Automating Code Review Tools – Part I

This post was written by dpx on December 30, 2008
Posted Under: .NET, Information Security, Programming

The Connected Information Security Group blog at Microsoft recently published a couple of articles (part 1, part 2) about a recently released tool called CAT.NET. This is a static code analysis tool which reads a compiled program's code and looks for security problems such as null pointers, null references, and other problems specific to interpreted languages.

I’ve started to put this tool, as well as FxCop, into my build process. The biggest headache in the CAT.NET automation process is defining the sources and sinks necessary for the tool to be effective. Some of this can be autogenerated using XML comments in the code, and as I explore this more I’ll give some details here.

Over the next week I’m going to be publishing a series of articles detailing how to automate these tools to make your code more secure and best practices compliant. It will also help reduce your manual code review process (you do have a code review process in place, don’t you?) because these tools are designed to catch the most common errors that take up a lot of time during a human review.
