Checks to help Windows coders
Developers get new vulnerability spotting options
Software developers working with Windows systems will have new options to tighten security and spot vulnerabilities in their code following the release of two new offerings from software giant Compuware.
John Carpenter, product manager for Compuware’s DevPartner SecurityChecker tools, said the updates include support for the recently released Microsoft Visual Studio 2005. Carpenter said, “This release is about remaining current with Visual Studio, which was updated by Microsoft late last year.” The Microsoft update included major enhancements to the .Net 2.0 Framework.
Carpenter said, “We’re announcing two things: DevPartner SecurityChecker 2.0 and our Security Assessment Service. SecurityChecker 2.0 includes three analysis modules. One does compile-time analysis, and another performs runtime analysis, which is totally unique to SecurityChecker. It hooks into the application at runtime and checks for vulnerabilities as the application actually executes. The third module does integrity analysis, usually called penetration testing.”
Carpenter added that this third module can check for an application’s vulnerability to cross-site scripting attacks by trying to inject code into the application. “We can find dot-Net-specific bugs relating to Windows security settings, and also more general web application vulnerabilities,” he added.
Such tools should be popular with corporate application developers, as experts say around 75 percent of hacker attacks target applications rather than the network or server infrastructure.
Compuware’s Security Assessment Service is likely to appeal to smaller firms with fewer specialist security developers on staff. “We are also going to be offering our customers a Security Assessment for ASP.Net applications for organisations that feel they require specific expertise,” said Carpenter.
The service combines Compuware professional services with SecurityChecker 2.0 and includes a security assessment and use of the three analysis modules. “Our consultant will then deliver a detailed report to the customer so that they can investigate and correct vulnerabilities, to secure their application against attack,” added Carpenter.