
I have to make a choice between Veracode and FxCop for application security testing. Obviously Veracode comes with a price and FxCop is free.

But to know the efficiency of FxCop I must compare my results with the free analysis result provided by Veracode. Both tests are run against the same DLL.

How will I know which one is a cross-site scripting error or a CRLF injection in FxCop? Is there any guide available? Any way to decipher if I am looking at the same errors in both?

Any help is appreciated.

mjs
Soumya Das
  • Hi, Why do you have to make a choice? They have different purposes and are complementary. We run both and they report different information leading hopefully to higher quality & secure solution. – Al Mills Jul 08 '14 at 07:54
  • Hi Al, Thanks for the response. We are just evaluating the alternatives to Veracode. Are there any other ways to test the code for the same vulnerabilities? So that we can compare the results with Veracode. We want to check cheaper open source alternatives before deciding on the issue. – Soumya Das Jul 08 '14 at 12:48

1 Answer


FxCop is not specifically geared towards security testing. Though it has a couple of rules that check for specific security issues, it's far less advanced than Veracode, Coverity or Fortify in this respect. It's not meant to replace them on this front; it's meant to provide basic checks.

Code Analysis also checks other aspects like localization and globalization issues, memory leaks and other generally bad things that have nothing to do with security.

Your base solution should at least use Code Analysis inside Visual Studio. Whether you want to use additional security checks from 3rd party vendors is up to you. There are a number of (open source) rulesets available that extend Code Analysis with additional security rules. These are not standard rules that ship with Visual Studio though (and haven't been updated in ages).

To see which types of check are built into Code Analysis (FxCop), look at the documentation. You'll see that there are no cross-site scripting warnings present, which makes sense, as you're likely to make such mistakes in HTML and JavaScript and not primarily in C#. Code Analysis and FxCop target issues in your managed .NET code, not in your client-side scripts or HTML.

Other tools like JSHint/JSLint and tools recommended by the OWASP group may provide free alternatives.

jessehouwing
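The question asks how to recognise a CRLF injection finding, and the answer explains that FxCop looks at managed .NET code rather than the HTML or script layer. As an added illustration (not code from the question, the answer, or either tool), the following C# program shows what a CRLF (HTTP header) injection looks like in managed code, beside a hardened version of the same function. The header string is built by hand so the sample runs as a plain console program; the class and method names are hypothetical, and the attacker input is constructed for the demo.

```csharp
using System;
using System.Text;

// Added example: CRLF / HTTP header injection in managed code.
// Names in this class are illustrative, not from any real project.
public static class HeaderInjectionDemo
{
    // VULNERABLE: untrusted input is copied into a header value unchanged.
    // A value such as "home\r\nSet-Cookie: session=attacker" ends the
    // Location header early and smuggles a second header into the response.
    public static string BuildRedirectUnsafe(string target)
    {
        var sb = new StringBuilder();
        sb.Append("HTTP/1.1 302 Found\r\n");
        sb.Append("Location: /").Append(target).Append("\r\n");
        sb.Append("\r\n");
        return sb.ToString();
    }

    // HARDENED: refuse any control character before the value reaches the
    // header, then percent-encode what remains. Rejecting is easier to
    // reason about than stripping, which can be bypassed by double encoding.
    public static string BuildRedirectSafe(string target)
    {
        foreach (char c in target)
        {
            if (c == '\r' || c == '\n' || char.IsControl(c))
            {
                throw new ArgumentException(
                    "Header value contains a control character.", nameof(target));
            }
        }

        var sb = new StringBuilder();
        sb.Append("HTTP/1.1 302 Found\r\n");
        sb.Append("Location: /").Append(Uri.EscapeDataString(target)).Append("\r\n");
        sb.Append("\r\n");
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed attacker input: a path followed by an injected header line.
        string payload = "home\r\nSet-Cookie: session=attacker";

        Console.WriteLine("--- unsafe (two headers come out) ---");
        Console.WriteLine(BuildRedirectUnsafe(payload));

        Console.WriteLine("--- safe ---");
        try
        {
            Console.WriteLine(BuildRedirectSafe(payload));
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("rejected: " + ex.Message);
        }
    }
}
```

When you build headers through ASP.NET's own HttpResponse rather than by hand, header checking is enabled by default (the enableHeaderChecking setting) and CR/LF in a header value throws at runtime, so the hand-rolled StringBuilder pattern above is where this class of flaw actually survives in .NET code. If you run FxCop against a DLL containing the unsafe method and get no finding, that is consistent with the answer's point: its built-in rules are not a taint-tracking injection analysis, so a result for this method in a commercial scanner has no FxCop counterpart to compare against.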