Our team recognizes the importance of security, but has yet to find reliable solutions that match the speed of our development process. That's where Puma Scan comes into the picture.
I work in a development shop where we rely on Continuous Integration (CI) and Continuous Deployment (CD) to deliver changes quickly to our customers. Our team recognizes the importance of security, but has yet to find reliable solutions that match the speed of our development process. We have run a few static scanners, but none have provided quality results to the software engineers fast enough to keep up. I was recently at a conference where a speaker presented on the Puma Scan static scanner, and I wanted to give it a try.
When you go to the Puma Scan website, you’ll notice different versions of the scanner. These include a Community Edition, Professional End User Edition, and a Server Edition. I wanted to test the scanner, so I used the Professional End User Trial License. I registered, confirmed my email, and in minutes had a 30-day trial license. Easy…
In order to run the scanner, you’ll need to install the Visual Studio Extension. You can easily do this by going to “Tools / Extensions and Updates”, searching the online marketplace for “Puma Scan Professional”, and then installing the extension. For what it’s worth, I’m running Visual Studio 2017 Enterprise.
When you sign up for the trial and validate your email, a license file will be available to download from the portal. To get things up and running, move the license file into the appdata directory for Visual Studio. The default location is listed below (on Windows 10 at least):
I missed this initially when I did the install and was wondering why I wasn’t getting any analyzer results. I had to go back and RTM (read the manual). To improve performance, Visual Studio does not enable full solution analysis by default. As described in the Installation Documents, enable full solution analysis, and boom, live security analysis of my code!!!
And now the real reason I wanted to try out Puma: I’ve used other security scanners before and I never remembered to run the scanner. Furthermore, I could never remember HOW to run the scanner. Running lengthy, awkward scans before I could commit code was just… FRUSTRATING. Seeing the Puma Scan demo at the conference made it look easy. Once installed, I tried writing some insecure code (screenshot below). You can see a request parameter being concatenated into a SQL statement. The Puma Scan analyzers warned me by underlining the code. In my own environment. As I was coding. COOL!
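The pattern described above, shown beside its parameterized fix. This is an added example, not the code from the post's screenshot and not Puma Scan's own sample; the table, column and parameter names are hypothetical and the input strings are constructed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: Orders, CustomerId and @customerId are hypothetical names.
public static class OrderQueries
{
    // Insecure: the request value becomes part of the SQL text itself,
    // so whoever controls the value controls the shape of the query.
    public static SqlCommand BuildConcatenated(string customerId)
    {
        return new SqlCommand(
            "SELECT Id, Total FROM Orders WHERE CustomerId = '" + customerId + "'");
    }

    // Hardened: the SQL text is a constant and the value travels separately
    // as a typed, length-bounded parameter that the server never parses as SQL.
    public static SqlCommand BuildParameterized(string customerId)
    {
        var cmd = new SqlCommand(
            "SELECT Id, Total FROM Orders WHERE CustomerId = @customerId");
        cmd.Parameters.Add("@customerId", SqlDbType.NVarChar, 64).Value = customerId;
        return cmd;
    }

    public static void Main()
    {
        // Constructed inputs standing in for a request parameter such as
        // Request.QueryString["customerId"]; no database connection is opened.
        string[] inputs = { "C-1001", "x' OR '1'='1" };

        foreach (var input in inputs)
        {
            using (var bad = BuildConcatenated(input))
            using (var good = BuildParameterized(input))
            {
                Console.WriteLine("input:         " + input);
                // The SQL text changes with the input: the WHERE clause is rewritten.
                Console.WriteLine("concatenated:  " + bad.CommandText);
                // The SQL text is identical for every input; only the bound value differs.
                Console.WriteLine("parameterized: " + good.CommandText);
                Console.WriteLine("  @customerId = " + good.Parameters["@customerId"].Value);
                Console.WriteLine();
            }
        }
    }
}
```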
Fixing The Unresolved Metadata Reference Exception