SDL Crypto Code Review Macro

Over the last few weeks I’ve been experimenting with the Visual Studio 2005 macro and extensibility framework to build security-related tools. I’m a big believer in “learning by doing” so I thought I would create a macro to help me do some code reviews.

When I review code for security bugs I basically do the following:

1) Run static analysis tools and compile with /W4 to see which source code files have the most warnings or errors; more warnings may indicate more bugs.
2) Look for known issues, such as banned APIs and banned functionality. I hand review anything I spot in this pass, but the noise can be very high.
3) Drill down into the riskiest code (i.e., line-by-line review) based on the threat models.

Task (2) can be done with good ol’ grep, but I get sick of running grep: I live in VS2005, so I would rather see the list of items that need further review in the IDE than on the command line. So I decided to create a simple macro to help with (2) when reviewing code for potential crypto issues. It’s not totally done, it’s really just a proof of concept, but it seems to work ok!

I will admit one thing: I am NOT a VB developer, so I am not pretending that this code is the best possible VB macro code!

All you need to do is pop open the zip file at the end of this post, load the SDLCryptoCheck macro, and assign it to a key if you like. You also need to load the EnvironmentEvents macro; it is the code that takes you to the offending line when you double-click a task in the task list.

To use it, just open a bunch of files (C#, C, C++, VB, or various script files such as VBS and JS) and the macro will scan them for CNG, CAPI, CAPICOM and managed-code SDL crypto issues.

There is certainly room for improvement in the code, so I welcome any ideas!
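As an added illustration of task (2) and of the four API families the macro scans for, here is a stand-alone Python scanner (not the macro's own code and not from the zip) that finds banned crypto identifiers in a set of source files and emits one task-list row per hit, then ranks files by hit count as in task (1). The identifier table is my own short illustrative list, not the SDL banned list the macro uses; the sample sources are constructed.

```python
import re
from collections import namedtuple
# Illustrative identifier list: my assumption, NOT the macro's own list. One table
# per API family the post names; each entry is the identifier and why it is flagged.
BANNED_CRYPTO = {
    "Managed": {"MD5CryptoServiceProvider": "MD5 hash", "SHA1CryptoServiceProvider": "SHA-1 hash",
                "DESCryptoServiceProvider": "56-bit DES", "RC2CryptoServiceProvider": "RC2 cipher"},
    "CAPI":    {"CALG_MD5": "MD5 hash", "CALG_MD4": "MD4 hash", "CALG_MD2": "MD2 hash",
                "CALG_DES": "56-bit DES", "CALG_RC2": "RC2 cipher", "CALG_RC4": "RC4 cipher"},
    "CNG":     {"BCRYPT_MD5_ALGORITHM": "MD5 hash", "BCRYPT_DES_ALGORITHM": "56-bit DES",
                "BCRYPT_RC2_ALGORITHM": "RC2 cipher", "BCRYPT_RC4_ALGORITHM": "RC4 cipher"},
    "CAPICOM": {"CAPICOM_ENCRYPTION_ALGORITHM_RC2": "RC2 cipher", "CAPICOM_ENCRYPTION_ALGORITHM_RC4": "RC4 cipher",
                "CAPICOM_ENCRYPTION_ALGORITHM_DES": "56-bit DES", "CAPICOM_HASH_ALGORITHM_MD5": "MD5 hash"},
}
LOOKUP = {ident: (fam, why) for fam, tbl in BANNED_CRYPTO.items() for ident, why in tbl.items()}
PATTERN = re.compile(r"\b(?:" + "|".join(map(re.escape, LOOKUP)) + r")\b")  # whole identifiers only
Finding = namedtuple("Finding", "file line family identifier reason")  # one task-list row

def scan_source(filename, text):
    """Return one Finding per banned-identifier occurrence in `text`, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PATTERN.finditer(line):
            family, reason = LOOKUP[m.group(0)]
            findings.append(Finding(filename, lineno, family, m.group(0), reason))
    return findings

def rank_files(sources):
    """Scan {filename: text}; return all findings plus files ordered by hit count, noisiest first."""
    findings, counts = [], {}
    for name, text in sources.items():
        hits = scan_source(name, text)
        findings.extend(hits)
        counts[name] = len(hits)
    return findings, sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

SAMPLE_SOURCES = {  # constructed sample sources standing in for the open editor windows
    "Hasher.cs":   "using System.Security.Cryptography;\n"
                   "var weak = new MD5CryptoServiceProvider();\n"
                   "var fine = new SHA256Managed();\n",
    "legacy.c":    "CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash);\n"
                   "CryptGenKey(hProv, CALG_RC4, CRYPT_EXPORTABLE, &hKey);\n",
    "Encrypt.vbs": "Set enc = CreateObject(\"CAPICOM.EncryptedData\")\n"
                   "enc.Algorithm.Name = CAPICOM_ENCRYPTION_ALGORITHM_RC2\n",
}

if __name__ == "__main__":
    for f in rank_files(SAMPLE_SOURCES)[0]:  # same columns a VS task-list entry carries
        print(f"{f.file}({f.line}): [{f.family}] {f.identifier}: {f.reason}")
```

Every hit is still a candidate for hand review, exactly as in task (2); the word-boundary match only keeps the list from filling with near-miss identifiers.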


Comments (8)

  1. Just out of curiosity, MS being a company that makes their money off of closed-source software, how do they feel about you (as an employee) giving out source code? Does MS still own it if you write it and publish it?

  2. Nektar says:

    Thanks for the macros. Now you know how difficult it can sometimes be to write simple macros in VS and that VS Extensibility could have been designed better.

  3. Nektar, once you learn the quirks, it’s pretty easy!

  4. Steven

    Microsoft releases loads of source every year, nothing new here!

  5. Zian Choy says:

    I’m getting a "Value does not fall within the expected range." message box when I run the macro on my WinForms VB 2005 application.

    Does anyone have any suggestions? I’m willing to try tracking it down further if someone can give me some pointers.

    I’m not familiar with VS macros.

  6. Zian

    Would you be willing to email me your code so I can debug it?

  7. Michael,

    I did not know that. Now that you’ve whetted my appetite I’ve got to go find it =).

  8. Zian Choy says:

    Michael, I’ve e-mailed you a note about it via the contact form.

    If the message didn’t go through, please send your e-mail address to me at zianchoy AT