Hacker Proof ASP.NET Applications with SecurityChecker 1.0 {2}

by Antonio M
The author of this article describes SecurityChecker 1.0, a plug-in from Compuware's DevPartner line for Microsoft Visual Studio .NET 2003. The plug-in combines three kinds of checking: analysis of the source code, analysis at run time, and integrity checking of the running application.

It starts by building a "discovery map" of all the pages in the web application and the links between them, much like a spider crawling a site. Once the discovery map has been built, three security tests can be run against it.

The first test is an analysis of the source code itself. It draws on a set of more than 300 pre-defined rules, from which the user selects the ones to check for. Four source types can be tested: C#, Visual Basic .NET, ASP.NET and HTML. When the source check completes, the result is a list of errors ranked by severity, and each error comes with a detailed explanation and a suggested solution.

The second test is an analysis performed at run time. While the application runs, the plug-in looks for excessive use of process privileges, access to privileged files, incorrect use of the system registry, and other operational problems. These findings are presented in a listed report like the one produced by the source-code analysis.
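The source-code rule test described above (not the run-time test) can be illustrated with a small rule engine. The following is an added example written for this summary, not code from the article or from Compuware's product: the C# code-behind fragment it scans is constructed, and the three rule IDs, their patterns and their severity levels are invented for the example rather than the plug-in's own rule set. It shows the shape of the report the text describes: findings ranked by severity, each with an explanation and a suggested fix.

```python
import re
from dataclasses import dataclass

# Constructed sample: a fragment of an ASP.NET code-behind file of the kind the
# source-code test would scan. It is not taken from the article.
SAMPLE_CS = '''
using System.Data.SqlClient;
public partial class Login : System.Web.UI.Page {
    protected void Page_Load(object sender, EventArgs e) {
        string user = Request["user"];
        string sql = "SELECT * FROM Users WHERE Name='" + user + "'";
        SqlCommand cmd = new SqlCommand(sql, conn);
        Response.Write("Welcome " + Request["user"]);
        string connStr = "Server=db;User Id=sa;Password=Secret123;";
        string safe = Server.HtmlEncode(Request["ref"]);
    }
}
'''

@dataclass
class Rule:
    id: str
    severity: int          # 3 = high, 2 = medium, 1 = low
    pattern: re.Pattern
    message: str           # explanation shown in the report
    fix: str               # suggested solution shown in the report

# Hypothetical rules in the spirit of the plug-in's checks. The IDs and
# patterns are invented for this example, not the product's own rule set.
RULES = [
    Rule("SQLI-CONCAT", 3,
         re.compile(r'"[^"]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+', re.I),
         "SQL statement built by string concatenation",
         "Use SqlParameter values instead of concatenating input into the query"),
    Rule("XSS-ECHO", 3,
         re.compile(r'Response\.Write\([^;]*Request\['),
         "Request data written to the response without encoding",
         "Wrap the value in Server.HtmlEncode before writing it"),
    Rule("HARDCODED-PW", 2,
         re.compile(r'Password\s*=\s*[^;"]+', re.I),
         "Password embedded in source code",
         "Move the connection string to protected configuration"),
]

@dataclass
class Finding:
    rule: str
    severity: int
    line: int
    snippet: str
    message: str
    fix: str

def scan_source(source: str) -> list[Finding]:
    """Apply every rule to every line; return findings, highest severity first."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule in RULES:
            if rule.pattern.search(line):
                findings.append(Finding(rule.id, rule.severity, lineno,
                                        line.strip(), rule.message, rule.fix))
    findings.sort(key=lambda f: (-f.severity, f.line))
    return findings

def format_report(findings: list[Finding]) -> str:
    """Render the ranked list with explanation and solution, as the tool's report does."""
    names = {3: "HIGH", 2: "MEDIUM", 1: "LOW"}
    lines = []
    for f in findings:
        lines.append(f"[{names[f.severity]}] {f.rule} line {f.line}: {f.message}")
        lines.append(f"    code: {f.snippet}")
        lines.append(f"    fix:  {f.fix}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(scan_source(SAMPLE_CS)))
```

Line-oriented regular expressions are enough to show the reporting model, but a real rule set of this kind would work on parsed code so that a query assembled across several statements, or a value encoded on one line and written on another, is not missed or double-counted.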
The third test, the integrity analysis, checks the application's overall security by, in effect, trying to hack it automatically: it submits SQL injection, cross-site scripting and buffer-overflow inputs to the application. It also checks the error messages the application produces. As with the other two tests, every problem found during the integrity analysis is collected into a list.
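The integrity test can be shown in miniature. The following is an added example written for this summary, not code from the article or from the product. It stands in for a page handler with an in-memory SQLite database, builds one deliberately vulnerable version of the page and one hardened version, and probes each with the kinds of input the text names: a SQL injection tautology, a lone quote to provoke a database error message, a script marker for cross-site scripting, and an over-long input. The page, the database contents and the probe payloads are all constructed for the example.

```python
import html
import re
import sqlite3

# Constructed stand-in for the application's database; not from the article.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def vulnerable_page(conn, name: str) -> str:
    """Page handler with the two defects the integrity test looks for:
    SQL built by concatenation and request input echoed without encoding."""
    rows = conn.execute(
        "SELECT name, role FROM users WHERE name = '" + name + "'").fetchall()
    return "<p>Results for " + name + ": " + str(len(rows)) + "</p>"

def hardened_page(conn, name: str) -> str:
    """Same page with a parameterised query and HTML-encoded output."""
    rows = conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()
    return "<p>Results for " + html.escape(name) + ": " + str(len(rows)) + "</p>"

# Probe inputs, constructed for the example.
SQLI_PAYLOADS = ["' OR '1'='1", "'"]       # a tautology, then a lone quote
XSS_MARKER = "<script>probe()</script>"
LONG_INPUT = "A" * 10000

def row_count(page_output: str) -> int:
    """Read the row count the page reports, to compare against a baseline."""
    m = re.search(r": (\d+)</p>", page_output)
    return int(m.group(1)) if m else 0

def probe_page(page, conn) -> list[tuple[str, str, str]]:
    """Run the probes against one page handler; return (category, severity, detail)."""
    findings = []
    baseline = row_count(page(conn, "nobody"))   # benign name matching no row
    for payload in SQLI_PAYLOADS:
        try:
            out = page(conn, payload)
        except sqlite3.Error as exc:
            # A database error driven by user input: the query is injectable and
            # the error message itself reaches the client.
            findings.append(("SQL injection", "high",
                             f"payload {payload!r} raised database error: {exc}"))
            continue
        if row_count(out) > baseline:
            findings.append(("SQL injection", "high",
                             f"payload {payload!r} returned more rows than the baseline"))
    out = page(conn, XSS_MARKER)
    if XSS_MARKER in out:
        findings.append(("Cross-site scripting", "high",
                         "script marker reflected into the response unencoded"))
    try:
        page(conn, LONG_INPUT)
    except Exception as exc:
        findings.append(("Over-long input", "medium",
                         f"unhandled exception on {len(LONG_INPUT)}-byte input: {exc}"))
    return findings

if __name__ == "__main__":
    conn = make_db()
    for label, page in [("vulnerable", vulnerable_page), ("hardened", hardened_page)]:
        print(label, probe_page(page, conn))
```

The vulnerable handler yields three findings (the tautology returns extra rows, the lone quote produces a database error, and the script marker comes back unencoded) while the hardened one yields none. A scanner working over HTTP would make the same comparisons on response bodies and status codes instead of on a function's return value.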
There are some downsides, or at least features that could still be added. The plug-in cannot run all three tests at the same time; if a new version is ever released, that should be the first addition. The price is also steep: about "$12,000 per concurrent user".

To sum up, the author finds SecurityChecker a very useful and highly configurable plug-in and a good security analysis engine for ASP.NET applications.