How to validate C# code against OWASP recommendations

Cyber security

How to analyse your code for OWASP vulnerabilities?

Last year, a friend of mine asked how he could make sure that his team follows the OWASP recommendations. Is there a way to find vulnerabilities in the code before it goes to production? Before I talk about how to achieve this, let's look at OWASP, its recommendations and why they matter.

OWASP (Open Web Application Security Project) is an online community that produces methodologies, documentation, tools and technologies for web application security.

With cyber-attacks rising every day, it is paramount to ensure your application is secure and that your development team follows security best practices when it writes code. The OWASP guides and recommendations are a good starting point for delivering secure code. You can read more about the OWASP Top 10 security risks here in detail.

Now let's install and set up Security Code Scan in Visual Studio. Security Code Scan is a Roslyn-based static analyser for .NET and .NET Core projects: installed as a Visual Studio extension it reports findings in the editor as you type, and it can also run as part of the build when added to a project as a NuGet package.

Installation and setup

In Visual Studio, open Tools > Extensions and Updates and select "Online" in the left pane.

Visual Studio 2017

Now search for SecurityCodeScan and install "Security Code Scan (for VS2017 and newer)".

Visual Studio's full solution analysis feature runs the analysers over the whole solution rather than only the files you have open. It is disabled by default because it slightly lowers Visual Studio performance. To enable it, open Tools > Options, then select Text Editor > C# > Advanced and tick "Enable full solution analysis".

We are all set to analyse our code statically while developing. Open a solution and open the "Error List" tab at the bottom of Visual Studio. The full set of findings takes a few seconds to appear, as the analyser needs time to process the whole solution, as shown in the image below.

How to analyse aspx and config files

By default the analyser only sees C# source files. To have it analyse .aspx and .config files as well, add the line below, inside a PropertyGroup, to every project file (.csproj) in the solution.

<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <TargetFrameworkProfile />
    <!-- Add the line below: it passes Content items (.aspx, .config, ...) to the analyser as additional files -->
    <AdditionalFileItemNames>$(AdditionalFileItemNames);Content</AdditionalFileItemNames>
  </PropertyGroup>
  <!-- rest of the project file unchanged -->
</Project>
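Once Content items reach the analyser, insecure settings in web.config show up in the Error List alongside the C# findings. The fragment below is an added example, not part of the original post or of the Security Code Scan project: only the system.web section is shown, and it pairs two settings the analyser reports with the corrected values.

```xml
<!-- Added example (not from the original post): one system.web section with the
     weak settings, followed by the same section with the values that are accepted. -->
<configuration>
  <system.web>
    <!-- Reported: ASP.NET request validation switched off for every page,
         so script in query strings and form fields is no longer rejected. -->
    <pages validateRequest="false" />
    <!-- Reported: cookies readable by client-side script and sent over plain HTTP. -->
    <httpCookies httpOnlyCookies="false" requireSSL="false" />
  </system.web>
</configuration>

<!-- Corrected: keep request validation on and mark cookies HttpOnly and Secure. -->
<configuration>
  <system.web>
    <pages validateRequest="true" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

The second fragment is what you would commit; requireSSL="true" assumes the site is served only over HTTPS, otherwise cookies set on an HTTP response are silently dropped by the browser.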

Limitations

Security Code Scan analyses the code and provides a list of issues, but it doesn't tell you how to rewrite the code to fix the vulnerabilities it reports.
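To make that limitation concrete, here is an added example (not code from the original post or from the Security Code Scan project) of two patterns the analyser reports, each followed by the form it accepts. The Users table, its Name column and the connection string are placeholders; the Rfc2898DeriveBytes overload that takes a HashAlgorithmName assumes .NET Framework 4.7.2 or .NET Core 2.0 or later.

```csharp
// Added example, not from the original post: methods ending in "Unsafe" are the
// patterns Security Code Scan reports (SQL injection, weak hashing); the methods
// without the suffix are the accepted replacements. Table and column names are placeholders.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

public class UserRepository
{
    private readonly string _connectionString;

    public UserRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // Reported as SQL injection: user input is concatenated into the SQL text, so a
    // name such as  ' OR 1=1 --  rewrites the query (OWASP Top 10: Injection).
    public int CountByNameUnsafe(string name)
    {
        using (var connection = new SqlConnection(_connectionString))
        using (var command = new SqlCommand(
            "SELECT COUNT(*) FROM Users WHERE Name = '" + name + "'", connection))
        {
            connection.Open();
            return (int)command.ExecuteScalar();
        }
    }

    // Accepted: the SQL text is constant and the value travels as a typed parameter,
    // so the database never interprets it as SQL.
    public int CountByName(string name)
    {
        using (var connection = new SqlConnection(_connectionString))
        using (var command = new SqlCommand(
            "SELECT COUNT(*) FROM Users WHERE Name = @name", connection))
        {
            command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            connection.Open();
            return (int)command.ExecuteScalar();
        }
    }

    // Reported as weak hashing: MD5 is broken, and an unsalted fast hash lets an
    // attacker who steals the table crack passwords with precomputed tables.
    public static string HashPasswordUnsafe(string password)
    {
        using (var md5 = MD5.Create())
        {
            return Convert.ToBase64String(md5.ComputeHash(Encoding.UTF8.GetBytes(password)));
        }
    }

    // Accepted: PBKDF2 with a random per-user salt and a high iteration count.
    // The stored value is "salt:hash" so VerifyPassword can recover the salt.
    private const int Iterations = 100000;

    public static string HashPassword(string password)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(Derive(password, salt));
    }

    public static bool VerifyPassword(string password, string stored)
    {
        var parts = stored.Split(':');
        if (parts.Length != 2) return false;
        var expected = Convert.FromBase64String(parts[1]);
        var actual = Derive(password, Convert.FromBase64String(parts[0]));
        // Constant-time comparison so timing does not leak how many bytes matched.
        int diff = expected.Length ^ actual.Length;
        for (int i = 0; i < Math.Min(expected.Length, actual.Length); i++)
        {
            diff |= expected[i] ^ actual[i];
        }
        return diff == 0;
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(32);
        }
    }
}
```

Drop this file into a solution with the extension installed and full solution analysis enabled: the two "Unsafe" methods should appear in the Error List, the replacements should not. Note that the analyser judges the shape of the call, not the data flowing through it, so a concatenated query built only from constants is still reported and is best rewritten the same way.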

In my next post, "Write secure C# code as per OWASP recommendations", I will explain how to rewrite code to fix the issues it reports.


7 thoughts on "How to validate C# code against OWASP recommendations"

  1. Thanks Anil for your help. I really appreciate your time. Please let me know if I can be of any help in future.

    Rahul

  2. Hi Anil

    Are you a security consultant? I am looking for director level role security consultants for my London based clients.
