November 14, 2016

With security, we need all the help we can get. Today we've got two Visual Studio extensions that should be in your security toolbox.

First, we have the one and only Mads Kristensen with a great extension that will help you find dependent npm/bower packages that have known security issues.

Package Security Alerts

Identifies npm and Bower packages that contain known security vulnerabilities, to ensure your project is always using the most secure package versions.

Makes sure the npm and Bower packages used don't contain any known security vulnerabilities.

See the change log for changes and road map.

Features

- Shows warnings for packages known to have security issues
- Works with both Bower and npm
- Integrates with JSON editor
- Based on retire.js

Security risk levels

There are 3 types of security risk levels:

- Low
- Medium
- High

When you open package.json or bower.json, icons representing the security risk are shown next to the packages.

… [Click through to download it and to get the source]

Next we have a cool usage of the power behind Roslyn, using it to help you identify possible security issues in your code.

.NET Security Guard

Security Guard is a set of Roslyn analyzers that aim to help with security audits of .NET applications.

Features

19 bug patterns
It can detect 19 vulnerability patterns with 38 different signatures.

Integration
The Roslyn analyzers can be run from Visual Studio.

Continuous integration
It can be integrated into any continuous integration system that supports MSBuild.

Open for contributions
The project is open-source and is open for contributions.

Visual Studio integration
Scan your application for potential vulnerabilities directly from your IDE.

…

Here's a peek at a few of the .NET Security Rules…

Rules

Hardcoded password
The password configuration to this API appears to be hardcoded.
It is suggested to externalize configuration such as passwords to avoid leakage of secret information.

Potential SQL injection
The dynamic value passed in the SQL query should be validated.

Weak cipher mode
The ciphertext produced is susceptible to alteration by an adversary. This means that the cipher provides no way to detect that the data has been tampered with. If the ciphertext can be controlled by an attacker, it could be altered without detection. The use of AES in CBC mode with an HMAC is recommended, guaranteeing integrity and confidentiality.

ECB mode is weak
ECB mode will produce the same result for identical blocks (i.e. 16 bytes for AES). An attacker may be able to guess the encrypted message. The use of AES in CBC mode with an HMAC is recommended, guaranteeing integrity and confidentiality.

CBC mode is weak
This specific mode of CBC with PKCS5Padding is susceptible to padding oracle attacks. An adversary could potentially decrypt the message if the system exposes the difference between plaintext with invalid padding and valid padding.

Weak cipher algorithm
DES is not considered a strong cipher for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES.

Certificate Validation has been disabled
Certificate Validation has been disabled. The communication could be intercepted.

… [See the rest]

Both are free and both are open source!

Follow @CH9, @coding4fun, @gduncan411
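To make the rules above concrete, here is an added example (written for this page, not code from the original post or from the Security Guard project) showing, for several of the listed rules, the pattern the analyzer objects to and the form it recommends, in plain C#. The connection-string builder, the `DB_PASSWORD` variable, the `Users` table and the `EncryptThenMac`/`VerifyThenDecrypt` helpers are illustrative names; it assumes the .NET Framework `System.Data.SqlClient` namespace (a NuGet package on .NET Core) and the `System.Security.Cryptography` AES and HMAC classes.

```csharp
// Added example, not part of the original post or of Security Guard.
// Each flagged pattern is shown in a comment next to the replacement the rule text recommends.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

static class SecurityGuardExamples
{
    // Hardcoded password: a literal password inside the connection string is what the rule flags.
    //   const string Conn = "Server=db;Database=app;User Id=app;Password=hunter2;";
    // Externalized instead (DB_PASSWORD is an assumed environment variable name):
    static string ConnectionString() =>
        "Server=db;Database=app;User Id=app;Password=" +
        Environment.GetEnvironmentVariable("DB_PASSWORD") + ";";

    // Potential SQL injection: concatenating the dynamic value into the query text.
    //   new SqlCommand("SELECT Id, Name FROM Users WHERE Name = '" + name + "'", conn);
    // Parameterized instead; the value never becomes part of the SQL text:
    static SqlCommand LookupUser(SqlConnection conn, string name)
    {
        var cmd = new SqlCommand("SELECT Id, Name FROM Users WHERE Name = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 256).Value = name;
        return cmd;
    }

    // Weak cipher mode / ECB mode is weak / CBC mode is weak / Weak cipher algorithm:
    //   aes.Mode = CipherMode.ECB;            // identical plaintext blocks -> identical ciphertext
    //   aes.Mode = CipherMode.CBC; (no MAC)   // malleable; padding errors become a padding oracle
    //   DES.Create()                           // 56-bit key, 64-bit block
    // What the rule text recommends: AES-CBC plus an HMAC over IV || ciphertext (encrypt-then-MAC).
    public static byte[] EncryptThenMac(byte[] encKey, byte[] macKey, byte[] plaintext)
    {
        using (var aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.Key = encKey;
            aes.GenerateIV();                          // fresh random IV for every message
            byte[] iv = aes.IV, ct;
            using (var enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

            byte[] body = new byte[iv.Length + ct.Length];
            Buffer.BlockCopy(iv, 0, body, 0, iv.Length);
            Buffer.BlockCopy(ct, 0, body, iv.Length, ct.Length);
            using (var hmac = new HMACSHA256(macKey))  // separate key from the encryption key
            {
                byte[] tag = hmac.ComputeHash(body);
                byte[] output = new byte[body.Length + tag.Length];
                Buffer.BlockCopy(body, 0, output, 0, body.Length);
                Buffer.BlockCopy(tag, 0, output, body.Length, tag.Length);
                return output;                         // IV || ciphertext || tag
            }
        }
    }

    public static byte[] VerifyThenDecrypt(byte[] encKey, byte[] macKey, byte[] message)
    {
        const int IvLen = 16, TagLen = 32;
        if (message.Length < IvLen + TagLen) throw new CryptographicException("message too short");
        int bodyLen = message.Length - TagLen;
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey))
            expected = hmac.ComputeHash(message, 0, bodyLen);

        // Verify the tag before the padding is ever examined, in constant time,
        // so an attacker cannot distinguish "bad padding" from "good padding".
        int diff = 0;
        for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ message[bodyLen + i];
        if (diff != 0) throw new CryptographicException("MAC mismatch");

        using (var aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.Key = encKey;
            byte[] iv = new byte[IvLen];
            Buffer.BlockCopy(message, 0, iv, 0, IvLen);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(message, IvLen, bodyLen - IvLen);
        }
    }

    // Certificate Validation has been disabled: a callback that accepts everything.
    //   ServicePointManager.ServerCertificateValidationCallback = (s, cert, chain, errors) => true;
    // The fix is to delete that line and keep the default chain validation (trust or pin the
    // specific root through the OS certificate store if a private CA is in play).

    static void Main()
    {
        byte[] encKey = new byte[16], macKey = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(encKey); rng.GetBytes(macKey); }

        byte[] msg = EncryptThenMac(encKey, macKey, Encoding.UTF8.GetBytes("attack at dawn"));
        Console.WriteLine(Encoding.UTF8.GetString(VerifyThenDecrypt(encKey, macKey, msg)));

        msg[20] ^= 0x01;   // flip one ciphertext bit: rejected by the MAC, never reaches the padding check
        try { VerifyThenDecrypt(encKey, macKey, msg); }
        catch (CryptographicException e) { Console.WriteLine(e.Message); }
    }
}
```

Two things worth knowing when you run the analyzer over code like this. A rule that matches on `CipherMode.CBC` alone cannot see the HMAC that follows, so the "CBC mode is weak" finding may still appear on the hardened version and has to be justified in review rather than silenced by a code change. And on current .NET, `AesGcm` gives the same confidentiality-plus-integrity guarantee as a single primitive; the CBC-plus-HMAC construction above is the one the 2016 rule text names and works on every framework version.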
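Going back to the first extension: the check it performs on package.json is version-range matching against a vulnerability repository, and the following added example (written for this page, not the extension's own code, which is on GitHub) shows that logic in C#, the language Visual Studio extensions are written in. The advisory table is constructed here for illustration, laid out like a retire.js repository entry (an `atOrAbove` inclusive lower bound, a `below` exclusive upper bound and a severity); the package names `example-lib` and `other-lib`, their versions and the vulnerability summaries are all made up.

```csharp
// Added example, not part of the original post or of the Package Security Alerts extension.
// Matches the dependency specs of a package.json against a constructed advisory table.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

class Advisory
{
    public string Package;
    public Version AtOrAbove;   // inclusive lower bound; null means "any earlier version"
    public Version Below;       // exclusive upper bound: the first fixed version
    public string Severity;     // low / medium / high, the three levels the extension displays
    public string Summary;
}

static class PackageChecker
{
    // Constructed advisories (illustrative, not real vulnerability data).
    static readonly Advisory[] Advisories =
    {
        new Advisory { Package = "example-lib", AtOrAbove = new Version("1.0.0"), Below = new Version("1.4.2"),
                       Severity = "high", Summary = "made-up: prototype pollution" },
        new Advisory { Package = "example-lib", AtOrAbove = new Version("2.0.0"), Below = new Version("2.1.0"),
                       Severity = "low", Summary = "made-up: regular expression denial of service" },
    };

    // package.json specs are ranges ("^1.2.3", "~1.2.3", ">=1.0.0 <2.0.0"), not versions.
    // This takes the lowest x.y.z the spec mentions, which is what a caret or tilde range
    // admits at minimum. The installed version (package-lock.json / node_modules) is the
    // authoritative thing to check; a range can resolve to a patched release.
    static Version ParseSpec(string spec)
    {
        var m = Regex.Match(spec, @"(\d+)\.(\d+)\.(\d+)");
        if (!m.Success) return null;   // "latest", "*", git URLs: nothing to compare, so skip
        return new Version(int.Parse(m.Groups[1].Value), int.Parse(m.Groups[2].Value), int.Parse(m.Groups[3].Value));
    }

    public static List<string> Check(IDictionary<string, string> dependencies)
    {
        var findings = new List<string>();
        foreach (var dep in dependencies)
        {
            Version v = ParseSpec(dep.Value);
            if (v == null) continue;
            foreach (var a in Advisories)
            {
                if (a.Package != dep.Key) continue;
                bool inRange = (a.AtOrAbove == null || v >= a.AtOrAbove) && v < a.Below;
                if (inRange)
                    findings.Add($"{a.Severity.ToUpper()}: {dep.Key}@{v} (spec \"{dep.Value}\") - {a.Summary}; upgrade to >= {a.Below}");
            }
        }
        return findings;
    }

    static void Main()
    {
        // Constructed stand-in for the "dependencies" object of a package.json.
        var deps = new Dictionary<string, string>
        {
            ["example-lib"] = "^1.3.0",   // flagged: 1.3.0 lies in [1.0.0, 1.4.2)
            ["other-lib"]   = "~3.2.1",   // no advisory for this package
        };
        foreach (var finding in Check(deps)) Console.WriteLine(finding);
    }
}
```

The caveat this makes visible is the one to keep in mind with any package.json-level alert: `^1.3.0` is flagged because the range admits 1.3.0, but `npm install` may well have resolved it to 1.4.2, so treat the IDE icon as a prompt to look at the lock file rather than as proof that the vulnerable code is shipped. The reverse also holds: a spec that looks clean can be pinned by a lock file to something older. Coverage is also only as good as the repository behind the tool; retire.js tracks JavaScript libraries, so a package it has never catalogued shows no icon at all.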