Architecture Guarding with Static Code Analyzer and Code Fix

Ever worked on a codebase where the original architecture seems like a distant myth?

In large organizations, it’s easy for software architecture to drift as documentation becomes outdated and implicit knowledge fades. This wastes valuable knowledge and makes onboarding new developers a nightmare.

The Problem of Architecture Drift

In medium to large organizations, software architecture tends to drift away from its intended design over time. Documentation like wikis gets neglected or forgotten. The cognitive load on developers’ minds is too high to remember all architectural decisions. New developers are often unaware of the intended architecture.

Using Static Code Analysis integrated into the IDE & CI pipelines is the remedy.

Static Code Analysis

Static code analysis is the process of analyzing source code to detect potential issues, vulnerabilities, or deviations from coding rules and best practices without actually executing the program. It helps enforce quality standards and architectural guidelines early in the development lifecycle.

There are different types of static analyzers ranging from simple linting tools to sophisticated data flow analyzers that can detect complex coding issues, security vulnerabilities, and architectural violations.

.NET Roslyn Analyzers

For .NET projects, Roslyn Analyzers leverage a deep understanding of the .NET codebase to identify architectural violations.
These analyzers can dissect the code’s syntax tree and scrutinize code declarations to uncover even subtle architectural rule drifts. This fine-grained analysis makes Roslyn Analyzers, coupled with Roslyn Code Fix, incredibly powerful tools. By enforcing architectural best practices and automatically correcting common mistakes, they significantly improve the system quality. Furthermore, integrating seamlessly with developer IDEs like Visual Studio and VS Code shortens the issue-fixing cycle. Developers receive real-time feedback as they write code, allowing them to address problems before they reach the code repository. This proactive approach minimizes the number of issues that make it into the codebase, ultimately leading to cleaner, more maintainable software.

Integrating Static Code Analysis into CI/CD

Once you’ve established your architectural rules within static code analyzers like Roslyn Analyzers, the next step is to integrate them seamlessly into your CI/CD pipeline. This ensures that architectural violations are caught early in the development process, preventing them from reaching production.

Several popular tools facilitate integrating static code analysis into your CI/CD workflow. Here are a few examples, including both dedicated static code analyzers and platforms that manage them:

Static Code Analyzers:

• Roslyn Analyzers (for .NET): As mentioned previously, offer a powerful way to enforce architectural best practices specifically for .NET projects. They integrate directly with developer IDEs and can be configured to fail builds in CI/CD pipelines upon detecting violations.

CI/CD Integration Platforms:

• SonarQube: This popular platform goes beyond basic static code analysis. It aggregates the results from various static code analyzers, including Roslyn Analyzers, providing a consolidated view of code quality across your entire codebase. SonarQube integrates seamlessly with most major CI/CD tools and allows you to set quality gates within your pipelines. Builds will fail if these quality gates, which can include architectural compliance metrics, are not met.
• GitHub Actions, Jenkins, Azure DevOps: While these are primarily CI/CD platforms, they offer extensive plugin support for integrating various static code analyzers. These plugins allow you to configure analysis jobs within your pipelines and often integrate with platforms like SonarQube for centralized reporting and quality gate management.

By choosing the tools that best suit your CI/CD platform, development environment, and desired level of analysis depth, you can establish a robust system for enforcing architectural compliance throughout the development lifecycle. This proactive approach ensures that your software adheres to its intended design, leading to a more maintainable and reliable codebase in the long run.

Complementary Tools for a Holistic Code Quality Approach

Static code analysis backed into the IDE & C/CD pipelines are foundational elements for enforcing architectural best practices within your .NET projects. However, a well-rounded code quality strategy encompasses a broader range of considerations. Here are some complementary tools you can integrate with your CI/CD pipeline to address various aspects of code quality:

Security-Focused Tools:

• SAST (Static Application Security Testing) tools: These tools analyze code to identify potential security vulnerabilities.
• SCA (Software Composition Analysis) tools:
  These tools scan your codebase for known third-party library vulnerabilities.
  Check this blog post for deeper insights.

By incorporating these tools alongside static code analysis, you can significantly enhance your security posture.

Best Practices and Code Style Enforcement:

• NDepend: offers advanced code analysis capabilities, including code metrics, dependency visualization, and rule-based code inspections. It integrates seamlessly with CI/CD pipelines for .NET development.

By incorporating these complementary tools alongside static code analysis and SonarQube, you can establish a comprehensive approach to code quality that safeguards your .NET projects from security vulnerabilities, promotes code maintainability, and fosters a well-structured codebase.

Let’s Get Our Hands Dirty

Don’t be intimidated by the idea of creating your own static code analyzer , it’s more approachable than it may seem at first glance. The process is relatively simple.

• Create a new Analyzer with Code Fix (.NET Standard) project, and you'll have a working sample right off the box.

The real challenge lies in translating your analysis logic into Roslyn syntax, but even that can be made easier with the help of tools like GitHub Copilot. While Copilot won’t provide a complete, ready-to-use solution, it can guide you through the process and suggest code snippets to build upon. You’ll likely still need to refine and debug Copilot’s suggestions, but it can streamline the development process significantly.

So don’t hesitate — roll up your sleeves and dive into creating your very own static code analyzer! With the right tools and a bit of persistence, you’ll be analyzing code like a pro in no time.

Conclusion: Building a Strong Code Foundation

Enforcing architectural best practices and fostering a culture of code quality are essential for building secure, maintainable, and well-structured software. By leveraging static code analysis and CI/CD guards like SonarQube, plus a strategic selection of complementary tools, you can establish a robust system for safeguarding your .NET projects throughout the development lifecycle.

This proactive approach yields significant benefits:

• Reduced Architectural Drift: Explicitly defined architectural rules baked into the development process prevent deviations from the intended design.
• Enhanced Code Security: SAST and SCA tools proactively identify and mitigate security vulnerabilities.
• Improved Code Maintainability: Consistent code style, best practice enforcement, and code duplication reduction lead to cleaner, more maintainable code.
• Faster Development Cycles: Catching issues early in the development process minimizes rework and accelerates delivery timelines.

By prioritizing code quality, you empower your development team to deliver high-performing, reliable applications that meet the evolving needs of your organization, and ship faster.

Welcome to F# Weekly,

A roundup of F# content from this past week:

News

• Rust for Fsharpers and F# for Rustaceans
• Migration From Giraffe to Oxpecker
• Secure your container build and publish with .NET 8 – .NET Blog (microsoft.com)
• The Journey to Accessible Apps: Keyboard Accessibility and .NET MAUI – .NET Blog (microsoft.com)

Recently, @isaac_abraham , the author of nice Get Programming with F#, released another awesome book: F# in Action. When my @ManningBooks editors offered me a chance to review it, I considered this a great opportunity to learn something new.

When I first embarked on the F#… pic.twitter.com/FCdtfehf3r

— Alexander Granin (@graninas) May 1, 2024

Videos

• How to make HTTP Requests with an Authorization Bearer Token in F# using FsHttp (youtube.com)
• Make calculator with f# (youtube.com)
• On .NET Live: Supercharging Blazor SSR with htmx (youtube.com)
• The New Collection Access Feature of C# 13 (youtube.com)
• The Only .NET Scheduler You Should Be Using! (youtube.com)

Blogs

• F# Nullness support | Compositional IT (compositional-it.com)
• StringBuffer – An F# string builder (simonreynolds.ie)
• How to make HTTP Requests with an Authorization Bearer Token in F# using FsHttp (hamy.xyz)
• What is Fable? – Ada Beat

F# vNext

• Tracking issue for remaining AssemblyBuilder.Save work in .NET 9 · Issue #92975 · dotnet/runtime · GitHub
• Add `dotnet tool update –all` option · Issue #10130 · dotnet/sdk · GitHub

Isaac was brave enough to explore an unfinished feature in the making and tease #fsharp users a little, while helping with testing and giving general feedback when doing so.

Thanks, this help was highly appreciated! https://t.co/9yh2tWI6St

— Tomáš Grošup (@tomasgrosup) May 3, 2024

Highlighted projects

• ken-okabe/vanfs: VanFS: 1:1 bindings from F# to VanJS (an ultra-lightweight , zero-dependency , and unopinionated Reactive UI framework based on pure vanilla JavaScript and DOM without React/JSX) + WebComponents + micro FRP
• fabulous-dev/Fabulous.Avalonia: Declarative UIs for Avalonia with F# and MVU, using Fabulous

My prog. languages work with C# generics, F#, C#/F# async programming and the simplicity of types, functions and data still have my heart, as do my ongoing responsibilities as F# language design approver. But right now I'm getting to be an applied researcher again, and loving it.

— Don Syme (@dsymetweets) April 30, 2024

That’s all for now. Have a great week.

If you want to help keep F# Weekly going, click here to jazz me with Coffee!

 

Last November, we launched the Secure Future Initiative (SFI) to prepare for the increasing scale and high stakes of cyberattacks. SFI brings together every part of Microsoft to advance cybersecurity protection across our company and products.

Since then, the threat landscape has continued to rapidly evolve, and we have learned a lot. The recent findings by the Department of Homeland Security’s Cyber Safety Review Board (CSRB) regarding the Storm-0558 cyberattack from last July, and the Midnight Blizzard attack we reported in January, underscore the severity of the threats facing our company and our customers.

Microsoft plays a central role in the world’s digital ecosystem, and this comes with a critical responsibility to earn and maintain trust. We must and will do more.

We are making security our top priority at Microsoft, above all else—over all other features. We’re expanding the scope of SFI, integrating the recent recommendations from the CSRB as well as our learnings from Midnight Blizzard to ensure that our cybersecurity approach remains robust and adaptive to the evolving threat landscape.

We will mobilize the expanded SFI pillars and goals across Microsoft and this will be a dimension in our hiring decisions. In addition, we will instill accountability by basing part of the compensation of the company’s Senior Leadership Team on our progress in meeting our security plans and milestones.

Below are details to demonstrate the seriousness of our work and commitment.

Expansion of SFI approach and scope

We have evolved our security approach, and going forward our work will be guided by the following three security principles:

1. Secure by design: Security comes first when designing any product or service.
2. Secure by default: Security protections are enabled and enforced by default, require no extra effort, and are not optional.
3. Secure operations: Security controls and monitoring will continuously be improved to meet current and future threats.

We are further expanding our goals and actions aligned to six prioritized security pillars and providing visibility into the details of our execution:

1. Protect identities and secrets

Reduce the risk of unauthorized access by implementing and enforcing best-in-class standards across all identity and secrets infrastructure, and user and application authentication and authorization. As part of this, we are taking the following actions:

• Protect identity infrastructure signing and platform keys with rapid and automatic rotation with hardware storage and protection (for example, hardware security module (HSM) and confidential compute).
• Strengthen identity standards and drive their adoption through use of standard SDKs across 100% of applications.
• Ensure 100% of user accounts are protected with securely managed, phishing-resistant multifactor authentication.
• Ensure 100% of applications are protected with system-managed credentials (for example, Managed Identity and Managed Certificates).
• Ensure 100% of identity tokens are protected with stateful and durable validation.
• Adopt more fine-grained partitioning of identity signing keys and platform keys.
• Ensure identity and public key infrastructure (PKI) systems are ready for a post-quantum cryptography world.

2. Protect tenants and isolate production systems

Protect all Microsoft tenants and production environments using consistent, best-in-class security practices and strict isolation to minimize breadth of impact. As part of this, we are taking the following actions:

• Maintain the security posture and commercial relationships of tenants by removing all unused, aged, or legacy systems.
• Protect 100% of Microsoft, acquired, and employee-created tenants, commerce accounts, and tenant resources to the security best practice baselines.
• Manage 100% of Microsoft Entra ID applications to a high, consistent security bar.
• Eliminate 100% of identity lateral movement pivots between tenants, environments, and clouds.
• 100% of applications and users have continuous least-privilege access enforcement.
• Ensure only secure, managed, healthy devices will be granted access to Microsoft tenants.

3. Protect networks

Protect Microsoft production networks and implement network isolation of Microsoft and customer resources. As part of this, we are taking the following actions:

• Secure 100% of Microsoft production networks and systems connected to the networks by improving isolation, monitoring, inventory, and secure operations.
• Apply network isolation and microsegmentation to 100% of the Microsoft production environments, creating additional layers of defense against attackers.
• Enable customers to easily secure their networks and network isolate resources in the cloud.

4. Protect engineering systems

Protect software assets and continuously improve code security through governance of the software supply chain and engineering systems infrastructure. As part of this, we are taking the following actions:

• Build and maintain inventory for 100% of the software assets used to deploy and operate Microsoft products and services.
• 100% of access to source code and engineering systems infrastructure is secured through Zero Trust and least-privilege access policies.
• 100% of source code that deploys to Microsoft production environments is protected through security best practices.
• Secure development, build, test, and release environments with 100% standardized, governed pipelines and infrastructure isolation.
• Secure the software supply chain to protect Microsoft production environments.

5. Monitor and detect threats

Comprehensive coverage and automatic detection of threats to Microsoft production infrastructure and services. As part of this, we are taking the following actions:

• Maintain a current inventory across 100% of Microsoft production infrastructure and services.
• Retain 100% of security logs for at least two years and make six months of appropriate logs available to customers.
• 100% of security logs are accessible from a central data lake to enable efficient and effective security investigation and threat hunting.
• Automatically detect and respond rapidly to anomalous access, behaviors, and configurations across 100% of Microsoft production infrastructure and services.

6. Accelerate response and remediation

Prevent exploitation of vulnerabilities discovered by external and internal entities, through comprehensive and timely remediation. As part of this, we are taking the following actions:

• Reduce the Time to Mitigate for high-severity cloud security vulnerabilities with accelerated response.
• Increase transparency of mitigated cloud vulnerabilities through the adoption and release of Common Weakness Enumeration™ (CWE™), and Common Platform Enumeration™ (CPE™) industry standards for released high severity Common Vulnerabilities and Exposures (CVE) affecting the cloud.
• Improve the accuracy, effectiveness, transparency, and velocity of public messaging and customer engagement.

These goals directly align to our learnings from the Midnight Blizzard incident as well as all four CSRB recommendations to Microsoft and all 12 recommendations to cloud service providers (CSPs), across the areas of security culture, cybersecurity best practices, auditing logging norms, digital identity standards and guidance, and transparency.

We are delivering on these goals through a new level of coordination with a new operating model that aligns leaders and teams to the six SFI pillars, in order to drive security holistically and break down traditional silos. The pillar leaders are working across engineering Executive Vice Presidents (EVPs) to drive integrated, cross-company engineering execution, doing this work in waves. These engineering waves involve teams across Microsoft Azure, Windows, Microsoft 365, and Security, with additional product teams integrating into the process weekly.

While there is much more to do, we’ve made progress in executing against SFI priorities. For example, we’ve implemented automatic enforcement of multifactor authentication by default across more than one million Microsoft Entra ID tenants within Microsoft, including tenants for development, testing, demos, and production. We have eliminated or reduced application targets by removing 730,000 apps to date across production and corporate tenants that were out-of-lifecycle or not meeting current SFI standards. We have expanded our logging to give customers deeper visibility. And we recently announced a significant shift on our response process: We are now publishing root cause data for Microsoft CVEs using the CWE™ industry standard.

Adhering to standards with paved paths systems

Paved paths are best practices from our learned experiences, drawing upon lessons such as how to optimize productivity of our software development and operations, how to achieve compliance (such as Software Bill of Materials, Sarbanes-Oxley Act, General Data Protection Regulation, and others), and how to eliminate entire categories of vulnerabilities and mitigate related risks. A paved path becomes a standard when adoption significantly improves the developer or operations experience or security, quality, or compliance.

With SFI, we are explicitly defining standards for each of the six security pillars, and adherence to these standards will be measured as objectives and key results (OKRs).

Driving continuous improvement

The Secure Future Initiative empowers all of Microsoft to implement the needed changes to deliver security first. Our company culture is based on a growth mindset that fosters an ethos of continuous improvement. We continually seek feedback and new perspectives to tune our approach and progress. We will take our learnings from security incidents, feed them back into our security standards, and operationalize these learnings as paved paths that can enable secure design and operations at scale.

Instituting new governance

We are also taking major steps to elevate security governance, including several organizational changes and additional oversight, controls, and reporting.

Microsoft is implementing a new security governance framework spearheaded by the Chief Information Security Officer (CISO). This framework introduces a partnership between engineering teams and newly formed Deputy CISOs, collectively responsible for overseeing SFI, managing risks, and reporting progress directly to the Senior Leadership Team. Progress will be reviewed weekly with this executive forum and quarterly with our Board of Directors.

Finally, given the importance of threat intelligence, we are bringing the full breadth of nation-state actor and threat hunting capabilities into the CISO organization.

Instilling a security-first culture

Culture can only be reinforced through our daily behaviors. Security is a team sport and is best realized when organizational boundaries are overcome. The engineering EVPs, in close coordination with SFI pillar leaders, are holding broadscale weekly and monthly operational meetings that include all levels of management and senior individual contributors. These meetings work on detailed execution and continuous improvement of security in context with what we collectively deliver to customers. Through this process of bottom-to-top and end-to-end problem solving, security thinking is ingrained in our daily behaviors.  

Ultimately, Microsoft runs on trust and this trust must be earned and maintained. As a global provider of software, infrastructure, and cloud services, we feel a deep responsibility to do our part to keep the world safe and secure. Our promise is to continually improve and adapt to the evolving needs of cybersecurity. This is job number one for us.

The post Security above all else—expanding Microsoft’s Secure Future Initiative appeared first on Microsoft Security Blog.

Posted by Paris Hsu – Product Manager, Android Studio

Android Studio Jellyfish (2023.3.1) is making waves with its official stable release! 🪼🌊 Dive into cutting-edge AI features like Gemini in Android Studio, seamless Google services integrations like Android Device Streaming, and much more. All designed to supercharge your Android development to build next-generation, high-quality apps. Surf below to learn more about all the updates, product quality improvements, and new features across your key flows in Android Studio Jellyfish, and download the latest stable version today to try them out!

Develop

Gemini in Android Studio: stable, and now available in 200+ countries!

Today, Gemini in Android Studio is available in over 200+ countries and territories, including a new set of countries in Europe. Thanks to all of the valuable feedback you’ve provided us over the last year, we’re excited to bring Gemini in Android Studio (formerly Studio Bot) into this stable release of Android Studio, as your AI-powered development companion in Android Studio, ready to level up your productivity. Ask your Android development questions and get help instantly: whether it’s to generate code, find resources, or explain best practices, Gemini in Android Studio is here to save you valuable time. Plus, it integrates seamlessly with your workflow:

• Chat: Get code samples and questions answered
• AI code completion: Intelligent suggestions as you type
• Error analysis: Understand Logcat and Build errors with ease
• Smart actions: Streamline tasks with powerful shortcuts

Onboard and then opt-in with the built-in AI privacy controls, and learn more about how the current capabilities of Gemini in Android Studio can accelerate your development workflow.