Compuware aims for hacker-proof ASP.Net applications

DevPartner SecurityChecker finds holes in ASP.Net code but lacks integration features

Driven by a constant stream of well-publicized and highly disconcerting breaches, the demand for software security has spawned numerous tools that analyze code bases and search for any vulnerabilities that a cracker could potentially exploit.

I’ve examined several of these tools in the past year, including Fortify Software’s Source Code Analysis Suite 3.0 and Secure Software’s CodeAssure Suite 2.0. Both of these code security products are very good, but they share a common defect: They do not analyze Web applications that run on Microsoft’s .Net environment. The only product that can currently do that is Compuware’s DevPartner SecurityChecker 1.0.

The SecurityChecker tool analyzes applications in several ways, providing source-code verification, run-time analysis, and integrity checking. The last of these processes attempts to break client-facing Web pages by using typical forms of attack, such as buffer overruns and entry of malicious values into forms.

I found SecurityChecker complete, effective, and highly configurable, albeit limited strictly to .Net languages. It is pricey and lacks some necessary integration features; but for sites using IIS and ASP.Net, it is the only solution for securing apps -- and it does a good job at that.

Intense Analysis
SecurityChecker installs as a plug-in to Microsoft Visual Studio .Net 2003, the only version of the IDE currently supported. It occupies a slot on the principal menu bar, from which its various activities are launched. (Technically speaking, the software can be run from the command line, although doing this is complex and somewhat convoluted.)

When launched from Visual Studio, SecurityChecker creates a discovery map of the software by spidering all the pages in a project, beginning with the initial page. Various options allow you to broaden or narrow page ranges, enter passwords, or specify form data so as to generate dynamically created Web pages.

After the discovery map has been drawn, SecurityChecker performs three security tests, each typically run at a different point in the development process. The first, source-code analysis, is performed on the basis of user-selected rules. The product comes with more than 300 rules ready to go, operating on the four principal languages found in a Microsoft Web project: C#, Visual Basic .Net, ASP.Net, and HTML.

A simple and straightforward check-box UI makes it easy to select the rules that should be applied to each application. Configurations from specific runs can be saved to disk and be rerun later, without having to respecify all the options.

The source checking generates a sorted list of errors ranked by type or severity. The intuitive display also presents a detailed explanation of each problem and its solution, as well as references to other sources of relevant resolution and repair information -- a very useful feature.

The second type of analysis is performed at run time. SecurityChecker looks for dangerous conditions, such as excessive use of process privilege, access to privileged files, incorrect use of the system registry, and straightforward operational problems. These problems are reported in the same error display as the source-code analysis results, and all errors can be placed in a report, the format of which can be modified within the console’s limitations.

Three’s a Charm
Integrity analysis is the third and final type of analysis the solution performs, and it’s the most involved. SecurityChecker tests the application’s overall security by automating hacks. For example, it replays SQL injection, buffer overflows, and cross-site scripting attacks. It then reports the results.

SecurityChecker also verifies error messages from bad data input to make sure the application doesn’t give away useful information to a potential attacker -- such as reporting that the log-in is correct but the password is invalid, which would reveal to a hacker that the attempted log-in handle is valid. This feature is important in ensuring your application’s security and, to my knowledge, unique to SecurityChecker.
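The login-response check described above, shown as an added C# example (not Compuware's or SecurityChecker's code) with a constructed in-memory user store standing in for the application's real database; `IUserStore`, `LeakyLogin` and `UniformLogin` are names chosen for this illustration:

```csharp
using System;
using System.Collections;

// Hypothetical store interface; a real app would query its membership database.
public interface IUserStore
{
    bool UserExists(string userName);
    bool PasswordMatches(string userName, string password);
}

// Vulnerable form: two different failure messages tell a caller which
// log-in handles exist, which is exactly what the review warns against.
public static class LeakyLogin
{
    public static string Attempt(IUserStore store, string user, string pw)
    {
        if (!store.UserExists(user))
            return "Unknown user name.";   // reveals the handle is invalid
        if (!store.PasswordMatches(user, pw))
            return "Password is invalid."; // reveals the handle is valid
        return "OK";
    }
}

// Hardened form: one message for every failure. The password check runs on
// both paths so a missing user and a wrong password cost about the same time,
// closing the timing side channel that a uniform message alone leaves open.
public static class UniformLogin
{
    public const string Failure = "Invalid user name or password.";

    public static string Attempt(IUserStore store, string user, string pw)
    {
        bool exists = store.UserExists(user);
        bool matches = store.PasswordMatches(user, pw); // evaluated regardless
        return (exists && matches) ? "OK" : Failure;
    }
}

// Constructed store for the demonstration: one known user, plain-text password
// for brevity only; a real store compares against a salted hash.
public class DemoStore : IUserStore
{
    private readonly Hashtable users = new Hashtable();
    public DemoStore() { users["alice"] = "correct horse"; }
    public bool UserExists(string u) { return users.ContainsKey(u); }
    public bool PasswordMatches(string u, string p)
    {
        // Compare against a dummy value when the user is absent so the cost
        // of this call does not depend on whether the handle exists.
        string stored = users.ContainsKey(u) ? (string)users[u] : "dummy";
        return String.Equals(stored, p) && users.ContainsKey(u);
    }
}
```

Run with a bad user and a bad password against both classes: `LeakyLogin` returns two distinguishable strings, `UniformLogin` returns `Failure` for both.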

Compuware wisely recommends that source-code analysis be run frequently so that security problems are caught before they are baked into an application. Run-time testing, the company suggests, should be performed as various units approach the testing stage. And integrity analysis should be undertaken after any work unit has been completed and during debugging.

I do, however, think that integrity analysis should be performed more frequently than Compuware recommends. Even though it takes more time, running this test as part of the standard development cycle will undoubtedly close most known holes in application security. Combine the complete set of analyses with a program of regular operating system updates, and you’re likely to have strong, tamper-resistant applications.

Console Consolations
Although SecurityChecker allows users to format reports in a variety of ways and even create custom reports, it doesn’t have a true manager’s console. Tracking bug counts from week to week and tying them to specific releases and events is not part of the package, unfortunately.

The absence of this feature, which is standard on competing packages, means that managers must track this data manually -- something only the most determined managers will make time for.

The package is missing a few other features and has some other quirks, as well. For one, it cannot run at the same time as any other tool in the DevPartner family, and turning one Compuware product off in order to run another is not a particularly easy task.

In addition, SecurityChecker does not export bug details or problem reports into a format that can be consumed by bug-tracking systems, nor does it work with code coverage testing tools -- a frustrating oversight that limits its usefulness in enterprise applications. Finally, the package tends to run slowly, especially when running all three analyses.

These problems are not grave, and they do not detract from the fact that Compuware’s DevPartner SecurityChecker 1.0 software does provide superior analysis of code security problems and is unique in that it handles .Net applications. However, at a cost of $12,000 per seat, you quite rightly would expect to get a better-integrated package with management features.

InfoWorld Scorecard: Compuware DevPartner SecurityChecker 1.0

Configurability (20.0%):   9.0
Value (10.0%):             7.0
Language support (10.0%):  8.0
Performance (10.0%):       7.0
Integration (15.0%):       6.0
Accuracy (35.0%):          9.0
Overall Score (100%):      8.1