We do not use security-specific analysis or testing in our development process. This is mostly because NServiceBus runs on top of existing messaging infrastructure and we do not add additional security functionality on top of that (except for our message property encryption package). We recommend leveraging a transport’s security features if necessary.
As for the endpoint processes, NServiceBus runs as a .NET process and inherits all potential security risks from the platform (e.g. the .NET Framework). Note that NServiceBus endpoints do not require elevated privileges.
We use static code analysis but not with an explicit focus on security vulnerabilities. However, we have had several customers and vendors of security-related code analysis solutions analyse our code base without any issues detected so far.
As part of our deployment process, NuGet packages are run against a malware scanner before being published to NuGet.
Is that information sufficient?