Guarding the code with Package Security Alerts and Roslyn Security Guard
With security, we need all the help we can get. Today we've got two Visual Studio extensions that should be in your security toolbox...
First, we have the one and only Mads Kristensen with a great extension that will help you find dependent npm/bower packages that have known security issues.
Identifies npm and Bower packages that contain known security vulnerabilities, to ensure your project is always using the most secure package versions.
Makes sure the npm and Bower packages you use don't contain any known security vulnerabilities.
See the change log for changes and road map.
- Shows warnings for packages known to have security issues
- Works with both Bower and npm
- Integrates with JSON editor
- Based on retire.js
Security risk levels
There are 3 types of security risk levels:
When you open package.json or bower.json, icons representing the security risk are shown next to the packages.
Next we have a cool usage of the power behind Roslyn, using it to help you identify possible security issues in your code...
Security Guard is a set of Roslyn analyzers that aim to help with security audits of .NET applications.
19 bug patterns
It can detect 19 vulnerability patterns with 38 different signatures.
Integration
The Roslyn analyzers can be run from Visual Studio.
Continuous integration
It can be integrated into any continuous integration system that supports MSBuild.
Open for contributions
The project is open source and open for contributions.
Visual Studio integration
Scan your application for potential vulnerabilities directly from your IDE.
Here's a peek at a few of the .NET Security Rules...
The password configuration for this API appears to be hardcoded. It is suggested to externalize configuration such as passwords to avoid leakage of secret information.
Potential SQL injection
The dynamic value passed in the SQL query should be validated.
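The two findings above, the hardcoded secret and the concatenated SQL, are easiest to recognise side by side with the form the analyzer is steering you toward. This is an added example written for this post, not code from the Security Guard project; it targets .NET with `System.Data.SqlClient` (or the newer `Microsoft.Data.SqlClient`), and the environment variable name, table and column names are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;   // Microsoft.Data.SqlClient exposes the same types on newer .NET

// Patterns the analyzer reports. Kept here only to show what a finding looks like.
public static class Flagged
{
    // "Hardcoded password": the secret is compiled into every build and every clone
    // of the repository, and rotating it means shipping a new binary.
    public static string ConnectionString()
    {
        // constructed sample value
        return "Server=db.example.test;Database=app;User Id=app;Password=Hunter2!";
    }

    // "Potential SQL injection": user input becomes part of the statement text,
    // so a quote character in userName changes the query itself.
    public static SqlCommand FindUser(SqlConnection conn, string userName)
    {
        string sql = "SELECT Id, Name FROM Users WHERE Name = '" + userName + "'";
        return new SqlCommand(sql, conn);
    }
}

// The shape that clears both findings.
public static class Hardened
{
    // Secret read from the environment (or a secrets store / key vault) at runtime.
    // APP_DB_CONNECTION is an assumed variable name for this example.
    public static string ConnectionString()
    {
        string cs = Environment.GetEnvironmentVariable("APP_DB_CONNECTION");
        if (string.IsNullOrEmpty(cs))
            throw new InvalidOperationException("APP_DB_CONNECTION is not configured");
        return cs;
    }

    // Parameterised query: the value travels as a typed parameter and is never parsed
    // as SQL, whatever characters it contains. The length limit also bounds the input.
    public static SqlCommand FindUser(SqlConnection conn, string userName)
    {
        var cmd = new SqlCommand("SELECT Id, Name FROM Users WHERE Name = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = userName;
        return cmd;
    }
}
```

The analyzer matches the string concatenation feeding `SqlCommand`, not the intent behind it, so input that is "validated" but still concatenated will keep tripping the rule; parameters are the fix it expects.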
Weak cipher mode
The ciphertext produced is susceptible to alteration by an adversary. This means that the cipher provides no way to detect that the data has been tampered with. If the ciphertext can be controlled by an attacker, it could be altered without detection. The use of AES in CBC mode with an HMAC is recommended, guaranteeing both integrity and confidentiality.
ECB mode is weak
ECB mode will produce the same result for identical blocks (i.e. 16-byte blocks for AES). An attacker may be able to infer the encrypted message from repeated ciphertext blocks. The use of AES in CBC mode with an HMAC is recommended, guaranteeing both integrity and confidentiality.
CBC mode is weak
This specific mode of CBC with PKCS5Padding is susceptible to padding oracle attacks. An adversary could potentially decrypt the message if the system reveals whether a decrypted message has valid or invalid padding.
Weak cipher algorithm
DES is not considered a strong cipher for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES.
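The four cipher rules above (weak cipher mode, ECB, unauthenticated CBC, DES) all point at the same remedy, AES-CBC with an HMAC, so one worked example covers them. This is added code for this post, not the project's own; it assumes .NET 6 or later (`RandomNumberGenerator.GetBytes`, `using var`, array ranges). The `Flagged` class shows the patterns the analyzer reports; `AuthenticatedCbc` is the encrypt-then-MAC construction the rules recommend, with the tag checked in constant time before any decryption so a tampered message never reaches the padding check. Note that .NET calls PKCS#5-style padding `PaddingMode.PKCS7`.

```csharp
using System;
using System.Security.Cryptography;

// Patterns the analyzer reports. Kept only to show what the findings look like.
public static class Flagged
{
    // "ECB mode is weak": identical plaintext blocks give identical ciphertext blocks.
    public static byte[] AesEcb(byte[] key, byte[] data)
    {
        using var aes = Aes.Create();
        aes.Key = key;
        aes.Mode = CipherMode.ECB;
        aes.Padding = PaddingMode.PKCS7;
        using var enc = aes.CreateEncryptor();
        return enc.TransformFinalBlock(data, 0, data.Length);
    }

    // "Weak cipher algorithm": DES has a 56-bit key and a 64-bit block.
    public static byte[] Des(byte[] key8, byte[] iv8, byte[] data)
    {
        using var des = DES.Create();
        using var enc = des.CreateEncryptor(key8, iv8);
        return enc.TransformFinalBlock(data, 0, data.Length);
    }
}

// Recommended form: AES-CBC, then HMAC-SHA256 over IV || ciphertext (encrypt-then-MAC).
// Message layout: IV (16 bytes) || ciphertext || tag (32 bytes).
public static class AuthenticatedCbc
{
    const int IvLen = 16, TagLen = 32;

    public static byte[] Encrypt(byte[] encKey, byte[] macKey, byte[] plaintext)
    {
        using var aes = Aes.Create();
        aes.Key = encKey;
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.GenerateIV();                        // fresh random IV for every message

        using var enc = aes.CreateEncryptor();
        byte[] ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

        var msg = new byte[IvLen + ct.Length + TagLen];
        Buffer.BlockCopy(aes.IV, 0, msg, 0, IvLen);
        Buffer.BlockCopy(ct, 0, msg, IvLen, ct.Length);

        using var hmac = new HMACSHA256(macKey);  // separate key from the cipher key
        byte[] tag = hmac.ComputeHash(msg, 0, IvLen + ct.Length);
        Buffer.BlockCopy(tag, 0, msg, IvLen + ct.Length, TagLen);
        return msg;
    }

    public static byte[] Decrypt(byte[] encKey, byte[] macKey, byte[] msg)
    {
        if (msg.Length < IvLen + TagLen) throw new CryptographicException("message too short");
        int bodyLen = msg.Length - TagLen;

        // Verify the tag in constant time BEFORE any CBC work. Tampered input is rejected
        // here, so the padding check never runs on attacker-chosen bytes: no padding oracle.
        using var hmac = new HMACSHA256(macKey);
        byte[] expected = hmac.ComputeHash(msg, 0, bodyLen);
        if (!CryptographicOperations.FixedTimeEquals(expected, new ReadOnlySpan<byte>(msg, bodyLen, TagLen)))
            throw new CryptographicException("authentication failed");

        using var aes = Aes.Create();
        aes.Key = encKey;
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.IV = msg[..IvLen];
        using var dec = aes.CreateDecryptor();
        return dec.TransformFinalBlock(msg, IvLen, bodyLen - IvLen);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample keys; real keys come from a key store, never from source.
        byte[] encKey = RandomNumberGenerator.GetBytes(32);
        byte[] macKey = RandomNumberGenerator.GetBytes(32);

        // ECB leak: two identical 16-byte blocks produce two identical ciphertext blocks.
        var twoBlocks = new byte[32];
        Array.Fill(twoBlocks, (byte)'A');
        byte[] ecb = Flagged.AesEcb(encKey, twoBlocks);
        Console.WriteLine("ECB block0 == block1: " + ecb.AsSpan(0, 16).SequenceEqual(ecb.AsSpan(16, 16)));

        // Authenticated CBC: round trip works, and a single flipped bit is rejected.
        byte[] msg = AuthenticatedCbc.Encrypt(encKey, macKey, twoBlocks);
        Console.WriteLine("round trip ok: " + AuthenticatedCbc.Decrypt(encKey, macKey, msg).AsSpan().SequenceEqual(twoBlocks));
        msg[IvLen + 3] ^= 0x01;
        try { AuthenticatedCbc.Decrypt(encKey, macKey, msg); }
        catch (CryptographicException e) { Console.WriteLine("tampered message rejected: " + e.Message); }
    }

    const int IvLen = 16;
}
```

Two details matter for the analyzer's "CBC mode is weak" finding: the HMAC key must be distinct from the AES key, and the tag comparison must happen before `CreateDecryptor` is ever called, otherwise the padding exception reintroduces the oracle the rule warns about. On platforms that offer it, `AesGcm` gives the same integrity and confidentiality in one primitive.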
Certificate Validation has been disabled
Certificate Validation has been disabled. The communication could be intercepted.
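The "disabled validation" finding usually looks like a callback that returns `true` for any certificate, often added to get past a self-signed test server. This added example (not the project's code) shows that pattern next to two safe alternatives: leaving platform validation alone, or pinning the expected leaf certificate on top of it. It assumes .NET Core 2.1 or later for `GetCertHashString(HashAlgorithmName)`, and the environment variable name is an assumption.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class TlsValidation
{
    // Flagged: every certificate is accepted process-wide, so any on-path party holding
    // a self-signed certificate can terminate the TLS session and read the traffic.
    public static void DisableValidationGlobally()
    {
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, cert, chain, errors) => true;
    }

    // Hardened: no callback at all means the platform validates the chain, name and expiry.
    // If a SHA-256 thumbprint is supplied, the callback pins the leaf certificate on top of
    // that validation; it never overrides chain errors.
    public static HttpClientHandler CreateHandler(string expectedSha256Thumbprint = null)
    {
        var handler = new HttpClientHandler();
        if (string.IsNullOrEmpty(expectedSha256Thumbprint))
            return handler;

        handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
        {
            if (errors != SslPolicyErrors.None || cert == null)
                return false;                                   // keep the platform verdict
            string actual = cert.GetCertHashString(HashAlgorithmName.SHA256);
            return string.Equals(actual, expectedSha256Thumbprint, StringComparison.OrdinalIgnoreCase);
        };
        return handler;
    }

    // Pin value read from configuration at runtime. APP_API_CERT_SHA256 is an assumed name;
    // the thumbprint itself is a deployment value, not something to commit to source.
    public static HttpClient CreateClient()
    {
        string pin = Environment.GetEnvironmentVariable("APP_API_CERT_SHA256");
        return new HttpClient(CreateHandler(pin));
    }
}
```

For a test environment the right fix is to trust the test CA on the machine (or in the container image) rather than to weaken the callback; pinning adds a rotation step to every certificate renewal, so it is worth the operational cost only for a small set of high-value endpoints.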
... [See the rest]
Both are free and both are open source!