Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
9 contributors

Users who have contributed to this file

@v-zhgup @ganesh-msft @Akreddy123 @RiniChandra @ShrutiBhambhani @sapsh-msft @Khushboo-msft @v-nitja @GuruCharan94
592 lines (468 sloc) 35.4 KB

NOTE: This article has been updated to use the new Azure PowerShell Az module. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module.

Secure Development

Secure_Development

Contents

Security Verification Tests (SVT)

Express Route-connected Virtual Networks (ER-vNet)

Security IntelliSense (Dev-SecIntel)

Basics

Rules

Actions


Security Verification Tests (SVT)

Prerequisites: For all commands in this feature it is assumed that you have:

  1. Logged in to your Azure account using Connect-AzAccount from a PowerShell ISE.
  2. Selected a subscription using Set-AzContext.

Overview

Security Verifications Tests (or SVTs) represent the core of security testing functionality of the AzSK. For all the prominent features in Azure (e.g., Web Apps, Storage, SQL DB, Key Vault, etc.), the AzSK can perform automated security checks against Azure resources of those types. These checks are based on security standards and best practices as applicable for sensitive corporate data at Microsoft. In general, these are likely to be applicable for most scenarios that involve processing sensitive data in other environments.

An SVT for a particular resource type basically examines a resource of that type within a specified resource group and runs a set of security control checks pertinent to that resource type. The outcome of the analysis is printed on the console during SVT execution and a CSV and a LOG file are also generated for subsequent use.

The CSV file and LOG file are generated under a subscription-specific sub-folder in the folder
%LOCALAPPDATA%\Microsoft\AzSKLogs\Sub_[yourSubscriptionName]
E.g.
C:\Users\UserName\AppData\Local\Microsoft\AzSKLogs\Sub_[yourSubscriptionName]\20170331_142819

There are multiple ways that SVTs can be executed:

  1. Scan all resources in a subscription. This is the simplest approach and simply enumerates all resources in a specific subscription and runs security checks against all the known resource types found.
  2. Scan all resources in specific resource group(s). In this option, you can target resources within one or more resource group. The AzSK simply enumerates all resources in the resource group(s) and runs security checks..
  3. Scan a specific resource. In this approach, you can target a specific (individual) resource.
  4. Scan a specific resource type. In this approach, you can target a specific resource type (e.g., Storage) by specifying the 'resource type' value.

These options are described with examples below.

Back to top…

Execute SVTs for all controls of all resources in a given subscription

The cmdlet below checks security control state and generates a status report of all Azure resources in a given subscription:

Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId>

The parameters required are:

  • SubscriptionId – Subscription ID is the identifier of your Azure subscription.

Note Although this command is simple, it may take time proportionate to the number of resources in your subscription and may not be ideal for 'shared' subscriptions. Typically, you would want to scan a specific application (organized under one or more resource groups or using tags). The subsequent options provide ability to narrow down the scope of the scan.

Back to top…

Execute SVTs for specific resource groups (or tagged resources)

The cmdlet below scans all Azure resources in the specified resource groups within a subscription and generates a status report:

Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId> -ResourceGroupNames <ResourceGroupNames>

The parameters required are:

  • SubscriptionId – Subscription ID is the identifier of your Azure subscription.
  • ResourceGroupNames – Comma separated list of resource groups that hold related resources for an Azure subscription.

The cmdlet below scans all resources with specific tag names/values under a given subscription:

  1. Single Tag
    Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId> -TagName <TagName> -TagValue <TagValue>
  1. Multiple Tags
    Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId> -Tag <TagHashset>

The parameters required are:

  • SubscriptionId – Subscription ID is the identifier of your Azure subscription.
  • TagName – Key to identify the resources.
  • TagValue – Value to identify the resources.
  • Tag – The tag filter for Azure resource. The expected format is @{tagName1=$null} or @{tagName = 'tagValue'; tagName2='value1'}.

Back to top…

Execute SVTs for a specific resource

The cmdlet below scans a single Azure resource within a specific resource group in a subscription and generates a status report:

Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId> -ResourceGroupNames <ResourceGroupNames> -ResourceName <ResourceName>

The parameters required are:

  • SubscriptionId – Subscription ID is the identifier of your Azure subscription.
  • ResourceGroupNames – Name of the resource group that holds the individual resource to be scanned.
  • ResourceName – Name of the resource.

Note: In the command above, 'ResourceName' should be the short name as used in Azure and shown in the portal (as opposed to the fully qualified domain name (FQDN) which may apply to some resource types such as storage blobs or SQL DB).

Back to top…

Execute SVTs for a specific resource type

The cmdlet below scans all resources for a specific Azure resource type in a subscription (and a resource group [optional]):

  1. Using Azure resource type
 Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId> [-ResourceGroupNames <ResourceGroupNames>] -ResourceType <ResourceType>

The parameters required are:

  • SubscriptionId – Subscription ID is the identifier of your Azure subscription.
  • [Optional] ResourceGroupNames – Name of the container that holds related resource under an Azure subscription. Comma separated values are allowed.
  • ResourceType – Resource type as defined by Azure. E.g.: Microsoft.KeyVault/vaults. Run command 'Get-AzSKSupportedResourceTypes' to get the list of supported types.
  1. Using a user-friendly resource type name
 Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId> [-ResourceGroupNames <ResourceGroupNames>] -ResourceTypeName <ResourceTypeName>

The parameters required are:

  • SubscriptionId – Subscription ID is the identifier of your Azure subscription.
  • [Optional] ResourceGroupNames – Name of the container that holds related resource under an Azure subscription. Comma separated values are allowed.
  • ResourceTypeName – Friendly name of resource type. E.g.: KeyVault. Run command 'Get-AzSKSupportedResourceTypes' to get the list of supported values.

Back to top…

Execute SVTs for specific control severity

 Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId> -Severity "High, Medium"

The above command execution will result in scanning of 'High' and 'Medium' controls for Azure resources in your subscription

Note: If you have mapped the AzSK control severity in your custom org policy settings (refer: Control severity mapping for your org to know about mapping), then the final severities mapped should be passed as parameter values to -Severity parameter.

Back to top…

Execute SVTs in Baseline mode

In 'baseline mode' a centrally defined 'control baseline' is used as the target control set for scanning. The cmdlet below scans azure resources in a subscription in Baseline mode and generates a status report:

Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId> -UseBaselineControls

Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId> -UsePreviewBaselineControls

Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId> -UseBaselineControls -UsePreviewBaselineControls

The parameters required are:

  • SubscriptionId – Subscription ID is the identifier of your Azure subscription.
  • UseBaselineControls – UseBaselineControls is the flag used to enable scanning of resources in Baseline mode.
  • UsePreviewBaselineControls – UsePreviewBaselineControls is the flag used to enable scanning of resources in Preview Baseline mode.

Back to top…

Execute SVTs using "-UsePartialCommits" switch

The Get-AzSKAzureServicesSecurityStatus command now supports checkpointing via a "-UsePartialCommits" switch. When this switch is used, the command periodically persists scan progress to disk. That way, if the scan is interrupted or an error occurs, a future retry can resume from the last saved state. This capability also helps in Continuous Assurance scans where Azure currently suspends 'long running' automation jobs by default.The cmdlet below checks security control state via a "-UsePartialCommits" switch:

Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId> -UsePartialCommits

Back to top…

Execute SVTs excluding some resource groups

The Get-AzSKAzureServicesSecurityStatus command now supports a switch 'ExcludeResourceGroupNames' to exclude some of the resource groups from getting scanned. The cmdlet below will not scan the resource groups 'azsktestRg' and 'azsktestRg1'.

Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId> -ExcludeResourceGroupNames "azsktestRg,azsktestRg2"

Back to top…

Execute SVTs excluding some resources

The Get-AzSKAzureServicesSecurityStatus command now supports a switch 'ExcludeResourceNames' to exclude some of the resources from getting scanned. The cmdlet below will not scan the resource groups 'azsktestApp' and 'azsktestApp2'.

Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId> -ExcludeResourceNames "azsktestApp,azsktestApp2"

Back to top…

Execute SVTs excluding a resource type

The Get-AzSKAzureServicesSecurityStatus command now supports a switch 'ExcludeResourceTypeName' to exclude resources of a particular type supported by AzSK from getting scanned. The cmdlet below will not scan any Databricks resources.

Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId> -ExcludeResourceTypeName Databricks

Note: Currently there is provision to exclude only one type of resources using switch '-ExcludeResourceTypeName'. To exclude multiple types of resources from getting scanned the switch'-ExcludeTags' can be used passing the user friendly name for the resource type as specified here. The cmdlet below will exclude all resources belonging to the type 'AppServices' or 'Databricks' from getting scanned.

Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId> -ExcludeResourceTypeName Databricks -ExcludeTags 'AppService'

Back to top…

Execute SVTs excluding some controls from scan

The Get-AzSKAzureServicesSecurityStatus command now supports a switch 'ExcludeControlIds' to exclude AzSK security controls from getting scanned. The cmdlet below will not scan 'Azure_Storage_DP_Rotate_Keys' control for any Storage type resource.

Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId> -ExcludeControlIds 'Azure_Storage_DP_Rotate_Keys'

The cmdlet below will not scan 'Azure_Storage_DP_Rotate_Keys' and 'Azure_Storage_AuthZ_Allow_Limited_Access_to_Services' control for any Storage type resource.

Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId> -ExcludeControlIds "Azure_Storage_DP_Rotate_Keys, Azure_Storage_AuthZ_Allow_Limited_Access_to_Services"

Back to top…

Generate FixScripts for controls that support AutoFix while executing SVTs

The command below will not only scan the controls for all the resources in the subscription but also produce scripts to fix the controls that support AutoFix. To know if a control supports AutoFix or not, look at the value for the corresponding control under the column SupportsAutoFix in the SecurityReport.

Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId> -GenerateFixScript"

Note that this switch can be used with any variant of the Get-AzSKAzureServicesSecurityStatus command. You can read more about FixScripts here.

Back to top…

Prevent the output folder from opening automatically at the end of SVTs

When you run an AzSK scan, the output folder containing all the necessary components opens up automatically for you at the end of the scan. If you wish to prevent this, you just need to add the flag -DoNotOpenOutputFolder to any variant of the Get-AzSKAzureServicesSecurityStatus command, as shown in the example below.

Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId> -DoNotOpenOutputFolder"

Back to top…

Understand the scan reports

Each AzSK cmdlet writes output to a folder whose location is determined as below:

  • AzSK-Root-Output-Folder = %LocalAppData%\Microsoft\AzSKLogs
     E.g., "C:\Users\userName\AppData\Local\Microsoft\AzSKLogs"
    
  • Sub-Folder = Sub_<Subscription Name>\<Timestamp>_<CommandAbbreviation>
     E.g., "Sub_[yourSubscriptionName]\20170321_183800_GSS"  
    

Thus, the full path to an output folder might look like:

E.g., "C:\Users\userName\AppData\Local\Microsoft\AzSKLogs\Sub_[yourSubscriptionName]\20170321_183800_GSS\

Note: By default, cmdlets open this folder upon completion of the cmdlet (we assume you'd be interested in examining the control evaluation status, etc.)

The contents of the output folder are organized as under:
02_Output_Log_Folder

  • \SecurityReport-<timestamp>.csv- This is the summary CSV file listing all applicable controls and their evaluation status. This file will be generated only for SVT cmdlets like Get-AzSKAzureServicesSecurityStatus, Get-AzSKSubscriptionSecurityStatus etc.
  • \<Resource_Group_or_Subscription_Name> - This corresponds to the resource-group or subscription that was evaluated
    • \<resourceType>.log- This is the detailed/raw output log of controls evaluated
  • \Etc
    • \PowerShellOutput.log - This is the raw PS console output captured in a file.
    • \EnvironmentDetails.log - This is the log file containing environment data of current PowerShell session.
    • \SecurityEvaluationData.json - This is the detailed security data for each control that was evaluated. This file will be generated only for SVT cmdlets like Get-AzSKAzureServicesSecurityStatus, Get-AzSKSubscriptionSecurityStatus etc. 02_Etc_Folder_Structure
  • \FixControlScripts - This folder contains scripts to fix the failed controls. The folder is generated only when 'GenerateFixScript' switch is passed and one or more failed controls support automated fixing.
    • \README.txt - This is the help file which describes about the 'FixControlScripts' folder.

You can use these outputs as follows -

  1. The SecurityReport.CSV file provides a quick glimpse of the control results. Investigate those that say 'Verify' or 'Failed'.
  2. For 'Failed' or 'Verify' controls, look in the .LOG file (search for 'failed' or by control-id). Understand what caused the control to fail.
  3. For 'Verify' controls, you will also find the SecurityEvaluationData.JSON file handy.
  4. For some controls, you can also use the 'Recommendation' field in the control output to get the PS command you may need to use.
  5. Make any changes to the subscription/resource configurations based on steps 2, 3 and 4.
  6. Rerun the cmdlet and verify that the controls you tried to fix are passing now.

Back to top…

Generate output report in PDF format

The Get-AzSKAzureServicesSecurityStatus command now supports generating output report in PDF format using "-GeneratePDF" parameter. You can use this parameter to generate output logs in PDF format. You can use this parameter to generate report either in 'portrait'or 'landscape mode'.The cmdlet below can be used to generate PDF report:

Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId> -GeneratePDF <PdfOrientation>

The parameters required are:

  • SubscriptionId – Subscription ID is the identifier of your Azure subscription.
  • GeneratePDF - This accepts either 'None', 'Portrait' or 'Landscape' as inputs.

If you execute SVTs using above command, a new PDF file with name 'SecurityReport' will get generated in the root output logs folder.

The PDF report consists of following sections:

  • Basic Details - It consists of basic details like subscription id, name, AzSK Version, Date of generation, user, command executed etc.
  • Security Report Summary -It displays the security status of all the controls Ids which gets scanned.
  • Powershell Output -It displays the raw PS console output captured during execution of SVTs.
  • Detailed Output -It displays the detailed/raw output log of controls evaluated.

Back to top…

FAQs

What Azure resource types that can be checked?

Below resource types can be checked for validating the security controls in SVT(GRS, GSS and CICD SVT task). please refer this for supported resource types in ARMChecker)

Resource Name Resource Type Name Resource Type
Analysis Services AnalysisService Microsoft.AnalysisServices/servers
API Connection APIConnection Microsoft.Web/connections
API Management APIManagement Microsoft.ApiManagement/service
App Services AppService Microsoft.Web/sites
Automation Account Automation Microsoft.Automation/automationAccounts
Batch accounts Batch Microsoft.Batch/batchAccounts
CDN profiles CDN Microsoft.Cdn/profiles
Cloud Services CloudService Microsoft.ClassicCompute/domainNames
Container Instances ContainerInstances Microsoft.ContainerInstance/containerGroups
Container Registry ContainerRegistry Microsoft.ContainerRegistry/registries
Cosmos DB Cosmos DB Microsoft.DocumentDb/databaseAccounts
Data Factories DataFactory Microsoft.DataFactory/dataFactories
Data Lake Analytics DataLakeAnalytics Microsoft.DataLakeAnalytics/accounts
Data Lake Store DataLakeStore Microsoft.DataLakeStore/accounts
Express Route-connected Virtual Networks ERvNet Microsoft.Network/virtualNetworks
Event Hubs EventHub Microsoft.Eventhub/namespaces
Key Vaults KeyVault Microsoft.KeyVault/vaults
Kubernetes Service KubernetesService Microsoft.ContainerService/ManagedClusters
Load Balancer LoadBalancer Microsoft.Network/loadBalancers
Logic Apps LogicApps Microsoft.Logic/Workflows
Notification Hubs NotificationHub Microsoft.NotificationHubs/namespaces/notificationHubs
On-premises Data Gateways ODG Microsoft.Web/connectionGateways
Redis Caches RedisCache Microsoft.Cache/Redis
Search services Search Microsoft.Search/searchServices
Service Bus ServiceBus Microsoft.ServiceBus/namespaces
Service Fabric clusters ServiceFabric Microsoft.ServiceFabric/clusters
SQL Databases SQLDatabase Microsoft.Sql/servers
Storage Accounts StorageAccount Microsoft.Storage/storageAccounts
Stream Analytics StreamAnalytics Microsoft.StreamAnalytics/streamingjobs
Traffic Manager profiles TrafficManager Microsoft.Network/trafficmanagerprofiles
Virtual Machines VirtualMachine Microsoft.Compute/virtualMachines
Virtual Networks VirtualNetwork Microsoft.Network/virtualNetworks

This list continues to grow so best way to confirm is to look at the output of the following command:

Get-AzSKSupportedResourceTypes  

We regularly add SVT coverage for more Azure features. Please write to us (mailto:AzSDKSupExt@microsoft.com) if you are looking for SVTs for a service not listed here.

What do the different columns in the status report mean?

Status report will be in CSV format and will contain below columns

  • ControlID - Unique ID for security control.
  • Status – { Passed | Failed | Verify | Manual | Error}
    • Passed: The resource complies with the security control.
    • Failed: The resource does not comply with the security control.
    • Verify: The status needs to be verified using the data generated by the automated script. This is usually an indication that some level of human judgment is required in order to attest to the control status.
    • Manual: The control is not automated (yet). It should be manually implemented and/or validated.
    • Error: An error occurred due to which the control state could not be determined.
  • FeatureName - Azure feature name e.g. AzureAppService, AzureSQLDB etc.
  • ResourceName - Azure resource name.
  • ChildResourceName - Sub resource name of the Azure resource. E.g. for SQL Server, controls validating the databases will have the resource name as ‘SQLServerName’ and child resource name as 'SQLDBName' whereas features having no sub resources will have same value for resource name and child resource name.
  • ResourceGroupName - Resource group name for resource name.
  • ControlType - Control type can be ‘TCP’, ‘Best Practice’ or ‘Information’.
  • Automated - Yes or No
    Note that not all security checks are automatable. The 'non-automated' checks (things that have to be manually validated/checked) are also listed in the reports from a completeness standpoint.
  • Description - Security control description.
  • Reference - Link to detailed document/explanation.
  • Recommendation - Recommended steps to implement a fix for a failed control.

How can I find out what to do for controls that are marked as 'manual'?

Refer the recommendations provided in the output CSV file for the security controls defined by AzSK. You can also email to AzSKSup@microsoft.com or reach out to your security point of contact for any queries.

How can I implement fixes for the failed ones which have no auto-fix available?

Refer the recommendations provided in the output CSV file for the security controls defined by AzSK. You can also email to AzSKSup@microsoft.com or reach out to your security point of contact for any queries.

Troubleshooting

Error Comments
Subscription xxxx was not found in tenant. Please verify that the subscription exists in this tenant…." Provide the valid Subscription Id to the 'Subscription' parameter while running the cmdlets that accept subscription id as the parameter.
File xxxx cannot be loaded because the execution of scripts is disabled on this system… " By default, PowerShell restricts execution of all scripts. Execute below cmdlet to fix this issue: Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Back to top…


Express Route-connected Virtual Networks (ER-vNet)

Summary
The following cmdlet can be used to scan the secure configuration of an ExpressRoute-connected virtual network (referred to as ERVnet below):

 Get-AzSKExpressRouteNetworkSecurityStatus -SubscriptionId <SubscriptionId>

This cmdlet assumes that the vNet connected to ExpressRoute circuit is in a ResourceGroup named 'ERNetwork' or 'ERNetwork-DMZ'. If you have the vNet in a different resource group then the -ResourceGroup parameter can be used.

Just like other SVTs, this will create a summary ".CSV" file of the control evaluation and a detailed ".LOG" file that includes more information about each control and the outcome.

The following core checks are currently performed by this utility:

  • There should not be any Public IPs (i.e., NICs with PublicIP) on ER-vNet VMs.
  • There should not be multiple NICs on ER-vNet VMs.
  • The 'EnableIPForwarding' flag cannot set to true for NICs in the ER-vNet.
  • There should not be any NSGs on the GatewaySubnet of the ER-vNet.
  • There should not be a UDR on any subnet in an ER-vNet
  • There should not be another virtual network gateway (GatewayType = Vpn) in an ER-vNet.
  • There should not be any virtual network peerings on an ER-vNet.
  • Only internal load balancers (ILBs) may be used inside an ER-vNet.

Additionally the following other 'protective' checks are also done:

  • Ensuring that the resource lock that is setup to keep these resources from being deleted is intact.
  • Ensuring that the RBAC permissions for the account used to track compliance are intact.
  • Setting up alerts to fire for any of the above actions in the subscription.

Back to top…

Security IntelliSense (Dev-SecIntel)


Note: Security IntelliSense extension works on Visual Studio 2015 Update 3 or later, Visual Studio 2017 and Visual Studio 2019.

Basics:

What is Security IntelliSense?

Security IntelliSense augments standard Visual Studio IntelliSense feature with secure coding knowledge. This makes it possible to get 'inline' assistance for fixing potential security issues while writing code. Code that is vulnerable or not policy compliant is flagged with red or green squiggles based on the level of severity.

In the current drop, we have support for the following features:

  • About 80 rules that cover a variety of scenarios such as:
    • various Azure PaaS API related secure coding rules
    • ADAL-based authentication best practices
    • Common Crypto errors
    • Classic App Sec and Web App Sec issues
  • Rule are auto-updated without needing to reinstall the plug-in. The plug-in periodically checks if new rules have been published to a central rule store and updates its local rule set based on that.

The screenshots below show the core functionality at work:

  • Error and warning indications for incorrect and possibly vulnerable code: (E.g., use of custom token cache in ADAL scenario)

SecIntel_Ex_1

  • Suggestions for corrections/compliant coding practices: (E.g., Instead of Random, the RNGCryptoServiceProvider class should be used in a crypto context.)
    02_SecIntel_Ex_2

Back to top…

How do I enable Security IntelliSense on my dev box?

  • For Visual Studio 2015/2017

    • Open Visual Studio

    • Go to Tools -> Extensions and Updates -> In the left sidebar select Online -> Visual Studio Gallery and search for Security IntelliSense in the right sidebar

  • For Visual Studio 2019

    • Open Visual Studio.

      (Note: If you are using a Preview release of VS2019 then you would need to start Visual Studio in admin mode.)

    • Go to Extensions -> Manage Extensions -> In the left sidebar select Online -> Visual Studio Marketplace and search for Security IntelliSense in the right sidebar

02_SecIntel_VSGallery_Download

  • Select Security IntelliSense item and click Download or Install
  • After download completes, close the Visual Studio
  • It will open VSIX Installer, click on Modify.
  • After installation completes, Start Visual Studio

Back to top…

Is there a sample I can use to see how it works?

  • We have a sample project on GitHub that you can use. Run the command below to clone the repo. If you don't have Git setup in your machine, please visit https://git-scm.com/downloads to download it.
    git clone https://github.com/azsk/azsk-secintel-samples.git
  • After cloning the repo, navigate to azsk-secintel-samples -> SecIntelSample and open the SecIntelSample.sln in Visual Studio (after completing the Security IntelliSense extension installation per steps from above).

  • Build the solution (this will fetch any requisite Nuget packages)

  • Go to View->Solution Explorer and then open one of demo files (e.g., "CryptoSample.cs") in the VS editor.

    • You should see SecIntel in action -- i.e., code that is in violation of the rules in use for the SecIntel VSIX plugin will appear as red-squigglies (errors) and green-squigglies (warnings).
      02_SecIntel_Suggestion
  • Note: In the currently implemented behavior of the extension, 'errors' don’t actually fail the build. We will change this behavior in an upcoming sprint. After that anything that is considered an 'error' will start failing the build. This will be a useful feature when integrating with CICD pipelines.

Back to top…

Rules:

What 'secure coding' rules are currently covered?

The following are some of the rules we support in current build (some are 'warnings' others 'error') -

  • Azure:
    • Use of relays without client authentication
    • Creation of shared access policy without enforcing HTTPS explicitly
    • Creation of shared access policy with an overly long expiry period -Creation of container with access set to 'Public'
    • Creation of a blob with access set to 'Public'
  • ADAL/Graph usage:
    • Use of simple member access as opposed to transitive search
    • Explicit handling of access and refresh tokens as opposed to letting ADAL manage them transparently
    • Disabling 'Authority' validation when fetching a token via ADAL
    • Use of custom mechanisms to cache the tokens (should let ADAL handle them transparently)
  • Crypto:
    • Use of Random instead of RNGCryptoServiceProvider class
    • Use of MD5 for hashing instead of SHA256CryptoServiceProvider
    • Use of SHA1 for hashing instead of SHA256CryptoServiceProvider
    • Use of RijndaelManaged instead of AesCryptoServiceProvider
    • Use of key sizes that are considered inadequate
    • Use of X509Certificate2 class (that might lead to a SHA1 based HMAC as opposed to a SHA256-based one).

For a complete list of Security IntelliSense rules please go here

Back to top…

How are the rules updated? Do I need to refresh the plugin periodically?

  • Rule are auto-updated without the need to reinstall the plugin. Currently we have defined 5 different rule templates upon which individual rules are based. We have the ability to deploy new rules that use the existing templates silently in the background.
  • Once in a while we might add entirely new 'rule templates'. When that happens, a new version of the extension will need to be downloaded. When that happens will include a notification of the same in our release announcements.

Back to top…

Can I add my own rules over and above the default set?

  • This will be included in the next month. It is a natural extension of the current behavior. We will merely need to include support for a locally managed rules file which has rules that adhere to the supported rule templates.

Back to top…

Can I 'mask' a particular rule or rules?

  • This is in our backlog. We will add it in a future sprint.

Back to top…

Can I change the 'recommended' code for a rule? (e.g., I want to recommend GCM instead of CBC mode)

  • This is in our backlog. We will add it in a future sprint.

Back to top…

Actions:

What should I do to remove the extension?

  • Go to "Tools" -> "Extensions and Updates" menu option in Visual Studio and search for "Security".
    • If you have the extension installed, you will see a screen such as below with options to "Disable" or "Uninstall" the extension.
  • Click "Uninstall" and restart Visual Studio. 02_SecIntel_VSGallery

Back to top…

What default compiler actions are configured?

  • Most of the rules configured are of severity "Warning"

Back to top…

Can I customize actions for my dev box / team? (E.g. change Error -> Warnings etc.)

  • Currently we do not support it. We have it in our pipeline to support it.

Back to top…

You can’t perform that action at this time.