APPLICATION SECURITY
Compuware DevPartner SecurityChecker 1.0 finds holes in .Net code but lacks integration features
DRIVEN BY A CONSTANT stream of well-publicized and highly disconcerting breaches, the demand for software security has spawned numerous tools that analyze code bases and search for any vulnerabilities that a cracker could potentially exploit.
I've examined several of these tools in the past year, including Fortify Software's Source Code Analysis Suite 3.0 (infoworld.com/2453) and Secure Software's CodeAssure Suite 2.0 (infoworld.com/3209). Both of these code security products are very good, but they share a common defect: They do not analyze Web applications that run on Microsoft's .Net environment. The only product that can currently do that is Compuware's DevPartner SecurityChecker 1.0.
The SecurityChecker tool analyzes applications in several ways, providing source-code verification, run-time analysis, and integrity checking. The last of these processes attempts to break client-facing Web pages by using typical forms of attack, such as buffer overruns and entry of malicious values into forms.
I found SecurityChecker complete, effective, and highly configurable, albeit limited strictly to .Net languages. It is pricey and lacks some necessary integration features, but for sites using US and ASP.Net, it is the only solution for securing apps, and it does a good job at that.
Intense Analysis
SecurityChecker installs as a plug-in to Microsoft Visual Studio .Net 2003, the only version of the IDE currently supported. It occupies a slot on the principal menu bar, from which its various activities are launched. (Technically speaking, the software can be run from the...