Five Ways to Use Visual Studio to Avoid Secure Coding Mistakes

I was talking with a colleague recently, and we got on the subject of static analysis and why we all have to suffer with the problem of first making the mistakes in code, and then fixing them later.  She challenged me to come up with some ways that we could avoid the mistakes in the first place, and here’s what I told her:

  1. IntelliSense — the Visual Studio IDE is pretty smart about providing as-you-type hints and recommendations on all sorts of common coding flaws (or at least, it catches me on a lot of the mistakes that I frequently make), and they’re enabled out of the box (at least for Visual Basic.NET — I can’t recall if that’s true for C# as well).  [But I wonder why IntelliSense doesn’t handle some of the basic code maintenance?]
  2. Code snippets — Visual Studio has a very handy feature that allows you to browse a self-describing tree of small chunks of code that are meant to accomplish very specific purposes.  These snippets save lots of time on repetitive or rarely-used routines, and reduce the likelihood of introducing errors in similar hand-coded blocks of code.
  3. PInvoke.net — if you ever need to P/Invoke to Win32 APIs (aka unmanaged code), this free Visual Studio add-on gives you as definitive a library as exists of recommended code constructs for doing this right.
  4. Code Analysis (cf. FxCop) — this is a bit of a cheat, as these technologies at first are simply about scanning your code (MSIL in fact) to identify flaws in your code (including a wide array of security-related flaws).  However, with the very practical tips they provide on how to resolve the coding flaw, this quickly becomes a teaching tool to reinforce better coding behaviours so you (and I) can avoid making those mistakes again in the future.
  5. Community resources — F1 is truly this coder’s best friend.  Banging on the F1 key in Visual Studio brings up a multi-tabbed search UI that gives you access not only to local and online versions of MSDN Library, but also to two collections that I personally rely on heavily: the CodeZone community (a group of MS-friendly code-junkie web sites with articles, samples and discussions) and the MSDN Forums (Microsoft’s dazzling array of online Forums for discussing every possible aspect of developing for the Microsoft platform).  If there’s one complaint I have about the MSDN Forums, it’s that there are so freakin’ many of them, it’s very easy to end up posting your question to the wrong Forum, only to have the right one pointed out to you later (sometimes in very curt, exasperated, “why do these morons keep showing up?” form).
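As an added illustration of the kind of flaw item 4 refers to (this is example code, not code from the original post): FxCop’s rule CA2100, “Review SQL queries for security vulnerabilities”, fires on the first method below because the command text is assembled from caller-supplied input; the second method is the parameterized form its resolution tip steers you toward. The Customers table, its columns and the already-open connection are assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example (not from the original post). Assumes a Customers table
// with Id and Name columns reachable through an already-open SqlConnection.
public static class CustomerLookup
{
    // Flagged by CA2100 (Review SQL queries for security vulnerabilities):
    // the caller-supplied value becomes part of the SQL text itself, so a
    // quote character inside 'name' changes the structure of the statement.
    public static DataTable FindUnsafe(SqlConnection conn, string name)
    {
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "SELECT Id, Name FROM Customers WHERE Name = '" + name + "'";
            return Fill(cmd);
        }
    }

    // Passes CA2100: the SQL text is a constant and the value travels as a
    // typed parameter, so the database never parses it as part of the query.
    public static DataTable FindSafe(SqlConnection conn, string name)
    {
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT Id, Name FROM Customers WHERE Name = @name";
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            return Fill(cmd);
        }
    }

    // Shared helper: run the command and return its rows as a DataTable.
    private static DataTable Fill(SqlCommand cmd)
    {
        DataTable table = new DataTable();
        using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
        {
            adapter.Fill(table);
        }
        return table;
    }
}
```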

However, if like me you’re not satisfied with just the default capabilities of Visual Studio, then try out some of these add-ons to enhance your productivity:

  • Code snippets: there are a large number of third-party code snippets available from http://www.gotcodesnippets.net as well (though the quality of these is totally unverified, and they should be approached with caution).
  • Code Analysis (FxCop):
    • JSL FxCop — a coding tool that eases the difficulty of developing custom rules, as well as a growing library of additional rules that weren’t shipped by Microsoft.
    • Detecting and Correcting Managed Code Defects — MSDN Team System walkthrough articles for the Code Analysis features of Visual Studio.

I’m also working on trying to figure out how to add a set of custom sites to the Community search selections (e.g. to add various internal Intel web sites as targets for search).


One thought on “Five Ways to Use Visual Studio to Avoid Secure Coding Mistakes”

  1. It’s an interesting topic, as most developers believe that it’s almost impossible to code correctly and error-free on the first attempt, as there remain bugs that can be removed by testing. The list you presented to overcome this is really very interesting and I am going to use it; let’s see how it works.
