Don't Skimp Code Security, Check Out DevSkim

Sign in to queue

Description

Today's Visual Studio Extension is a Public Preview framework of VS plugins and analyzers that is meant to help you fall into the pit of secure code success.

One of the things I found unique is how the rules are created...

Microsoft DevSkim

DevSkim is a framework of IDE plugins and Language analyzers that provide inline security analysis in the dev environment as the developer writes code. It is designed to work with multiple IDEs (VS, VS Code, Sublime Text, etc.), and has a flexible rule model that supports multiple programming languages. The idea is to give the developer notification as they are introducing a security vulnerability in order to fix the issue at the point of introduction, and to help build awareness for the developer.

PUBLIC PREVIEW
DevSkim is currently in public preview. We're looking forward to working with the community to improve both the scanning engines and rules over the next few months, and welcome your feedback and contributions! You can find us at https://github.com/Microsoft/DevSkim
Usage
As a developer codes DevSkim will flag certain security issues and call attention to them with errors or warnings (depending on a very generalized estimation of the severity).  Mousing over the issue will show a description of the problem and how to address it, and a link to more information.  For some issues, one or more safe alternatives are available in the lightbulb menu so that the issue can be fixed with a couple mouse clicks.  For issues where the alternative has different parameters than the unsafe API that is called out, guidance for the parameters will be inserted in the form of <some guidance info>  (example, when DevSkim turns gets() into fgets() it adds <size of firstparamname> to cue a user that they need to provide the size of the buffer).

DevSkim-VisualStudio-Demo-1

...

Programming Language Support
DevSkim takes an approach that is programming language agnostic.  At this stage, it primarily finds issues via regular expression, so rules can be written for just about any programming language.  Out of the box DevSkim can find dangerous crypto usage in most programming languages and has regular expressions for language specific issues for C/C++, Java, C#, JavaScript, PHP, and a number of other languages.  We are growing  our built in ruleset regularly, but we have also tried to make it very easy for people to write their own rules.  All it requires is a passable knowledge of regular expressions and json.  Details can be found on our Github wiki

... [Click through to download it]

Writing Rules

Rules in DevSkim are fairly simple, relative to other analysis engines. The detection logic is a regular expression (based on JavaScript/C# based RegEx syntax - there is a translation layer in the sublime plugin to translate capture groups and other discrepancies for its Python based engine), though long term there will also be support for JavaScript based lambdas for a bit more sophisticated detection logic. The overall rule is JSON, with the guidance, suggested fixes, etc. all present. Below is a sample rule, and following that is an explanation of each key/value pair. An ATOM based UI is in the works to make creating and editing rules a little more approachable, but once familiar with them it is fairly straight forward to simply add and edit the .json files directly.

image

...

And of course, it's open source, https://github.com/Microsoft/DevSkim 



The Discussion

Add Your 2 Cents