A new package from Sanctum, released in March, will help ASP.Net development teams catch security problems during the development process. AppScan Developer Edition 1.5—a new product despite the version number—is a customized version of the AppScan Web application security scanner I last reviewed in the middle of last year. It's been redesigned as a plug-in for Microsoft's current Visual Studio .Net 2002 and upcoming Visual Studio .Net 2003 development tools.
AppScan Developer Edition works by walking through the pages in a Web application (any Web application, not just ASP.Net applications, can be scanned) to determine HTML form variables and overall structure, then exhaustively checks the site for security problems. It tries to find application errors (which are often easy to turn into security holes) by submitting cross-site scripting attacks, by trying to overflow input buffers, and by manipulating HTML parameters and cookies.
Possible problems are presented from within Visual Studio, along with general advice and example code describing how to fix the problem.
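The two phases described above (collecting a site's form variables, then deciding whether an input the scanner submitted comes back in the response unencoded) as an added illustration; this is example code, not Sanctum's, and the HTML pages and the `<scanprobe>` marker are constructed for it.

```python
"""Added example (not AppScan's code): a minimal version of what a Web
application scanner does. Phase 1 walks a page and records the form
variables it exposes; phase 2 checks whether a value that was submitted
came back in the response verbatim, which is the classic sign of an
output-encoding bug that a developer should fix before shipping."""
import html
from html.parser import HTMLParser


class FormCollector(HTMLParser):
    """Collect action, method and named fields for every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if a.get("name"):  # unnamed controls (e.g. submit buttons) are not variables
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def collect_forms(page_html):
    """Phase 1: return the forms and their variable names found on a page."""
    parser = FormCollector()
    parser.feed(page_html)
    return parser.forms


def reflected_unencoded(marker, response_html):
    """Phase 2: True when the submitted marker is echoed back exactly as sent.
    An HTML-encoded echo (&lt;scanprobe&gt;) is the safe behaviour and is not flagged."""
    return marker in response_html


# Constructed sample data for the example (an ASP.Net-style login form).
LOGIN_PAGE = """<html><body>
<form action="login.aspx" method="post">
  <input type="hidden" name="__VIEWSTATE" value="constructed" />
  <input type="text" name="user" /> <input type="password" name="pass" />
  <input type="submit" value="Log in" />
</form></body></html>"""
PROBE = "<scanprobe>"
UNSAFE_RESPONSE = "<p>Unknown user " + PROBE + "</p>"           # echoed raw
SAFE_RESPONSE = "<p>Unknown user " + html.escape(PROBE) + "</p>"  # echoed encoded
```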
The software is priced at $995 until Aug. 1 and $1,495 thereafter. More information can be found at www.sanctuminc.com.