- The developer is writing code in O2 (i.e. a stand-alone .NET app), but the same thing can also happen inside Visual Studio
- As he writes, there is an auto-compilation (done with Roslyn) and a Cat.NET scan on every code change (i.e. every keystroke)
- Cat.NET is Microsoft's static analysis engine (SAST), which produces findings like the ones created by IBM's Ounce, Checkmarx, Veracode or Fortify
- Roslyn is a new managed compiler (and more) from Microsoft Research
- When the developer creates a vulnerability, he receives feedback (in less than 1 sec) that a vulnerability has been created (note the vulnerability list in the top-right-hand-side window)
- When the developer fixes the vulnerability, after the rescan (which happens in the background) the vulnerabilities disappear from the right-hand-side vulnerability window (in the bottom-left-hand-side window there is the Cat.NET report in XML format)
- Note how fast the whole process is! (both Roslyn and Cat.NET execute 'in-process', i.e. no csc.exe or CATNetCmd.exe is invoked to compile and scan the code)
There are a bunch of very cool technological developments here:
- From O2, I was able to consume the Cat.NET APIs and have direct access to its engine and rules (I will blog about it later). I was also able to use Roslyn to detect compilation errors (via the AST) and compile the code into a full .NET assembly
- This runs both as a stand-alone WinForms exe and inside Visual Studio (the video only shows the stand-alone mode)
- The O2 REPL environment allowed me to create this PoC very quickly (in both stand-alone and Visual Studio modes)
- It should be easy to make this work via a web interface (especially using ConsolR, Compilify and Roslyn)
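As an added example (not the post's own code, and not the Roslyn CTP API the PoC was built on), here is what the in-process compile step looks like with today's public Microsoft.CodeAnalysis.CSharp API: parse the editor buffer, surface compiler diagnostics, and emit a full assembly into memory that a scanner engine can consume, with no csc.exe involved. It assumes the Microsoft.CodeAnalysis.CSharp NuGet package is referenced.

```csharp
// Added example, not the post's code: the in-process compile step with the
// current public Microsoft.CodeAnalysis.CSharp API (assumes that NuGet package
// is referenced; the PoC in the post used the older Roslyn CTP API).
using System;
using System.IO;
using System.Linq;
using System.Reflection;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
static class InProcessCompiler
{
    // Compiles one editor buffer entirely in memory (no csc.exe, no temp files).
    // Returns the assembly bytes on success, or null after printing the errors.
    public static byte[] Compile(string source)
    {
        var tree = CSharpSyntaxTree.ParseText(source);
        // Reference the core library this process already runs on.
        var coreLib = MetadataReference.CreateFromFile(typeof(object).Assembly.Location);
        var compilation = CSharpCompilation.Create(
            assemblyName: "LiveScanTarget",
            syntaxTrees: new[] { tree },
            references: new[] { coreLib },
            options: new CSharpCompilationOptions(OutputKind.DynamicallyLinkedLibrary));
        using var ms = new MemoryStream();
        var result = compilation.Emit(ms);
        // Report errors the way the editor window would on every rescan.
        foreach (var d in result.Diagnostics.Where(d => d.Severity == DiagnosticSeverity.Error))
        {
            var line = d.Location.GetLineSpan().StartLinePosition.Line + 1;
            Console.WriteLine($"  {d.Id} line {line}: {d.GetMessage()}");
        }
        return result.Success ? ms.ToArray() : null;
    }
    static void Main()
    {
        // Constructed sample buffers: one with a typo, one that compiles cleanly.
        string[] buffers =
        {
            "public class Page { public string Echo(string s) { retrun s; } }",
            "public class Page { public string Echo(string s) { return s; } }",
        };
        foreach (var source in buffers)
        {
            var bytes = Compile(source);
            if (bytes == null) continue;
            // A full assembly now exists in memory and can be handed to a scanner engine.
            var asm = Assembly.Load(bytes);
            Console.WriteLine($"  compiled {asm.GetName().Name}, {asm.GetTypes().Length} type(s)");
        }
    }
}
```

The first buffer reports compiler errors only; the second emits an assembly, which is the point at which a scanner such as Cat.NET would run against it in-process.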
It looks simple, and I was able to write it in a couple of days, but this is a PoC that took me years of O2 development to pull off.
Finally we have a working PoC of an environment that provides real-time feedback to users on the vulnerabilities they create (using Cat.NET + Roslyn + O2)
:)