
Compuware updates ASP.NET security tool

By George Lawton, Contributor
30 Jan 2006 | SearchSoftwareQuality.com


Compuware Corp. has announced the general availability of Compuware DevPartner SecurityChecker 2.0, which is a suite of tools for analyzing and repairing security problems in ASP.NET Web applications. The tool consists of components for integrity analysis, compile-time analysis and run-time analysis. The product will make its debut at VSLive! 2006 in San Francisco.

Run-time analysis can find problems such as excessive account privileges. Compile-time analysis, meanwhile, finds problems such as debugging left enabled by the developer or inheritance threats. The integrity analysis, sometimes called penetration testing, is good at finding holes for cross-site scripting attacks, SQL injection attacks, parameter tampering and buffer overflows.

While a number of companies offer tools for integrity and compile-time analysis, Compuware says this is the only tool that does run-time analysis. Being able to run the analyses simultaneously also provides tighter security, said Ken Cowan, DevPartner Product Line Manager, Compuware.

"The interesting thing about the two white box modes [run-time and compile-time analysis] is we can find bugs specific to using .NET framework technologies and bugs in how you are using Windows features," Cowan said. "For example, if you are opening a file for read/write access and only reading, you can change the mode so someone cannot change the file. Those two technologies minimize the attack surface. If someone does get in somehow, they will not be able to do as much damage."


Tight integration with the Visual Studio development interface makes it easy to check code while programming. When SecurityChecker finds a vulnerability, the user can double-click on it, and the checker takes the user to the line of source code where the vulnerability was found. The user does not have to search the application to find the problem.

The white box tools also make it possible to find security bugs sooner in the software development life cycle, where they are far cheaper to fix. "In particular with security bugs, when you find something early, the developer learns not to make the same mistake again," Cowan noted.

Other important enhancements in SecurityChecker 2.0 include the following:

  • Full integration with Visual Studio 2005 and .NET Framework 2.0.

  • Thirty new integrity analysis rules. Some of the most significant include a rule that searches for Google hacks, in which an attacker can look for pages like login.asp that could be easy to penetrate. Another rule looks at the ability to force an application into debug mode, which would reveal information about it. There is also a rule for finding cross-site scripting attack vulnerabilities that circumvent the ASP.NET validation procedure.

  • Improvements to the discovery map, which uses a new view with simplified lists of pages discovered during the process.

  • A security assessment service based around SecurityChecker, in which Compuware consultants will analyze your applications for you.

Initially, the license does not include access to security updates, although Compuware plans to include them in the future. "The thing about application security is that it is not like the virus world, where there are new vulnerabilities popping up every day. The urgency is not as great," said John Carpenter, DevPartner SecurityChecker Product Manager, Compuware.

The list price for SecurityChecker 2.0 is $12,000 per concurrent user. Cowan said this is generally sufficient for the average software development team.


