Driven by a constant stream of well-publicized and highly disconcerting breaches, the demand for software security has spawned
numerous tools that analyze code bases and search for any vulnerabilities that a cracker could potentially exploit.
Compuware DevPartner SecurityChecker 1.0
Compuware, compuware.com
|
 Very Good 8.1 |
|
| criteria |
score |
weight |
| Accuracy |
9 |
35% |
 |
| Configurability |
9 |
20% |
|
| Integration |
6 |
15% |
|
| Language support |
8 |
10% |
|
| Performance |
7 |
10% |
|
| Value |
7 |
10% |
|
|
|
Cost:
$12,000 per concurrent user; includes one-year upgrade subscription
Platforms:
Windows 2000, XP, or Windows Server 2003 with IIS 5.0 or later, running .Net framework 1.1 or later; Visual Studio .Net 2003
Bottom Line:
Compuware’s DevPartner SecurityChecker 1.0 is a very good security-analysis engine for ASP.Net applications. It’s highly configurable
and offers helpful explanations of problems, along with useful recommendations for resolving them. It would benefit from better
integration with other application development tools, a true management console, and somewhat faster execution.
|
|
About our Reviews and Scoring Methodology
|
|
|
|
I’ve examined several of these tools in the past year, including Fortify Software’s Source Code Analysis Suite 3.0 and Secure Software’s CodeAssure Suite 2.0. Both of these code security products are very good, but they share a common defect: They do not analyze Web applications
that run on Microsoft’s .Net environment. The only product that can currently do that is Compuware’s DevPartner SecurityChecker
1.0.
The SecurityChecker tool analyzes applications in several ways, providing source-code verification, run-time analysis, and
integrity checking. The last of these processes attempts to break client-facing Web pages by using typical forms of attack,
such as buffer overruns and entry of malicious values into forms.
I found SecurityChecker complete, effective, and highly configurable, albeit limited strictly to .Net languages. It is pricey
and lacks some necessary integration features; but for sites using IIS and ASP.Net, it is the only solution for securing apps
-- and it does a good job at that.
Intense Analysis
SecurityChecker installs as a plug-in to Microsoft Visual Studio .Net 2003, the only version of the IDE currently supported.
It occupies a slot on the principal menu bar, from which its various activities are launched. (Technically speaking, the software
can be run from the command line, although doing this is complex and somewhat convoluted.)
When launched from Visual Studio, SecurityChecker creates a discovery map of the software by spidering all the pages in a
project, beginning with the initial page. Various options allow you to broaden or narrow page ranges, enter passwords, or
specify form data so as to generate dynamically created Web pages.
After the discovery map has been drawn, SecurityChecker performs three security tests, each typically run at a different point
in the development process. The first, source-code analysis, is performed on the basis of user-selected rules. The product
comes with more than 300 rules ready to go, operating on the four principal languages found in a Microsoft Web project: C#,
Visual Basic .Net, ASP.Net, and HTML.
A simple and straightforward check-box UI makes it easy to select the rules that should be applied to each application. Configurations
from specific runs can be saved to disk and be rerun later, without having to respecify all the options.
The source checking generates a sorted list of errors ranked by type or severity. The intuitive display also presents a detailed
explanation of each problem and its solution, as well as references to other sources of relevant resolution and repair information
-- a very useful feature.
The second type of analysis is performed at run time. SecurityChecker looks for dangerous conditions, such as excessive use
of process privilege, access to privileged files, incorrect use of the system registry, and straightforward operational problems.
These problems are reported in the same error display as the source-code analysis results, and all errors can be placed in
a report, the format of which can be modified within the console’s limitations.
Three’s a Charm
Integrity analysis is the third and final type of analysis the solution performs, and it’s the most involved. SecurityChecker
tests the application’s overall security by automating hacks. For example, it replays SQL injection, buffer overflows, and
cross-site scripting attacks. It then reports the results.
SecurityChecker also verifies error messages from bad data input to make sure the application doesn’t give away useful information
to a potential attacker -- such as reporting that the log-in is correct but the password is invalid, which would reveal to
a hacker that the attempted log-in handle is valid. This feature is important in ensuring your application’s security and,
to my knowledge, unique to SecurityChecker.
Compuware wisely recommends that source-code analysis be run frequently so that security problems are caught before they are
baked into an application. Run-time testing, the company suggests, should be performed as various units approach the testing
stage. And integrity analysis should be undertaken after any work unit has been completed and during debugging.
I do, however, think that integrity analysis should be performed more frequently than Compuware recommends. Even though it
takes more time, running this test as part of the standard development cycle will undoubtedly close most known holes in application
security. Combine the complete set of analyses with a program of regular operating system updates, and you’re likely to have
strong, tamper-resistant applications.
Console Consolations
Although SecurityChecker allows users to format reports in a variety of ways and even create custom reports, it doesn’t have
a true manager’s console. Tracking bug counts from week to week and tying them to specific releases and events is not part
of the package, unfortunately.
The absence of this feature, which is standard on competing packages, means that managers must track this data manually --
something only the most determined managers will make time for.
The package is missing a few other features and has some other quirks, as well. For one, it cannot run at the same time as
any other tool in the DevPartner family, and turning one Compuware product off in order to run another is not a particularly
easy task.
In addition, SecurityChecker does not export bug details or problem reports into a format that can be consumed by bug-tracking
systems, nor does it work with code coverage testing tools -- a frustrating oversight that limits its usefulness in enterprise
applications. Finally, the package tends to run slowly, especially when running all three analyses.
These problems are not grave, and they do not detract from the fact that Compuware’s DevPartner SecurityChecker 1.0 software
does provide superior analysis of code security problems and is unique in that it handles .Net applications. However, at a
cost of $12,000 per seat, you quite rightly would expect to get a better-integrated package with management features.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
