DevPartner SecurityChecker
Identify Security Defects in ASP.NET Code During Development
DevPartner SecurityChecker is aimed at developers or security administrators and lets them analyze ASP.NET code (Visual C# .NET and Visual Basic .NET are supported) for potential security vulnerabilities during the code development cycle. The tool provides both white box and black box testing methodologies, and the white box testing algorithms can report the exact source code responsible for a noted vulnerability.
The product leads developers or security administrators through three phases of application vulnerability management: the Discovery phase, the Analysis phase, and the Advisor phase.
During the Discovery phase, the user tells the tool which applications or portions of an application should be tested. Discovery can be automated (a start page is provided and the tool spiders the site to determine the remaining pages of the application) or manual, in which the user "walks through" the individual pages they wish to be tested. These "Discovery Maps" can also be created manually and/or edited after they are created to narrow the application testing to just those portions desired by the tester.
In the Analysis phase, the program scans for, notes and reports all vulnerabilities discovered in the mapped application. Three distinct scanning methodologies can be employed individually or in any combination to test the application:
- Compile-time analysis, wherein the source code itself is examined directly for known security-related errors. Compile-time analysis can be run against the application as soon as it can be compiled.
- Runtime analysis, wherein factors not present until the application is actually run are considered (such as use of excessive privileges, unsafe file access, or incorrect registry access), and environmental issues such as weak DB server security configuration, incorrect use of impersonation, or insecure use of the cryptography APIs are examined. Runtime analysis can be run against the application as soon as it can be executed.
- Integrity analysis, black-box testing that launches known attacks against the application to determine its susceptibility to them.
After the Analysis phase, the user can view the vulnerabilities found in summary or detail form, automatically sorted by severity (critical, important, moderate or informational) and category (security context, insecure coding practices, execution errors or application integrity and/or deployment issues). Customized XML-based reporting is also possible, and both the compile-time and runtime analysis methods report the actual source code responsible for the vulnerability.
Finally, in the Advisor phase, the end user is given information about each vulnerability that explains the potential security violation and describes potential remediation steps leading to its correction.
Key new features in the latest DevPartner SecurityChecker release include:
- Visual Studio 2005 integration (to go with the product's existing Visual Studio .NET 2003 integration)
- Over 30 new Integrity Analysis rules, including searches for configuration, comments, or other sensitive information that may unknowingly appear in pages and be indexed by search engines; searches for hidden debug information that could potentially be unlocked by a hacker; searches for HTTP header-based vulnerabilities such as cookie security; and tests for cross-site scripting attacks that specifically target the circumvention of ASP.NET validation
DevPartner SecurityChecker is available now; pricing begins at $12,000 per concurrent user (volume discounts are available).
Contact Compuware for further information.
product submission by EITPlanet Staff
