Review: CAS/Tester

CAS/Tester
$399
Desaware
Campbell, California
(408) 377-4770
www.desaware.com

The .NET Framework includes a very rich security framework. Applications can state the permissions that they require, and system or machine administrators can decide what permissions a piece of code is allowed. There's been plenty written about how the pieces fit together, but as a developer, how do you test your code under common permission scenarios? That's where CAS/Tester comes in.

Running as a standalone application or as an add-in to either VS .NET 2002 or VS .NET 2003, it will launch your application under a whole bunch of different permission sets (about 80 of them by default) to see what happens. When it's done poking your application with this permissions stick, you get back a nicely formatted report showing which combinations of permissions (if any) caused your application to throw an exception, and where the exceptions occurred. Armed with this information, you can engage in some defensive programming to make sure that your code exits gracefully if it can't get sufficient permissions to run.

You can let CAS/Tester just instantiate an object for testing, or you can specify a particular method that should be fired off in every test. But things don't stop there. There's also a scripting language that lets you specify functions that CAS/Tester should call, or even adjust the permission sets that get tested. You'll also find helper functions to do things like click buttons, so you can get some sense of GUI security without having to write your own unmanaged code to click the buttons. Everything is also callable from the command line, making it possible to integrate CAS/Tester into an automated build process.

If you've never worked with .NET's Code Access Security before, you may be shocked at the number of ways that CAS/Tester can find to provoke an exception out of your application. And remember, any of these permission sets could be set by a machine administrator. It's up to you to catch and respond to security issues, rather than just letting your code crash. To see what I mean, you can download a trial version from the Desaware Web site.
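The kind of defensive code this calls for, as an added example (not from this review or from Desaware): a settings loader that catches `SecurityException` and falls back to defaults. It targets the .NET Framework, and the `PermitOnly` call in `Main` is an assumption used here to simulate a restricted grant in-process, not a description of how CAS/Tester applies its permission sets; the path and default value are constructed.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

static class SettingsLoader
{
    // Hypothetical path and default value, constructed for this example.
    const string SettingsPath = @"C:\ExampleApp\settings.txt";
    const string DefaultSettings = "theme=default";
    public static bool UsedFallback;

    // Returns the file contents, or built-in defaults when file access is not possible.
    public static string Load()
    {
        try
        {
            using (StreamReader reader = new StreamReader(SettingsPath))
                return reader.ReadToEnd();
        }
        catch (SecurityException)
        {
            // CAS denied FileIOPermission: degrade instead of crashing.
            UsedFallback = true;
            return DefaultSettings;
        }
        catch (IOException)
        {
            // File missing or unreadable: same fallback, different cause.
            UsedFallback = true;
            return DefaultSettings;
        }
    }
}

static class Program
{
    static void Main()
    {
        // Allow callees only the Execution permission, so the file read in Load() is denied.
        PermissionSet restricted = new PermissionSet(PermissionState.None);
        restricted.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        restricted.PermitOnly();
        string settings;
        try { settings = SettingsLoader.Load(); }
        finally { CodeAccessPermission.RevertPermitOnly(); }
        Console.WriteLine("settings: {0} (fallback used: {1})", settings, SettingsLoader.UsedFallback);
    }
}
```

Console output is written only after `RevertPermitOnly`, so the restricted region contains nothing but the call being exercised.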

About the Author

Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.