Compuware responds to VSTS

At first sight much of the functionality promised by Microsoft's forthcoming Visual Studio 2005 Team System (VSTS) would seem to compete head-on with products such as Compuware's DevPartner suite. We have yet to see how this pans out, but we can gain some insight from Compuware's recent launch of two new DevPartner products in SecurityChecker and Fault Simulator. Matt Nicholson was at the launch in December 2004.

Author: Matt Nicholson

Last updated: Feb 2005

The appearance of Microsoft’s Visual Studio Team System (VSTS) on the skyline has implications for the market in which companies such as Compuware operate. At first sight, much of the functionality promised for VSTS, such as its code profiling and testing tools, would seem to pitch it head-on with products like Compuware’s DevPartner suite. On the other hand, the extensibility offered by VSTS potentially brings new opportunities for companies like Compuware, with a new environment in which their tools can operate.
      We have yet to see how it pans out, as VSTS is not scheduled for release until the middle of the year and much of its architecture still seems undecided. However, we can gain some insight from the latest tools in Compuware’s DevPartner suite, namely SecurityChecker and Fault Simulator, which were announced in Amsterdam in December 2004. We talked to product manager Rob Straight at the event, but first let’s look at the products themselves.

DevPartner SecurityChecker 1.0
Security is becoming ever more important, particularly for larger organisations, and development teams are increasingly accepting that security needs to be an integral and indeed central part of the development process, from application design through coding to testing and deployment. As Dominic Baier of Developmentor explained at the launch, security of the operating system itself, and on the transport and network layers, has improved considerably thanks to initiatives such as Windows XP SP2, to the extent that (to quote John Pescatore of The Gartner Group), “Today over 70 per cent of attacks against a company’s network come at the application layer, not the network or system layer.”
      Which is where DevPartner SecurityChecker comes in. This is a rules-based code checker that runs from within the Visual Studio .NET 2003 environment in much the same way as current DevPartner products. Versions for Visual Studio 2005 and Visual Studio Team System will follow as they are released. As it stands, SecurityChecker will only assess ASP.NET projects – it is not designed for use with Windows Forms or Win32 applications.
      Run SecurityChecker and it will check your current project at compile time for code that could be vulnerable to attack, or could provide potential attackers with more information than you intend. For example, it will highlight instances of debug="true" and suggest you remove the entry or explicitly set debug="false". What this version will not do is give you the facility to auto-correct such faults.
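
The debug="true" check described above, sketched as an added example (not Compuware's code and not SecurityChecker's actual rule): a Python scan of a web.config that reports every compilation element with debug enabled, including ones nested under location overrides that a root-only check would miss. The sample file, the rule name and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config: debug is enabled at the site root and again
# inside a <location> override; a third <location> sets it to false.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="True" defaultLanguage="c#" />
  </system.web>
  <location path="admin">
    <system.web>
      <compilation debug="true" />
    </system.web>
  </location>
  <location path="reports">
    <system.web>
      <compilation debug="false" />
    </system.web>
  </location>
</configuration>
"""

def find_debug_compilation(config_xml):
    """Return one finding per <compilation> element with debug enabled."""
    root = ET.fromstring(config_xml)
    findings = []

    def walk(node, scope):
        for child in node:
            if child.tag == "location":
                # Settings under <location> apply to that path only.
                walk(child, child.get("path", "(unspecified)"))
            elif child.tag == "compilation":
                # Assumption: compare case-insensitively so that a value
                # such as "True" is reported rather than missed.
                if child.get("debug", "false").strip().lower() == "true":
                    findings.append({
                        "scope": scope,
                        "rule": "compilation-debug-enabled",  # hypothetical rule name
                        "advice": 'remove the debug attribute or set debug="false"',
                    })
            else:
                walk(child, scope)

    walk(root, "(site root)")
    return findings

if __name__ == "__main__":
    for f in find_debug_compilation(SAMPLE_WEB_CONFIG):
        print(f"{f['scope']}: {f['rule']} -> {f['advice']}")
```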

Potential vulnerabilities are grouped according to severity, ranging from ‘critical’ to ‘informational’, and category, such as ‘insecure coding practices’, ‘execution errors’ or ‘deployment issues’. Checking can be conducted in three phases. First of all, SecurityChecker can check the source code itself, looking for known patterns. Secondly, SecurityChecker can monitor the application as it is running, looking for instances where, for example, a file is opened with read/write access when the application may only need read access. It won’t check what permissions have actually been set, but it will highlight the potential problem.

Other potential vulnerabilities checked at this stage are the handling of SQL commands and the use of impersonation. Finally, SecurityChecker will actively replay a series of known attacks against your application, looking for weaknesses such as poor error handling or pages vulnerable to parameter tampering, buffer overflow, SQL injection attacks and the like.
      Compuware is pricing SecurityChecker at £8,525 (eur 14,175) per concurrent user. This contrasts with £4,900 (eur 8,150) for DevPartner Studio Professional Edition and £2,350 (eur 3,900) for BoundsChecker, both of which are also available for just £1,650 (eur 2,725) and £800 (eur 1,300) respectively for a single named user licence. Volume discounts are available, but SecurityChecker clearly represents a considerable investment for smaller development teams. That said, it does pack a great deal of specialist expertise.

DevPartner Fault Simulator 1.0
Fault Simulator does very much what it says on the box: it simulates faults so you can test your error handling routines. Error handling code can’t really be tested without subjecting the application to the faults that would trigger the error handling code, which can be difficult in a real-world situation. As a result, many error handling routines are not tested at all.
      This is where Fault Simulator comes in. Like SecurityChecker it is fully integrated into the Visual Studio environment, although it can be run as a standalone application targeting your program as it executes, or from the command line for automated testing.

Fault Simulator will simulate a wide range of faults, such as lack of disk space or network failure, without disrupting the debugging environment or affecting the operating system, and will record how your program responds as the simulation proceeds. It will also save the results so they can be reviewed at a later time.
      DevPartner Fault Simulator costs £4,275 (eur 7,100) for a concurrent user licence, and volume discounts are available. Again, there is no single named user licence option.

Copyright © Matt Publishing. All rights reserved. No part of this site may be reproduced without the prior consent of the copyright holder.