Product Reviews

Quick Look: AppScan

Keep security in mind during the development process.

Quite a few products that work within the VS .NET shell were announced at the VSLive! conference in February. One of these, AppScan DE, offers support for developers concerned with security in ASP.NET applications. I had a chance to see a pre-release build in action and chat a bit with the Sanctum folks about what the product can do and where it's heading.

The idea of AppScan DE is to help the average developer become more security conscious, and help them fix potential security holes before they're exposed. While some people can keep up with all the different ways that their Internet applications can be compromised, from SQL injection attacks to cross-site scripting, these are dark arts to many other developers. AppScan DE has built-in knowledge of hundreds of attacks, and can scan your code to find vulnerabilities.

To use AppScan DE, you create a new AppScan Project in your ASP.NET solution. Then it goes off and analyzes the code, testing it for vulnerabilities. If any are found, you get a list of what's wrong, together with jumps to the affected code, explanations of the problem, and extensive remediation suggestions. Tests are kept in the project tree, so at any point you can go back and see where things were historically. You can also record and play back business processes, so you can focus on particular parts of your application. One nice touch is an automatic interface to form fields, so that it can fill in plausible data as it rolls through your application. Of course, you can customize the plausible data to your own needs, so even supplying a legitimate test user and password is quite easy.

All in all, this looks like a good alternative to having a security expert do constant code reviews (though I'd still want to get the expert involved somewhere along the line), and will help push security knowledge out into the wider developer community. Sanctum is also planning to release an auditing/QA tool at midyear that will extend some of this intelligence to auditing Web Services.

AppScan DE will be generally available March 17, with a $1,499 retail price and a roughly $1,000 per seat promotional price.

About the Author

Mike Gunderloy, MCSE, MCSD, MCDBA, is a former MCP columnist and the author of numerous development books.
