DevPartner SecurityChecker 1.0

asp:review

DevPartner SecurityChecker 1.0

Protection at a Price

By Mike Riley

With the ease of .NET development comes the responsibilityof knowing that any site with a .aspx Web page extension can potentially becomea beacon for malicious hackers. Microsoft technologies have been maligned bythe computer security community and especially by Microsoft s competitors forthe company s lapses and oversights in past development practices. This intensescrutiny, coupled with high-profile vulnerabilities, has caused Microsoft to reorganizearound the security improvement mantra; these practices will manifestthemselves more succinctly with the release of the .NET 2.0 Framework.

Figure 1: Developers can select thetype of analysis to be performed from the QuickStart tab.

However, it s a different story for those developersrelying heavily on the 1.1 version with its known security issues. Only bystaying abreast of the latest secure coding best practices, and reviewing andcorrecting code whenever new vulnerabilities are discovered, can ASP.NETapplications be as water tight as possible. In the real world, most developersare already under intense pressure to release functional applications orquickly repair problems occurring in day-to-day break/fix scenarios. In doingso, unless the developer fully understands the scope and impact that such hastymodification might imbue, entropic weaknesses can erode even the most secureinitial releases.

Managing Vulnerabilities

Recognizing this concern, Compuware has released theirfirst attempt at automating code security reviews for the ASP.NET developmentmarket. Part of the DevPartner family, SecurityChecker 1.0 represents one ofthe first security assessment tools specifically targeting the needs of theASP.NET community. SecurityChecker sports a clean interface, for whichCompuware s tools are known, making it immediately accessible and ready forcode analysis as soon as it s installed.

Figure 2: The summary view reportson the types and severity of vulnerabilities identified in the ASP.NET codebeing analyzed.

SecurityChecker can execute three types of analysis(Compile-time, Run-time, and Integrity) and report on five types ofvulnerabilities (application integrity, deployment, execution errors, insecurecoding practices, and security context issues). Executing any of the three typesof analysis results in a Discovery Map table indicating which .aspx pages wereanalyzed and a summary of vulnerabilities identified. Levels of severity thenclassify these vulnerabilities into critical, important, moderate, andinformational categories. Drilling down into these items provides a detailedexplanation of the problem, as well as recommended code modifications and alink back to the actual offending source code and the call stack associatedwith it. A typical security workflow begins with a compile-time analysis,providing a review of source code, HTML, and web.config vulnerabilities. Run-timeanalysis can be set to automatically discover and execute against all .aspx pagesin that application or only those visited by the developer (this is also knownas manual discovery).

SecurityChecker can also generate reports in XML formatwith varying degrees of detail. XML reports can be viewed with the product sassociated XSLT stylesheet or via a custom stylesheet created by users. Unfortunately,this release of SecurityChecker does not support other report output formatssuch as HTML or Microsoft Word documents.

Limitations

As is often the case in a 1.0 release, there are a coupleof limitations that users will hope to have rectified in future releases. First,the product cannot be used simultaneously with DevPartner 7.2 s ASP.NET workerprocess because the identical process is monitored by SecurityChecker. Althoughby no means a showstopper, this does require the deactivation of one of theseproducts to execute an error-free run. Hopefully Compuware can develop somesort of proxy mechanism by which both code and security analysis can occur in asingle step.

Figure 3: SecurityChecker providesdetailed explanations of vulnerabilities and offers best practicerecommendations to repair the problems identified by its rules engine.

Also, because this product targets the .NET 1.1 Framework,it will only run within the Visual Studio.NET 2003 environment, and will onlyanalyze code written for the 1.1 Framework. It will also only analyzeapplications executed locally. Although this might cause angst in someteam-oriented development environments, it actually promotes better security practicesbecause it prevents SecurityChecker from becoming simply another black hathacker vulnerability scanning tool. It is possible to make SecurityChecker jumpthrough hoops to be mutated into such a role; however, one can t get very farwithout access to the application s source code.

Most disappointing is the lack of an online securityupdate mechanism by which Compuware could provide ASP.NET developers with thelatest secure coding practices and rule sets, much the way anti-virusapplications receive signature updates whenever new viruses are identified. Infact, developers cannot even customize or add to the rules embedded in theproduct. This is a major oversight which hopefully will be corrected in thenear future. As it stands, SecurityChecker s code scanner represents a snapshotin time, disconnected from Microsoft s own security bulletins.

Conclusion

SecurityChecker receives high marks for its ease of useand clean integration into the DevPartner and Visual Studio.NET 2003environment. Unfortunately, it stumbles out of the gate with its limitedframework support, lack of automatic security updates, rules editor, andexorbitant price. This is not a tool that most ASP.NET developers will be ableto afford; its price point suggests use by Fortune 500 financial and healthcarebusinesses for whom privacy and data integrity are paramount. Perhaps as SecurityCheckerevolves, Compuware will address the product s shortcomings and success storieswill percolate to prove its expensive license fee worthwhile.

Mike Rileyis an advanced computing professional specializing in emerging technologies andnew development trends. He also is a contributing editor for asp.netPRO. Readers may contact Mike at mailto:[email protected].

Rating:

Web Site: http://www.compuware.com/products/devpartner/securitychecker.htm

Price: US$12,000per concurrent user (includes one-year maintenance contract)

At a Glance

The Good

The Bad