First Looks
DevPartner SecurityChecker 2.0: Secure ASP.NET Web Sites
Compuware's DevPartner SecurityChecker analyzes for most known Web site attacks, is easy and intuitive to use, and is highly customizable.
Application security is mind-numbingly hard to get right.
It remains too easy to design and build insecure applications, even with all the tools Microsoft has built into Visual Studio .NET. Microsoft is making large strides in the area of application security, but the task is monumental, and much work remains to be done—from both a tools and user-instruction perspective. All the security functions in the world won't help you if your users don't take advantage of them properly.
Compuware's DevPartner SecurityChecker 2.0 is an automated tool that helps you address security issues in your ASP applications by finding known security problems in ASP.NET 1.1 and 2.0 sites. One drawback of SecurityChecker 2.0 is that it doesn't support ASP.NET version 1.0 sites (see Figure).
SecurityChecker is a Visual Studio add-in that Compuware has implemented as a designer tool that you use to analyze a site using static code analysis, run-time analysis, and integrity analysis. The product is highly customizable, so you can tailor it to your development style and the needs of your build system. The only glaring limitation is that you can't customize the set of almost 400 analysis rules, other than to disable the use of selected rules for a particular project.
The result of an analysis you perform using SecurityChecker is a list of vulnerabilities, as well as a nice explanation of each problem. You also get a summation that tells you where to go for more information, a summary of the security context under which the code is running, and—for code problems—the ability to jump directly to the problem code. SecurityChecker doesn't fix anything, but it provides all the information you need to fix problems yourself.
The changes from version 1.0 to version 2.0 are more evolutionary than revolutionary, enhancing the product to make it more versatile and better at spotting security problems. Besides integration with VS 2005, the biggest enhancement in version 2.0 is the new analysis rules. Most interesting among them are the rules that detect potential Google hacks: things that allow sensitive configurations and other useful information to be indexed by Google and therefore be discoverable by an attacker. I suspect that few companies make any attempt to eliminate these kinds of problems in their rush to deploy applications.
Other new analysis rules detect the possibility of forcing the app to go into trace or debug mode, which can expose sensitive debugging information; vulnerabilities in HTTP headers; and cross-site scripting vulnerabilities that bypass ASP.NET validation features. It would take a lot of time and effort to find these kinds of problems manually in a large Web site. Version 2.0 also makes discovery maps for run-time analysis more useful and reusable, and reduces the number of false positives found.
Compuware also cites the ability to create and manage discovery maps, where the tool now captures HTTP request and response information and displays it along with any Web application and exploration errors detected during the discovery process. SecurityChecker also includes a new view that presents a simplified list of all pages visited during the discovery process. And SecurityChecker includes new checks for SQL injection, parameter tampering, and cross-site scripting that reduce the number of false positives when reviewing for these kinds of vulnerabilities. Reducing false positives is critical from a developer's perspective, because each one can potentially send you off on a wild goose chase, chasing down a problem that never existed in the first place.
An automated tool will never be a replacement for good, old-fashioned threat analysis, code reviews, and penetration testing. There is no substitute for the in-depth, considered analysis that people are capable of. But SecurityChecker can catch many mistakes that have led to successful attacks, and can do so in a way that saves you considerable amounts of time in tracking down what would otherwise be hard-to-find bugs and vulnerabilities. In that vein, it is well worth the stiff cost for protecting large e-commerce sites.
DevPartner SecurityChecker 2.0
Compuware
Web: www.compuware.com
Phone: 800.521.9353
Price: $12,000 (concurrent user), $4,000 (named user)
Quick Facts: Automated security analysis tool for ASP.NET.
Pros: Analyzes for most known Web site attacks, easy and intuitive to use, highly customizable.
Cons: Doesn't work with .NET 1.0 sites, can't customize fixed set of analysis rules, and expensive per user.
About the Author
Don Kiely is a senior technology consultant in Fairbanks, Alaska. When he isn't writing software, he's writing about it, speaking about it at conferences, and training developers in it. Reach him at [email protected].