Review: DevPartner SecurityChecker
- By Mike Gunderloy
- January 5, 2005
DevPartner SecurityChecker 1.0
Starting at $12,000 per concurrent user
Compuware
Detroit, Michigan
(313)227-7300
www.compuware.com
The Internet, as we all know by now, is a wild and wooly place full of Bad
People. If you take your average naive good-enough-for-internal-use ASP.NET
application and turn it loose on a public server, the chances are all too good
that your server will shortly be 0wn3d by a batch of script kiddies who will
fill all of the available drive space with pictures that you would rather not
have your boss or mother see.
There are several ways to avoid this problem. First, every developer should
be trying to acquire and improve their knowledge of secure coding practices (not
just for Web applications, but for all applications). But it's not realistic to
suppose that all of us can have all security knowledge on tap all the time.
That's where DevPartner SecurityChecker comes in. If you're writing an ASP.NET
application, it can look over your shoulder and tell you when you're doing
something dangerous, tell you how to fix the problem, and nag you until you
do.
The process is pretty simple. When you install SecurityChecker, it integrates
directly with Visual Studio .NET (2003 only - a future version should support
Visual Studio 2005). You can start a new session from a toolbar button or menu
choice, which opens the SecurityChecker interface as a new document within
VS.NET. At this point you can choose which types of analysis to perform:
compile-time (static analysis of your source code), run-time (analysis of the
code as it actually executes), or integrity (which actively attacks the running
application) - or all three if you'd like. You can also decide whether to check only pages that you visit (which lets
you lead SecurityChecker through a browser session to show it what to check) or
to use a spider to try to find everything in your application. One nice touch is
that you can save the list of visited pages (called a discovery map) for reuse
in the future.
Once you've touched all the pages you want to check, you close your browser
and SecurityChecker goes to work. This is the point where you'll want to grab
lunch or work on another computer; the analysis phase basically eats all your
CPU and can take quite a while for an extensive application. You do get a nicely
updated display of what's going on, and it's easy to abort the analysis if you
need to.
The end result is a pretty graph that shows you how many vulnerabilities were
found by both severity and category. You can drill down into any of these -
everything is hyperlinked - to get more detail. Each vulnerability comes with a
detailed explanation that shows up in a separate window. These explanations are
excellent mini-tutorials, and end with suggested repairs and notes on where to
find more information. Finally, every instance of every vulnerability is linked
to the line of source code where it was spotted, so a double-click will take you
right to what you need to fix.
SecurityChecker is also quite configurable. If you're performing an automatic
discovery, you can specify values to use when filling in form fields, which will
help the spider visit more pages, and you can add extra HTTP headers to be sent
with each request. You can also decide which of the 350-plus vulnerability
checks to skip; some of them are unlikely to apply to a particular application.
For example, if you know you're not loading any signed XML, you don't need to
worry about preserving whitespace to keep the document's hash constant.
Remember, though, that any checks you turn off need to be reviewed again when
you move to a different application, where they may well apply.
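The signed-XML check is the one concrete rule the review names, so here is what it guards against, as an added illustration that is not from the review or from Compuware's product. The code signs a constructed, indented document with .NET's SignedXml class and then verifies it twice: once after loading it with PreserveWhitespace set to true, and once with the XmlDocument default of false. On the second load the whitespace-only text nodes that were part of the signed content are discarded, so the canonicalized document no longer matches the digest stored in the signature and CheckSignature reports failure; the usual symptom in a real application is a signature that fails verification for no obvious reason.

```csharp
// Added example, not code from the review or from DevPartner SecurityChecker.
// Shows why verifying signed XML requires PreserveWhitespace = true on the
// XmlDocument: without it, whitespace text nodes that were signed are dropped
// on load and the reference digest no longer matches.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

class SignedXmlWhitespaceDemo
{
    // Constructed sample document; the newlines and indentation are the point.
    const string Payload =
        "<order>\n" +
        "  <item>widget</item>\n" +
        "  <amount>100</amount>\n" +
        "</order>";

    // Sign the whole document with an enveloped XML-DSig signature.
    static string Sign(string xml, RSA key)
    {
        XmlDocument doc = new XmlDocument();
        doc.PreserveWhitespace = true;   // sign exactly what we were given
        doc.LoadXml(xml);

        SignedXml signedXml = new SignedXml(doc);
        signedXml.SigningKey = key;

        // An empty URI means "this whole document"; the enveloped transform
        // excludes the Signature element itself from the digest.
        Reference reference = new Reference("");
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);

        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc.OuterXml;
    }

    // Verify a signed document, loading it with the given whitespace setting.
    static bool Verify(string signedDoc, RSA key, bool preserveWhitespace)
    {
        XmlDocument doc = new XmlDocument();
        doc.PreserveWhitespace = preserveWhitespace;
        doc.LoadXml(signedDoc);

        XmlNodeList sigs = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1)
        {
            // Reject both unsigned documents and documents carrying more than
            // one Signature element, rather than picking one at random.
            return false;
        }

        SignedXml signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)sigs[0]);
        return signedXml.CheckSignature(key);
    }

    static void Main()
    {
        RSA key = new RSACryptoServiceProvider(2048);
        string signedDoc = Sign(Payload, key);

        Console.WriteLine("PreserveWhitespace = true:  " + Verify(signedDoc, key, true));
        Console.WriteLine("PreserveWhitespace = false: " + Verify(signedDoc, key, false));
    }
}
```

The verifier also refuses documents that carry zero or more than one Signature element; that is a separate precaution a practitioner would want in any signed-XML consumer, not something the review attributes to SecurityChecker.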
Compuware has done an excellent job with this one; it's well-polished, and
works right out of the box. With reports available as HTML, it should be
relatively easy to integrate into a process that keeps track of build quality as
well. Unless you are an absolute super-coder, it will
probably spot enough problems with your code to make you glad you started using
it. You can request a 14-day evaluation copy by visiting the Compuware Web
site.
About the Author
Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.