Application Security Audit of a .NET Web Application?

Backend | Unresolved | 6 | 1350
礼貌的吻别 2021-02-04 22:14

Anyone have suggestions for security auditing of a .NET Web Application?

I'm interested in all options. I'd like to be able to have something agnostically probe my a

6 answers
  • 一个人的身影
    2021-02-04 22:26

    Anyone in your situation has the following options available:

    1. Code Review,
    2. Static Analysis of the code base using a tool,
    3. Dynamic Analysis of the application at run time.

    Mitchel has already pointed out the use of Fortify. In fact, Fortify has two products to cover the areas of static and dynamic analysis - SCA (static analysis tool, to be used in development) and PTA (that performs analysis of the application as test cases are executed during testing).

    However, no tool is perfect and you can end up with false positives (fragments of your code base, although not vulnerable, will be flagged) and false negatives. Only a code review could solve such problems. Code reviews are expensive - not everyone in your organization would be capable of reviewing code with the eyes of a security expert.

    To begin with, one can start with OWASP. Understanding the principles behind security is highly recommended before studying the OWASP Development Guide (3.0 is in draft; 2.0 can be considered stable). Finally, you can prepare to perform the first scan of your code base.
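
As an added illustration (not from the original thread) of the false positives and false negatives the answer describes, the Python script below runs two pattern-based static checks over constructed C# lines that build a SqlCommand: the grep-style rule flags a purely constant concatenation and misses a query assembled in a separate variable, while a rule that follows simple string assignments gets both cases right. The C# fragments and variable names are constructed for this demonstration.

```python
import re

# Constructed C# fragments (not from the original post) that exercise a
# pattern-based static check for SQL commands built by string concatenation.
SAMPLE_CS = """\
var cmd1 = new SqlCommand("SELECT * FROM Users WHERE Id = " + id, conn);
var cmd2 = new SqlCommand("SELECT * FROM Users WHERE Name = @name", conn);
string q = "SELECT * FROM Orders WHERE Owner = '" + user + "'";
var cmd3 = new SqlCommand(q, conn);
var cmd4 = new SqlCommand("SELECT " + "1", conn);
"""

# First argument of new SqlCommand(...): quoted literals or anything up to a top-level comma
QUERY_ARG = re.compile(r'new\s+SqlCommand\(((?:"[^"]*"|[^",])*)')
STRING_DECL = re.compile(r'\bstring\s+(\w+)\s*=\s*(.*);')
OPERAND = re.compile(r'"[^"]*"|[^\s+]+')   # a quoted literal or one '+' operand
LITERAL = re.compile(r'^"[^"]*"$')


def naive_scan(source: str) -> list[int]:
    """Grep-style rule: flag any SqlCommand whose query argument contains '+'."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if (m := QUERY_ARG.search(line)) and "+" in m.group(1)]


def flow_scan(source: str) -> list[int]:
    """Flag a SqlCommand whose query has a non-literal operand, following
    string variables assigned earlier in the same snippet."""
    safe_vars: set[str] = set()
    hits: list[int] = []

    def unsafe(expr: str) -> bool:
        # Anything that is neither a literal nor a variable known to be
        # constant is treated as potentially attacker-influenced.
        return any(not LITERAL.match(op) and op not in safe_vars
                   for op in OPERAND.findall(expr))

    for n, line in enumerate(source.splitlines(), 1):
        decl = STRING_DECL.search(line)
        if decl and not unsafe(decl.group(2)):
            safe_vars.add(decl.group(1))
        cmd = QUERY_ARG.search(line)
        if cmd and unsafe(cmd.group(1)):
            hits.append(n)
    return hits


if __name__ == "__main__":
    # naive: [1, 5] (line 5 is a false positive, line 4 a false negative); flow: [1, 4]
    print(naive_scan(SAMPLE_CS), flow_scan(SAMPLE_CS))
```

Even the second rule is only a heuristic: it treats every undeclared identifier as untrusted and knows nothing about method calls or data flowing across files, which is exactly the gap the answer says a human code review has to close.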
