Code Analysis for All

Hello All –

As many of you already know, the SDL team at Microsoft has a strong relationship with our colleagues in the MSEC Security Science team – these guys are on the front line of tool development for the SDL, and are always looking for new ways to take the security technologies they produce and make them broadly available.  With that in mind, I am quite pleased to turn over the blog to Tim Burrell to let you know about some new developments on the code analysis front.

– Dave


At the recent BUILD Conference, the Visual Studio Code Analysis team presented some great new features of Microsoft Visual Studio 11 C++ Code Analysis. We thought we’d highlight a couple of the security aspects.

This is the first time that Code Analysis has been made available in an Express edition of Visual Studio – a reflection of Microsoft’s commitment to helping secure the software ecosystem beyond just our own software. It is also testament to the value that we believe such static analysis tools have to offer to every developer today. This value comes in many forms, mainly deriving from the fact that it’s way cheaper to fix a bug early on during development:

  • Fixing a bug early avoids wasted time debugging strange crashes or reliability issues later on.
  • Fixing a bug early avoids resetting/repeating testing after a bug is fixed late in the development cycle.
  • Fixing a bug early avoids the complexities associated with fixing it if it is exposed after the application ships.

The Security Science team with the Microsoft Security Engineering Centre (MSEC) worked closely with the Visual Studio Code Analysis team to ensure that the Visual Studio Developer Preview includes as many of the SDL mandatory C/C++ Code Analysis warnings as possible. These are the security-related warnings that Microsoft considers critical to fix for internal C/C++ software development.

Choosing which warnings to include in Microsoft Visual Studio 11 Express is a balancing act between giving all developers access to these warnings and not overloading people with so many warnings that they just ignore them. We’ve tried to select the best combination of high severity / low noise. We are keen to hear your feedback on your experience of using Code Analysis in Express.

Of course the Security Development Lifecycle (SDL) is an entire process and methodology for developing secure software and as such includes much more than just fixing a given set of warnings – you can read more and find additional resources related to SDL here.

As we alluded to at the start, code analysis covers more than just security bugs – indeed the distinction between security and reliability can sometimes be a subtle one: the bug that manifests as a crash today (a reliability issue?) could turn out to be controllable by an attacker tomorrow (a security issue). We highly recommend running Visual Studio Code Analysis to help develop secure and reliable applications.

Tim Burrell, MSEC Security Science

About the Author
Dave Ladd

Principal Security Group Program Manager

Join the conversation

  1. Anonymous

    Is it still going to be limited to 32 bit only?

  2. Tom Kirby-Green

    In the domain of financial services ( and I'm quite sure others such as DCC) 64 bit support should be the platform you target first for features like this.

    Kind regards,



    I'm wondering if Code Analysis supports C++/CX?

  4. Anonymous

    Hmm, first time it's been included in VS Express, perhaps. But I remember when it was included in the (free) Windows SDK. I'm not sure what that says about Microsoft's "commitment" to anything. Essentially undoing a decision you made a couple of years ago?

    But anyway, very nice. Limiting static analysis to VS Ultimate was an absurd decision.

  5. sdl

    CodeAnalysis support for x86 is in the Developer Preview tools. Providing 64-bit support is a high priority for us.

  6. sdl

    Pierre – There are elements of C++/CX that are really new and different, which means that although CodeAnalysis runs, we are aware that the accuracy of warnings is sometimes not always as good as for traditional C++ code.

  7. Anonymous

    When you going to add support for C99?

  8. diegumzone

    Hi grit-z,

    Microsoft is committed to deliver that portion of C99 that is also part of C++11 (especially the preprocessor and standard library). In particular, the C++11 implementation incorporates the entire C99 standard library, which we are now shipping in this release of Visual C++ as part of the standard library.

  9. Anonymous

    i like to know why is no safe no more in pc

    any one can enter to ur pc where is the safety??????

  10. Anonymous

    Thanks for your useful informations, Am working in <a href=""> Custom software development company, Bangalore</a>

Comments are closed.