Anyone have suggestions for security auditing of a .NET web application?

I'm interested in all options. I'd like to be able to have something agnostically probe my application for security risks.

EDIT:

To clarify, the system has been designed with security in mind. The environment has been set up with security in mind. I want an independent measure of security, other than - 'yeah it's secure'... The cost of having someone audit 1M+ lines of code is probably more expensive than the development. It looks like there really isn't a good automated/inexpensive approach to this yet. Thanks for your suggestions.

The point of an audit would be to independently verify the security that was implemented by the team.

BTW - there are several automated hack/probe tools to probe applications/web servers, but I'm a bit concerned about whether they are worms or not...

A: 

One of the first things that I have started to do with our internal application is use a tool such as Fortify that does a security analysis of your code base.

Otherwise, you might consider enlisting the services of a third-party company that specializes in security to have them test your application.

Mitchel Sellers
+2  A: 

Anyone in your situation has the following options available:

  1. Code Review,
  2. Static Analysis of the code base using a tool,
  3. Dynamic Analysis of the application at run time.

Mitchel has already pointed out the use of Fortify. In fact, Fortify has two products to cover the areas of static and dynamic analysis - SCA (static analysis tool, to be used in development) and PTA (that performs analysis of the application as test cases are executed during testing).

However, no tool is perfect and you can end up with false positives (fragments of your code base, although not vulnerable, will be flagged) and false negatives. Only a code review could solve such problems. Code reviews are expensive - not everyone in your organization would be capable of reviewing code with the eyes of a security expert.

To begin with, one can start with OWASP. Understanding the principles behind security is highly recommended before studying the OWASP Development Guide (3.0 is in draft; 2.0 can be considered stable). Finally, you can prepare to perform the first scan of your code base.

Vineet Reynolds
A: 

Testing and static analysis is a very poor way to find security vulnerabilities, and is really a method of last resort if you haven't thought of security throughout the design and implementation process.

The problem is that you are now trying to enumerate all of the ways your application could fail, and deny those (by patching), rather than trying to specify what your application should do, and prevent everything that isn't that (by defensive programming). Since your application probably has infinite ways to go wrong and only a few things that it is meant to do, you should take an approach of 'deny by default' and allow only the good stuff.

Put it another way, it's easier and more effective to build in controls to prevent whole classes of typical vulnerabilities (for examples, see OWASP as mentioned in other answers) no matter how they may arise, than it is to go looking for which specific screwup some version of your code has. You should be trying to evidence the presence of good controls (which can be done), rather than the absence of bad stuff (which can't).

If you get somebody to review your design and security requirements (what exactly are you trying to protect against?), with full access to code and all details, that will be more valuable than some kind of black box test. Because if your design is wrong then it won't matter how well you implemented it.

frankodwyer
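
The contrast drawn in the answer above, between enumerating ways to fail and specifying what is allowed, as an added C# example that is not part of the original answer. The `sort` request parameter, the column names and the deny-list tokens are constructed assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

static class SortParameter
{
    // Deny-list: enumerates inputs known to be bad; anything not listed passes.
    static readonly string[] KnownBad = { "--", ";", "'", "/*" };

    public static bool PassesDenyList(string value) =>
        value != null && !KnownBad.Any(bad => value.Contains(bad));

    // Allow-list: the complete set of values the feature is meant to accept,
    // each mapped to a column name that the application itself supplies.
    static readonly Dictionary<string, string> Allowed =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "name", "CustomerName" },
            { "created", "CreatedUtc" },
        };

    // Deny by default: any value outside the allow-list is rejected.
    public static bool TryResolve(string value, out string column)
    {
        column = null;
        return value != null && Allowed.TryGetValue(value, out column);
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample inputs: two intended values, then values nobody planned for.
        string[] samples = { "name", "Created", "password_hash", "name desc", "" };
        foreach (var s in samples)
        {
            bool deny = SortParameter.PassesDenyList(s);
            bool allow = SortParameter.TryResolve(s, out var col);
            Console.WriteLine(
                $"{s,-15} deny-list: {(deny ? "pass" : "block"),-6} allow-list: {(allow ? col : "reject")}");
        }
    }
}
```

The deny-list passes every sample, including the unplanned ones, because none of them happens to be on its list; the allow-list resolves only the two intended values and never forwards caller-supplied text.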
+1  A: 

Best Thing to do:

  • Hiring a security guy for source code analysis
  • Second best thing to do: hiring a security guy / pentesting company for black-box analysis

The following tools will help:

  • Static Analysis Tools Fortify / Ounce Labs - Code Review
  • Consider solutions such as HP WebInspect's secure object (VS.NET addon)
  • Buying a blackbox application scanner such as Appscan, WebInspect, Hailstorm, Acunetix

Hiring a security specialist is a much better idea (it will cost more, though) because they won't only find the injection and technical issues that an automated tool might find; they will also find all the logical issues as well.

dr. evil
A: 

We have used Telus to conduct Pen Testing for us a few times and have been impressed with the results.

Gord
A: 

May I recommend you contact Artec Group, Security Compass and Veracode and check out their offerings...

jm04469