Application Security Audit of an .NET Web Application?

Question

Anyone have suggestions for security auditing of an .NET Web Application?

I\'m interested in all options. I\'d like to be able to have something agnostically probe my a

Answer 1

Anyone in your situation has the following options available:

1. Code Review,
2. Static Analysis of the code base using a tool,
3. Dynamic Analysis of the application at run time.

Mitchel has already pointed out the use of Fortify. In fact, Fortify has two products to cover the areas of static and dynamic analysis - SCA (static analysis tool, to be used in development) and PTA (that performs analysis of the application as test cases are executed during testing).

However, no tool is perfect and you can end up with false positives (fragments of your code base although not vulnerable will be flagged) and false negatives. Only a code review could solve such problems. Code reviews are expensive - not everyone in your organization would be capable of reviewing code with the eyes of a security expert.

To begin, with one can start with OWASP. Understanding the principles behind security is highly recommended before studying the OWASP Development Guide (3.0 is in draft; 2.0 can be considered stable). Finally, you can prepare to perform the first scan of your code base.

Answer 2

Testing and static analysis is a very poor way to find security vulnerabilities, and is really a method of last resort if you haven't thought of security throughout the design and implementation process.

The problem is that you are now trying to enumerate all of the ways your application could fail, and deny those (by patching), rather than trying to specify what your application should do, and prevent everything that isn't that (by defensive programming). Since your application probably has infinite ways to go wrong and only a few things that it is meant to do, you should take an approach of 'deny by default' and allow only the good stuff.

Put it another way, it's easier and more effective to build in controls to prevent whole classes of typical vulnerabilities (for examples, see OWASP as mentioned in other answers) no matter how they may arise, than it is to go looking for which specific screwup some version of your code has. You should be trying to evidence the presence of good controls (which can be done), rather than the absence of bad stuff (which can't).

If you get somebody to review your design and security requirements (what exactly are you trying to protect against?), with full access to code and all details, that will be more valuable than some kind of black box test. Because if your design is wrong then it won't matter how well you implemented it.

Answer 3

We have used Telus to conduct Pen Testing for us a few times and have been impressed with the results.

Answer 4

May I recommend you contact Artec Group, Security Compass and Veracode and check out their offerings...

Answer 5

Best Thing to do:

• Hiring a security guy for source code analysis
• Second best thing to do hiring a security guy / pentesting company for black-box analysis

Following tools will help :

• Static Analysis Tools Fortify / Ounce Labs - Code Review
• Consider solutions such as HP WebInspects's secure object (VS.NET addon)
• Buying a blackbox application scanner such as Netsparker, Appscan, WebInspect, Hailstorm, Acunetix or free version of Netsparker

Hiring some security specialist is so much better idea (will cost more though) because they won't only find injection and technical issues where an automated tool might find, they will also find all logical issues as well.

Answer 6

One of the first things that I have started to do with our internal application is use a tool such as Fortify that does a security analysis of your code base.

Otherwise, you might consider enlisting the services of a third-party company that specializes in security to have them test your application