
Wednesday, December 15, 2010

Anyone doing ASP.NET development probably admits, openly or not, to introducing or stumbling upon a security issue at some point during their career. Developers are often pressured to deliver code as quickly as possible, and the complexity of the platform and vast number of configuration options often leave the application in a less than desirable security state. In addition, the configuration requirements for debugging and production are different, which can often introduce debugging settings in production, causing a variety of issues.

Over the years, the ASP.NET platform has matured and better documentation has been made available through MSDN and community blogs, but knowing which feature or configuration setting to use is often troublesome. Even with good knowledge of the security functionality, mistakes can happen that could result in security vulnerabilities in your application.

Peer code review is a useful process and a good way to catch issues early. Still, not everyone has the time or budget—or knowledgeable peers at hand—for such review.

Since the introduction of code analysis in Visual Studio 2005, developers have been able to automatically analyze their code to see if it complies with a series of best practices covering design, maintainability, performance and security. So far, code analysis has been a great tool, but it hasn't focused on providing best security practice guidance for ASP.NET—until now.

In this article I'll introduce you to the new ASP.NET code analysis rules that can be used with Visual Studio code analysis as well as with the standalone FxCop application to improve the security of your ASP.NET applications.

Overview

You can download the ASP.NET security code analysis rules package for Visual Studio 2010 and FxCop version 10.0 from go.microsoft.com/?linkid=9750555. The installation contains three new rules packages:

  • ASP.NET.Security: This category focuses on security best practices related to how System.Web.UI.Page properties are initialized.
  • ASP.NET.MVC.Security: This category focuses on security best practices related to how ASP.NET MVC is used.
  • ASP.NET.Security.Configuration: This category focuses on security best practices related to configuration elements under the web.config files.

Once the rules package is installed, you can start reviewing the security of your Web application automatically by clicking on the Run Code Analysis on Web Site button under the Build menu (see Figure 1). The analysis will review each Page class and web.config file of your application against a series of security best practices for ASP.NET.


Monday, December 13, 2010

Today we are announcing the release of GhostDoc v3.0, a new major release of the product. This version includes product usability and menu changes and adds many new features: menus, configuration rules and configuration options. It also features new error logging to improve troubleshooting of GhostDoc issues. The new version introduces GhostDoc Pro Edition, an enhanced version of the product that gives users complete control over their XML Comment content and layout and automates XML Comment generation via batch actions.

For an edition comparison, please see the GhostDoc product page - http://submain.com/ghostdoc/

New in v3.0:

  • (Pro Only) New Document Type feature - generates XML comments for the entire type/class
  • (Pro Only) New Document File feature - generates XML comments for the entire file
  • (Pro Only) Introduced T4 template based rules that replace rule macros of the Free version
  • Improved support for VS2010
  • New Load/Unload menu items allow you to disable GhostDoc temporarily without uninstalling it
  • New Help menu item
  • New option and menu item to Re-assign Shortcut
  • Added Rule for read-only property to turn off generation of the tag line
  • Added Rule for private constructor
  • Added support for new tags - <inheritdoc>, <author> and <remarks>
  • Added support for enums, delegates and fields
  • Added option to modify Configuration Folder path
  • Added option to Keep Single Line for long comments
  • Changed leading tabs to leading spaces for compatibility with other products
  • Changed "gets or sets" summary prefix to just "Gets" when setter is private
  • Fixed automatically implemented properties issue 

GhostDoc and GhostDoc Pro build 3.0.10340 are available for download right now at http://submain.com/download/ghostdoc/

Please note that the GhostDoc EULA was updated to reflect the introduction of GhostDoc Pro.
