SECURITY TOOLS FOR
SOFTWARE DEVELOPMENT
FXCOP 10.0
David Angulo Rubio
OVERVIEW
Security Development Life Cycle Tool
 What is FxCOP
 Why use FxCOP
 Code Analysis
 Rules checked by FxCOP
 Sample rule
 Possibilities
 Using FxCOP
 Conclusion

THE SECURITY DEVELOPMENT LIFECYCLE
(SDL) AND FXCOP
Security best practices in Microsoft
 Provides guidance within established
development processes

Design considerations
 Creating effective security plans
 Leveraging tools across the
development cycle


Better then simply hunting for bugs
Requirements
Design
Implementation
Verification
Release
Response
FXCOP
Began as an internal Microsoft Solution
 Enforces adherence to .NET Framework Design
Guidelines
 Available free

http://www.microsoft.com/download/en/details.aspx?id=6544.

Uses “Introspection”
Faster analysis
 Multi-thread analysis

Contains over 200 rules
 Ability to create custom rules

FXCOP
A static code analysis tool that examines
managed assemblies for design and code
correctness issues
 Console and graphical applications that manage:

Targets (items for analysis)
 Rules (checks to execute)
 Messages (feedback from rules)


A general infrastructure for writing checks
against managed code
WHY USE FXCOP
Do you:
 Have a well defined coding standards
 But have no way of enforcing those
standards?
 Spend much time writing code
 But even more time editing code?
 Want to have your applications run smoothly
 But seem to always be held back by errors?
 Then…FxCop is for you!

CODE ANALYSIS
Unlike traditional analysis tools (Lint for C),
FxCOP does not analyze source code. Instead, it
analyzes the binary Common Intermediate
Language (CIL) generated by the .NET compilers
and persisted in the .NET assemblies (EXE and
DLL files). Analysis is enable by the rich
metadata that is part of the CIL.
 By analyzing assemblies directly, FxCOP avoids
being tied to any particular programming
language: it will work without modification
against C#, VB.net, and potentially any other
.NET languages

RULES
The tool is designed to check .NET code for
violations of a wide range of programming rules
and conventions. The rules included with FxCOP
draw heavily upon Microsoft’s Framework Design
Guidelines.
 The rules checked by FxCOP include: Design,
Globalization,Interoperabiliyy,Mobility,
Naming, Performance, Portability, Security,
Usage

SAMPLE METADATA XML
POSSIBILITIES








Ensure that the names of controls on forms and web
pages follow your naming conventions.
Check that your preferred controls, components, and
classes are used instead of alternatives.
Inspect literal arguments values being passed to your
methods.
Examine control structures, such as conditions and
loops, to evaluate code metrics.
Determine the callers and callees of methods.
Spell-check text elements such as identifiers, literals,
and resource strings.
Verify that elements are properly documented with
XML documentation comments.
Build standalone tools that take advantage of FxCOP
code analysis APIs
USING FXCOP

Recall that FxCOP checks compiled assemblies. Prior to running
FxCOP, you need to compile the program that you want to check.
SUMMARY
FxCOP is a free static code analysis tool from
Microsoft that checks .NET managed code
assemblies for conformance to Microsoft's .NET
Framework Design Guidelines
 FxCOP analyzes the compiled object code, not the
original source code
 FxCOP includes both GUI and command line
versions of the tool
 FxCOP ensures that the specified rules are used
in the source code.
