.NET Web Application Security Audit?

Does anyone have any suggestions for verifying the security of a .NET web application?

I'm interested in all the options. I would like something to agnostically examine my application for security risks.

EDIT:

To clarify, the system was designed with security in mind. The environment has been configured with security in mind. I want an independent security measure other than “yes, it's safe” ... The cost of someone checking 1M+ lines of code is probably more expensive than development. It seems that at the moment there is no good automated / inexpensive approach. Thanks for your suggestions.

The audit point will be an independent security audit, which was implemented by the team.

BTW - there are several automated hacking / sensing tools for sensing applications / web servers, but it bothers me a bit whether they are worms or not ...

+3
6 answers

The best thing:

  • Hiring a security guy to analyze source code
  • The second best thing is to hire a defender / penetrating guy to analyze the black boxes.

The following tools will help:

  • Static analysis tools: Fortify / Ounce Labs - code review
  • Consider solutions such as the HP WebInspects protected object (VS.NET add-on)
  • Buying a Blackbox app scanner like Netsparker, Appscan, WebInspect, Hailstorm, Acunetix or the free version of Netsparker

Hiring some security professionals is a much better idea (it will cost more) because they will not only find injections and technical problems, which an automated tool can find, but they will also find all the logical problems.

+3

Anyone in your situation has the following options:

  • Code review
  • Static code base analysis with a tool,
  • Dynamic analysis of the application at runtime.

Mitchell has already indicated the use of Fortify. In fact, Fortify has two products to cover the areas of static and dynamic analysis - SCA (the static analysis tool that will be used during development) and PTA (which performs the analysis of the application as test cases during testing).

However, no tool is perfect, and you can get false positives (fragments of your code base, although not vulnerable, will be marked) and false negatives. Only code analysis can solve such problems. Code reviews of the road - not everyone in your organization will be able to view the code through the eyes of a security expert.

A good place to start is OWASP. Understanding the security principles is strongly recommended before reading the OWASP Development Guide (3.0 is in draft, 2.0 can be considered stable). Finally, you can prepare for the first scan of your code base.

+2

One of the first things I started to do with our internal application was to use a tool like Fortify, which performs a security analysis of your code base.

Otherwise, you may consider engaging the services of a third-party security company to test your application.

0

Testing and static analysis is a very bad way to find security vulnerabilities, and in fact it is a last resort method if you did not think about security throughout the design and implementation process.

The problem is that now you are trying to list all the ways in which your application can fail and refuse them (by fixing it), rather than trying to indicate what your application should do and prevent everything that’s wrong (defensive programming). Since your application probably has endless ways to go wrong and there are only a few things that it should do, you should take a “deny by default” approach and allow only good things.

In other words, it’s easier and more efficient to create controls to prevent entire classes of typical vulnerabilities (for example, see OWASP, as indicated in other answers) no matter how they may arise, than to look for what specific disgust is some version of your code. You should try to prove that there is good control (which can be done), and not the absence of bad things (which cannot).

If you ask someone to review your design and security requirements (what exactly are you trying to protect against?), with full access to the code and all the details, this will be more valuable than any black box test. Because if your design is wrong, it doesn't matter how well you implemented it.

0
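The “deny by default” control the answer above argues for, as an added example that is not from this thread or any of the products named on the page. It contrasts a blocklist check (enumerating bad input) with an allow-list validator wired into .NET model validation, for a hypothetical customer-code field whose format (three uppercase letters, a dash, four digits) is assumed here.

```csharp
// Added example, not code from the thread. Shows why a positive specification of
// valid input (deny by default) is a reviewable control, while a blocklist is not.
using System;
using System.ComponentModel.DataAnnotations;
using System.Text.RegularExpressions;

public static class CustomerCodeValidator
{
    // Blocklist: tries to enumerate "bad" tokens. It can never prove the input is
    // well-formed, because anything it did not think of passes unchallenged.
    public static bool PassesBlocklist(string input)
    {
        if (input == null) return false;
        string[] bad = { "'", "--", ";", "<", ">" };
        foreach (var token in bad)
        {
            if (input.IndexOf(token, StringComparison.Ordinal) >= 0)
                return false;
        }
        return true;
    }

    // Allow-list: hypothetical format "ABC-1234". Only input matching the
    // specification is accepted; everything else is rejected by default.
    private static readonly Regex Allowed =
        new Regex(@"^[A-Z]{3}-[0-9]{4}$", RegexOptions.CultureInvariant);

    public static bool IsValidAllowlist(string input)
    {
        return input != null && Allowed.IsMatch(input);
    }
}

// One central control reused on every model that carries the field, so a reviewer
// can verify the control is present rather than hunting for individual bad inputs.
public sealed class CustomerCodeAttribute : ValidationAttribute
{
    public override bool IsValid(object value)
    {
        return CustomerCodeValidator.IsValidAllowlist(value as string);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample values: the second is not a valid code but contains
        // nothing the blocklist enumerated, so only the allow-list rejects it.
        foreach (var s in new[] { "ABC-1234", "abc 12345 DROP" })
            Console.WriteLine($"{s}: blocklist={CustomerCodeValidator.PassesBlocklist(s)} allowlist={CustomerCodeValidator.IsValidAllowlist(s)}");
    }
}
```

On a model property, `[CustomerCode] public string Code { get; set; }` makes ASP.NET model binding apply the same control everywhere the field appears.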

We used Telus to conduct portability testing for us several times and were impressed with the results.

0

May I recommend that you contact Artec Group, Security Compass and Veracode and check their offers ...

0
