DNN Community Forums > General Discussion > Security Review
7/6/2009 2:43 PM

I would be curious if Jim could come back in after discussions with Cathal and the rest to give us a bit of insight as to the way that those issues were identified.

I have been a third-party to a number of security reviews of DNN in the past, and had similar false-positives as well.


-Mitchel Sellers
Microsoft MVP, ASPInsider, DNN MVP
CEO/Director of Development - IowaComputerGurus Inc.
LinkedIn Profile

Visit mitchelsellers.com for my mostly DNN Blog and support forum.

Visit IowaComputerGurus.com for free DNN Modules, DNN Performance Tips, DNN Consulting Quotes, and DNN Technical Support Services
7/7/2009 11:29 AM

Jim Hudson wrote
 

The Microsoft Visual Studio 2008 Team Suite code analysis tool generated a report with approximately 3,200 critical defects and 5,400 high priority defects.  Because the tool stops at a total of 100,000 errors and warnings, the full extent of problems can't be determined.  What does this mean to you?

Not much, really.  But then I already realize the tool itself is faulty.  :)

You raise a few legitimate issues with the default installation of DNN, but all of these are easily corrected with normal administrator actions.  As mentioned, Windows Authentication, changes to the SQL setup, requiring SSL, all will strengthen security and correct what you (or the tools) may perceive as code flaws.  These are in reality administration flaws.

No code operates in a vacuum, if security is the major concern it has to be all-encompassing.  The code in DNN itself is very secure, but there are a million ways an admin can make it more vulnerable.

Jeff

7/7/2009 11:54 AM

Out of interest I ran the vs.net 2008 code analysis tools that the analyst had run, and if you accept all the defaults you do see about 8,500 reported issues. However, all of these are warnings, none of them are errors (and none are critical as indicated). The code analysis tools in vs.net have a number of different rule sets, and developers typically enable which ones are applicable to their application (even Microsoft don’t use all the rules - http://blogs.msdn.com/fxcop/archive/2007/08/09/what-rules-do-microsoft-have-turned-on-internally.aspx)

In this case the analyst seems to have selected them all. As a test, I unchecked the “naming rules” ruleset which checks for cases such as use of “ID” rather than “Id” in variable names, don’t start label fields with “lbl” etc, and over 5000 issues disappeared. As DotNetNuke predates fxcop and the vs.net code analysis I don’t think it’s realistic that we rename a lot of variables/fields etc., simply to meet naming conventions, as these renames would introduce a large amount of breaking changes and add little value beyond passing a subjective report.

From experience I know that pretty much any .net application (including ones from Microsoft) will show a lot of issues – it’s intended as a guidance tool and not as a definitive guide to code (though many shops such as ones I’ve worked for make the performance, reliability and security rulesets mandatory), so I don’t feel that the statistics quoted were either representative or fair.
 

Cathal


Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US
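An added triage script (not from the thread or the DotNetNuke project) illustrating Cathal's point: parse a code-analysis report, count issues by severity and by ruleset, and see how much remains once only the security, performance and reliability rulesets are kept. The XML below is a constructed sample in the shape FxCop reports use, not a real DotNetNuke scan; the CheckIds are real FxCop rules.

```python
"""Triage a code-analysis XML report by ruleset and severity (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample, not a real DotNetNuke scan. Each Message carries the
# rule Category/CheckId; each Issue carries a Level such as Warning/Error.
SAMPLE_REPORT = """<?xml version="1.0"?>
<FxCopReport Version="9.0">
 <Targets><Target Name="DotNetNuke.dll"><Modules><Module Name="DotNetNuke.dll">
  <Messages>
   <Message TypeName="IdentifiersShouldBeCasedCorrectly" Category="Microsoft.Naming" CheckId="CA1709">
    <Issue Level="Warning">Correct the casing of 'ID' in member name 'PortalID'.</Issue>
    <Issue Level="Warning">Correct the casing of 'ID' in member name 'TabID'.</Issue>
   </Message>
   <Message TypeName="IdentifiersShouldBeSpelledCorrectly" Category="Microsoft.Naming" CheckId="CA1704">
    <Issue Level="Warning">Correct the spelling of 'lbl' in member name 'lblTitle'.</Issue>
   </Message>
   <Message TypeName="ReviewSqlQueriesForSecurityVulnerabilities" Category="Microsoft.Security" CheckId="CA2100">
    <Issue Level="Warning">Review the SQL query for security vulnerabilities.</Issue>
   </Message>
   <Message TypeName="AvoidUncalledPrivateCode" Category="Microsoft.Performance" CheckId="CA1811">
    <Issue Level="Warning">Private method is never called.</Issue>
   </Message>
  </Messages>
 </Module></Modules></Target></Targets>
</FxCopReport>"""

# Rulesets treated as mandatory in the post; naming is deliberately left out.
MANDATORY = {"Microsoft.Security", "Microsoft.Performance", "Microsoft.Reliability"}


def load_issues(report_xml):
    """Flatten the report into (category, check_id, level) tuples, one per Issue."""
    root = ET.fromstring(report_xml)
    return [(m.get("Category"), m.get("CheckId"), i.get("Level"))
            for m in root.iter("Message") for i in m.findall("Issue")]


def triage(issues, mandatory=MANDATORY):
    """Summarise by severity and ruleset, and count what a ruleset filter keeps."""
    by_level = Counter(level for _, _, level in issues)
    by_category = Counter(cat for cat, _, _ in issues)
    kept = [i for i in issues if i[0] in mandatory]
    return {"total": len(issues), "by_level": dict(by_level),
            "by_category": dict(by_category), "kept": len(kept)}


if __name__ == "__main__":
    print(triage(load_issues(SAMPLE_REPORT)))
```

On the sample, all five findings are warnings (no errors), three of them naming, and only two survive the mandatory-ruleset filter.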
7/7/2009 12:29 PM

cathal connolly wrote

As DotNetNuke predates fxcop and the vs.net code analysis I don’t think it’s realistic that we rename a lot of variables/fields etc., simply to meet naming conventions, as these renames would introduce a large amount of breaking changes and add little value beyond passing a subjective report.

I strongly agree here; in fact, this is the case with virtually all applications that predate the Framework Design Guidelines text.  I suspect that the number of warnings correlate more strongly with the age of an application than it does with code quality (and this is coming from a huge fan of the tool itself).  While it is a good idea for applications to be moving in the direction of conformance, the risk of (for example) arbitrary naming changes often exceeds any derived benefit.  Historical Hungarian naming may be subjectively offensive, but it certainly is not a quality issue.

...so I don’t feel that the statistics quoted were either representative or fair.
 

I have plenty of experience with security personnel "going for the jugular" in an analysis, and indeed this is generally an appropriate role.  But here I agree that the data cited was highly precipitous and largely ungrounded.

Brandon

 


Brandon Haynes
BrandonHaynes.org
7/7/2009 7:20 PM

I've been using Style Cop for Resharper lately on new projects and am finding it really useful for reminding me how to keep the style correct.  Too hard to use on any legacy apps though :)


Philip Beadle - Employee