Compuware has released an updated version of its ASP.NET security analysis tool, DevPartner SecurityChecker 2....
Among the new features are automated downloadable updates, a Team Integration System, improved reporting capabilities and 14 new vulnerability rules for the analyzers. Notably, the five new rules added to the integrity analyzer (a penetration tester) help protect software from the burgeoning business of Google hacking.
Ken Cowan, Compuware DevPartner Product Line Manager, explains that the integrity analyzer rules were included because of developments within the hacking community. "[Hackers] spread their own best practices," says Cowan, and "Google hacks are simply another mechanism for a hacker to find the information."
The SecurityChecker run-time analyzer has five new rules that cover encryption, insecure coding and configuration. The compile-time analyzer, a static analysis tool that can be employed at the earliest stages of software development, also comes equipped with a new set of rules that check for insecure practices and configuration weaknesses.
The Team Integration System is a new component within the Microsoft Visual Studio Team System. It is meant to foster communication between the Quality Assurance department and the developers -- two groups that have not traditionally worked together.
Cowan offers one example of how the Integration System can work: "the DevPartner SecurityChecker analysis will indicate the line of code with the error. The QA analyst, generally speaking, will not be interested in source line detail, but by including that data in the defect report, the developer can go straight to the source of the problem and quickly fix it."
Another innovation in SecurityChecker 2.5 is enhanced reporting capability. There are two new reports: one categorizes vulnerabilities based upon the OWASP Top Ten vulnerabilities list, and the other categorizes them by "accepted industry classification." This second report includes well-known flaw classes such as SQL injection, cross-site scripting (XSS) and buffer overflow.
Through an additional new feature called Terminal Services, a user can run a SecurityChecker session on a remote server along with the ASP.NET application being analyzed. This is for cases when the user does not have a local copy of Microsoft's IIS or the Visual Studio integrated development environment (IDE).
For those who are new to application security, the product also comes with a security assessment service. "The service provides a trained Compuware professional to perform an on-site analysis of your application security, which enables you to determine how much risk you have of a successful attack," according to Cowan.
The DevPartner SecurityChecker 2.5 is available and costs $4,200 per named user and $12,600 per concurrent user.