Developing Secure Code is Easier Than Ever with Visual Studio 2019

As an application developer, you likely have security top of mind – and for good reason. The frequency and impact of cyber attacks that exploit software vulnerabilities continue to rise dramatically year after year. Ensuring code is secure is a challenging but critical responsibility we all share.

Thankfully, the latest release of Visual Studio provides new tools that make building safer applications easier than ever before. In this comprehensive guide, we'll cover all of the major security enhancements packaged in Visual Studio 2019. Read on to see how Microsoft equips developers to meet the threats of today – and tomorrow…

The Stark Reality of Insecure Code

Before diving into the security goodies, it's important to establish context on why coding vulnerabilities introduce so much risk.

As you well know, mistakes like input validation errors, race conditions, injection flaws, and cryptographic weaknesses frequently crop up even in software built by the most skilled engineers. Frankly, humans make errors – especially when managing the complexity inherent in modern applications.

Attackers aggressively scan for these security gaps and exploit them ruthlessly after discovery. In fact, the MITRE CVE database tracked over 17,000 vulnerabilities in commercial and open source software components last year alone!

Worryingly, the volume of harmful attacks successfully targeting such coding mistakes continues rising every year. The 2022 Verizon Data Breach Investigations Report noted software vulnerabilities play a role in 82% of breaches analyzed. The cyber threat landscape grows more dangerous by the day.

Security Superpowers in Visual Studio 2019

So how does Microsoft equip developers to meet these threats head-on? By baking cutting-edge security capabilities directly into Visual Studio 2019!

Safe coding best practices are now surfaced through IntelliCode – This AI engine reviews code contextually to warn about deprecated APIs, unvalidated inputs, cryptographic weaknesses, and other unsafe practices. Over time, detection grows more advanced and personalized based on your projects.

End-to-end encryption secures Live Share collaboration – As developers flock to Live Share for improved teamwork, data protections ensure no sensitive source code or credentials leak during these remote sessions. Granular access controls even let administrators limit live editing. Peace of mind extends to security professionals.

Managed code reviews allow probing pull requests for vulnerabilities before merging – No need to download from your git host and configure local runtimes to inspect proposed code changes anymore thanks to this feature. Debug any pull request with a click after others finish reviewing to catch issues in a natural workflow.

In total, Microsoft invested thousands of developer hours re-architecting aspects of Visual Studio specifically intended to make generating secure code easier across the entire software lifecycle.

IntelliCode – An AI Sidekick for Safe Coding

IntelliCode stands out as an anchor point of Microsoft's security focus in Visual Studio 2019. This AI-powered coding assistant serves up contextually relevant recommendations as you work in your preferred programming language.

An embedded knowledge graph populated by deep learning algorithms reviews current code snippets for dangerous patterns. When risky constructions like unvalidated inputs or SQL injection vulnerabilities appear, warnings surface through Visual Studio's interface.

Over time, IntelliCode adapts to your unique weaknesses, giving safe coding guidance tailored to how you build applications.

Thomas Ko, a Principal Cloud Developer Advocate at Microsoft, discussed the genesis of IntelliCode from the company's broader AI for Good initiatives, saying:

"We fundamentally believe that artificial intelligence tools like IntelliCode should empower developers to code more ethically and safely in addition to increasing productivity. Surfacing security recommendations contextually in real-time untaps this possibility in a way we've never seen before. Codifying and democratizing best practices unlocks exciting potential."

Application security teams rejoice too! Now developers get coached to avoid introducing dangerous vulnerabilities from the start before getting dinged in downstream audits and penetration testing activities. Over time, this should result in more secure code requiring less expensive patching late in development cycles.

Collaborating Securely with Live Share

Modern software engineering depends more than ever on developers collaborating continuously. Architectural patterns like microservices drive complexity exponentially higher, requiring tight integration across functional teams.

Visual Studio Live Share spins up secure collaborative coding sessions with a click for debugging issues or reviewing code in real-time. Users can instantly share context from integrated development environments without dangerous data leakage or exposing attack surfaces.

How does Microsoft achieve this? Data always flows through trusted Live Share servers rather than directly peer-to-peer. Strict host controls enable administrators to limit functionality based on their security requirements. Different policies can restrict whether guests have read-only or full write access. Certain types of particularly sensitive projects can even disable Live Share entirely.

End-to-end encryption ensures no transmitted code, credentials, or conversations leak during sessions. The development team at Microsoft focused maniacally on securing Live Share, recognizing that barriers to adoption would crop up immediately if any weakness surfaced.

Hundreds of thousands of developers now rely on Live Share daily without worry, according to Head PM Tony Vitucci:

"Enforcing security best practices around encrypted data transmission and granular access controls unlocks innovation in how teams build software together. Trusted collaboration leads to more secure applications."

Managed Code Reviews – Vetting Pull Requests

Code reviews already play an indispensable role at most shops by providing peer validation of changes before integration into central repositories. Modern git-based methodologies rely on pull requests to propose and discuss optimizations in an isolated fashion before merging code.

In the past, thoroughly reviewing dynamic application code meant downloading pull requests locally, then configuring runtime dependencies to debug behavior. Clunky and time-consuming! Developers often took shortcuts, potentially allowing vulnerabilities through.

Visual Studio 2019 removes all friction with managed code reviews. Click any pull request message directly within the IDE to immediately evaluate proposed changes in system-managed sandbox environments. Debug to your heart's content in isolated containers without tainting your machine or wasting hours setting up.

The outcome? Significantly more rigorous inspection of PR code changes to catch functional defects AND security issues like injection attack surfaces. Fewer issues escape downstream, reducing eventual patching costs.

Principal Security PM Chad Roberts explained their motivations:

"We strongly believe the pull request workflow offers a last line of defense for catching security issues before release. Optimizing this workflow removes excuses for anyone not thoroughly vetting contributions. Incrementally improving security posture happens one merged PR at a time."

Bottom Line

Visual Studio 2019 makes a giant leap forward in integrating security deeply into the inner development loop. Too often, dangerous vulnerabilities creep in during initial coding, leading to costly rework down the road.

With AI-powered real-time guidance, encrypted collaboration, and simplified code review workflows, Microsoft delivers tooling that inherently guides engineers towards safer practices, all while increasing productivity.

Upgrading teams today unlocks immediate security wins while investing in a foundation for long-term application security maturation. Equipped with Visual Studio 2019, developers can code both faster and more securely right from their preferred IDE. What more motivation could you need for upgrading?