Static Code Analysis and Custom FxCop Rules for Enterprise ASP.Net Development

Over the last couple months I've been doing a bit of work with FxCop and Static Code Analysis.  If you remember playing with FxCop back in the day, it was a cool tool to check for possible design, localization, performance, and security issues with your .Net code.  But, for most of us, that's where things stopped, playing with a cool tool and then forgetting about it.  Sure, Microsoft built it into VS 2005 as Visual Studio Code Analysis, but still most developers forget about it, and never turn it on.  Well, I've been on a Continuous Integration kick for over a year now (with CruiseControl.Net or TFS 2008, depending on the client), and it is easy to an things like FxCop and NDepend to your build process.  Yes, there are a lot of pre-built rules out there, but for most of us, some of the rules are extremely valuable, but some are just annoying, and there are still a lot of personal best practices that you have developed over the years that don't have rules. 

Well, that is where writing your own FxCop rules can come in handy.  It isn't the easiest thing to work with, since there is no official documentation of Microsoft.Cci (which is the heart and soul of FxCop).  But, Jason Kresowaty has created some helpful documentation (although not complete by any means), and he also created the extremely helpful Introspector tool to go along with spelunking assemblies using the introspection object model.  After writing a couple of my own custom rules, I figured I should poke around and see if anyone has released some FxCop rule libraries, checking out CodePlex and SourceForge, but I didn't find any.  I did find one blog post by Richard Banks on a great WCF FxCop rule example, EnsureFaultContractsAreDeclared, and sure, the Patterns & Practices team releases custom rules as part of their Software Factories, but I thought that there would be more out there.  It seems like something that would be perfect for groups like ASP Insiders, Sharepoint MVPs, Connected Systems MVPs, etc. and they could band together and come up with some good rules to go along with all the best practices we seem to come up with.

So, I'll try to start this thing rolling, and try to put together a bunch of rules around best practices for building Enterprise-ready ASP.Net applications.  But I can't do it alone, so I'm asking the community to help me out, and either leave their own ASP.Net rules as comments, or post them up on their blog (if you have one, and link back to this post).  I'll document them, and if we get enough traction, I'll start up a CodePlex project where we can coordinate this.  Here's an example:

Rule: EnsureAspSessionVariablesAreSerializable
Name - Asp.Net Session variables must be marked serializable
Description: All session variables must be marked serializable if you will be using a SessionStateMode other than inproc
Resolution: Mark the variable to be stored in session with the Serializable attribute

I'm sure others have similar rules, that they use implicitly, and I'd like to gather them up, put them into rule libraries and then publish them on CodePlex.