For Visual Studio developers, using security extensions helps them produce more secure code, faster. Visual Studio extensions allow you to add on new features or integrate existing developer tools to customize and enhance your Visual Studio experience. Extensions include everything from spell checkers, templates, and controls to image optimizers, debuggers, and testing tools. The main purpose of these extensions is to add functionality to increase ease of use and developer productivity.
In this blog, we’ll take a look at some of the top Visual Studio security extensions that help developers write more secure code. Note that the majority of tools mentioned here are free to download and use.
ReSharper is a very popular Visual Studio extension for .NET developers that makes code navigation, editing, and review easier. ReSharper’s productivity features allow individual developers and teams to write and manage code using industry best practices to produce high-quality applications faster. Developers like ReSharper because its autocompletion features give them intelligent suggestions to help generate code.
Microsoft DevLabs has rebuilt its popular 100+ FxCop rules as a live analyzer to help developers detect problems in their code and fix them on the spot. This extension has been updated to provide live analysis as you type, providing quick fixes for applicable diagnostics using Ctrl+. It provides diagnostics for API design, performance, security, and best practices for C# and Visual Basic. In addition, diagnostics appear in the editor, Error List, and scroll bar, adding to its ease of use.
PVS-Studio is a static source code analyzer for bug detection in C, C++, C#, and Java projects on Windows, Linux, and macOS. It detects and fixes security and quality issues in code before they turn into vulnerabilities, crashes, or painful debugging. PVS-Studio performs a wide range of code checks and is especially useful in finding misprints and Copy-Paste errors.
This Visual Studio Extension is a security static code analyzer for .NET. It operates in two modes — one for developers and one for auditors. Security Code Scan looks for security vulnerability patterns, including SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and XML External Entity Injection (XXE). It offers taint analysis, which tracks every source of user input data through the system to make sure it gets sanitized before anything is done to it. Security Code scan is able to analyze .NET and .NET Core projects in the background or during a build.
ASP.NET Core Boilerplate is a project template for building secure, fast, robust, and adaptable web applications or sites. It provides the minimum amount of code required on top of the default ASP.NET project template provided by Microsoft and uses familiar tools to implement best practices. ASP.NET Core Boilerplate is modular and extensible and gives developers the infrastructure to build their own modules.
Security Intellisense is a Visual Studio extension that provides inline security suggestions and fixes for C# and XML source code. It also targets web projects and crypto usage. The extension is part of the Secure DevOps Kit for Azure, a collection of scripts, tools, extensions, and automation that caters to the security needs of DevOps teams using extensive automation and smoothly integrating security into native DevOps workflows. Developers have remarked they like Security Intellisense because it gives them, for example, a NuGet package that makes integration into CI/CD pipelines easier.
Fortify on Demand is a Software as a Service (SaaS) solution that enables security and development teams to begin a static code analysis security scan within minutes of setup. This Visual Studio extension allows developers to upload their code to Fortify on Demand for static assessment. Developers can also open analysis results for remediation. Developers like Fortify on Demand for its intuitive interface, broad language support, and comprehensive API that allows automation to be customized.
DevSkim is a framework of IDE plugins and language analyzers that provide inline security analysis as the developer writes code. Developers are notified when they introduce a security vulnerability as potential security issues are highlighted in the code with links to more information and, when available, one-click access to safer alternative code.
WhiteSource Advise gives developers immediate visibility into open source component security data early in the development life cycle. By fixing vulnerabilities from within the IDE, developers are able to save time and create more secure code by avoiding problematic open source components.