Compuware aims for hacker-proof ASP.Net applications
DevPartner SecurityChecker finds holes in ASP.Net code but lacks integration features
Three’s a Charm
Integrity analysis is the third and final type of analysis the solution performs, and it’s the most involved. SecurityChecker tests the application’s overall security by automating common attacks against the running application: it replays SQL injection, buffer-overflow, and cross-site scripting attempts and then reports the results.
SecurityChecker also checks the error messages the application returns for bad input to make sure they don’t give away information useful to an attacker -- such as reporting that the log-in name is correct but the password is invalid, which confirms to an attacker that the attempted log-in handle exists. This feature is important in ensuring your application’s security and, to my knowledge, unique to SecurityChecker.
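The error-message check described above amounts to a user-enumeration test: submit a wrong password for an account that exists and for one that does not, and see whether the application answers differently. The following is an added example of that test, written for this page rather than taken from SecurityChecker or from any ASP.Net application; the two login handlers, the `alice` account, and the probe password are constructed stand-ins. The leaky handler reproduces the flaw the review describes (distinct "unknown user" and "invalid password" messages); the hardened one returns a single message and does the same hashing work on both failure paths.

```python
"""Username-enumeration check: does a failed log-in reveal whether the account exists?

Added example; the handlers below are constructed stand-ins, not code from
SecurityChecker or from a real ASP.Net application.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed user store with a single account. A salted SHA-256 keeps the
# example self-contained; production code would use a slow password hash.
_SALT = b"constructed-salt-for-example-only"


def _hash(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode("utf-8")).digest()


USERS = {"alice": _hash("correct horse battery staple")}

# A random hash that no real password corresponds to; the hardened handler
# compares against it when the user is unknown so both paths cost the same.
_DUMMY_HASH = _hash(secrets.token_hex(16))


def leaky_login(username: str, password: str) -> tuple[bool, str]:
    """Vulnerable handler: different messages disclose whether the user exists."""
    stored = USERS.get(username)
    if stored is None:
        return False, "Unknown user name."
    if not hmac.compare_digest(stored, _hash(password)):
        return False, "Password is invalid."
    return True, "Welcome."


def hardened_login(username: str, password: str) -> tuple[bool, str]:
    """Hardened handler: one failure message, and a hash comparison on every path."""
    stored = USERS.get(username, _DUMMY_HASH)
    # The membership test comes last so the hash work is always performed.
    ok = hmac.compare_digest(stored, _hash(password)) and username in USERS
    if ok:
        return True, "Welcome."
    return False, "Invalid user name or password."


def enumeration_oracle(login, known_user: str,
                       probe_password: str = "definitely-not-the-password") -> dict:
    """Probe a login handler with a bad password for a known and an unknown user.

    Returns both failure messages and whether they differ, which is the
    signal an attacker would use to confirm that `known_user` exists.
    """
    unknown_user = "no-such-user-" + secrets.token_hex(4)
    ok_known, msg_known = login(known_user, probe_password)
    ok_unknown, msg_unknown = login(unknown_user, probe_password)
    if ok_known or ok_unknown:
        raise RuntimeError("probe password was unexpectedly accepted")
    return {
        "known_user_message": msg_known,
        "unknown_user_message": msg_unknown,
        "leaks_user_existence": msg_known != msg_unknown,
    }


if __name__ == "__main__":
    for name, handler in (("leaky", leaky_login), ("hardened", hardened_login)):
        result = enumeration_oracle(handler, "alice")
        verdict = "LEAKS" if result["leaks_user_existence"] else "ok"
        print(f"{name:9s} {verdict:5s} known={result['known_user_message']!r} "
              f"unknown={result['unknown_user_message']!r}")
```

Comparing the message text is only the first step; an equivalent check against a live web application should also compare HTTP status codes, redirects, and response timing, since an application can return identical text on both paths and still reveal the difference through a slower database lookup or a different header. That is also why the hardened handler hashes against a dummy value for unknown users instead of returning early.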
Compuware wisely recommends that source-code analysis be run frequently so that security problems are caught before they are baked into an application. Run-time testing, the company suggests, should be performed as various units approach the testing stage. And integrity analysis should be undertaken after any work unit has been completed and during debugging.
I do, however, think that integrity analysis should be performed more frequently than Compuware recommends. Even though it takes more time, running this test as part of the standard development cycle will undoubtedly close most known holes in application security. Combine the complete set of analyses with a program of regular operating system updates, and you’re likely to have strong, tamper-resistant applications.
Although SecurityChecker allows users to format reports in a variety of ways and even create custom reports, it doesn’t have a true manager’s console. Tracking bug counts from week to week and tying them to specific releases and events is not part of the package, unfortunately.
The absence of this feature, which is standard on competing packages, means that managers must track this data manually -- something only the most determined managers will make time for.
The package is missing a few other features and has some other quirks, as well. For one, it cannot run at the same time as any other tool in the DevPartner family, and turning one Compuware product off in order to run another is not a particularly easy task.
In addition, SecurityChecker does not export bug details or problem reports into a format that can be consumed by bug-tracking systems, nor does it work with code coverage testing tools -- a frustrating oversight that limits its usefulness in enterprise applications. Finally, the package tends to run slowly, especially when running all three analyses.
These problems are not grave, and they do not detract from the fact that Compuware’s DevPartner SecurityChecker 1.0 software does provide superior analysis of code security problems and is unique in that it handles .Net applications. However, at a cost of $12,000 per seat, you quite rightly would expect to get a better-integrated package with management features.