DevPartner SecurityChecker: Secure ASP.NET Sites
Compuware's DevPartner SecurityChecker scrutinizes your ASP.NET 1.1 applications. Plus a first look at C-Sharpener For VB.
It's difficult to comprehend the number and type of vulnerabilities in a typical application until you've had one of your apps scrutinized for security problems. Compuware's DevPartner SecurityChecker addresses this problem by providing an automated security scanner for ASP.NET 1.1 applications. I was astonished by the number of problems it found in even simple apps (see Figure 1).
The tool is a VS.NET 2003 add-in that works on the currently loaded solution. Running an analysis is as simple as selecting New Session from the SecurityChecker menu item, selecting a few options, and starting the analysis. You can opt to have the tool analyze pages manually as you work through your app, or run a spider through all the links it discovers from your start page.
SecurityChecker performs three types of analysis, each of which is appropriate during different stages of development. Compile Time Analysis scans the app's source code and configuration files, looking for known security problems. Run Time Analysis verifies that the app is not using excessive privileges, accessing protected resources, or doing other things that can compromise server security. Integrity Analysis replays known security attacks, testing fields, links, and pages for problems such as cross-site scripting, SQL injection, and buffer overflows.
Running all three analyses on even a small site can take some time, as SecurityChecker runs through its gamut of tests. The command-line version might be more appropriate for use with automated build systems when you can let it run overnight.
SecurityChecker comes with 362 rules rated as critical, important, moderate, and informational. You can't add to or edit the list, but you can suppress rules for a session to ignore problems you don't care about, speed up checking, and prevent false positives. Overall, I found the tool surprisingly flexible for tailoring the analysis to what I was most concerned about checking.
The product is expensive, which probably explains the annoying licensing system needed. You must install a licensing server and provide the IP address, host name and ID, and other information to Compuware to get a license file. The documentation consists of a 50-page manual, both in printed and PDF form, and online help. The documentation is terse, but I didn't encounter any questions or problems that I couldn't find the answer for.
SecurityChecker is a powerful tool for analyzing the security vulnerabilities of an ASP.NET app, with a wonderfully simple and usable user interface that helps you focus on each problem.
DevPartner SecurityChecker 1.0
Phone: 800-521-9353; 313-227-7300
Quick Facts: Automated, comprehensive security analysis for ASP.NET apps.
Pros: Easy interface; lots of configuration options; comprehensive information about problems found.
Cons: Expensive; unchangeable set of rules checked.
Simplify Conversion Projects
by Don Kiely
The fundamental similarity between all .NET languages created, almost overnight, a class of tools that endeavor to convert code reliably from one language to another. C-Sharpener For VB from Elegance Technologies is one of these tools.
C-Sharpener works either as a VS.NET snap-in or command-line tool. The VS.NET add-in consists of a four-step wizard that lets you select a source project in the currently open solution, decide where to save the C# project, and choose which options you want to use. Options include putting VB comments in the C# project, typecasting when necessary, and preserving the intermediate XML files used during conversion. You also have the option to send conversion statistics to the company. The command-line version provides the same options, but requires an XML configuration file.
Conversion of my test projects, including one with more than 100,000 lines of code, took several minutes. C-Sharpener presents a nice, five-step status dialog that lets you know where it is in the process (see Figure 1). You can't cancel the conversion process once you start it. Once the conversion process finishes, C-Sharpener presents statistics about the conversion as well as the number of TRANSERROR and TRANSWARNING comments it added to the code to indicate places requiring attention. It provides information about any serious problems and lets you report issues to the company.
Elegance Technologies acknowledges that there are limitations to converting code from one language to another, even for languages that have a familial relationship, such as .NET languages. C-Sharpener includes a 12-page Limitations and Workarounds paper that explains what the tool can't handle. For example, if the VB code was written with option explicit off, it is likely that you have a lot of variables that won't translate easily to C#. It also can't do much about unstructured error handling (On Error statements), because .NET's structured exception handling changes the logical structure of a procedure.
Beyond these documented limitations, I discovered that it also does not handle With blocks. But it's an omission that is easy enough to fix manually. It also doesn't handle interface property overrides so they can compile. But this is the sort of thing that you wouldn't expect a conversion tool to handle well, anyway. Another problem is that the translation wizard doesn't save conversion options between each invocation. There aren't that many options, though, so this is a mild annoyance.
No conversion tool can convert 100 percent of non-trivial code projects. C-Sharpener does a decent job of doing the bulk of the hard work, making it easy for you to do the manual cleanup. It features a reasonable price tag and a clean, easy-to-use interface, which makes the product a fine way to get started on a conversion project.
C-Sharpener For VB 1.4
Quick Facts: VB.NET-to-C# conversion tool.
Pros: Simple interface; reasonable quality of converted code; good price.
Cons: Minor conversion issues.
Don Kiely is a senior technology consultant in Fairbanks, Alaska. When he isn't writing software, he's writing about it, speaking about it at conferences, and training developers in it. Reach him at [email protected].