Published in ITNEXT · 5 days ago
XSS vulnerability in the ASP.NET application: CVE-2023–24322 in mojoPortal CMS
What is cross-site scripting (XSS)? Note. You can skip this section if you are already familiar with the XSS basics. XSS (cross-site scripting) is an application vulnerability that involves injecting code into a page viewed by a user. If the application is not protected from XSS, an attacker can inject JavaScript code and steal data…
Csharp · 9 min read

Apr 25
Do developers dream of secure apps?
Do developers care about code security? This question, I believe, is still open to debate. I wrote this article to solicit feedback from both developers and security experts. Would you help me with that? I'll explain why this topic interests me. I'm working on PVS-Studio. Our tool detects both coding…
Software Development · 2 min read

Published in ITNEXT · Mar 21
Converting string to enum at the cost of 50 GB: let's analyze the CVE-2020–36620 vulnerability
In this article, we're going to discuss the CVE-2020–36620 vulnerability and see how a NuGet package for converting string to enum can make a C# application vulnerable to DoS attacks. Imagine a server application that interacts with a user. In one of the scenarios, the application receives data from the…
Csharp · 7 min read

Published in ITNEXT · Jan 27
SAST: how code analysis tools look for security flaws
Here we'll discuss how SAST solutions find security flaws. I'll tell you about different and complementary approaches to detecting potential vulnerabilities, explain why each of them is necessary, and how to turn theory into practice. SAST (Static Application Security Testing) is used to find security defects without executing an application…
Security · 15 min read

Jan 20
C++ — programming language of the year 2022. What about other languages?
Overtaking Python, C++ became TIOBE's language of 2022. It outscored Rust, C#, Go and others by a large margin. Don't you find this weird? Well, let's figure this out. The rating we're talking about is based on the TIOBE index. …
Programming · 3 min read

Published in ITNEXT · Dec 14, 2022
.NET 7: suspicious places and errors in the source code
.NET 7 has been released! It's time for us to dig into its source code and start looking for errors and strange code fragments. In this article, you'll see comments on our findings from the .NET developers. After all, they know the platform code better than anyone else. Buckle up! …
Csharp · 13 min read

Dec 8, 2022
PVS-Studio: 2 features for a quick start
In this note I'll share with you some tips on how to easily start using PVS-Studio. Let's explore these two use cases: when you try the analyzer for the first time and when you integrate it into your project. Trying PVS-Studio for the first time? View the most interesting warnings. So, what do I expect when running the analyzer on a…
Software · 3 min read

Published in C# Programming · Sep 20, 2022
Sorting in C#: OrderBy.OrderBy or OrderBy.ThenBy? What's more effective and why?
Suppose we need to sort the collection by multiple keys. In C#, we can do this with the help of OrderBy().OrderBy() or OrderBy().ThenBy(). But what is the difference between these calls? To answer this question, we need to delve into the source code. The article has three chapters: Background. For…
Csharp · 15 min read

Published in C# Programming · Apr 25, 2022
Why use static analysis? Exploring an error from Akka.NET
Use static analysis regularly, not just before releases… The earlier you find errors, the cheaper they are to fix… You've probably heard this a hundred times. Today we'll answer the "Why?" question once again. An error from the Akka.NET project will assist us. The error: we'll start with a task…
Csharp · 2 min read

Published in ITNEXT · Apr 19, 2022
SAST in Secure SDLC: 3 reasons to integrate it in a DevSecOps pipeline
Vulnerabilities produce enormous reputational and financial risks. That's why many companies are fascinated by security and desire to build a secure development life cycle (SSDLC). So, today we're going to discuss SAST — one of the SSDLC components. SAST (static application security testing) is used to search for security defects…
Software Development · 8 min read