DevPartner SecurityChecker 1.0
Protection at a Price
By Mike Riley
With the ease of .NET development comes the responsibility of knowing that any site with a .aspx Web page extension can potentially become a beacon for malicious hackers. Microsoft technologies have been maligned by the computer security community, and especially by Microsoft's competitors, for the company's lapses and oversights in past development practices. This intense scrutiny, coupled with high-profile vulnerabilities, has caused Microsoft to reorganize around the security improvement mantra; these practices will become more visible with the release of the .NET 2.0 Framework.
Figure 1: Developers can select the type of analysis to be performed from the QuickStart tab.
However, it's a different story for those developers relying heavily on the 1.1 version with its known security issues. Only by staying abreast of the latest secure coding best practices, and by reviewing and correcting code whenever new vulnerabilities are discovered, can ASP.NET applications be made as watertight as possible. In the real world, most developers are already under intense pressure to release functional applications or to quickly repair problems in day-to-day break/fix scenarios. Unless the developer fully understands the scope and impact of such hasty modifications, the weaknesses they introduce can erode even the most secure initial release.
Recognizing this concern, Compuware has released its first attempt at automating code security reviews for the ASP.NET development market. Part of the DevPartner family, SecurityChecker 1.0 represents one of the first security assessment tools specifically targeting the needs of the ASP.NET community. SecurityChecker sports the clean interface for which Compuware's tools are known, making it immediately accessible and ready for code analysis as soon as it's installed.
Figure 2: The summary view reports on the types and severity of vulnerabilities identified in the ASP.NET code being analyzed.
SecurityChecker can execute three types of analysis (Compile-time, Run-time, and Integrity) and report on five types of vulnerabilities (application integrity, deployment, execution errors, insecure coding practices, and security context issues). Executing any of the three types of analysis results in a Discovery Map table indicating which .aspx pages were analyzed and a summary of vulnerabilities identified. Levels of severity then classify these vulnerabilities into critical, important, moderate, and informational categories. Drilling down into these items provides a detailed explanation of the problem, as well as recommended code modifications and a link back to the actual offending source code and the call stack associated with it. A typical security workflow begins with a compile-time analysis, providing a review of source code, HTML, and web.config vulnerabilities. Run-time analysis can be set to automatically discover and execute against all .aspx pages in that application or only those visited by the developer (this is also known as manual discovery).
SecurityChecker can also generate reports in XML format with varying degrees of detail. XML reports can be viewed with the product's associated XSLT stylesheet or via a custom stylesheet created by the user. Unfortunately, this release of SecurityChecker does not support other report output formats such as HTML or Microsoft Word documents.
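Since the 1.0 release exports only XML, a team wanting an HTML Discovery Map has to post-process the report itself. The following is an added example, not Compuware's code or stylesheet: it assumes a hypothetical report schema (`<report>`, `<page path>`, `<finding severity category>`), embeds a constructed sample report, ranks findings by the four severity levels the product uses, and renders an HTML table while escaping finding text so report content cannot inject markup into the page.

```python
"""Triage a SecurityChecker-style XML report into an HTML summary table.
Added example, not Compuware code. The schema (<report>, <page path>,
<finding severity category>) is ASSUMED, and the sample report is constructed."""
import xml.etree.ElementTree as ET
from html import escape

SEVERITY_ORDER = ("critical", "important", "moderate", "informational")  # as reported by the tool

SAMPLE_REPORT = """<?xml version="1.0"?>
<report application="OrdersWeb">
  <page path="/orders/search.aspx">
    <finding severity="moderate" category="deployment">customErrors mode Off in web.config</finding>
    <finding severity="critical" category="insecure coding practice">Request value used in SQL text</finding>
  </page>
  <page path="/orders/history.aspx">
    <finding severity="important" category="security context">Runs with local administrator rights</finding>
  </page>
  <page path="/default.aspx"/>
</report>"""

def parse_report(xml_text):
    """Return {page_path: [(severity, category, description), ...]}, worst first."""
    findings = {}
    for page in ET.fromstring(xml_text).findall("page"):
        items = []
        for f in page.findall("finding"):
            sev = f.get("severity", "informational").lower()
            if sev not in SEVERITY_ORDER:  # reject unknown levels rather than misrank them
                raise ValueError("unknown severity %r" % sev)
            items.append((sev, f.get("category", ""), " ".join((f.text or "").split())))
        items.sort(key=lambda t: SEVERITY_ORDER.index(t[0]))
        findings[page.get("path")] = items
    return findings

def severity_counts(findings):
    """Totals per severity level, always listing all four levels."""
    all_sev = [sev for items in findings.values() for sev, _, _ in items]
    return {s: all_sev.count(s) for s in SEVERITY_ORDER}

def to_html(findings):
    """Render the Discovery Map as HTML; escape() keeps finding text from injecting markup."""
    rows = ["<table><tr><th>Page</th><th>Severity</th><th>Category</th><th>Finding</th></tr>"]
    for path, items in sorted(findings.items()):
        if not items:
            rows.append("<tr><td>%s</td><td colspan=\"3\">no findings</td></tr>" % escape(path))
        for sev, cat, desc in items:
            rows.append("<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>"
                        % (escape(path), sev, escape(cat), escape(desc)))
    rows.append("</table>")
    return "\n".join(rows)
```

Run `print(to_html(parse_report(SAMPLE_REPORT)))` to see the table; pages with no findings still appear so the map shows what was scanned.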
As is often the case in a 1.0 release, there are a couple of limitations that users will hope to see rectified in future releases. First, the product cannot be used simultaneously with DevPartner 7.2's ASP.NET worker-process analysis, because SecurityChecker monitors the identical process. Although by no means a showstopper, this does require deactivating one of the two products to get an error-free run. Hopefully Compuware can develop some sort of proxy mechanism by which both code and security analysis can occur in a single step.
Figure 3: SecurityChecker provides detailed explanations of vulnerabilities and offers best practice recommendations to repair the problems identified by its rules engine.
Also, because this product targets the .NET 1.1 Framework, it will only run within the Visual Studio.NET 2003 environment, and will only analyze code written for the 1.1 Framework. It will also only analyze applications executed locally. Although this might cause angst in some team-oriented development environments, it actually promotes better security practices, because it prevents SecurityChecker from becoming simply another black hat vulnerability scanning tool. It is possible to make SecurityChecker jump through hoops to be mutated into such a role; however, one can't get very far without access to the application's source code.
Most disappointing is the lack of an online security update mechanism by which Compuware could provide ASP.NET developers with the latest secure coding practices and rule sets, much the way anti-virus applications receive signature updates whenever new viruses are identified. In fact, developers cannot even customize or add to the rules embedded in the product. This is a major oversight which hopefully will be corrected in the near future. As it stands, SecurityChecker's code scanner represents a snapshot in time, disconnected from Microsoft's own security bulletins.
SecurityChecker receives high marks for its ease of use and clean integration into the DevPartner and Visual Studio.NET 2003 environment. Unfortunately, it stumbles out of the gate with its limited framework support, its lack of automatic security updates and a rules editor, and its exorbitant price. This is not a tool that most ASP.NET developers will be able to afford; its price point suggests use by Fortune 500 financial and healthcare businesses for whom privacy and data integrity are paramount. Perhaps as SecurityChecker evolves, Compuware will address the product's shortcomings and success stories will percolate to prove its expensive license fee worthwhile.
Mike Riley is an advanced computing professional specializing in emerging technologies and new development trends. He also is a contributing editor for asp.netPRO. Readers may contact Mike at mailto:[email protected].
Price: US$12,000 per concurrent user (includes one-year maintenance contract)
At a Glance
- Extensive security code analysis.
- Detailed recommendations of secure coding best practices.
- Easy to use.
- Only analyzes .NET 1.1 Framework ASP.NET code.
- Report export limited to XML output.
- No auto-update service, and no manual editing of the rules database to add rules for newly discovered vulnerabilities.
- Very expensive.