This post has been republished via RSS; it originally appeared at: Channel 9.
Today's Visual Studio Extension is a Public Preview framework of VS plugins and analyzers that is meant to help you fall into the pit of secure code success.
One of the things I found unique is how the rules are created...
DevSkim is a framework of IDE plugins and Language analyzers that provide inline security analysis in the dev environment as the developer writes code. It is designed to work with multiple IDEs (VS, VS Code, Sublime Text, etc.), and has a flexible rule model that supports multiple programming languages. The idea is to give the developer notification as they are introducing a security vulnerability in order to fix the issue at the point of introduction, and to help build awareness for the developer.
DevSkim is currently in public preview. We're looking forward to working with the community to improve both the scanning engines and rules over the next few months, and welcome your feedback and contributions! You can find us at https://github.com/Microsoft/DevSkim
As a developer codes DevSkim will flag certain security issues and call attention to them with errors or warnings (depending on a very generalized estimation of the severity). Mousing over the issue will show a description of the problem and how to address it, and a link to more information. For some issues, one or more safe alternatives are available in the lightbulb menu so that the issue can be fixed with a couple mouse clicks. For issues where the alternative has different parameters than the unsafe API that is called out, guidance for the parameters will be inserted in the form of <some guidance info> (example, when DevSkim turns gets() into fgets() it adds <size of firstparamname> to cue a user that they need to provide the size of the buffer).
Programming Language Support
And of course, it's open source, https://github.com/Microsoft/DevSkim