|
There is a variety of tools out there that can help find and eliminate vulnerabilities in Web applications such as ASP.NET applications, but it is important to remember that these tools only represent a fraction of an effective application security program. Relying only on tools rather than focusing on improving the software development life cycle leads to a false sense of security as automated scanning tools are limited in the types of vulnerabilities they can find.
For example, both black box and white box scanning tools as mentioned in your question are excellent at finding technical flaws in applications, but are also largely powerless to find logical flaws in applications. Technical flaws tend to be caused by improper input handling and are typified by vulnerabilities such as buffer overflows, SQL injection and cross-site scripting (XSS). Logical application flaws deal with topics such as authentication and authorization schemes as well as problems in application logic that can cause the exposure of sensitive assets.
Results from researchers such as Gary McGraw as well as the results of Microsoft's recent security push find that vulnerabilities tend to be roughly equally split between these classes. An application security program based solely on automated tools will therefore miss at least half of the vulnerabilities in the applications they evaluate.
That being said, assessment tools are a valuable component of an overall application security program. There are a number of black box scanning tools available on the market. Some leaders include SPI Dynamics, Watchfire, Acunetix, Cenzic and NT Objectives. Licensing models and prices for these tools vary and they can be rather expensive. Unfortunately there aren't a large number of open source alternatives at the current time. The best is probably the early stage Beretta project from the Open Web Application Security Project (OWASP).
There is a wide array of white-box assessment tools. Fortify is a market leader and works across a number of platforms, and Compuware's Security Checker is an offering in the ASP.NET security space. There are a variety of freeware and open source tools as well. Many are focused on C and C++ which are languages rarely used to build Web-based applications. However there are some Web-environment-applicable code scanning tools as well such as FxCop.
There are a number of excellent resources for programmers looking to learn about secure software development techniques. I highly recommend Writing Secure Code by Michael Howard and David LeBlanc as well as Gary McGraw's new book, Software Security: Building Security In. There are many resources available online as well. Check out the resources from OWASP - specifically their Guide Project.
More information: |
