Third-party tool helps in securing ASP

By Jack Vaughan 13 Apr 2005 | SearchVB.com

Digg This!     StumbleUpon     Del.icio.us

Developers producing Web-facing apps in the new .NET world moved to ASP, the avenue to the Web view. But, when they did, the security attack surface grew considerably. Some learned the hard way and informally shared their experiences with colleagues. A recent software tool introduction formally focuses on the problem of analyzing vulnerabilities and managing risk in the ASP.NET environment.

The tool, known as DevPartner SecurityChecker and available from Compuware Corp., might really be described as a combination of tools and methodologies. Among the objectives of the software is to implement best practices, said John Carpenter, Compuware's DevPartner SecurityChecker product manager.

"There is a large educational component to the package," he noted. That's because the product provides expert advice on ASP.NET vulnerabilities.

In effect, DevPartner SecurityChecker is a security analysis tool that locates chinks in a program's armor through a unique combination of static analysis, run-time analysis and integrity analysis (which is akin to attack simulation). The advice in DevPartner SecurityChecker comes in the form of suggested steps to repair a vulnerability and links to more information on the problem. In fact, the Compuware crew came up with various rules for "safe ASP" based on considerable engineering research.

What are the types of mistakes programmers make when coding in an era of nefarious hacking? They are not that different in ASP than in other areas.

"There are all sorts of errors they make," Carpenter said. "There's enabling debugging … leaving back doors open ... having tracing enabled. That is something that static analysis will quickly find," he said.

Moving along down the highway to trouble, there are excessive account use and private account use. Those are "good pickings" for a run-time analyzer, indicated Carpenter.

Finally, there are the now-familiar demons of cross-site scripting, SQL injections, buffer overflows, parameter tampering and command injections. All of which, said Carpenter, can be malleable to integrity analyzers.

Development for security may be moving into a new era. As break-in tools become widely and freely available on the Internet, hackers do not need the same level of skills they required in the past to get in the game. Yet those tools, in combination, of course, may allow increasingly grandiose hacks. Tools that counter the break-in tools and embed knowledge of faults may be just what the doctor ordered.

Tags: ASP.NET development tools,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT ASP.NET development tools Embarcadero RAD Studio 2010 How to use jQuery to solve Javascript browser compatibility problems Microsoft webcast series previews new Visual Studio 2010 features Visual Studio's IntelliSense for jQuery doesn't autocomplete correctly Dundas Map for .NET kicks up geographic visualization Use PHP with Visual Studio to create Web sites VB code: Internet application downloads Set of ASP.NET controls addresses data entry Spring.NET 1.1 brings AOP to .NET development ComponentArt adds editor, spell checker to ASP.NET UI tool

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary ASP.NET  (SearchWinDevelopment.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary