Sanctum AppScan DE 1.7
This second version offers a host of new features, improvements, and conveniences.
By Ken McNamee
The first step in securing your Web site against those who would harm either you or your customers is to know how vulnerable you are. The second step is to fix those vulnerabilities. AppScan Developer Edition (DE) from Sanctum can significantly aid you during both of those steps by scouring your Web site for known weak points that a hacker can use to gain access to your server, your data, or even your customers' identities.
AppScan DE provides an easy, automated way to continually verify that the code you write does not leave your Web site vulnerable to these types of malicious attacks. It can be used as a stand-alone tool or integrated directly into Visual Studio .NET 2002 and 2003. In VS .NET integration mode, AppScan is project-based, which is very convenient because the configuration for the security unit testing is saved inside the solution for the Web application. It's a small detail, and I don't normally like using plug-ins, but in this case the AppScan plug-in makes it easier to run the security tests often, which is always a good thing.
The first step to using AppScan is to add an AppScan project to your Web application's solution. If the Web application uses Forms authentication or NTLM authentication, you can then configure the project with the username, password, and domain as required. Other options include setting how many levels deep AppScan searches for vulnerabilities and the option to send attacks that can actually damage the site rather than just simulating them. Once configured, you can run the AppScan project and it will intelligently probe your Web application's pages for dozens of known vulnerabilities and display a report showing what it discovered.
Probably AppScan's most surprising feature is the amount and quality of security information that it provides after each unit test is run. Figure 1 displays a typical unit test report in the AppScan Visual Studio .NET plug-in. This report tells you which vulnerabilities were most serious, exactly where they occurred, how to reproduce them, and how to fix them. In addition, you can read a good deal of detailed background information on the vulnerability, including links to Microsoft Knowledge Base articles, TechNet bulletins, and CERT advisories. The only negative here is that the attack information is not filtered specifically for ASP.NET, so you may have to wade through some text that would make more sense to JSP or Perl developers.
Figure 1. AppScan provides specific, relevant information about the vulnerabilities it discovers and volumes of information explaining how best to fix them.
AppScan is an outstanding product; I recommend it for anyone who develops public Internet applications. It is nearly impossible for the average ASP.NET developer to be able to match AppScan's tenacity in probing a Web application for vulnerabilities. This type of security unit testing should be a mandatory step in every Web development shop.
Web Site: http://www.sanctuminc.com
Ken McNamee is an independent consultant who works with companies in need of highly scalable data-driven Web applications. And who doesn't need one of those these days? Before this, he led a team of developers in re-architecting the Home Shopping Network's e-commerce site, HSN.com, to 100 percent ASP.NET with C#. E-mail him at [email protected].