
- Command Injection Detection
- Inter-Process Race Conditions Detection
- Logging Practices Analysis
- Enforcement of Best Practices for Secure Coding
- Web Services Review Capability
- Data Flow Analysis Capability
- Control Flow Analysis Capability
- Semantic Analysis Capability
All Replies
Monday, August 15, 2005 2:58 AM
FxCop has (limited) format string issue detection, mostly in the area of correctness (i.e., it detects string format patterns that will raise a runtime exception). FxCop does check for some usage of problematic API (but not all known problematic managed methods; we don't flag Assembly.LoadFrom usage, for example). FxCop's security rules capture some best practices for secure managed binaries. FxCop has control and data flow analysis capability (analysis is restricted to a method body). FxCop provides a type-system view of assemblies and multiple abstractions for IL, but does not provide a source-level semantic analysis.
Hope this is useful,
Michael Fanning
VSTS Development: Code Analysis
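To make the two concrete points in the reply above tangible, here is a small C# console program added as an example (it is not code from the thread, from FxCop, or from Microsoft). It shows a String.Format call whose placeholder count does not match its argument list, which throws FormatException at run time and is the kind of pattern the reply says FxCop reports statically, beside a corrected call; and it shows Assembly.LoadFrom on a caller-controlled path, which the reply says FxCop does not flag, beside a hand-hardened variant that constrains the load to a trusted directory. The method names and the trusted-directory convention are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Reflection;

// Added example, not from the original forum thread.
// Illustrates what FxCop's format-string correctness check does and does not
// cover, per the reply: it catches (1) but says nothing about (2).
static class FxCopExamples
{
    // (1) Placeholder {1} has no matching argument. String.Format throws
    //     FormatException at run time; this mismatch is detectable statically.
    public static string BadFormat(string user)
    {
        return string.Format("User {0} logged in from {1}", user);
    }

    // Corrected: every placeholder has a corresponding argument.
    public static string GoodFormat(string user, string host)
    {
        return string.Format("User {0} logged in from {1}", user, host);
    }

    // (2) Loads whatever assembly path the caller supplies. The reply says
    //     FxCop does not flag Assembly.LoadFrom, so nothing warns that
    //     'pluginPath' may be attacker-controlled; this needs manual review.
    public static Assembly LoadPluginUnchecked(string pluginPath)
    {
        return Assembly.LoadFrom(pluginPath);
    }

    // Hand-hardened variant (assumed design, not an FxCop feature): only a
    // file directly inside a fixed trusted directory may be loaded.
    public static Assembly LoadPluginConstrained(string trustedDir, string fileName)
    {
        string root = Path.GetFullPath(trustedDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        string full = Path.GetFullPath(Path.Combine(root, fileName));

        // Reject traversal ("..\evil.dll"), subdirectories and absolute paths.
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase) ||
            Path.GetFileName(full) != fileName)
        {
            throw new ArgumentException(
                "plugin must be a file directly inside the trusted directory");
        }
        return Assembly.LoadFrom(full);
    }

    static void Main()
    {
        Console.WriteLine(GoodFormat("alice", "10.0.0.5"));
        try
        {
            Console.WriteLine(BadFormat("alice"));
        }
        catch (FormatException e)
        {
            // Reached at run time; FxCop would have reported this before shipping.
            Console.WriteLine("BadFormat threw: " + e.Message);
        }
    }
}
```

Running the program prints the well-formed line, then the FormatException message from BadFormat. The point for a reviewer is the asymmetry: the formatting defect is a correctness bug that the tool finds from IL alone, while the LoadFrom call is a security question about where the path comes from, which (per the reply) FxCop leaves to the human.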
Sunday, August 21, 2005 3:40 PM
Thank you. I really appreciate you taking the time to respond to my questions. I'll download this tool and try it out.

