Tool for .NET developers takes drudgery out of security
[February 11, 2003] - At this week's VSLive in San Francisco, security specialist Sanctum Inc.
announced an automated security testing suite for application developers.
AppScan Developer Edition (DE) 1.5 can integrate with Microsoft's Visual Studio
The software seeks to meet dual needs: To improve security of apps created in
the .NET environment and to ease the task of developers who must increasingly
build bottom-up secure apps. AppScan DE performs unit tests on Web applications
from within the IDE. Configuration settings are used by AppScan to learn the
logic of the app, build custom tests and evaluate the app's response to each
test. Developers are thus relieved from writing their own test cases. AppScan's
evaluations include tips for fixing flaws -- and the software also tests to
ensure that fixed flaws don't spawn new security holes. It tests C#, C++, VB and
Sanctum CTO Steve Orrin walked Programmers Report through a debugging session
with AppScan. The types of identified entry points for nefarious hacks included
accepting hazardous characters that SQL injection probes thrive upon, outrange
parameters and holes that beckon to purveyors of cross-site scripting ploys.
We asked Orrin for an overall take-away tip for programming for security. He
said to watch for hidden fields. ''Hidden fields are insecure. They are usually
there so marketing people, for example, don't have to come back to developers to
change the application,'' he said. He added that there are means to create
equivalents of such fields without 'embedding' them in the delivered code.
For other Programmers Report articles, please go to http://www.adtmag.com/article.asp?id=6265