Hello All –

As many of you already know, the SDL team at Microsoft has a strong relationship with our colleagues in the MSEC Security Science team – these guys are on the front line of tool development for the SDL, and are always looking for new ways to take the security technologies they produce and make them broadly available.  With that in mind, I am quite pleased to turn over the blog to Tim Burrell to let you know about some new developments on the code analysis front.

– Dave

___________________________

At the recent BUILD Conference, the Visual Studio Code Analysis team presented some great new features of Microsoft Visual Studio 11 C++ Code Analysis. We thought we’d highlight a couple of the security aspects.

This is the first time that Code Analysis has been made available in an Express edition of Visual Studio – a reflection of Microsoft’s commitment to helping secure the software ecosystem beyond just our own software. It is also testament to the value that we believe such static analysis tools have to offer to every developer today. This value comes in many forms, mainly deriving from the fact that it’s way cheaper to fix a bug early on during development:

  • Fixing a bug early avoids wasted time debugging strange crashes or reliability issues later on.
  • Fixing a bug early avoids resetting/repeating testing after a bug is fixed late in the development cycle.
  • Fixing a bug early avoids the complexities associated with fixing it if it is exposed after the application ships.

The Security Science team within the Microsoft Security Engineering Center (MSEC) worked closely with the Visual Studio Code Analysis team to ensure that the Visual Studio Developer Preview includes as many of the SDL mandatory C/C++ Code Analysis warnings as possible. These are the security-related warnings that Microsoft considers critical to fix for internal C/C++ software development.

Choosing which warnings to include in Microsoft Visual Studio 11 Express is a balancing act between giving all developers access to these warnings and not overloading people with so many warnings that they just ignore them. We’ve tried to select the best combination of high severity / low noise. We are keen to hear your feedback on your experience of using Code Analysis in Express.

Of course the Security Development Lifecycle (SDL) is an entire process and methodology for developing secure software and as such includes much more than just fixing a given set of warnings – you can read more and find additional resources related to SDL here.

As we alluded to at the start, code analysis covers more than just security bugs – indeed the distinction between security and reliability can sometimes be a subtle one: the bug that manifests as a crash today (a reliability issue?) could turn out to be controllable by an attacker tomorrow (a security issue). We highly recommend running Visual Studio Code Analysis to help develop secure and reliable applications.

Tim Burrell, MSEC Security Science