Guarding the code with Package Security Alerts and Roslyn Security Guard

Description

With security, we need all the help we can get. Today we've got two Visual Studio extensions that should be in your security toolbox...

First, we have the one and only Mads Kristensen with a great extension that will help you find dependent npm/bower packages that have known security issues.

Package Security Alerts

Identifies npm and Bower packages that contain known security vulnerabilities, to ensure your project is always using the most secure package versions.

Makes sure the npm and Bower packages used don't contain any known security vulnerabilities.

See the change log for changes and road map.

Features

  • Shows warnings for packages known to have security issues
  • Works with both Bower and npm
  • Integrates with JSON editor
  • Based on retire.js

Security risk levels

There are 3 types of security risk levels:

  1. Low
  2. Medium
  3. High

When you open package.json or bower.json, icons representing the security risk are shown next to the packages.


... [Click through to download it and to get the source]

Next we have a cool usage of the power behind Roslyn, using it to help you identify possible security issues in your code...

.NET Security Guard

Security Guard is a set of Roslyn analyzers that aim to help with security audits of .NET applications.

Features

19 bug patterns

It can detect 19 vulnerability patterns with 38 different signatures.

Integration

The Roslyn analyzers can be run from Visual Studio.

Continuous integration

It can be integrated into any continuous integration system that supports MSBuild.

Open for contributions

The project is open-source and is open for contributions.

Visual Studio integration

Scan your application for potential vulnerabilities directly from your IDE.


...

Here's a peek at a few of the .NET Security Rules...

Rules

Hardcoded password

The password configuration passed to this API appears to be hardcoded. It is suggested to externalize configuration such as passwords to avoid leaking secret information.

Potential SQL injection

The dynamic value passed in the SQL query should be validated.
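As an added illustration of the pattern this rule describes (example code written for this post, not part of Security Guard), here is a query built by string concatenation next to the same query written with a typed parameter. The table and column names are made up, and the SqlConnection is assumed to be already open; parameterization is the standard way to satisfy the rule, because the untrusted value is then carried as data and never parsed as SQL.

```csharp
using System.Data;
using System.Data.SqlClient;

public static class UserRepository
{
    // Pattern the rule flags: the untrusted value becomes part of the query text,
    // so its content can change the structure of the statement being executed.
    public static int CountByNameUnsafe(SqlConnection conn, string username)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE Name = '" + username + "'";
        using (var cmd = new SqlCommand(sql, conn))
        {
            return (int)cmd.ExecuteScalar();
        }
    }

    // Hardened form: the query text is a constant and the value travels as a
    // typed, length-bounded parameter, so it can only ever be compared as data.
    public static int CountByName(SqlConnection conn, string username)
    {
        const string sql = "SELECT COUNT(*) FROM Users WHERE Name = @name";
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Assumed schema: Name is NVARCHAR(100); bounding the length also
            // prevents silently truncated or oversized input reaching the server.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = username;
            return (int)cmd.ExecuteScalar();
        }
    }
}
```

Because the hardened method's query string is a compile-time constant, a reviewer (or an analyzer) can see at a glance that nothing dynamic reaches the SQL text; the parameter object, not string formatting, is the only path for user input.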

Weak cipher mode

The ciphertext produced is susceptible to alteration by an adversary. This means that the cipher provides no way to detect that the data has been tampered with. If the ciphertext can be controlled by an attacker, it could be altered without detection. The use of AES in CBC mode with an HMAC is recommended, guaranteeing both integrity and confidentiality.

ECB mode is weak

ECB mode will produce the same output for identical plaintext blocks (i.e. 16-byte blocks for AES). An attacker may be able to infer the encrypted message from these repeated patterns. The use of AES in CBC mode with an HMAC is recommended, guaranteeing both integrity and confidentiality.

CBC mode is weak

This specific combination of CBC with PKCS5 padding is susceptible to padding oracle attacks. An adversary could potentially decrypt the message if the system exposes whether the decrypted plaintext had valid or invalid padding.

Weak cipher algorithm

DES is not considered a strong cipher for modern applications. NIST currently recommends the use of AES block ciphers instead of DES.
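The four cipher rules above (weak cipher mode, ECB, CBC padding oracle, and DES) all point at the same remedy: AES in CBC mode with an HMAC. The following is an added example of that construction, written for this post rather than taken from the Security Guard project. It uses encrypt-then-MAC: the tag covers the IV and the ciphertext, and decryption verifies the tag before any unpadding happens, so a padding error can never be observed by a caller who has not already produced a valid tag. The key sizes, the output layout, and the sample plaintext are this example's own choices.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class AuthenticatedAes
{
    // Output layout chosen for this example: IV (16 bytes) || ciphertext || HMAC-SHA256 tag (32 bytes).
    private const int IvSize = 16;
    private const int TagSize = 32;

    public static byte[] Encrypt(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.Mode = CipherMode.CBC;        // never ECB
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();                 // fresh random IV for every message

            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
            {
                cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            }

            // Authenticate IV and ciphertext together so neither can be altered undetected.
            byte[] ivAndCipher = new byte[IvSize + cipher.Length];
            Buffer.BlockCopy(aes.IV, 0, ivAndCipher, 0, IvSize);
            Buffer.BlockCopy(cipher, 0, ivAndCipher, IvSize, cipher.Length);

            byte[] tag;
            using (var hmac = new HMACSHA256(macKey))
            {
                tag = hmac.ComputeHash(ivAndCipher);
            }

            byte[] output = new byte[ivAndCipher.Length + TagSize];
            Buffer.BlockCopy(ivAndCipher, 0, output, 0, ivAndCipher.Length);
            Buffer.BlockCopy(tag, 0, output, ivAndCipher.Length, TagSize);
            return output;
        }
    }

    public static byte[] Decrypt(byte[] message, byte[] encKey, byte[] macKey)
    {
        if (message.Length < IvSize + TagSize)
            throw new CryptographicException("Message too short.");

        int bodyLen = message.Length - TagSize;
        byte[] expectedTag;
        using (var hmac = new HMACSHA256(macKey))
        {
            expectedTag = hmac.ComputeHash(message, 0, bodyLen);
        }

        // Constant-time comparison: no early exit, so timing does not reveal how many tag bytes matched.
        int diff = 0;
        for (int i = 0; i < TagSize; i++)
            diff |= expectedTag[i] ^ message[bodyLen + i];
        if (diff != 0)
            throw new CryptographicException("Authentication failed."); // same error before any unpadding

        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            byte[] iv = new byte[IvSize];
            Buffer.BlockCopy(message, 0, iv, 0, IvSize);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
            {
                // Only authenticated data reaches the unpadding step.
                return dec.TransformFinalBlock(message, IvSize, bodyLen - IvSize);
            }
        }
    }

    public static void Main()
    {
        // Two independent keys: one for AES-256, one for the HMAC (constructed for this run).
        byte[] encKey = new byte[32], macKey = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(encKey);
            rng.GetBytes(macKey);
        }

        byte[] blob = Encrypt(Encoding.UTF8.GetBytes("constructed sample message"), encKey, macKey);
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(blob, encKey, macKey)));

        blob[IvSize] ^= 0x01; // flip one ciphertext bit: the tag check now fails before decryption
        try { Decrypt(blob, encKey, macKey); }
        catch (CryptographicException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

Two design points worth noting. The HMAC is verified over the exact bytes that will be decrypted, and the same exception is thrown for a bad tag regardless of where the mismatch is, which is what removes the padding oracle. Separate keys are used for encryption and authentication; deriving both from a single master secret with a KDF is fine, reusing one key for both roles is not.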

Certificate Validation has been disabled

Certificate Validation has been disabled. The communication could be intercepted.
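As an added example for this rule (written for this post, not taken from Security Guard), here is the callback shape that disables validation next to one that preserves it. The logging destination is an assumption; what matters is that the callback's return value stays tied to the SslPolicyErrors the platform computed, rather than being a constant true.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class TlsPolicy
{
    // Pattern the rule flags: every certificate is accepted, so any party holding
    // any certificate can terminate the connection and read or modify the traffic.
    public static void DisableValidation()
    {
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, cert, chain, errors) => true;
    }

    // Hardened form: the platform's chain, name and revocation checks decide the
    // outcome; the callback only adds diagnostics for failures.
    public static bool ValidateServerCertificate(object sender, X509Certificate cert,
        X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        // Assumed logging sink; record why the certificate was rejected, then reject it.
        Console.Error.WriteLine("TLS certificate rejected (" + errors + ") for " + cert.Subject);
        return false;
    }

    // Same policy applied per-client on HttpClientHandler (available on .NET Core
    // and .NET Framework 4.7.1+), which avoids mutating process-wide state.
    public static HttpClient CreateClient()
    {
        var handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback =
            (request, cert, chain, errors) => ValidateServerCertificate(request, cert, chain, errors);
        return new HttpClient(handler);
    }
}
```

Leaving the callback unset gives the same result as ValidateServerCertificate with no logging, which is the right default; install a callback only when you need the diagnostics, and never let it return true for a non-empty SslPolicyErrors.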

... [See the rest]

Both are free and both are open source!
