C# Security Vulnerabilities and Language Overview

What is C#?

First appearing in 2000, C# (pronounced see-sharp) is a general-purpose, object-oriented programming language developed by Microsoft from within their .NET initiative. Later, C# was approved as a standard by ECMA (an international non-profit standards organization for information and communication systems) and ISO (International Organization for Standardization).

Anders Hejlsberg, the lead architect of C#

In Stack Overflow’s 2016 Developer Survey, C# ranked as the fourth most popular technology, with slightly over 30% of respondents using it for development, a 0.7% decline from the 2015 results.

In terms of what C# is not, the lead architect, Anders Hejlsberg, has responded to allegations of C# being a copy of Java by saying that C# is “not a Java clone” and is “much closer to C++” in its design.

The name “C sharp” was inspired by musical notation, where a “sharp” indicates that a note is a semitone higher in pitch, although the sharp symbol (♯) is slightly different from the “pound sign” (#) on most keyboards, as its horizontal lines slant upwards.

Stack Overflow’s 2016 Developer Survey language rankings

Why Was C# Initially Created?

In early 1999, Anders Hejlsberg was working with a team at Microsoft on a new language which he referred to as COOL (C-like Object Oriented Language). When the .NET project was announced in July 2000, COOL had been renamed to C# and the class libraries and ASP.NET runtime had been ported to C# after being originally written in a managed code compiler system known as Simple Managed C (SMC) during the development of the .NET framework.

The following C# design goals were published in ECMA’s 4th Edition of the C# Language Specification, released in June 2006.

  • The C# language is intended to be a simple, modern, general-purpose, object-oriented programming language.
  • The language, and implementations thereof, should provide support for software engineering principles such as strong type checking, array bounds checking, detection of attempts to use uninitialized variables, and automatic garbage collection. Software robustness, durability, and programmer productivity are important.
  • The language is intended for use in developing software components suitable for deployment in distributed environments.
  • Portability is very important for source code and programmers, especially those already familiar with C and C++.
  • Support for internationalization is very important.
  • C# is intended to be suitable for writing applications for both hosted and embedded systems, ranging from the very large that use sophisticated operating systems, down to the very small having dedicated functions.
  • Although C# applications are intended to be economical with regard to memory and processing power requirements, the language was not intended to compete directly on performance and size with C or assembly language.

Microsoft’s Developer Network notes that in addition to basic object-oriented principles, C# accelerates software development through a number of forward-thinking language constructs including:

  • Encapsulated method signatures called delegates, which enable type-safe event notifications.
  • Properties, which serve as accessors for private member variables.
  • Attributes, which provide declarative metadata about types at run time.
  • Inline XML documentation comments.
  • Language-Integrated Query (LINQ) which provides built-in query capabilities across a variety of data sources.
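The constructs listed above, exercised together in one small program. This is an added example, not code from the original page or from Microsoft: a custom attribute is read back via reflection, a property setter validates its input, a delegate-based event delivers a type-safe notification, and a LINQ query runs over an in-memory collection. The `Account`, `SensitiveAttribute` and `LoginFailedEventArgs` types and all sample data are constructed for illustration.

```csharp
// Added example (not from the original page): delegates/events, properties,
// attributes, XML documentation comments and LINQ in one program.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

/// <summary>Marks a property whose value must not be written to logs (constructed for this example).</summary>
[AttributeUsage(AttributeTargets.Property)]
public sealed class SensitiveAttribute : Attribute { }

/// <summary>Event payload describing a failed login (constructed for this example).</summary>
public sealed class LoginFailedEventArgs : EventArgs
{
    public string UserName { get; }
    public LoginFailedEventArgs(string userName) => UserName = userName;
}

public sealed class Account
{
    private string _userName = "";
    private string _passwordHash = "";

    // Property: the setter is the single place where the value is validated,
    // so no caller can store an empty or over-long user name.
    public string UserName
    {
        get => _userName;
        set
        {
            if (string.IsNullOrWhiteSpace(value) || value.Length > 64)
                throw new ArgumentException("user name must be 1-64 characters", nameof(value));
            _userName = value;
        }
    }

    // Attribute: declarative metadata that code can inspect at run time.
    [Sensitive]
    public string PasswordHash
    {
        get => _passwordHash;
        set => _passwordHash = value ?? "";
    }

    public int FailedLogins { get; set; }

    // Delegate-based event: subscribers receive a type-safe notification whose
    // handler signature is checked by the compiler.
    public event EventHandler<LoginFailedEventArgs> LoginFailed;

    public void RecordFailedLogin()
    {
        FailedLogins++;
        LoginFailed?.Invoke(this, new LoginFailedEventArgs(UserName));
    }

    /// <summary>Returns the names of properties that carry no [Sensitive] attribute.</summary>
    public static IEnumerable<string> LoggableProperties() =>
        typeof(Account).GetProperties()
            .Where(p => p.GetCustomAttribute<SensitiveAttribute>() == null)
            .Select(p => p.Name);
}

public static class Program
{
    public static void Main()
    {
        var accounts = new List<Account>
        {
            new Account { UserName = "alice", PasswordHash = "hash-a" },
            new Account { UserName = "bob",   PasswordHash = "hash-b" },
        };

        // Subscribe with a lambda; a handler with the wrong signature would not compile.
        foreach (var a in accounts)
            a.LoginFailed += (sender, e) => Console.WriteLine($"audit: login failed for {e.UserName}");

        for (int i = 0; i < 3; i++)
            accounts[1].RecordFailedLogin();

        // LINQ: query the in-memory list the same way a database or XML source would be queried.
        var lockCandidates = accounts.Where(a => a.FailedLogins >= 3).Select(a => a.UserName);
        Console.WriteLine("lock candidates: " + string.Join(", ", lockCandidates));

        Console.WriteLine("loggable: " + string.Join(", ", Account.LoggableProperties()));
    }
}
```

The `[Sensitive]` attribute does nothing by itself; its value comes from code such as `LoggableProperties` that reads the metadata and keeps the password hash out of log output, which is the kind of declarative policy the attribute mechanism is designed for.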

Who uses C#?

Of the 2.2 million feedback events left by the 40 million monthly visitors to Stack Overflow, C# projects received 41,624 feedback counts in January 2016. A trending list of C# projects on GitHub can be found here.

As it was developed by Microsoft, C# can be found in nearly all of their products and, thanks to the part it plays in the .NET framework, C# is often used in applications alongside ASP.NET. C# is also widely used in video game development for Windows and Xbox.

Companies developing with C# according to Siftery.com

C#’s flexibility as a language makes it well suited to a wide variety of applications; it can be found in Unity games, mobile apps (Xamarin), desktop apps and many more.

Microsoft also notes that C# interoperates with other languages across a range of platforms and with legacy data, by virtue of the following features:

  • Full interoperability support through COM+ 1.0 and .NET Framework services with tight library-based access.
  • XML support for Web-based component interaction.
  • Versioning to provide ease of administration and deployment.

C# Security Vulnerabilities

High-Risk C# Security Vulnerabilities:

Alongside SQL Injections (SQLi), Command Injections and Cross Site Request Forgery, which affect most contemporary programming languages, C# applications also face threats from:
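The SQL injection risk named above, shown in C# as the vulnerable query beside its hardened form. This is an added example, not code from the original page or from Checkmarx: it uses ADO.NET’s `IDbConnection`/`IDbCommand` interfaces with an in-memory SQLite database (assumption: the `Microsoft.Data.Sqlite` package is available; `System.Data.SqlClient` exposes the same command and parameter API). The `users` table, the `UserLookup` class and the sample rows are constructed for illustration.

```csharp
// Added example (not from the original page): a user lookup written with string
// concatenation (injectable) and with a parameterized query (safe).
using System;
using System.Data;
using Microsoft.Data.Sqlite; // assumption: Microsoft.Data.Sqlite package referenced

public static class UserLookup
{
    // VULNERABLE: the caller-supplied value is spliced into the SQL text, so a
    // string containing a quote can change the structure of the statement
    // instead of being treated as data. Static analysis flags this pattern.
    public static int CountMatchesUnsafe(IDbConnection conn, string userName)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM users WHERE name = '" + userName + "'";
        return Convert.ToInt32(cmd.ExecuteScalar());
    }

    // SAFE: the SQL text is a fixed constant; the value is bound as a typed
    // parameter and is never parsed as SQL, whatever characters it contains.
    public static int CountMatchesSafe(IDbConnection conn, string userName)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM users WHERE name = @name";
        var p = cmd.CreateParameter();
        p.ParameterName = "@name";
        p.DbType = DbType.String;
        p.Value = userName;
        cmd.Parameters.Add(p);
        return Convert.ToInt32(cmd.ExecuteScalar());
    }

    public static void Main()
    {
        // In-memory database with two constructed rows.
        using var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        using (var setup = conn.CreateCommand())
        {
            setup.CommandText =
                "CREATE TABLE users(name TEXT); INSERT INTO users VALUES('alice'),('bob');";
            setup.ExecuteNonQuery();
        }

        // A value that is a legitimate string but also valid SQL syntax once spliced in.
        const string input = "x' OR '1'='1";
        Console.WriteLine("concatenated query matched: " + CountMatchesUnsafe(conn, input));
        Console.WriteLine("parameterized query matched: " + CountMatchesSafe(conn, input));
    }
}
```

With the concatenated form the `WHERE` predicate no longer compares against a name, so rows that have nothing to do with the input are returned; with the parameterized form the database compares the column against the literal string and nothing else. The fix is the same with `SqlCommand`, Entity Framework’s `FromSqlInterpolated`, or any other ADO.NET provider: keep the SQL text constant and pass every external value as a parameter.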

Securing your C# Code

Checkmarx’s CxSAST, a static code analysis solution, stands out amongst C# testing solutions as not only the solution which will keep your C# code free from security and compliance issues, but also as the tool which will contribute to your organization’s advancement when it comes to application security maturity.

CxSAST works with the tools your developers are already using, as it seamlessly integrates with most of the common development programs available at every stage of the SDLC. CxSAST’s features, such as incremental code scanning and best fix location, make it ideal for any continuous integration / continuous development (CI/CD) environment.

When vulnerabilities are detected in C# code, CxSAST will not only identify the best fix location, but will also offer the developer resources to understand how the attack vector works, as well as remediation advice to help ensure similar mistakes are avoided in the future.