Tools to help you write secure code

Earlier today, Bill Gates spoke at the RSA Conference 2005 in San Francisco. Bill cited a Gartner report which looked at security problems and found that 75 percent of all security problems occur at the application level. He mentioned that 64 percent of the developers we polled rated writing secure code as a key new skill that they wanted to acquire, and that they wanted tools that let them go in and audit what they're doing.


At Microsoft, we have been using several tools to test, analyze, profile and secure our code. We have standardized on many of these tools internally so that every developer in every product group uses them to ensure that we develop and deliver secure code. Many of these internal tools will ship in Visual Studio 2005 as a part of the Visual Studio 2005 Team System. This includes tools like FxCop, PREfast and App Verifier. By integrating these tools into the Visual Studio IDE, we want to enable you to develop and deliver highly secure code.


Team System ties these tools into the lifecycle as well.  And we’ve focused significantly on usability, to make these readily accessible to all users.  For example, the source control policies will confirm that you have run the security analysis before you check in the code.  To go with the tools, Team System also delivers integrated security guidance in the updated Microsoft Solutions Framework.  MSF draws on Microsoft’s internal architectural practices, such as threat modeling, and ties to the latest Patterns and Practices available on MSDN.  


With Visual Studio 2005, our goal is to deliver a great set of tools with process and engineering guidance that will significantly enhance your productivity and enable you to deliver highly secure and reliable code.



Comments (8)

  1. Anonymous says:

    » Visual Studio 2005 Will Help With Security Problems  InsideMicrosoft – part of the Blog News Channel

  2. Bjoern Graf says:

    "Many of these internal tools will ship in Visual Studio 2005 as a part of the Visual Studio 2005 Team System."

    Does this mean that developers who require the feature set of VS.NET Pro only do not need help to write secure code? Or will these tools be available for download and the integration is left for TS users only?

  3. Thiago Oliveira says:

    Is there some version of the App Verifier that can be run over a .NET assembly?

  4. S. Somasegar says:

    Hi Thiago,

    Currently the App Verifier only runs on unmanaged (native) code. We will be looking at a future version of App Verifier and what it would take to run that on a .NET assembly.

    – Somasegar

  5. S. Somasegar says:

    Hi Bjoern,

    As part of the platform SDK, we do provide a lot of the security specific tools so that developers who use VS Pro can use these tools.

    Things like FxCop (including all the security specific rules) can be obtained from the SDK. Also, the /GS switch is something you can use with the C++ compiler that you get from all versions of Visual Studio 2005.

    – Somasegar

  6. Thiago – you could probably use FxCop to get similar functionality to what AppVerifier provides

  7. BHARIM says:

    how to c++, or all vs
