SDL Crypto Code Review Macro
Over the last few weeks I've been experimenting with the Visual Studio 2005 macro and extensibility framework to build security-related tools. I'm a big believer in "learning by doing" so I thought I would create a macro to help me do some code reviews.
When I review code for security bugs I basically do the following:
1) Run static analysis tools and compile with /W4 to see which source code files appear to have more warnings or errors. This may indicate more bugs.
2) Look for known issues, such as banned APIs and banned functionality. I hand review anything I spot in this pass, but the noise can be very high.
3) Drill down into the riskiest code (i.e. line-by-line review) based on the threat models.
Task (2) can be done with good ol' grep, but I get sick of running grep from the command line: I live in VS2005 and would rather see a list of items that need further review inside the IDE. So I decided to create a simple macro to help with (2) when reviewing code for potential crypto issues. It's not totally done, it's really just a proof of concept, but it seems to work ok!
I will admit one thing: I am NOT a VB developer, so I am not pretending that this is the best possible VB macro code!
All you need to do is pop open the zip file at the end of this post and load the SDLCryptoCheck macro; assign it to a key if you like. You also need to load the EnvironmentEvents macro: it's the code that takes you to the offending line when you double-click a task in the Task List.
To use it, just open a bunch of files (they can be C#, C, C++, VB or various script files such as VBS and JS) and run the macro; it scans the open files for CNG, CAPI, CAPICOM and managed-code SDL crypto issues.
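As an added example, not the macro from the zip nor any code from the original post, here is the same grep-style pass for step (2) written in Python so it can run outside the IDE. It scans C/C++/C#/VB/script sources for a small illustrative rule set of CAPI, CNG and .NET identifiers that select weak hashes and ciphers, skips commented-out code so it does not become a task, and prints each hit in the `file(line,col): warning CODE: message` form that Visual Studio's Output window recognises, so double-clicking a line jumps to it much as the EnvironmentEvents handler does for the Task List. The rule list, the CRYPTO00n rule IDs and the sample sources are assumptions of this example, not the macro's own list.

```python
"""Grep-style pass for step (2) of the review: flag known-weak crypto API usage
across C/C++/C#/VB/script sources and emit the hits in the
"file(line,col): warning CODE: message" form that Visual Studio's Output
window turns into double-clickable navigation."""
import re
from pathlib import Path
from typing import Dict, Iterable, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int      # 1-based line number
    col: int       # 1-based column of the match
    rule: str
    message: str


# Illustrative rule set (an assumption of this example, not the macro's own list).
# Each entry: rule id, compiled regex, message.  The identifiers are real CAPI,
# CNG and .NET names that select algorithms a reviewer should question.
RULES = [
    ("CRYPTO001", re.compile(r"\bCALG_(MD2|MD4|MD5|DES|RC2|RC4)\b"),
     "CAPI algorithm id selects a weak hash or cipher"),
    ("CRYPTO002", re.compile(r"\bBCRYPT_(MD2|MD4|MD5|DES|RC2|RC4)_ALGORITHM\b"),
     "CNG algorithm id selects a weak hash or cipher"),
    ("CRYPTO003", re.compile(r"\b(MD5|DES|RC2)CryptoServiceProvider\b"),
     ".NET class implements a weak hash or cipher"),
    ("CRYPTO004", re.compile(r"\b(rand|srand)\s*\("),
     "C runtime rand() is not a cryptographic RNG (noisy: hand-review the use)"),
]

# Line-comment prefix per file extension, so commented-out code is not reported.
LINE_COMMENT: Dict[str, str] = {
    ".c": "//", ".cpp": "//", ".h": "//", ".cs": "//", ".js": "//",
    ".vb": "'", ".vbs": "'",
}


def _strip_line_comment(line: str, ext: str) -> str:
    """Drop a trailing line comment.  Deliberately simple: a '//' inside a
    string literal (e.g. "http://") also truncates the line, which only makes
    the scanner miss a hit, never invent one.  The kept prefix preserves columns."""
    marker = LINE_COMMENT.get(ext)
    if marker is None:
        return line
    idx = line.find(marker)
    return line if idx < 0 else line[:idx]


def scan_text(text: str, path: str) -> List[Finding]:
    """Run every rule over every line of one source file's text."""
    ext = Path(path).suffix.lower()
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        code = _strip_line_comment(raw, ext)
        for rule, pattern, message in RULES:
            for m in pattern.finditer(code):
                findings.append(Finding(path, lineno, m.start() + 1, rule, message))
    return findings


def scan_files(paths: Iterable[Path]) -> List[Finding]:
    """Scan real files on disk, skipping extensions the rule set does not cover."""
    out: List[Finding] = []
    for p in paths:
        if p.suffix.lower() in LINE_COMMENT:
            out.extend(scan_text(p.read_text(errors="replace"), str(p)))
    return out


def format_vs(f: Finding) -> str:
    """Visual Studio-style diagnostic; the Output window makes it double-clickable."""
    return f"{f.path}({f.line},{f.col}): warning {f.rule}: {f.message}"


# Constructed sample sources for the demo (not code from any real project).
SAMPLE_SOURCES = {
    "legacy.cpp": (
        "#include <wincrypt.h>\n"
        "// CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash);  // old code, commented out\n"
        "BOOL ok = CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hHash);\n"
        "HCRYPTKEY k; CryptDeriveKey(hProv, CALG_RC4, hHash, 0, &k);\n"
        "srand(GetTickCount()); int iv = rand();\n"
    ),
    "Hasher.cs": (
        "using System.Security.Cryptography;\n"
        "var h = new MD5CryptoServiceProvider();\n"
        "var ok = new SHA256Managed();\n"
    ),
    "Util.vb": (
        "' Dim d As New DESCryptoServiceProvider() ' commented out\n"
        "Dim d As New DESCryptoServiceProvider()\n"
    ),
}


def demo() -> List[str]:
    """Scan the constructed samples and return the formatted task lines."""
    lines: List[str] = []
    for name, text in SAMPLE_SOURCES.items():
        lines.extend(format_vs(f) for f in scan_text(text, name))
    return lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it as `python scanner.py > hits.txt`, or point `scan_files` at a directory walk; paste the output into the Output window or an External Tool configured to use the Output window and each line becomes a navigable task. As in the post, this list is a starting point for hand review, not a verdict: `rand()` in particular fires on plenty of non-crypto code.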
There is certainly room for improvement in the code, so I welcome any ideas!
Enjoy.
Comments
Anonymous
June 14, 2007
Just out of curiosity, MS being a company that makes their money off of closed-source software, how do they feel about you (as an employee) giving out source code? Does MS still own it if you write it and publish it?

Anonymous
June 14, 2007
Thanks for the macros. Now you know how difficult it can sometimes be to write simple macros in VS and that VS Extensibility could have been designed better.

Anonymous
June 14, 2007
Nektar, once you learn the quirks, it's pretty easy!

Anonymous
June 14, 2007
Steven, Microsoft releases loads of source every year, nothing new here!

Anonymous
June 15, 2007
The comment has been removed

Anonymous
June 15, 2007
Zian, would you be willing to email me your code so I can debug it?

Anonymous
June 15, 2007
Michael, I did not know that. Now that you've whetted my appetite I've got to go find it =).

Anonymous
June 19, 2007
Michael, I've e-mailed you a note about it via the contact form. If the message didn't go through, please send your e-mail address to me at zianchoy AT yahoo.com