Tuesday 19 June 2012

Real-Time C# Solution Compilation and Security Scanning (using Roslyn and Cat.NET)

On the Real time Vulnerability Scanning using Cat.Net and Roslyn (SAST) example, the compilation and scanning happened on a single file, which was cool, but not that realistic.

The next step was to be able to compile and scan a whole Visual Studio solution file (*.sln), like the one from the 'vulnerable by design' SuperSecureBank site.

In the video below, I use Roslyn's project loading and monitoring capabilities to trigger a compilation every time a change is made to a file in the solution. If the compilation succeeds, a security scan (using Cat.NET) is triggered; both steps complete in a couple of seconds:

This is the type of environment we need to create: one where the developer gets real-time (or as close to real-time as possible) feedback on any security vulnerabilities they have just introduced or fixed.

At the moment, I'm quite happy with Roslyn performance since it happens in less than 1 sec, and (as they claim) does seem to reuse as many compilation objects as possible.

The Cat.NET step is probably not as optimised as it could be, since a full scan is done every time (ideally we would only scan the diffs). That said, it is still quite fast :)
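The watch / compile / gate / scan loop described above, as an added example that is not code from the original post or from the O2 project. It assumes the current Roslyn NuGet packages (Microsoft.CodeAnalysis.Workspaces.MSBuild and Microsoft.Build.Locator, C# 12 or later) rather than the 2012 Roslyn CTP, and the Cat.NET invocation is a hypothetical `scanAssembly` hook supplied by the caller, since the post does not show Cat.NET's API.

```csharp
using System;
using System.IO;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Build.Locator;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.MSBuild;
using Microsoft.CodeAnalysis.Text;
// Added example, not code from the original post. Needs the NuGet packages
// Microsoft.CodeAnalysis.Workspaces.MSBuild and Microsoft.Build.Locator (C# 12 or later).
public sealed class RealTimeScanner(string slnPath, Func<string, Task> scanAssembly)
{
    // scanAssembly is a hypothetical hook, e.g. one that runs Cat.NET on the emitted dll.
    private Solution? _solution;
    private FileSystemWatcher? _watcher;
    private CancellationTokenSource _pending = new();
    public async Task StartAsync()
    {
        MSBuildLocator.RegisterDefaults(); // locate MSBuild before the first workspace use
        _solution = await MSBuildWorkspace.Create().OpenSolutionAsync(slnPath); // load once, reuse
        _watcher = new FileSystemWatcher(Path.GetDirectoryName(slnPath)!, "*.cs")
            { IncludeSubdirectories = true, EnableRaisingEvents = true };
        _watcher.Changed += (_, e) => Schedule(e.FullPath);
    }
    // Editors fire several Changed events per save: debounce so one burst gives one compile + scan.
    private void Schedule(string changedPath)
    {
        _pending.Cancel();
        _pending = new CancellationTokenSource();
        var token = _pending.Token;
        Task.Delay(300, token).ContinueWith(_ => CompileAndScanAsync(changedPath), token);
    }
    private async Task CompileAndScanAsync(string changedPath)
    {
        // Apply the edit to the existing Solution so Roslyn reuses the trees that did not change.
        var text = SourceText.From(File.ReadAllText(changedPath));
        foreach (var id in _solution!.GetDocumentIdsWithFilePath(changedPath))
            _solution = _solution.WithDocumentText(id, text);
        foreach (var project in _solution.Projects)
        {
            var dll = Path.Combine(Path.GetTempPath(), project.AssemblyName + ".dll");
            var result = (await project.GetCompilationAsync())!.Emit(dll);
            foreach (var d in result.Diagnostics)
                if (d.Severity == DiagnosticSeverity.Error) Console.WriteLine($"[{project.Name}] {d}");
            if (!result.Success) return; // gate: a build with errors is never scanned
            await scanAssembly(dll);
        }
    }
}
```

Because the Solution object is kept between edits and only the changed document's text is replaced, Roslyn can reuse the unchanged syntax trees, which is what keeps the compile step under a second; the scan hook still rescans whole assemblies, as the post notes.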
