The following article originally appeared on SearchVB.com.
Developers producing Web-facing apps in the new .NET world moved to ASP, the avenue to the Web view. But, when they did, the security attack surface grew considerably. Some learned the hard way and informally shared their experiences with colleagues. A recent software tool introduction formally focuses on the problem of analyzing vulnerabilities and managing risk in the ASP.NET environment.
The tool, known as DevPartner SecurityChecker and available from Compuware Corp., might really be described as a combination of tools and methodologies. Among the objectives of the software is to implement best practices, said John Carpenter, Compuware's DevPartner SecurityChecker product manager.
"There is a large educational component to the package," he noted. That's because the product provides expert advice on ASP.NET vulnerabilities.
In effect, DevPartner SecurityChecker is a security analysis tool that locates chinks in a program's armor through a unique combination of static analysis, run-time analysis and integrity analysis (which is akin to attack simulation). The advice in DevPartner SecurityChecker comes in the form of suggested steps to repair a vulnerability and links to more information on the problem. In fact, the Compuware crew came up with various rules for "safe ASP" based on considerable engineering research.
What are the types of mistakes programmers make when coding in an era of nefarious hacking? They are not that different in ASP than in other areas.
"There are all sorts of errors they make," Carpenter said. "There's enabling debugging ... leaving back doors open ... having tracing enabled. That is something that static analysis will quickly find," he said.
Moving along down the highway to trouble, there are excessive account use and private account use. Those are "good pickings" for a run-time analyzer, indicated Carpenter.
Finally, there are the now-familiar demons of cross-site scripting, SQL injections, buffer overflows, parameter tampering and command injections. All of which, said Carpenter, can be malleable to integrity analyzers.
Development for security may be moving into a new era. As break-in tools become widely and freely available on the Internet, hackers do not need the same level of skills they required in the past to get in the game. Yet those tools, in combination, of course, may allow increasingly grandiose hacks. Tools that counter the break-in tools and embed knowledge of faults may be just what the doctor ordered.
More information from SearchWindowsSecurity.com
Topic: Get expert technical advice on secure scripting techniques in this topics section
Ask the Expert: Roberta Bragg explains why you may have trouble accessing SQL Server using ASP.NET
White Paper: Find out how .NET networking classes can help you track and report server attacks
