ASP.NET tool upgrade: Compuware releases SecurityChecker 2.5

By Jennette Mullaney, Assistant Editor
26 Jul 2006 | SearchSoftwareQuality.com

Compuware has released an updated version of its ASP.NET security analysis tool, DevPartner SecurityChecker 2.5.

Among the new features are automated downloadable updates, a Team Integration System, improved reporting capabilities and 14 new vulnerability rules for the analyzers. Notably, the five new rules added to the integrity analyzer (a penetration tester) help protect software from the burgeoning business of Google hacking.

Ken Cowan, Compuware DevPartner Product Line Manager, explains that the integrity analyzer rules were included because of developments within the hacking community. "[Hackers] spread their own best practices," says Cowan, and "Google hacks are simply another mechanism for a hacker to find the information."

The SecurityChecker run-time analyzer has five new rules that cover encryption, insecure coding and configuration. The compile-time analyzer, a static analysis tool which can be employed at the earliest stages of software development, also comes equipped with a new set of rules that check for insecure practices and configuration weaknesses.

The Team Integration System is a new component within the Microsoft Visual Studio Team System. It is meant to foster communication between the Quality Assurance department and the developers -- two groups that have not traditionally worked together.

Cowan offers one example of how the Integration System can work: "The DevPartner SecurityChecker analysis will indicate the line of code with the error. The QA analyst, generally speaking, will not be interested in source line detail, but by including that data in the defect report, the developer can go straight to the source of the problem and quickly fix it."

Another innovation in SecurityChecker 2.5 is enhanced reporting capability. There are two new reports: one categorizes vulnerabilities according to the OWASP Top Ten vulnerabilities list, and the other categorizes them by "accepted industry classification." This second report includes popular flaws such as SQL injection, cross-site scripting (XSS) and buffer overflow.

Through an additional new feature called Terminal Services, a user can run a SecurityChecker session on a remote server along with the ASP.NET application being analyzed. This is for cases when the user does not have a local copy of Microsoft's IIS or the Visual Studio integrated development environment (IDE).

For those who are new to application security, the product also comes with a security assessment service. "The service provides a trained Compuware professional to perform an on-site analysis of your application security, which enables you to determine how much risk you have of a successful attack," according to Cowan.

DevPartner SecurityChecker 2.5 is available and costs $4,200 per named user and $12,600 per concurrent user.


