Product Reviews

Quick Look: AppScan

Keep security in mind during the development process.

There were quite a few products that work within the VS .NET shell announced at the VSLive! Conference in February. One of these, AppScan DE, offers support for developers concerned with security in ASP.NET applications. I had a chance to see a pre-release build in action and chat a bit with the Sanctum folks about what the product can do and where it's heading.

The idea of AppScan DE is to help the average developer become more security conscious, and help them fix potential security holes before they're exposed. While some people can keep up with all the different ways that their Internet applications can be compromised, from SQL injection attacks to cross-site scripting, these are dark arts to many other developers. AppScan DE has built-in knowledge of hundreds of attacks, and can scan your code to find vulnerabilities.

To use AppScan DE, you create a new AppScan Project in your ASP.NET solution. Then it goes off and analyzes the code, testing it for vulnerabilities. If any are found, you get a list of what's wrong, together with jumps to the affected code, explanations of the problem, and extensive remediation suggestions. Tests are kept in the project tree, so at any point you can go back and see where things were historically. There's also an ability to record and playback business processes, so you can focus on particular parts of your application. One nice touch is an automatic interface to form fields, so that it can fill in plausible data as it rolls through your application. Of course you can customize the plausible data to your own needs, so even supplying a legitimate test user and password is quite easy.

All in all, this looks like a good alternative to having a security expert do constant code reviews (though I'd still want to get the expert involved somewhere along the line), and will help push security knowledge out into the wider developer community. Sanctum is also planning to release an auditing/QA tool at mid year that will extend some of this intelligence to auditing Web Services.

AppScan DE will be generally available March 17, with a $1,499 retail price and a roughly $1,000 per seat promotional price.

About the Author

Mike Gunderloy, MCSE, MCSD, MCDBA, is a former MCP columnist and the author of numerous development books.


comments powered by Disqus

Subscribe on YouTube