Over the last few weeks I've been experimenting with the Visual Studio 2005 macro and extensibility framework to build security-related tools. I'm a big believer in "learning by doing" so I thought I would create a macro to help me do some code reviews.
When I review code for security bugs I basically do the following:
1) Run static analysis tools and compile with /W4 to see which source code files appear to have more warnings or errors. This may indicate more bugs.
2) Look for known issues, such as banned APIs and banned functionality. I hand review anything I spot in this pass, but the noise can be very high.
3) Drill down into the riskiest code (i.e., line-by-line review) based on the threat models.
Task (2) can be done with good ol' grep, but I get sick of running grep: I live in VS2005, so I would rather see the list of items that need further review in the IDE than on the command line. So I decided to create a simple macro to help with (2) when reviewing code for potential crypto issues. It's not totally done, it's really just a proof of concept, but it seems to work OK!
I will admit one thing: I am NOT a VB developer, so I am not pretending that this code is the best possible VB macro code!
All you need to do is pop open the zip file at the end of this post, load the SDLCryptoCheck macro, and assign it to a key if you like. You also need to load the EnvironmentEvents macro; it's the code that takes you to the offending line when you double-click a task in the task list.
To use it, just open a bunch of files (they can be C#, C, C++, VB or various script files such as VBS and JS) and the macro will scan for CNG, CAPI, CAPICOM and managed-code SDL crypto issues.
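The scan the macro performs is essentially a pattern pass over the open files that drops each hit into the task list. Below is an added example of that same idea, written here in Python rather than taken from the post's VB macro or its zip file. The pattern list is an assumption: the identifiers (CALG_MD5, BCRYPT_MD5_ALGORITHM, MD5CryptoServiceProvider, System.Random, CAPICOM objects) are real CAPI, CNG, .NET and CAPICOM names, but the post does not publish its own banned list, so treat them as a starting point. The sample files are constructed, and the output uses the "file(line): message" form that Visual Studio's task list can navigate.

```python
"""Added example (not the post's VB macro): a grep-style scanner for known-weak
crypto API usage across the file types the macro handles, emitting findings in
the "file(line): message" form that Visual Studio's task list can navigate."""
import os
import re
from dataclasses import dataclass

# Assumption: this pattern list is illustrative. The identifiers are real CAPI/CNG/
# .NET/CAPICOM names, but the post does not publish its own banned list.
PATTERNS = [
    (r"\bCALG_(MD2|MD4|MD5|RC2|RC4|DES)\b", "CAPI", "weak algorithm identifier"),
    (r"\bBCRYPT_(MD2|MD4|MD5|RC2|RC4|DES)_ALGORITHM\b", "CNG", "weak algorithm identifier"),
    (r"\b(MD5|RC2|DES)CryptoServiceProvider\b", "Managed", "weak .NET algorithm class"),
    (r"\bSystem\.Random\b", "Managed", "non-cryptographic RNG; review if used for keys or tokens"),
    (r"\bCAPICOM\.\w+", "CAPICOM", "deprecated CAPICOM object"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), fam, note) for p, fam, note in PATTERNS]

# Extension -> line-comment prefix, used to drop commented-out code and cut noise.
# Block comments are not handled; that is the trade-off of a grep-level pass.
COMMENT_PREFIX = {
    ".c": "//", ".h": "//", ".cpp": "//", ".cs": "//", ".js": "//",
    ".vb": "'", ".vbs": "'",
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    family: str
    note: str
    match: str


def scan_text(path: str, text: str) -> list:
    """Scan one file's contents; returns [] for file types the scanner does not cover."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in COMMENT_PREFIX:
        return []
    prefix = COMMENT_PREFIX[ext]
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(prefix):
            continue  # commented-out code is left to the human reviewer's judgment
        for rx, family, note in COMPILED:
            for m in rx.finditer(line):
                findings.append(Finding(path, lineno, family, note, m.group(0)))
    return findings


def scan_sources(sources: dict) -> list:
    """Scan an in-memory {path: contents} map; results sorted by path, then line."""
    out = []
    for path, text in sources.items():
        out.extend(scan_text(path, text))
    return sorted(out, key=lambda f: (f.path, f.line))


def scan_directory(root: str) -> list:
    """The same scan over a real source tree on disk."""
    sources = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in COMMENT_PREFIX:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    sources[full] = fh.read()
    return scan_sources(sources)


def format_task_list(findings: list) -> list:
    """One 'file(line): message' entry per finding, as the task list expects."""
    return [f"{f.path}({f.line}): [{f.family}] {f.note}: {f.match}" for f in findings]


# Constructed sample files: one hit each in C++, C# (two), and VBScript; the
# commented-out lines and the .txt file are deliberately left unreported.
SAMPLE_SOURCES = {
    "hash.cpp": (
        "#include <wincrypt.h>\n"
        "// CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash);\n"
        "CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash);\n"
        "CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash);\n"
    ),
    "Token.cs": (
        "using System.Security.Cryptography;\n"
        "var md5 = new MD5CryptoServiceProvider();\n"
        "var rng = new System.Random();\n"
    ),
    "sign.vbs": (
        'Set ed = CreateObject("CAPICOM.EncryptedData")\n'
        "' old: CAPICOM.SignedData\n"
    ),
    "README.txt": "MD5CryptoServiceProvider is mentioned in the docs\n",
}

if __name__ == "__main__":
    for entry in format_task_list(scan_sources(SAMPLE_SOURCES)):
        print(entry)
```

Like the macro, this is a noisy first pass: every hit still needs a human look, and the comment skipping only handles line comments, so a hit inside a block comment will still show up. Running the module prints four task-list entries for the constructed samples; point scan_directory at a real tree to get the same list for a project.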
There is certainly room for improvement in the code, so I welcome any ideas!