Compuware aims for hacker-proof ASP.Net applications
DevPartner SecurityChecker finds holes in ASP.Net code but lacks integration features
Driven by a constant stream of well-publicized and highly disconcerting breaches, the demand for software security has spawned numerous tools that analyze code bases and search for any vulnerabilities that a cracker could potentially exploit.
I’ve examined several of these tools in the past year, including Fortify Software’s Source Code Analysis Suite 3.0 and Secure Software’s CodeAssure Suite 2.0. Both of these code security products are very good, but they share a common defect: They do not analyze Web applications that run on Microsoft’s .Net environment. The only product that can currently do that is Compuware’s DevPartner SecurityChecker 1.0.
The SecurityChecker tool analyzes applications in three ways: source-code analysis, run-time analysis, and integrity checking. The last of these attempts to break client-facing Web pages with typical forms of attack, such as oversized input intended to trigger buffer overruns and malicious values entered into form fields.
I found SecurityChecker complete, effective, and highly configurable, albeit limited strictly to .Net languages. It is pricey and lacks some necessary integration features, but for sites using IIS and ASP.Net it is the only code-security tool available, and it does a good job.
SecurityChecker installs as a plug-in to Microsoft Visual Studio .Net 2003, the only version of the IDE currently supported. It occupies a slot on the main menu bar, from which its various activities are launched. (Technically, the software can also be run from the command line, although doing so is cumbersome.)
When launched from Visual Studio, SecurityChecker creates a discovery map of the application by spidering all the pages in a project, starting from the start page. Various options let you broaden or narrow the range of pages, supply passwords, or specify form data so that dynamically generated pages are reached as well.
After the discovery map has been drawn, SecurityChecker performs three security tests, each typically run at a different point in the development process. The first, source-code analysis, is performed on the basis of user-selected rules. The product comes with more than 300 rules ready to go, operating on the four principal languages found in a Microsoft Web project: C#, Visual Basic .Net, ASP.Net, and HTML.
A simple and straightforward check-box UI makes it easy to select the rules that should be applied to each application. Configurations from specific runs can be saved to disk and be rerun later, without having to respecify all the options.
The source checking generates a sorted list of errors ranked by type or severity. The intuitive display also presents a detailed explanation of each problem and its solution, as well as references to other sources of relevant resolution and repair information -- a very useful feature.
The second type of analysis is performed at run time. SecurityChecker watches for dangerous conditions, such as excessive use of process privilege, access to privileged files, incorrect use of the system registry, and straightforward operational problems. These findings are reported in the same error display as the source-code analysis results, and all of them can be exported to a report whose format can be adjusted, within the limits of the console.
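To make concrete what the source-code rules and the run-time checks described above are looking for, here is an added example written for this review; it is not Compuware's code and not one of the product's rules. It is a small ASP.Net 1.1 Web Forms code-behind in C# (the era of Visual Studio .Net 2003) that shows two source-level defects a rule set would flag, SQL injection and unencoded output, each beside its hardened form, plus a registry access that asks for more privilege than it needs, the kind of thing a run-time monitor would report. The page class, control names, table, connection string, and registry path are all made up for the illustration.

```csharp
// Added example (not Compuware's code or rules): an ASP.Net 1.1 Web Forms
// code-behind showing defects that a source-code rule set and a run-time
// privilege check would flag, each beside a hardened form. SearchPage,
// txtSearch, lblResult, the Products table, the connection string and the
// registry path are all assumed names for the illustration.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Win32;

public class SearchPage : Page
{
    protected TextBox txtSearch;
    protected Label lblResult;

    // Assumed connection string; a real application would read it from Web.config.
    private const string ConnString =
        "Server=(local);Database=Catalog;Integrated Security=SSPI;";

    // VULNERABLE: user input is concatenated into the SQL statement (SQL
    // injection) and echoed back to the browser unencoded (cross-site
    // scripting). A source rule that traces Request input into
    // SqlCommand.CommandText and into page output would report both.
    protected void Search_Vulnerable(object sender, EventArgs e)
    {
        string term = Request.Form["txtSearch"];
        string sql = "SELECT Name FROM Products WHERE Name LIKE '%" + term + "%'";
        using (SqlConnection conn = new SqlConnection(ConnString))
        {
            SqlCommand cmd = new SqlCommand(sql, conn);
            conn.Open();
            object name = cmd.ExecuteScalar();
            lblResult.Text = "First match for " + term + ": " + name;
        }
    }

    // HARDENED: the same query with a parameter, so the input can never
    // change the statement; an input length limit; and HTML-encoded output.
    protected void Search_Hardened(object sender, EventArgs e)
    {
        string term = txtSearch.Text;
        if (term.Length > 64)
        {
            lblResult.Text = "Search term too long.";
            return;
        }
        using (SqlConnection conn = new SqlConnection(ConnString))
        {
            SqlCommand cmd = new SqlCommand(
                "SELECT Name FROM Products WHERE Name LIKE @pattern", conn);
            SqlParameter p = cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 70);
            p.Value = "%" + term + "%";
            conn.Open();
            object name = cmd.ExecuteScalar();
            lblResult.Text = "First match for "
                + HttpUtility.HtmlEncode(term) + ": "
                + HttpUtility.HtmlEncode(Convert.ToString(name));
        }
    }

    // RUN-TIME FINDING: opening an HKLM key with writable == true requests
    // more privilege than reading a setting needs. Under a low-privilege
    // worker account this fails; under an over-privileged one it silently
    // works, which is exactly what a run-time privilege monitor should flag.
    private static string ReadSetting_Excessive()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(
            @"SOFTWARE\ExampleCorp\Catalog", true))   // writable: not needed
        {
            return key == null ? null : (string)key.GetValue("ReportPath");
        }
    }

    // LEAST PRIVILEGE: a read-only handle, and a null check so a missing
    // key does not throw.
    private static string ReadSetting_ReadOnly()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(
            @"SOFTWARE\ExampleCorp\Catalog", false))
        {
            return key == null ? null : (string)key.GetValue("ReportPath");
        }
    }
}
```

The event wiring and the .aspx markup that declares txtSearch and lblResult are omitted; the point is the contrast within each pair. Note that the hardened search still lets a user supply SQL wildcard characters inside the LIKE pattern, which is harmless here but worth knowing when the query touches sensitive columns.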