patterns & practices Security Code Review Index
Retired Content
This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
patterns & practices Developer Center
J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Andy Wigley, Kishore Gopalan
Microsoft Corporation
September 2005
Summary
This page provides an index of patterns & practices resources to help you perform a security code review.
Contents
Security Code Review Approach
Baseline Activity
.NET Framework Version 1.1
.NET Framework Version 2.0
Common Security Issues
Security Code Review Approach
The purpose of a security code review is to inspect source code to discover security issues before testing and deployment begin. The four major code review steps are shown in Figure 1.
Figure 1. Code review steps
Review your code each time there is a meaningful change instead of reviewing it all at once at the end of the project. This allows you to focus on what has changed rather than trying to find all the issues at once.
The code review process involves the following steps:
- Step 1. Identify security code review objectives. Establish goals and constraints for the review.
- Step 2. Perform a preliminary scan. Use static analysis to find an initial set of security issues and improve your understanding of where the security issues are most likely to be discovered through further review.
- Step 3. Review the code for security issues. Review the code thoroughly with the goal of finding security issues that are common to many applications. You can use the results of Step 2 to focus your analysis.
- Step 4. Review for security issues unique to the architecture. Complete a final analysis looking for security issues that relate to the unique architecture of your application. This step is most important if you have implemented a custom security mechanism or any feature designed specifically to mitigate a known security threat.
Baseline Activity
The baseline activity shows you the techniques and steps to perform an effective security code review. Use the baseline activity in conjunction with the companion question lists and checklists to perform a security code review.
- How To: Perform Security Code Review for Managed Code (Baseline Activity)
- At a Glance: Security Code Review for Managed Code (Baseline Activity)
.NET Framework Version 2.0
The following links offer question lists and checklists for reviewing .NET Framework 2.0 code. The question lists should be used in conjunction with the baseline code review activity, How To: Perform Security Code Review for Managed Code (Baseline Activity).
Question Lists
Checklists
- Security Checklist: ASP.NET 2.0
- Security Checklist: .NET Framework 2.0
- Security Checklist: ADO.NET 2.0
.NET Framework Version 1.1
The following links offer guidelines and checklists for reviewing .NET Framework 1.1 code.
- .NET Framework 1.1 Security Code Review
- ADO.NET 1.1 Security Code Review
- ASP.NET 1.1 Security Code Review
- Code Access Security (.NET Framework 1.1) Security Code Review
- Enterprise Services (.NET Framework 1.1) Security Code Review
- Remoting (.NET Framework 1.1) Security Code Review
- Unmanaged Code Called From Managed Code Security Code Review
- Web Services (ASMX 1.1) Security Code Review
Checklists
- Security Checklist: .NET Framework 1.1
- Security Checklist: ADO.NET 1.1
- Security Checklist: ASP.NET 1.1
- Security Checklist: Enterprise Services (.NET Framework 1.1)
- Security Checklist: Remoting (.NET Framework 1.1)
- Security Checklist: Web Services (.NET Framework 1.1)
Common Security Issues
The following patterns & practices resources help you perform security code reviews for common security issues.
Feedback
Provide feedback by using either a Wiki or e-mail:
- Wiki. Security guidance feedback page at https://channel9.msdn.com/wiki/securityguidancefeedback/
- E-mail. Send e-mail to secguide@microsoft.com.
We are particularly interested in feedback regarding the following:
- Technical issues specific to recommendations
- Usefulness and usability issues
Technical Support
Technical support for the Microsoft products and technologies referenced in this guidance is provided by Microsoft Support Services. For product support information, see the Microsoft Support Web site at https://support.microsoft.com.
Community and Newsgroups
Community support is provided in the forums and newsgroups:
- MSDN Newsgroups: https://www.microsoft.com/communities/newsgroups/default.mspx
- ASP.NET Forums: http://forums.asp.net
To get the most benefit, find the newsgroup that corresponds to your technology or problem. For example, if you have a problem with ASP.NET security features, you would use the ASP.NET Security forum.
Contributors and Reviewers
- External Contributors and Reviewers: Anil John; Frank Heidt; Keith Brown, Pluralsight
- Microsoft Product Group: Don Willits, Eric Jarvi, Randy Miller, Stefan Schackow
- Microsoft IT Contributors and Reviewers: Shawn Veney, Akshay Aggarwal, Talhah Mir
- Microsoft EEG: Eric Brechner, James Waletzky
- Microsoft patterns & practices Contributors and Reviewers: Carlos Farre, Jonathan Wanagel
- Test team: Larry Brader, Microsoft Corporation; Nadupalli Venkata Surya Sateesh, Sivanthapatham Shanmugasundaram, Infosys Technologies Ltd.
- Edit team: Nelly Delgado, Microsoft Corporation
- Release Management: Sanjeev Garg, Microsoft Corporation