Licence CPOL
First Posted 25 Oct 2008

SECURITY: Building Secured Applications using Microsoft® Visual Studio® 2005 and Microsoft® Application Security Tools

By | 14 Feb 2009 | Article
Security is essential to building powerful, well-protected applications

How Safe is the Code We Write Today?

What I mean is that we have many security exceptions, and these make it possible for hackers and virus makers to easily destroy or damage systems. To avoid this, we need to analyze our source code and make sure that the application or software is safe and that its security level is as expected. There are many kinds of security issues to consider, such as network attacks, warnings in the application source code, and problems like bugs. Sometimes the security level does not depend on the application alone, because sometimes, or most of the time, it actually depends on the level of network security. Why? Because, as I said, that is where the attacks can begin. The tools I recommend most are Microsoft® Threat Analysis & Modeling v2.1, Microsoft® Baseline Security Analyzer 2.0, Microsoft® FxCop 3.0 and the Microsoft® Visual Studio® 2005 Code Analysis tool. All .NET and Windows developers should use these tools in order to secure their applications.

FxCop

Developers have used the stand-alone FxCop tool for years to check assemblies for conformance with the .NET Framework Design Guidelines. FxCop can also work together with the Microsoft® Visual Studio® Code Analysis tool, which makes the combination very powerful.

Accessing the Code Analysis Rules in Visual Studio 2005

The Visual Studio® 2005 Code Analysis tool is driven by rules, and the developer decides which of them to apply. He selects the security rules he wants (the choices range from local security to online security) and then analyzes those areas of his source code. Once they have been analyzed, he can navigate to the "unsecured" lines and fix them. The Code Analysis rules are great to use when you are building C++ applications, that is, Win32® and COM based applications that run on both Windows® XP and Windows® 2000. The Code Analysis tool is the best tool if you want to analyze security in the source code. It reports errors and warnings that tell you which line of which source file has a security problem, and it can find problems that the human eye cannot detect by reading the source code line by line.

Visual C# is a Good Example of Safe Coding

Visual C# is one of Microsoft®'s own programming languages. Microsoft® introduced the Visual C# language in 2003, but the language had been under development since 2001. Visual C# runs in safe mode, which provides more security and stability for Windows applications.

Security Policy

The security policy is the configurable set of rules that the Common Language Runtime (CLR) follows when it decides what it will allow code to do. In other words, the configurable rules of the security policy decide how the code is allowed to run.

How to Write and Create Safer Windows Applications?

Building safer (more secure) applications with Microsoft® Visual Studio® 2005 has been great progress for me and for others. So, how do we create safer applications? Of course, we use the right tools for the job. Visual Studio® 2005 lets us "sign" the application. This means that users can see who the publisher is, and if you know who the publisher is, you should feel at ease. How does that information show up in the application? If you have provided publisher information and the certificate has been registered successfully, it appears like this: “publisher: Coder24.com”. If no certificate has been registered, it looks like this: “publisher: unknown”. So the first solution is to sign the application. A second solution is to use the Microsoft® Application Security Tools. In addition, it is great to have knowledge about application security, security vulnerabilities, viruses, hackers, ASCII and more. You may ask, why ASCII? Because of passwords: people often say that "long passwords are harder to crack". However, that is not true. Longer passwords may be easy to figure out. It is a little harder to crack a password that looks like it is five characters long but is actually 10 characters long when you look closely.

Make Your Own Code Security Analysis with Visual Studio® 2005

In this part, we are going to analyze code and set some security permissions for an application. The application we are going to create is a Visual C# Windows application, and its source code uses the Microsoft® Win32 class references, among others.

Start Microsoft® Visual Studio® 2005

Next, click File, choose New, and then choose Project. Set the name of the application to “ApplicationSecurity” and click OK. Then begin to write some code (copy the code below):

using System;
using System.Windows.Forms;
using Microsoft.Win32;

namespace ApplicationSecurity
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        private void button1_Click(object sender, EventArgs e)
        {
            // CreateSubKey opens the key for writing and creates it if it
            // does not exist. Writing under HKEY_LOCAL_MACHINE needs registry
            // permission, which is what the security settings will deny.
            using (RegistryKey key = Registry.LocalMachine.CreateSubKey(
                "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"))
            {
                // Add a string value named "Security" to the key.
                key.SetValue("Security", "C:\\Windows\\System32\\cmd.exe",
                    RegistryValueKind.String);
            }
        }
    }
}

Code-snippet 1

This is a sample of code that tries to do something the security permissions do not allow.

The code snippet above adds a new value to the Windows® registry. It works like this: the using directive brings in the Microsoft.Win32 namespace, and through it we get access to the Windows® registry. This allows us to create registry values, delete registry values, and even create custom registry subkeys.

Figure 1: The code as it looks when written in C#; it is the same code that can be copied from the code snippet above.

As we know, the security settings have not been set yet. We can test-run the application and see what happens.

Figure 2: The Windows® registry, showing the value we have added: the value name is “Security” and the value data is “C:\Windows\System32\cmd.exe”.

If we look at Figure 2, we see that the registry value has been added to the Windows® registry. Now delete the registry value, close the Windows® registry program, and return to Microsoft® Visual Studio® 2005 to follow the steps below:

  1. Now click on Project and choose ApplicationSecurity properties.
  2. Next, click on the Security tab.  

Figure 3: The application properties page. To run the test, click the Security tab, as shown in the image.

You should now see the security settings page:

Figure 4: The security settings. The combo box offers three choices: (1) Local Intranet, (2) Internet and (3) Custom settings. In this case we choose "Custom".

To calculate and analyze the security settings for your code, click the “Calculate permissions” button.

Figure 5: Visual Studio® 2005 calculating the security settings.

Microsoft® Visual Studio® analyzes the code line by line, and at the end of the code security analysis the results are determined by Visual Studio® and the application security settings. For the analysis to take effect, we need to rebuild the application and debug it once again.

Figure 6: Visual Studio® is telling us that we do not have permission to run that line of code, that is, the permission that would allow us to run the line highlighted in yellow. With the security settings activated, we get a security exception.
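
The security exception from Figure 6 can be handled in code instead of crashing the application. The following is an added example, not code from the original article: it demands the registry permission first, then writes, and reports whether the CLR security policy or Windows itself refused the operation. It assumes .NET Framework 2.0 as used in the article; `RegistryWriter`, `WriteResult` and the key `SOFTWARE\ApplicationSecurityDemo` are constructed names.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using Microsoft.Win32;

// Added example. RegistryWriter, WriteResult and the demo key name are
// hypothetical names, not part of the article's ApplicationSecurity project.
public enum WriteResult
{
    Written,
    DeniedByCodeAccessSecurity, // the CLR security policy refused the call
    DeniedByWindows             // the Windows account lacks rights on the key
}

public static class RegistryWriter
{
    // Constructed demo key under HKEY_LOCAL_MACHINE.
    private const string DemoKey = @"SOFTWARE\ApplicationSecurityDemo";

    public static WriteResult TryWrite(string name, string value)
    {
        // Step 1: ask the CLR whether this code and all of its callers were
        // granted write/create access to the key. Under the restricted zones
        // on the Security tab this demand fails with a SecurityException.
        try
        {
            new RegistryPermission(
                RegistryPermissionAccess.Write | RegistryPermissionAccess.Create,
                @"HKEY_LOCAL_MACHINE\" + DemoKey).Demand();
        }
        catch (SecurityException ex)
        {
            Console.Error.WriteLine("Blocked by security policy: " + ex.Message);
            return WriteResult.DeniedByCodeAccessSecurity;
        }

        // Step 2: the CLR allowed the call, but Windows still checks the
        // account's rights on the key (for example a non-administrator).
        try
        {
            using (RegistryKey key = Registry.LocalMachine.CreateSubKey(DemoKey))
            {
                key.SetValue(name, value, RegistryValueKind.String);
            }
            return WriteResult.Written;
        }
        catch (UnauthorizedAccessException ex)
        {
            Console.Error.WriteLine("Blocked by Windows: " + ex.Message);
            return WriteResult.DeniedByWindows;
        }
        catch (SecurityException ex)
        {
            // The demand passed, so this refusal comes from the operating system.
            Console.Error.WriteLine("Blocked by Windows: " + ex.Message);
            return WriteResult.DeniedByWindows;
        }
    }

    public static void Main()
    {
        Console.WriteLine(TryWrite("Security", "constructed demo value"));
    }
}
```

Running it once as an administrator and once as a standard user, with and without the restricted security settings, shows which of the two layers stops the write.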

Can We Make Our Applications Secured Up To 100%?

We have all heard this question, but how logical is it? We can make our applications secure, but how close to 100 percent? Suppose the application is considered safe because its source code is encrypted and cannot be decrypted. Even then, there is always a way to crack the solutions we have today. Network attacks, application security vulnerabilities and application security holes, for example, are things that need to be fixed. The solution should be to close the security holes in the application.

Can We Defend Ourselves Against Hackers and Defend our Applications Against Crackers?

This is a big security issue today. If you are online, you always need to be protected, and the same applies to application security. We need to protect and defend our applications, because otherwise crackers or hackers will infect them and write "plug-in" code. The plug-in then begins to re-program the application to do things other than what was expected. A good example is Microsoft® Office Word 2007: if Microsoft® did not provide security updates (new security patches), who knows what would happen with Microsoft® Word 2007? Nobody knows. That is why it is important to analyze applications and write clean and safe code. Another example is Microsoft® Word 2007 macros, which can be written with "VBScript". A Microsoft® Word 2007 macro can be designed as a type of virus, such as a "Word_macro@win32" virus infection, which can infect the Microsoft® Word 2007 software. Note: the name "Word_macro@win32" is something I just made up as an example. The Linux people have always said and written that when a hacker comes and begins to hack a system, the person who has been attacked should defend himself by "striking" back.

Microsoft® Baseline Security Analyzer

The Microsoft® Baseline Security Analyzer (MBSA) is the greatest freeware tool made by Microsoft® and the greatest security tool. With MBSA we can analyze the Windows® Operating System (OS), Microsoft® Visual Studio® 2005 and other Microsoft® products. For example, suppose we run an MBSA analysis and have not checked the Microsoft® update site for a month. MBSA automatically displays a report, and in that report we find that something is wrong with Microsoft® Visual Studio® 2005. When we view the report, we get information about which updates are missing and how to download them, along with direct links to some of the setup updates that can be found on the Microsoft® Download Center site.

Known and Unknown Application Publisher

As I said before, an application that is connected to a certificate, so that its publisher is known, is much more secure and much more trusted. An application with a known publisher makes the situation more comfortable than one without. For example: I make my own software, and somebody downloads it and saves the *.exe setup file on the desktop. Next, he double-clicks setup.exe and gets a prompt from Internet Explorer that shows information such as the publisher name. If the user knows the publisher name, it is much easier for the user to know which company developed and released the software, and this makes the software more trustworthy. In some Windows 2003 Server configurations, administrators may have set a configuration that requires software to be connected to a certificate and to provide the publisher name and other information about itself.

Figure 7: The publisher wizard in Visual Studio. This wizard helps you to publish the software on a website or local intranet.

We tested this by building a web page in plain HyperText Markup Language (HTML) and adding a link tag that points to applicationsecurity.exe.

Figure 8: Writing the HTML code and adding the tag that lets you link to and open a file.

Once we have built the page and saved it as *.html on the desktop, we open it with Internet Explorer 7, click the link to run applicationsecurity.exe, and see which information we get.

Figure 9: The name of the application has been found, but the publisher is still unknown.

The image shows that the publisher is unknown, so if we want to show who the publisher is, we must register a digital certificate, which makes the publisher information appear. You can test the application certificate and the online download of the application by using Internet Information Services (IIS) on Windows® Vista. The latest version, IIS 7.0, is much better than the IIS 6.0 Manager for Windows® XP.
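
The "known" versus "unknown" publisher distinction can also be checked from code. The following is an added example, not code from the original article: it reads the signing certificate embedded in an executable and checks whether that certificate is trusted for code signing. `PublisherCheck` and `DescribePublisher` are hypothetical names, and the default file name is the one used in the article's test.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example. PublisherCheck and DescribePublisher are hypothetical names.
public static class PublisherCheck
{
    // Returns the publisher name embedded in a signed file, or "unknown ...".
    public static string DescribePublisher(string path)
    {
        if (!File.Exists(path))
        {
            return "unknown (file not found)";
        }

        X509Certificate2 signer;
        try
        {
            // Reads the signing certificate stored in the file. This call
            // does not check that the signature matches the file contents.
            signer = new X509Certificate2(X509Certificate.CreateFromSignedFile(path));
        }
        catch (CryptographicException)
        {
            return "unknown (the file carries no signing certificate)";
        }

        // Check that the certificate chains to a trusted root, is within its
        // validity period, is not revoked, and is allowed to sign code.
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.3")); // code signing

        string name = signer.GetNameInfo(X509NameType.SimpleName, false);
        if (chain.Build(signer))
        {
            return name;
        }

        // Collect the reasons the chain was rejected.
        string reasons = "";
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            reasons += status.Status + " ";
        }
        return "unknown (certificate for '" + name + "' is not trusted: "
            + reasons.Trim() + ")";
    }

    public static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : "applicationsecurity.exe";
        Console.WriteLine("publisher: " + DescribePublisher(path));
    }
}
```

A trusted certificate alone does not prove the file is unmodified; the authoritative check of the signature over the file contents is the Windows `WinVerifyTrust` API, which this example does not call.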

Microsoft® Threat Analysis & Modeling v2.1

The Microsoft® Threat Analysis & Modeling tool is good to use when you want to analyze application security. It is a little hard to use the first time. You can use MSTAM 2.1 to analyze an application or to make an application security plan.

10 Things We Need to Think About When We Talk About Application Security and Analysis

  1. The first thing we should think about is application stability: we should not create applications with bugs; instead, we should create bug-free applications.
  2. The second thing we should think about is how to analyze security. Our application may appear safe once it has been created and compiled to an *.exe file (an executable application). You can analyze your application by running it as a user and not as an administrator. When you run the "app" as a user, you will find more bugs and run into more problems or exceptions.
  3. The third thing we should think about is how to write the application code. We should write smart code that provides functionality, stability and flexibility; what I mean is that the code is safe and clean.
  4. The fourth thing is to make trusted applications, by which I mean applications that are linked to a secure digital certificate. In this certificate, we provide publisher information such as name and address. Why make applications with certificates? Because applications with certificates feel much more trusted. Why? Because you know the publisher and who released the application, and if something happens, you can just contact them.
  5. The fifth thing is how much we risk if we write unsecured code. There may or may not be risks. The risk is that if hackers find a vulnerability inside our application, they will write plug-in code that allows them to carry out a software attack.
  6. The sixth thing is that if we are making a file transfer program (FTP), we should really think about security, stability and encryption of the information. Many websites use encryption, or Secure Sockets Layer (SSL), which means that the user information transferred between the server and the website (client) is encrypted.
  7. The seventh thing is to use all sorts of Microsoft® application tools. Microsoft® has the best solutions for Microsoft® Windows® application developers. Applications made with Visual Studio® 2005 are much more secure; however, stability is where we need to put our effort, because Visual Studio® 2005 does not cover the application stability part. (This means exceptions are slow and not effectively coded, or in other words hard-coded.)
  8. The eighth thing we should think about is application compatibility, which means that the application should run on many platforms without problems.
  9. The ninth thing we should think about is to make a "partial full trust" application, that is, one which does not let the bad guys get too much information (examples are business applications that are connected or linked to SQL Servers).
  10. The last thing is that we must create an application that works well, where stability is not a problem, and that is secure and trusted by the user. You must create an application that is informative and gives the user plenty of help. You must also write documentation for your application, and not build an application that needs new patches every month.

Making the Security Globally

Making security global may sound hard, and it is hard. Why? Because you cannot make all systems worldwide 100% secure: there is always somebody who cracks the systems and sends the information to others (makes his discovery public). People who crack systems are called "hackers"; there are hackers who get paid for hacking and for protecting a company’s privacy and information.

Figure 10: An application plan architecture for security, stability, application documentation, and testing and analysis.

The Internet is too big. You cannot secure all the computers globally, even if you want to, and people today do not understand how important it is to protect the information they have on their computers. Patching a system and fixing both bugs and security bugs in the Operating System (OS) is a good thing, but we should really do it better than we do today. What I mean is that the way we make bug-fix or security-fix patches today is bad. Why? Because we should analyze what is happening in the system source code and make patches that change and update only those areas that urgently need to be fixed.

How Should We Make Stability and Security Before We Ship and Release our Product?

It would be great if we could build problem-free, bug-free applications before we ship or release them. We could use the following process. Say we have a company that makes software, distributes systems and does other things. The company can set up a system that works like this: it has one team called the Software Engineer Analyzers (SEA). The SEA team's tasks are to test all types of new software and to send reports with information to the other teams. The software engineers, who are the programmers, then rewrite lines in the software source code, recompile the software and send it to the SEA team once more. They keep doing this until the software is stable and secure enough. Another great thing is that we can get feedback from our customers. Customer feedback can help to improve application stability, which makes the software run better.

Microsoft® XSS Detect

  • What is XSS? XSS stands for cross-site scripting, a type of computer security vulnerability found in web applications that allow code injection. Microsoft® XSS Detect helps to find and remove unsecured scripts from the web application source code.
  • Who is using these codes? The people who write these XSS scripts are hackers and people who want to get access to web servers.

Take a look at this XSS vulnerability. The Python language is an example of scripting code. There are other XSS detection tools that can be found on the Internet; some are freeware and others are shareware.

<script>alert(document.cookie);</script>

Code-snippet 2

A sample JavaScript works like XSS (Note: I haven't tested it yet).
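
The script in Code-snippet 2 only runs if a web application writes it into a page unchanged. The following is an added example, not code from the original article: it shows an unencoded rendering next to encoded ones, and a session cookie that script cannot read. `CommentRenderer` and its members are hypothetical names; the project needs a reference to System.Web.dll.

```csharp
using System;
using System.Web; // requires a reference to System.Web.dll

// Added example. CommentRenderer and its members are hypothetical names.
public static class CommentRenderer
{
    // Vulnerable: user text is concatenated into the markup as-is, so any
    // tags it contains become part of the page.
    public static string RenderUnsafe(string comment)
    {
        return "<p class=\"comment\">" + comment + "</p>";
    }

    // Hardened for element content: markup characters become HTML entities,
    // so the browser displays the text instead of interpreting it.
    public static string RenderSafe(string comment)
    {
        return "<p class=\"comment\">" + HttpUtility.HtmlEncode(comment) + "</p>";
    }

    // Hardened for an attribute value: the encoder must match the place
    // where the text is written.
    public static string RenderSafeInput(string comment)
    {
        return "<input type=\"text\" name=\"comment\" value=\""
            + HttpUtility.HtmlAttributeEncode(comment) + "\" />";
    }

    // Defense in depth against the document.cookie read in Code-snippet 2.
    public static HttpCookie CreateSessionCookie(string sessionId)
    {
        HttpCookie cookie = new HttpCookie("SessionId", sessionId);
        cookie.HttpOnly = true; // not exposed to document.cookie
        cookie.Secure = true;   // only sent over HTTPS
        return cookie;
    }

    public static void Main()
    {
        // The input is the script from Code-snippet 2.
        string input = "<script>alert(document.cookie);</script>";
        Console.WriteLine(RenderUnsafe(input));    // script tag survives intact
        Console.WriteLine(RenderSafe(input));      // emitted as inert text
        Console.WriteLine(RenderSafeInput(input)); // safe inside an attribute

        HttpCookie cookie = CreateSessionCookie("constructed-session-id");
        Console.WriteLine("HttpOnly=" + cookie.HttpOnly + ", Secure=" + cookie.Secure);
    }
}
```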

Microsoft® Best Practice Analyzer for ASP

Best Practice Analyzer (BPA) for ASP.NET is a great tool for analyzing ASP.NET web applications. The tool helps to find unsecured areas and provides information about the servers, such as whether the server information is encrypted or not.

Figure 11: The Microsoft ASP.NET Best Practice Analyzer.

The generated report shown in the image tells us that the root machine configuration string is not encrypted, and that the strings should be encrypted. This is a good example of a tool that can help solve security problems easily. The tool is freeware and can be downloaded from the Microsoft® Download Center website.

Other Application Security Tools

DevPartner SecurityChecker® is a good tool. Why? Because it helps you to analyze the code and fix security problems. The tool works well with ASP.NET web applications. DevPartner includes a SecurityChecker® component, which scans ASP.NET application source code to find known security problems. When the tool finds problems, it tries to help by providing information about how to solve them in the code.

Figure 12: The Compuware DevPartner SecurityChecker®

In the image, we have checked the checkboxes labeled Compile-time, Run-time, Integrity and Check only the pages that I visit, and then set the specific security settings. When you click the “Start Analysis” button, the tool analyzes the whole ASP.NET website and also produces reports. The tool is not free; you can buy it on the Compuware website. A new version, DevPartner SecurityChecker® 2.0, is available online.

Deploying the Application

When you deploy your application, you must test it on about three computers, and perhaps release it as a "beta" version just to see how many problems are found. You can also use IIS 7.0 or 6.0 to deploy the application over the Internet and see how many people download it and test the beta. You can make a directory where you link the files, or add the files inside an IIS root directory, and then set a domain name. You can also use File Transfer Protocol (FTP) or Hypertext Transfer Protocol (HTTP).

Give it a Try

Give it a try. Run Visual Studio®, build C# applications, go to the project properties, and set the security rules and settings. Run the application and see what happens and how security works in the application. It can be hard to work with application security the first time, but you will learn more and understand security in applications once you have read books and articles online. Good luck with your application security testing and analysis.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Coder24.com

Architect
Sweden

My name is Fisnik. I like programming and I am the owner of
the website http://www.coder24.com.
 
You can find me on MSDN Forums as well.

Article Copyright 2008 by Coder24.com