Glossary

Checkmarx Visual Studio Static Code Analysis Plugin

Visual Studio, an integrated development environment (IDE) created by Microsoft, is arguably the most used editor today thanks to its added functionality. It fully supports the .NET framework and also languages such as HTML, CSS and JavaScript. Checkmarx offers a unique Visual Studio static code analysis plugin for enhanced security testing.

A brief introduction to Visual Studio

Visual Studio has evolved over the years and now has a built-in code analyzer. The IDE now has a code analysis tool window, which helps the user view, sort and fix detected loopholes. This internal code analyzer scans the project and checks if the code is in compliance with the latest Microsoft .NET Framework Design Guidelines.

Added functionality in Visual Studio 2013 (and above) involves:

  • Code warnings that can be filtered by severity and keywords.
  • Unsecure code which is highlighted by selecting a code warning in the window.
  • Code Analysis support for Windows Store apps.
  • New concurrency warnings in C/C++ programs.
  • In-depth analysis of the driver source code.

Checkmarx’s Visual Studio static code analysis plugin

Checkmarx’s Visual Studio code analysis plug-in is fully integrated into the IDE, creating a user-friendly and easy-to-access interface. Visual Studio 2005 and above are fully supported. The CxViewer’s four panes make it extremely easy to view and analyze the findings. This effective break-down optimizes the vulnerability mitigation process.

These panes, that provide various levels and types of information, include:

  • CxViewer Tree – This hub lists all located vulnerability types in a navigation tree according to their severity (high/medium/low/information). Clicking on one vulnerability type automatically displays its instances in the other panes.
  • CxViewer Result – This is a tabular list of instances of the vulnerability selected in the CxViewer Tree. This field displays the instances in detailed fashion with in-depth analysis for the user’s convenience. Appears at the top of the screen.
  • CxViewer Graph – Located below the result pane, this field displays full paths of the detected vulnerability type selected in the CxViewer Tree. Graphical intersections represent the relationships between the various instances.
  • CxViewer Path – The selected vulnerability instance in the CxViewer Graph pane is showcased in this pane. The whole path of code elements that constitute the vulnerability instance is shown to the user for easy break-down of the issue.

Since the Checkmarx solution is basically a plug-in, changes to the code can be made while reviewing the vulnerabilities, with no need to switch between applications.  This plugin display’s the paths in their entirety with all their intersections, pointing exactly at the optimal mitigation points. This enables the fixes to be extremely efficient.

Other benefits of using Checkmarx’s Visual Studio static code analysis

1) Optimized mitigation process: After getting an overview of the vulnerabilities found after Checkmarx’s Visual Studio code analysis, the user can then start working on the recommended mitigation points, a feature unique to the Checkmarx solution.

2) Seamless integration: This plugin is unique as it is planted into the Visual Studio and requires no additional steps from the user’s side. The Visual Studio project’s code is directly uploaded to CxSuite, Checkmarx’s primary source code analysis solution.

3) Easy setup and installation: Installation is a breeze. All the developer needs to do is to download the file from the Checkmarx website and install it on his system. Only a quick setup configuration process needs to be performed before using the plugin.

3) Fully customizable security solution: Checkmarx’s Visual Studio code analysis solution can easily be customized. The aforementioned analysis display panes can be re-arranged or hidden as per the user’s needs and preferences.

4) Detection of application-layer vulnerabilities: SQL Injections (SQLi), Cross-Site Scripting (XSS). Cross-Site Request Forgery (CSRF) and other vulnerabilities found in the OWASP Top-10 are detected with the help of Checkmarx’s security solution.

5) Fast scanning speeds and high accuracy: The Checkmarx Visual Studio static code analysis is suitable for both small and large projects. It is capable of scanning large numbers of K-LoCs at a time, while maintaining low levels of false-positives (FP).

Checkmarx brings similar integration and functionality with its Eclipse and IntelliJ plugins. Source code analysis (SCA) built into IDEs is a potent security solution all developers must have at their disposal. This results in more robust applications with lesser erroneous code, eventually keeping the malicious attackers at bay.