Microsoft .NET tools Best Practices
Microsoft cuenta con unas series de herramientas muy útiles para analizar las aplicaciones hechas en .NET. Aquí os dejo para que los que les interesen hagan el mejor uso de ellas.
Best Practice Analyzer for ASP.NET
The Best Practice Analyzer ASP.NET (alpha release) is a tool that scans the configuration of an ASP.NET 2.0 application. The tool can scan against three mainline scenarios (hosted environment, production environment, or development environment) and identify problematic configuration settings in the machine.config or web.config files associated with your ASP.NET application. This is an alpha release intended to gain feedback on the tool and the configuration rules included with it.
Microsoft Code Analysis Tool .NET (CAT.NET) v1 CTP – 32 bit
CAT.NET is a snap-in to the Visual Studio IDE that helps you identify security flaws within a managed code (C#, Visual Basic .NET, J#) application you are developing. It does so by scanning the binary and/or assembly of the application, and tracing the data flow among its statements, methods, and assemblies. This includes indirect data types such as property assignments and instance tainting operations. The engine works by reading the target assembly and all reference assemblies used in the application — module-by-module — and then analyzing all of the methods contained within each. It finally displays the issues its finds in a list that you can use to jump directly to the places in your application’s source code where those issues were found. The following rules are currently support by this version of the tool. – Cross Site Scripting – SQL Injection – Process Command Injection – File Canonicalization – Exception Information – LDAP Injection – XPATH Injection – Redirection to User Controlled Site
Microsoft Anti-Cross Site Scripting Library V3.0 Beta
The Microsoft Anti-Cross Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. New features in this version of the Microsoft Anti-Cross Site Scripting Library include: – An expanded white list that supports more languages – Performance improvements – Performance data sheets (in the online help) – Support for Shift_JIS encoding for mobile browsers – A sample application – Security Runtime Engine (SRE) HTTP module
Microsoft FxCop 1.36
FxCop is a code analysis tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines. It uses MSIL parsing, and callgraph analysis to inspect assemblies for more than 200 defects in the following areas:
Interoperability and portability
FxCop includes both GUI and command line versions of the tool and supports analyzing .NET 1.x, .NET 2.0 and .NET 3.x components.
This version provides support for .NET 3.5 SP1.
ASP.NET MVC 1.0
ASP.NET MVC 1.0 provides a new Model-View-Controller (MVC) framework on top of the existing ASP.NET 3.5 runtime. This means that developers can take advantage of the MVC design patterns to create their Web Applications which includes the ability to achieve and maintain a clear separation of concerns (the UI or view from the business and application logic and backend data), as well as facilitate test driven development (TDD). The ASP.NET MVC framework defines a specific pattern to the Web Application folder structure and provides a controller base-class to handle and process requests for “actions”. Developers can take advantage of the specific Visual Studio 2008 MVC templates within this release to create their Web applications, which includes the ability to select a specific Unit Test structure to accompany their Web Application development.
The MVC framework is fully extensible at all points, allowing developers to create sophisticated structures that meet their needs, including for example Dependency Injection (DI) techniques, new view rendering engines or specialized controllers.
As the ASP.NET MVC framework is built on ASP.NET 3.5, developers can take advantage of many existing ASP.NET 3.5 features, such as localization, authorization, Profile etc.n
Microsoft Source Code Analyzer for SQL Injection
In response to the recent mass SQL injection attacks, Microsoft has developed a new static code analysis tool for finding SQL Injection vulnerabilities in ASP code. Web developers can run the tool on their ASP source code to identify the root cause of the attack and address them to reduce their exposure to future attacks. The tool will scan ASP source code and generate warnings related to first order and second order SQL Injection vulnerabilities. The tool also provides annotation support that can be used to improve the analysis of the code.
Improving Web Application Security: Threats and Countermeasures
This download contains guidelines for architecting, designing, building, reviewing, and configuring secure to build hack resilient ASP.NET Web applications across the application tiers, technology, and servers. Topics include Threats and Countermeasures; Threat Modeling; security review for architecture, design, code and deployment; Hosting web applications; CAS; securing web, application and database servers; ASP.NET, Enterprise Services (COM+), Web Services, Remoting, and data access (including ADO.NET and SQL Server).
Aún no hay comentarios.