Wednesday 6 June 2012

Video: Real time Vulnerability Scanning using Cat.Net and Roslyn (SAST)

Here is a pretty cool PoC of creating an environment for developers that helps them to know when they create a security vulnerability (in real time).

In this video:
  • The developer is writing code in O2 (i.e stand-alone .Net app) but it can also happen inside VisualStudio
  • As he writes code there is an auto-compilation (done with Roslyn) and Cat.NET scan every time there is a code change (i.e. every keystroke)
    • Cat.Net is Microsoft's Static Analysis Engine (SAST) which produces findings like the ones created by IBM's Ounce, CheckMarx, Veracode or Fortify
    • Roslyn is a new managed Compiler (and more) from Microsoft research
  • When the developer creates a vulnerability it receives (in less than 1 sec) feedback that there is a vulnerability created (note the vulnerability's list in the top-right-hand-side window)
  • When the developer fixes the vulnerability, after the rescan (which happens in the background) the vulnerabilities disappear from the right-hand-side vulnerability window (in the bottom-left-hand-side there is the Cat.NET report in xml format)
  • Note how fast the whole process is!!!!  (both Roslyn and Cat.NET execution happen 'in-process', i.e. there is no csc.exe or CATNetCmd.exe invoked to compile and scan the code)
There are a bunch of very cool technologic developments here:
  • From O2, I was able to consume Cat.Net APIs and have direct access to its engine and rules (I will blog about it later). I was also able to use Roslyn to detect compilation errors (via the AST) and compile the code into a full .Net Assembly
  • This runs both as stand-alone WinForms's exe or inside VisualStudio (the video only shows the stand-alone mode)
  • The O2 REPL environment allowed me to create this PoC very quickly (in both stand-alone and Visual Studio modes)
  • It should be easy to make this work via a web interface (specially using ConsolR Compilify and Roslyn)
It looks simple and I was able to write it in a couple days, but this is a PoC that it took me years of O2 development to pull it off.

Finally we have an working PoC of an environment that provides real-time feedback to users on the vulnerabilities created (using a Cat.NET+Roslyn+O2)