Co-Sponsored by:   Latest Features  • WCF and REST  • LINQed & Layered  • Visual Studio 2008 Options  • ASP.NET 2.0 Reporting  • Build Community with a Discussion Forum: Part II Article Rating Rate this article on a scale from 0 to 5 5 Best 4   3   2   1   0 Worst Email Tell a friend about this article!

asp:review

DevPartner SecurityChecker 2.0

Better Protection, Still a Hefty Price

By Mike Riley

When I reviewed Compuware’s initial release of SecurityChecker more than a year ago I was impressed by the utility’s potential power and simplicity, but annoyed by its Visual Studio 2003 IDE restriction, its lack of an online update service for rules, and its shocking price tag. With the latest 2.0 release, Compuware has addressed two of these three criticisms — though not perfectly. The product is now designed to identify security problems with applications written in either the 1.1 or 2.0 versions of the .NET Framework, and has an adjusted pricing model for named users that is more reasonable for individual developers than its more expensive concurrent-user model. However, the lack of an online update service to keep the security rule set as up to the minute as possible is still vacant in the product, although Compuware product managers assure me that this capability is coming in a future SecurityChecker release.

Figure 1: Using the product is as simple as setting a few options and clicking the Start Analysis button.

Besides the .NET 2.0 and integrated Visual Studio 2005 support (the new version continues to support Visual Studio 2003’s IDE, as well), SecurityChecker 2.0 now sports improved discovery map capabilities, 30 new integrity analysis rules, and reduced false-positive security alerts. The new analysis rules include several hot security concerns, such as cross-site scripting attacks that can be used to invalidate ASP.NET validation procedures, and HTTP header vulnerability identification (especially those attack vectors that compromise embedded cookie data). The most interesting new analysis category is for assessing Google hacks. These include hidden pages picked up by the search engine, as well as configuration details, error and log-in pages that can be indexed by Google, and other powerful search engine spiders, potentially exposing logic and configuration details that black-hat hackers can use to gain access to unintended and/or unauthorized portions of your application.

Figure 2: Wow — 450 vulnerabilities identified in Microsoft’s TimeTracker starter project for Visual Studio (available from MSDN), although many of these resulted from running the application on the local admin account with debugging turned on.

The discovery map views now display HTTP request/response details, as well as a list of all the pages visited during the discovery process, making it much easier to discern the pages that SecurityChecker traversed during its analysis phase.

Figure 3: The Vulnerabilities tab provides information that is both important and educational.

The product is still quite easy to use out of the box, walking developers through its three-phase approach:

• discovery (manual or automatic compile-time, run-time, integrity review).
• analysis (visual reporting of identified vulnerabilities ranked by severity, along with explanations of the problem identified — this is great for educating, as well as informing developers of code security concerns).
• advisor (further educating developers of the problem with links to additional details on the Computer Emergency Response Team [CERT], Microsoft Developer Network [MSDN], and the Open Web Application Security Project [OWASP]).

The intuitive 1-2-3 step tabbed interface (1: Discovery; 2: Summary; 3: Vulnerabilities) hasn’t changed from the 1.0 release — and for good reason; its simplicity masks the power under the hood. The latest release also continues to impress with its automated code-sweeping identification of potential security problems, reiterating its value whenever a problem is identified. While manual code reviews are the status quo for many .NET developers, doing such on thousands of lines of code from a distributed development team is a daunting task. Considering all the dependencies and code variations between assemblies, manually checking such a configuration isn’t a task I would eagerly sign up for. However, using SecurityChecker, such an assignment would be part of any testing process. In fact, I would like to see Compuware couple SecurityChecker with its other DevPartner products in the future, so I can run my standard code analysis, unit testing, performance, and security checks in a single automated run, reporting the metrics, highlighting the anomalies, and calling out significant security concerns, all in a single review.

Figure 4: Discovery maps now include HTTP request/response details.

So is the new version worth the price of admission and ready for prime time? Almost. While existing SecurityChecker licensees will want to upgrade to this version as soon as they start working within the Visual Studio 2005 environment, newcomers may want to wait until another rev of the product before taking the plunge. In addition to the forthcoming security rule auto-update capability, Compuware should consider a tiered pricing model for developers interested in security analysis but unable to pay the expensive cost of entry. In the meantime, SecurityChecker will continue to be a necessary purchase for any demanding, code security-conscious .NET development organization.

Mike Riley is an advanced computing professional specializing in emerging technologies and new development trends. He also is a contributing editor for asp.netPRO. Readers may contact Mike at mailto:mike@mikeriley.com.

Rating: ééé

Web Site: http://www.compuware.com/products/devpartner/securitychecker.htm

Price: US$4,000 per named user; US$12,000 per concurrent user (includes one-year maintenance contract)