Welcome Guest Search | Active Topics | Sign In | Register

Essential Objects Product Support Forum » All Products » Feature Request & Feedbacks » Secured code development

Secured code development Options
Previous Topic · Next Topic
ruk
Posted: Wednesday, May 31, 2017 1:33:38 PM
Rank: Advanced Member
Groups: Member

Joined: 5/15/2017
Posts: 48
I'm wondering what secured coding practices being used to ensure the EO WebBrowser code base is secured.

Microsoft has plenty of resource on developing secured code. They have best practice guidelines and supporting tools. More information can be found here https://www.microsoft.com/en-us/SDL/process/implementation.aspx.

The code developed in our organization follows the secured coding practices similar to the Microsoft. This is important for us since the code is deployed to critical systems.

Wondering what kind of secured practices and tools followed in EO to ensure security. For example, are you using BinSkim tool, static code analysis related to security etc.?
Back to top
 
eo_support
Posted: Thursday, June 1, 2017 10:41:57 AM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,080
Hi,

We follow the same basic steps as outlined there. Our products consists of two major components: the unmanaged code and the managed code. For the umananged code, the absolute majority of it is Chromium browser engine --- we do NOT perform security analysis on that part because not only the source code is wide open online and being scrutinized daily by numerous companies/individuals, but also it is not practical for us to perform security analysis on a project of such scale. For the very small amount of changes we made (in order to seamlessly integrate with .NET), we mainly rely on compiler and thorough code review and testing. The objective here is not only for security issues, but also for other issues such as performance.

For managed part we use FxCop. This part however has a lower priority over the unmanaged part from security point of view because the browser engine is contained in the unmanaged part (run in a separate process) and the managed code is merely a "driver" of the engine. So in theory as long as the engine is secured, it is not possible for the driver to introduce a breach --- any possible breach must occur inside the browser engine.

Having that said, there are always areas in the .NET side that can be improved ---- the most recently SecureString suggestion made by you is one example. Those issues are addressed as they are brought to us.

Hope this helps.

Thanks!
Back to top
 


You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.