Sanctum AppScan DE 1.7

This second version offers a host of new features, improvements, and conveniences.

Ken McNamee

October 30, 2009


The first step in securing your Web site against those who would harm either you or your customers is to know how vulnerable you are. The second step is to fix those vulnerabilities. AppScan Developer Edition (DE) from Sanctum can significantly aid you during both of those steps by scouring your Web site for known weak points that a hacker can use to gain access to your server, your data, or even your customers' identities.

AppScan DE provides an easy, automated way to continually verify that the code you write does not leave your Web site vulnerable to these types of malicious attacks. It can be used as a stand-alone tool or integrated directly into Visual Studio .NET 2002 and 2003. In VS .NET integration mode, AppScan is project-based, which is very convenient because the configuration for the security unit testing is saved inside the solution for the Web application. It's a small detail and I don't normally like using plug-ins, but in this case the AppScan plug-in makes it easier to run the security tests often, which is always a good thing.

The first step to using AppScan is to add an AppScan project to your Web application's solution. If the Web application uses Forms authentication or NTLM authentication, you can then configure the project by setting the username, password, and domain as required. Other options include setting how many levels deep AppScan searches for vulnerabilities and the option to send attacks that can actually damage the site rather than just simulating them. Once configured, you can run the AppScan project and it will intelligently probe your Web application's pages for dozens of known vulnerabilities and display a report showing what it discovered.

Probably AppScan's most surprising feature is the amount and quality of security information that it provides after each unit test is run. Figure 1 displays a typical unit test report in the AppScan Visual Studio .NET plug-in. This report tells you which vulnerabilities were most serious, exactly where they occurred, how to reproduce them, and how to fix them. In addition, you can read a good deal of detailed background information on the vulnerability, including links to Microsoft Knowledge Base articles, TechNet bulletins, and CERT advisories. The only negative here is that the attack information is not filtered specifically to ASP.NET, so you may have to wade through some text that would make more sense to JSP or Perl developers.

Figure 1. AppScan provides specific, relevant information about the vulnerabilities it discovers and volumes of information explaining how best to fix them.

AppScan is an outstanding product; I recommend it for anyone who develops public Internet applications. It is nearly impossible for the average ASP.NET developer to match AppScan's tenacity in probing a Web application for vulnerabilities. This type of security unit testing should be a mandatory step in every Web development shop.

Rating:

Web Site: http://www.sanctuminc.com

Price: $1,495

Ken McNamee is an independent consultant who works with companies in need of highly scalable data-driven Web applications. And who doesn't need one of those these days? Before this, he led a team of developers in re-architecting the Home Shopping Network's e-commerce site, HSN.com, to 100 percent ASP.NET with C#. E-mail him at [email protected].

Tell us what you think! Please send any comments about this article to [email protected]. Please include the article title and author.
