I am looking for a utility that can be used against .NET assemblies to validate code against best practices, and most importantly can review the code for Security, Injection, and Cross Site Scripting vulnerabilities. I know that it isn’t an exact science, but I’m looking for anyones experience/recommendations on the best way to a solution that will at least set a baseline standard. I know that nothing beats doing an individual review, but I’m looking at the high level.
I have been doing some research on Fortify, and so far it is looking like a good tool, from what I can tell it provides a very detailed response. I know that FXCop is out there as well, but I don’t know if it goes in deep enough.
EDIT One attractive thing I found about Fortify, and that would be nice in a tool is the combination of security review, AND .NET Best practices review. IE fortify checks fo potential un-closed connections, recommends the use of Using statements, etc.
FxCop is a static code analysis tool, though not specifically targetting security, it will pick up alot of common errors (be sure to turn off the naming rules you aren’t interested in).
Also, I came across the ‘Performance Code Review Tool – Practices Checker’ here.