Quick Look: AppScan
Keep security in mind during the development process.
Quite a few products that work within the VS .NET shell were announced
at the VSLive! Conference in February. One of these, AppScan DE, offers
support for developers concerned with security in ASP.NET applications.
I had a chance to see a pre-release build in action and chat a bit with
the Sanctum folks about what the product can do and where it's heading.
The idea of AppScan DE is to help the average developer become more security
conscious, and help them fix potential security holes before they're exposed.
While some people can keep up with all the different ways that their Internet
applications can be compromised, from SQL injection attacks to cross-site
scripting, these are dark arts to many other developers. AppScan DE has
built-in knowledge of hundreds of attacks, and can scan your code to find
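To make the two vulnerability classes named above concrete, here is an added illustration (not code from the column, from Sanctum, or from AppScan DE itself) of how each typically shows up in ASP.NET code-behind, with the hardened version of the same handler beside it. The connection string, the Users table and its columns, and the control names are assumed placeholders.

```csharp
// Added illustration, not from the column or from Sanctum: a lookup page
// written the unsafe way and the safe way. Connection string, table and
// column names, and control names are assumed placeholders.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public class UserLookupPage : Page
{
    protected TextBox UserNameBox;   // bound to <asp:TextBox id="UserNameBox" runat="server" />
    protected Label ResultLabel;     // bound to <asp:Label id="ResultLabel" runat="server" />

    // Assumed placeholder; a real application would read this from configuration.
    private const string ConnectionString =
        "Server=(local);Database=AppDb;Integrated Security=SSPI;";

    // Unsafe form: the untrusted field value is spliced into the SQL text
    // (SQL injection) and then written back into the page without encoding
    // (cross-site scripting). This is the pattern a source scanner flags.
    protected void LookupUnsafe(object sender, EventArgs e)
    {
        string name = UserNameBox.Text;
        string sql = "SELECT Email FROM Users WHERE UserName = '" + name + "'";
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            object email = cmd.ExecuteScalar();
            ResultLabel.Text = "Email for " + name + ": " + email;
        }
    }

    // Hardened form: the value travels as a typed parameter, so it can never
    // alter the query structure, and every untrusted value is HTML-encoded
    // before it reaches the response.
    protected void LookupSafe(object sender, EventArgs e)
    {
        string name = UserNameBox.Text;
        const string sql = "SELECT Email FROM Users WHERE UserName = @UserName";
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 64).Value = name;
            conn.Open();
            object email = cmd.ExecuteScalar();
            string emailText = (email == null || email == DBNull.Value)
                ? "(none)" : email.ToString();
            ResultLabel.Text = "Email for " + HttpUtility.HtmlEncode(name)
                             + ": " + HttpUtility.HtmlEncode(emailText);
        }
    }
}
```

The point of putting the two handlers side by side is that the difference a scanner looks for is small and local: a string concatenation where a parameter belongs, and a raw assignment to a control's Text where an encoding call belongs. A review that checks for exactly those two edits in every data-access and output path catches most of what this class of tool reports.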
To use AppScan DE, you create a new AppScan Project in your ASP.NET solution.
Then it goes off and analyzes the code, testing it for vulnerabilities.
If any are found, you get a list of what's wrong, together with jumps
to the affected code, explanations of the problem, and extensive remediation
suggestions. Tests are kept in the project tree, so at any point you can
go back and see where things were historically. There's also an ability
to record and play back business processes, so you can focus on particular
parts of your application. One nice touch is an automatic interface to
form fields, so that it can fill in plausible data as it rolls through
your application. Of course you can customize the plausible data to your
own needs, so even supplying a legitimate test user and password is quite
All in all, this looks like a good alternative to having a security expert
do constant code reviews (though I'd still want to get the expert involved
somewhere along the line), and will help push security knowledge out into
the wider developer community. Sanctum is also planning to release an
auditing/QA tool at mid-year that will extend some of this intelligence
to auditing Web Services.
AppScan DE will be generally available March 17, with a $1,499 retail
price and a roughly $1,000 per seat promotional price.
Mike Gunderloy, MCSE, MCSD, MCDBA, is a former MCP columnist and the author of numerous development books.