Top Visual Studio Security Extensions

4 Mins read
 Top Visual Studio Security Extensions
With the shifting left of security in the DevOps pipeline, secure coding best practices are increasingly being emphasized and adopted. It’s no wonder: Security is a high priority for most companies, and even a small data breach could prove disastrous.

For Visual Studio developers, using security extensions helps them produce more secure code, faster. Visual Studio extensions allow you to add on new features or integrate existing developer tools to customize and enhance your Visual Studio experience. Extensions include everything from spell checkers, templates, and controls to image optimizers, debuggers, and testing tools. The main purpose of these extensions is to add functionality to increase ease of use and developer productivity. 

In this blog, we’ll take a look at some of the top Visual Studio security extensions that help developers write more secure code. Note that the majority of tools mentioned here are free to download and use.

ReSharper by JetBrains

ReSharper is a very popular Visual Studio extension for .NET developers that makes code navigation, editing, and review easier. ReSharper’s productivity features allow individual developers and teams to write and manage code using industry best practices to produce high-quality applications faster. Developers like ReSharper because its autocompletion features give them intelligent suggestions to help generate code. 

Refactoring capabilities make writing intricate code easier, saving developers hours and hours of time and frustration. Code review is also easier with hard-to-miss inspection markers that show errors and suggest improvements. ReSharper supports testing with a unit test runner that helps developers run and debug unit tests based on NUnit,, MSTest, QUnit, and Jasmine.

Microsoft Code Analysis by Microsoft DevLabs

Microsoft DevLabs has rebuilt its popular 100+ FxCop rules as a live analyzer to help developers detect problems in their code and fix them on the spot. This extension has been updated to provide live analysis as you type, providing quick fixes for applicable diagnostics using Ctrl+. It provides diagnostics for API design, performance, security, and best practices for C# and Visual Basic. In addition, diagnostics appear in the editor, Error List, and scroll bar, adding to its ease of use. 

SonarLint for Visual Studio 2017 by SonarSource

The SonarLint Visual Studio plug-in is an open-source, Roslyn-based static code analyzer that supports five languages: C#, VB .Net, C, C++, and Javascript. Developers like SonarLint because it provides real-time feedback with extensive explanations on the quality of their code as they write it, which improves productivity. 

SonarLint has been described as a spell checker for code because of its ability to fix nasty bugs and code smells on-the-fly. SonarLint’s deep code analysis algorithms can detect issues in seconds using pattern matching and dataflow analysis. With hundreds of rules and growing, SonarLint is a great tool for developers to check code quality.

PVS-Studio by Evgeniy Ryzhkov

PVS-Studio is a static source code analyzer for bug detection in C, C++, C#, and Java projects on Windows, Linux, and macOS. It detects and fixes security and quality issues in code before they turn into vulnerabilities, crashes, or painful debugging. PVS-Studio performs a wide range of code checks and is especially useful in finding misprints and Copy-Paste errors. 

PVS-Studio helps developers catch bugs at the earliest development stage, comes with detailed documentation, and provides great support service. Developers really like the incremental analysis feature, which helps check fresh portions of code immediately after they are written.

Security Code Scan by Jaroslav Lobačevski and Philippe Arteau

This Visual Studio Extension is a security static code analyzer for .NET. It operates in two modes — one for developers and one for auditors. Security Code Scan looks for security vulnerability patterns, including SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and XML External Entity Injection (XXE). It offers taint analysis, which tracks every source of user input data through the system to make sure it gets sanitized before anything is done to it. Security Code scan is able to analyze .NET and .NET Core projects in the background or during a build.

ASP.NET Core Boilerplate by Rehan Saeed

ASP.NET Core Boilerplate is a project template for building secure, fast, robust, and adaptable web applications or sites. It provides the minimum amount of code required on top of the default ASP.NET project template provided by Microsoft and uses familiar tools to implement best practices. ASP.NET Core Boilerplate is modular and extensible and gives developers the infrastructure to build their own modules. 

Security Intellisense by Microsoft DevLabs

Security Intellisense is a Visual Studio extension that provides inline security suggestions and fixes for C# and XML source code. It also targets web projects and crypto usage. The extension is part of the Secure DevOps Kit for Azure, a collection of scripts, tools, extensions, and automation that caters to the security needs of DevOps teams using extensive automation and smoothly integrating security into native DevOps workflows. Developers have remarked they like Security Intellisense because it gives them, for example, a NuGet package that makes integration into CI/CD pipelines easier.

Fortify on Demand by Micro Focus

Fortify on Demand is a Software as a Service (SaaS) solution that enables security and development teams to begin a static code analysis security scan within minutes of setup. This Visual Studio extension allows developers to upload their code to Fortify on Demand for static assessment. Developers can also open analysis results for remediation. Developers like Fortify on Demand for its intuitive interface, broad language support, and comprehensive API that allows automation to be customized.

Microsoft DevSkim by Microsoft DevLabs

DevSkim is a framework of IDE plugins and language analyzers that provide inline security analysis as the developer writes code. Developers are notified when they introduce a security vulnerability as potential security issues are highlighted in the code with links to more information and, when available, one-click access to safer alternative code. 

This allows them to immediately remediate the vulnerability and also builds awareness so developers can learn about potential security flaws. Microsoft DevSkim boasts a flexible rule model that supports multiple programming languages. 

WhiteSource Advise for Visual Studio by WhiteSource

WhiteSource Advise gives developers immediate visibility into open source component security data early in the development life cycle. By fixing vulnerabilities from within the IDE, developers are able to save time and create more secure code by avoiding problematic open source components. 

Integrating security testing pre-build allows potential open source issues to be detected earlier when they are easier and less costly to fix. Developers like WhiteSource Advise because it offers a transparent user experience and provides a dedicated view of reported open source security vulnerabilities (CVEs) with fix recommendations. Plus it just works right out of the box.

Leave a Reply

Your email address will not be published. Required fields are marked *