Compuware Corp. has announced the general availability of Compuware DevPartner SecurityChecker 2.0, which is a suite of tools for analyzing and repairing security problems in ASP.NET Web applications. The
Run-time analysis includes the ability to find problems such as excessive account privileges. Compile-time analysis, meanwhile, finds problems such as debugging left enabled by the developer or inheritance threats. The integrity analysis, sometimes called penetration testing, is good at finding vulnerabilities to cross-site scripting attacks, SQL injection attacks, parameter tampering and buffer overflows.
While a number of companies offer tools for integrity and compile-time analysis, Compuware says this is the only tool that does run-time analysis. Being able to run the analyses simultaneously also provides tighter security, said Ken Cowan, DevPartner Product Line Manager, Compuware.
"The interesting thing about the two white box modes [run-time and compile-time analysis] is we can find bugs specific to using .NET framework technologies and bugs in how you are using Windows features," Cowan said. "For example, if you are opening a file for read/write access and only reading, you can change the mode so someone cannot change the file. Those two technologies minimize the attack surface. If someone does get in somehow, they will not be able to do as much damage."
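The file-handle point Cowan makes above, as an added illustration that is not SecurityChecker's or Compuware's code: the over-privileged open and the least-privilege open side by side, followed by a check that the read-only handle refuses writes. The file path and its contents are a constructed sample.

```csharp
using System;
using System.IO;

// Added example: least privilege on a file handle, as described in the quoted passage.
static class LeastPrivilegeFileAccess
{
    // Over-privileged: the handle permits writes the code never performs, so any
    // flaw reached through this code path could also modify the file.
    static string ReadTemplateOverPrivileged(string path)
    {
        using (var fs = new FileStream(path, FileMode.Open, FileAccess.ReadWrite, FileShare.None))
        using (var reader = new StreamReader(fs))
            return reader.ReadToEnd();
    }

    // Least privilege: the handle can only read, and FileShare.Read lets other
    // readers proceed without granting write access through this stream.
    static string ReadTemplate(string path)
    {
        using (var fs = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.Read))
        using (var reader = new StreamReader(fs))
            return reader.ReadToEnd();
    }

    static void Main()
    {
        // Constructed sample file; any readable text file would do.
        string path = Path.Combine(Path.GetTempPath(), "template.txt");
        File.WriteAllText(path, "hello");
        Console.WriteLine(ReadTemplate(path));

        // The read-only handle reports CanWrite == false, and a write attempt through it
        // fails with NotSupportedException instead of altering the file, which is the
        // damage-limiting effect the quoted passage describes.
        using (var fs = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.Read))
        {
            Console.WriteLine("CanWrite: " + fs.CanWrite);
            try { fs.WriteByte(0x41); }
            catch (NotSupportedException) { Console.WriteLine("write refused on read-only handle"); }
        }
    }
}
```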
Tight integration with the Visual Studio development interface makes it easy to check code while programming. When SecurityChecker finds a vulnerability, the user can double-click on it, and the checker takes the user to the line of source code where the vulnerability was found. The user does not have to search the application to find the problem.
The white box tools also make it possible to find security bugs sooner in the software development life cycle, where they are far cheaper to fix. "In particular with security bugs, when you find something early, the developer learns not to make the same mistake again," Cowan noted.
Other important enhancements in SecurityChecker 2.0 include the following:
Initially, the license does not include access to security updates, although Compuware plans to add them in the future. "The thing about application security is that it is not like the virus world, where there are new vulnerabilities popping up every day. The urgency is not as great," said John Carpenter, DevPartner SecurityChecker Product Manager, Compuware.
The list price for SecurityChecker 2.0 is $12,000 per concurrent user. Cowan said this is generally sufficient for the average software development team.