Security Rules rule set for managed code
You should include the Microsoft Security Rules rule set to maximize the number of potential security issues that are reported.
Rule |
Description |
|---|---|
Review SQL queries for security vulnerabilities |
|
Catch non-CLSCompliant exceptions in general handlers |
|
Review imperative security |
|
Do not declare read only mutable reference types |
|
Array fields should not be read only |
|
Secure asserts |
|
Review deny and permit only usage |
|
Review declarative security on value types |
|
Review visible event handlers |
|
Pointers should not be visible |
|
Secured types should not expose fields |
|
Method security should be a superset of type |
|
Call GC.KeepAlive when using native resources |
|
APTCA methods should only call APTCA methods |
|
APTCA types should only extend APTCA base types |
|
Review SuppressUnmanagedCodeSecurityAttribute usage |
|
Seal methods that satisfy private interfaces |
|
Secure serialization constructors |
|
Static constructors should be private |
|
Do not indirectly expose methods with link demands |
|
Override link demands should be identical to base |
|
Wrap vulnerable finally clauses in outer try |
|
Type link demands require inheritance demands |
|
Security critical constants should be transparent |
|
Security critical types may not participate in type equivalence |
|
Default constructors must be at least as critical as base type default constructors |
|
Delegates must bind to methods with consistent transparency |
|
Methods must keep consistent transparency when overriding base methods |
|
Level 2 assemblies should not contain LinkDemands |
|
Members should not have conflicting transparency annotations |
|
Transparent methods must contain only verifiable IL |
|
Transparent methods must not call methods with the SuppressUnmanagedCodeSecurity attribute |
|
Transparent methods may not use the HandleProcessCorruptingExceptions attribute |
|
Transparent code must not reference security critical items |
|
Transparent methods must not satisfy LinkDemands |
|
Transparent code should not be protected with LinkDemands |
|
Transparent methods should not use security demands |
|
Transparent code should not load assemblies from byte arrays |
|
Transparent methods should not be decorated with the SuppressUnmanagedCodeSecurityAttribute |
|
Types must be at least as critical as their base types and interfaces |
|
Transparent methods may not use security asserts |
|
Transparent methods must not call into native code |
|
Assemblies should have valid strong names |