AppSec USA 2016 has ended
Thursday, October 13 • 9:30am - 10:30am
Continuous Integration: Live Static Analysis using Visual Studio & the Roslyn API

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

For over 10 years, Visual Studio has provided basic source code analysis through FxCop and StyleCop. While these code analyzers focus mainly on design conformance, code consistency, and best practices, there is very little support for enforcing secure coding techniques. To address this gap, Microsoft started a project back in 2011 called CAT.NET to help identify secure coding bugs such as XSS, SQL Injection, and XPath Injection. Unfortunately, CAT.NET failed and never made it past the first version. Aside from purchasing expensive commercial static analysis tools, .NET development teams have been left without an easy way to integrate secure code scanning rules into Visual Studio. At least until now...

With the release of Visual Studio 2015, the open-source .NET Compiler Platform (aka “Roslyn”) exposes a set of code analysis APIs capable of querying the source code, identifying a security issue, and reporting it as code is written! In this talk, we will explore the code analysis APIs and show you how to create a live static analysis rule. Come prepared to see demonstrations of Visual Studio static analysis rules in action, and walk away with a static analysis rule pack to run against your organization’s .NET applications.

avatar for Eric Johnson

Eric Johnson

Senior Security Consultant, Cypress Data Defense, LLC
Eric Johnson is a Senior Security Consultant at Cypress Data Defense and the Application Security Curriculum Product Manager at SANS. Eric is a Certified SANS Instructor and is a course author for DEV544: Secure Coding in .NET, DEV531: Mobile App Security Essentials, and several... Read More →

Thursday October 13, 2016 9:30am - 10:30am EDT
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001