All hail bug reports: how we reduced the analysis time of the user’s project from 80 to 4 hours

People often see work in support as something negative. Today we’ll look at it from a different perspective. This article is about a real communication of 100+ messages, exceptions, the analysis that didn’t complete in three days…

Continue reading

OWASP Top 10 and Software Composition Analysis (SCA)

The OWASP Top Ten 2017 category A9 (which became A6 in OWASP Top Ten 2021) is dedicated to using components with known vulnerabilities. To cover this category in PVS-Studio, developers have to turn the analyzer into a full SCA solution. How will the analyzer look for vulnerabilities in the components used? What is SCA? Let’s try to find the answers in this article!

Continue reading

XSS: attack, defense – and C# programming

XSS – or cross-site scripting – is one of the most common vulnerabilities in web applications. It has been on the OWASP Top 10 list (the list of the most critical security risks to web applications) for a while now. So let’s figure out together how your browser can acquire and execute a script from a third-party website, and what this may lead to (spoiler: your cookies could get stolen, for example). And while we’re at it, we’ll talk about ways you can protect yourself from XSS.

Continue reading

OWASP, vulnerabilities, and taint analysis in PVS-Studio for C#. Stir, but don’t shake

We continue to develop PVS-Studio as a SAST solution. Thus, one of our major goals is expanding OWASP coverage. You might ask, what’s the use when there’s no taint analysis? That’s exactly what we thought – and decided to implement taint analysis in the C# analyzer. Curious about what we accomplished? Read on!

Note. This article briefly touches upon the topics of SQL injections and working with SQL in C#. This theory serves as context. For in-depth information on these topics, do additional research.

Continue reading

Creating Roslyn API-based static analyzer for C#

After you read this article, you’ll have the knowledge to create your own static analyzer for C#. With the help of the analyzer, you can find potential errors and vulnerabilities in the source code of your own and other projects. Are you intrigued? Well, let’s get started.

Continue reading

XSS: attack, defense – and C# programming

XSS – or cross-site scripting – is one of the most common vulnerabilities in web applications. It has been on the OWASP Top 10 list (the list of the most critical security risks to web applications) for a while now. So let’s figure out together how your browser can acquire and execute a script from a third-party website, and what this may lead to (spoiler: your cookies could get stolen, for example). And while we’re at it, we’ll talk about ways you can protect yourself from XSS.

Continue reading

Optimization of .NET applications: a big result of small edits

Today we’re going to discuss how small optimizations in the right places of the application can improve its performance. Imagine: we remove the creation of an extra iterator in one place, get rid of boxing in the other. As a result, we get drastic improvements because of such small edits.

Continue reading