DevPartner SecurityChecker 2.5 does just that for ASP.NET sites


Ed Tittel, Contributor
12.26.2006

In far too many designs and implementations, security comes as an afterthought and isn't part of the ongoing development process. Compuware's DevPartner product family is designed to integrate tightly with Visual Studio (and supports Visual Studio.NET 2003 and 2005).

DevPartner includes a SecurityChecker component, which scans ASP.NET application source code to find known security problems. This lets organizations identify insecure coding practices and pinpoint the method and the line of code where each problem is detected, using a compile-time analyzer to drive scanning, detection, and reporting.

DevPartner SecurityChecker works through runtime code in three different operational phases:

  • Discovery, in which a developer leads the software through a project using manual discovery, or the product runs its own automatic discovery routines to work its way through an entire application.
  • Analysis, in which the software displays a high-level graph and issues reports of application vulnerability details, including location, a description of the vulnerability and related source code, where applicable.
  • Advice, in which the software provides detailed remediation advice on how to repair vulnerabilities, including links to additional Web-based information from trusted resources, as well as additional context around whatever security issues may be involved.

DevPartner SecurityChecker can also create customized, XML-driven reports for organizations with specific reporting requirements or formatting needs.

The focal elements under DevPartner SecurityChecker's hood include a compile-time analyzer, a run-time analyzer and an integrity analyzer, each of which operates at a different time during the development cycle and helps to provide ongoing security checks throughout the process. The integrity analyzer is really a penetration testing tool that attempts to use known techniques to subvert or compromise existing application code, whereas the other two analyzers scan code at compile time or at run time, looking for patterns of code or behavior that match known vulnerabilities.

This tool is available for purchase for Windows XP and Windows 2000 platforms, with Vista support slated for some time in 2007, for a price of $4,200 per named user (includes a one-year update and technical support subscription). Additional discounts for volume purchase are available through Compuware. See the DevPartner SecurityChecker product page for additional information.

Ed Tittel is a writer and trainer whose interests include XML and development topics, along with IT Certification and information security. E-mail etittel@techtarget.com with comments, questions, or suggested topics or tools to review. Cool tools rule!
