Monday 7 November 2011

The future of secure code? Fixing/Encoding .NET code in real time (in this case Response.Write)

If we really want to help developers to fix they code, we ultimately need to move all the way into their IDEs and actually provide them code-fixes in context!

A while back somebody asked me how to perform actually .NET code changes and patches using O2's .NET Static Analysis engine, and I wrote a little PoC that clearly shows how that can be done (and a preview of what the future looks like).

I just wrote a O2 blog post about it which you can find here: (if you have O2 installed just run the Fixing Response.Write.h2 script)

Here is a 20 sec video that shows this script in action:

I really like this concept and it is sort of similar to what Spring is doing with Roo ( where the developer's code is automatically refactored in order to meet specific objectives