Tuesday, 19 June 2012

Real-Time C# Solution Compilation and Security Scanning (using Roslyn and Cat.NET)

In the Real time Vulnerability Scanning using Cat.Net and Roslyn (SAST) example, the compilation and scanning happened on a single file, which was cool but not very realistic.

The next step was to be able to compile and scan a VS Solution file (*.sln), like the one from the 'vulnerable by design' SuperSecureBank site.

In the video below, I use Roslyn's project loading and monitoring capabilities to trigger a compilation every time a file in the solution changes. If the compilation succeeds, a security scan (using Cat.NET) is triggered (both steps complete in a couple of seconds):

This is the type of environment we need to create, where the developer gets real-time (or as close to that as possible) feedback on any security vulnerabilities they create or fix.

At the moment, I'm quite happy with Roslyn's performance, since compilation happens in less than 1 sec and (as they claim) it does seem to reuse as many compilation objects as possible.

Cat.NET is probably not as optimised as it could be, since a full scan is done every time (ideally we should only scan the diffs). That said, it is still quite fast :)
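The watch-compile-scan loop described above, written out as an added example (this is not code from the post or from the O2 Platform). It uses the current Microsoft.CodeAnalysis API (MSBuildWorkspace, Solution.WithDocumentText, Compilation.Emit), which differs from the 2012 Roslyn CTP the post was written against, and it assumes the Microsoft.Build.Locator and Microsoft.CodeAnalysis.Workspaces.MSBuild packages. The `scan` callback is a placeholder standing in for the Cat.NET invocation, which the post does not show; the point is that the scanner only ever receives an assembly that actually compiled, and that each rebuild reuses the previous solution snapshot rather than reloading from disk.

```csharp
// Added example: watch a solution's .cs files, rebuild the touched project with
// Roslyn after each change, and hand the emitted assembly to a scanner callback
// only when the build succeeded. Names and the scanner hook are assumptions.
using System;
using System.Collections.Concurrent;
using System.IO;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Build.Locator;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.Emit;
using Microsoft.CodeAnalysis.MSBuild;
using Microsoft.CodeAnalysis.Text;

public sealed class SolutionWatcher : IDisposable
{
    private readonly Action<string, byte[]> _scan;      // placeholder for the Cat.NET call
    private readonly FileSystemWatcher _fsw;
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);
    private readonly ConcurrentDictionary<string, Timer> _debounce = new ConcurrentDictionary<string, Timer>();
    private Solution _solution;                          // current immutable in-memory snapshot

    private SolutionWatcher(Solution solution, string root, Action<string, byte[]> scan)
    {
        _solution = solution;
        _scan = scan;
        _fsw = new FileSystemWatcher(root, "*.cs") { IncludeSubdirectories = true };
        _fsw.Changed += (_, e) => Schedule(e.FullPath);
        _fsw.Created += (_, e) => Schedule(e.FullPath);
        _fsw.EnableRaisingEvents = true;
    }

    public static async Task<SolutionWatcher> OpenAsync(string slnPath, Action<string, byte[]> scan)
    {
        MSBuildLocator.RegisterDefaults();               // must run before MSBuildWorkspace is used
        var workspace = MSBuildWorkspace.Create();
        var solution = await workspace.OpenSolutionAsync(slnPath);
        return new SolutionWatcher(solution, Path.GetDirectoryName(slnPath)!, scan);
    }

    // Editors write files in bursts (temp file, rename, save); wait 300 ms of quiet first.
    private void Schedule(string path)
    {
        var timer = _debounce.GetOrAdd(path,
            p => new Timer(state => _ = OnChangedAsync((string)state!), p, Timeout.Infinite, Timeout.Infinite));
        timer.Change(300, Timeout.Infinite);
    }

    private async Task OnChangedAsync(string path)
    {
        await _gate.WaitAsync();                         // one rebuild at a time
        try
        {
            var ids = _solution.GetDocumentIdsWithFilePath(path);
            if (ids.IsEmpty) return;                     // not a file this solution knows about

            string source;
            try { source = File.ReadAllText(path); }
            catch (IOException) { return; }              // editor still holds the file; next event retries

            // Solutions are immutable: swapping one document's text yields a new snapshot
            // that shares every unchanged syntax tree and compilation with the old one.
            var text = SourceText.From(source);
            foreach (var id in ids)
                _solution = _solution.WithDocumentText(id, text);

            var project = _solution.GetProject(ids[0].ProjectId)!;
            var compilation = await project.GetCompilationAsync();
            if (compilation == null) return;

            using var ms = new MemoryStream();
            EmitResult result = compilation.Emit(ms);
            foreach (var d in result.Diagnostics)
                if (d.Severity == DiagnosticSeverity.Error) Console.WriteLine(d);
            if (!result.Success) return;                 // never scan an assembly that did not build

            _scan(project.AssemblyName, ms.ToArray());
        }
        finally { _gate.Release(); }
    }

    public void Dispose()
    {
        _fsw.Dispose();
        foreach (var t in _debounce.Values) t.Dispose();
    }
}

public static class Program
{
    public static async Task Main(string[] args)
    {
        // Usage: dotnet run -- path\to\Solution.sln
        using var watcher = await SolutionWatcher.OpenAsync(args[0],
            (name, bytes) => Console.WriteLine($"[scan] {name}: {bytes.Length} bytes ready for the scanner"));
        Console.WriteLine("Watching; press Ctrl+C to stop.");
        await Task.Delay(Timeout.Infinite);
    }
}
```

The debounce and the single-entry gate are what keep this usable in an IDE: without them every keystroke-triggered save would queue a full emit, and overlapping emits of the same project would race. Emitting to a MemoryStream rather than disk keeps the build output off the file system, so the watcher never sees its own artefacts as changes.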

1 comment:

Clerkendweller said...

After listening to Dinis' presentation on this topic at AppSec EU in Athens, I promised to provide some feedback. Here it is...

This makes an excellent job of integrating security tests within the developer's IDE and I was impressed how slick it was.

So now we know it works(!), I was wondering about how to make it as usable as possible. The existing interface implementation is good for a demo and beginners. Some previous demos (a while ago) were much more targeted at appsec experts (i.e. you). But most users would be in between - neither beginners nor experts. What would they find most useful and least intrusive? Desktop space is at a premium and maybe the info panel is unnecessary regardless of size. Could the warning panel be a toolbar indicator?

Normally it would be usual to develop some personas and scenarios, and think about how O2 might be used by the roles identified e.g. Fred the developer, Susan the Lead Developer, Enrique the ISO.

Other unordered thoughts:

1. What happens if you check out someone else's buggy code and type one character?
2. Would it be useful to let the user toggle when the compile/check takes place (on key up, on request, on commit, etc)?
3. Could/should developers be able to mark a result as "skip for later" while they put more code in elsewhere or believe a result is a false positive? Might need to keep track of disabled options " ignore this rule everywhere" (who can disable/skip).
4. Could the warnings be limited to the current module/function/etc. they are currently editing (toggle options?)
5. Could O2 create a log or broadcast results to some other collector/management device (e.g. ThreadFix)
6. What happens with many issues? How are they displayed?
7. Does this track CWEs for the faults?
8. Click to trace data flow (text flow/chart)
9. Show in ZAP (if there is a linked running instance) to help determine context
10. Tips as they type? "I see you are about to create an XSS flaw, might I suggest you use the EncodeForHyperlinkAttributeValue() function here"