Tool for .NET developers takes drudgery out of security

[February 11, 2003] - At this week's VSLive in San Francisco, security specialist Sanctum Inc. announced an automated security testing suite for application developers. AppScan Developer Edition (DE) 1.5 can integrate with Microsoft's Visual Studio .NET.

The software seeks to meet dual needs: To improve security of apps created in the .NET environment and to ease the task of developers who must increasingly build bottom-up secure apps. AppScan DE performs unit tests on Web applications from within the IDE. Configuration settings are used by AppScan to learn the logic of the app, build custom tests and evaluate the app's response to each test. Developers are thus relieved from writing their own test cases. AppScan's evaluations include tips for fixing flaws -- and the software also tests to ensure that fixed flaws don't spawn new security holes. It tests C#, C++, VB and J# code.

Sanctum CTO Steve Orrin walked Programmers Report through a debugging session with AppScan. The types of identified entry points for nefarious hacks included accepting hazardous characters that SQL injection probes thrive upon, outrange parameters and holes that beckon to purveyors of cross-site scripting ploys.

We asked Orrin for an overall take-away tip for programming for security. He said to watch for hidden fields. ''Hidden fields are insecure. They are usually there so marketing people, for example, don't have to come back to developers to change the application,'' he said. He added that there are means to create equivalents of such fields without 'embedding' them in the delivered code.

For other Programmers Report articles, please go to


Upcoming Events


Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.