posted on Tuesday, January 25, 2005 9:28 PM by davidboschmans
SecurityChecker complaints
Tim Weaver is definitely not happy with DevPartner SecurityChecker 1.0, Compuware's new product designed to detect security issues in ASP.NET applications. Me too, I had some issues, though not the ones Tim is complaining about. Anyone listening from Compuware technical support?
Here are some tips if you're struggling with the performance of SecurityChecker.
SecurityChecker takes a long time to complete analysis. How can I reduce the Analysis time?
Several factors contribute to the analysis time:
Application Size – How many projects are in the Solution
The size of your application is a determining factor in how long the analysis will take. If you have many projects within your solution, consider analyzing each project separately. You can do this by navigating the application by hand using Manual discovery, or by modifying a discovery map so that it only covers certain pages within the application.
Number of ASP.NET pages being analyzed
If your application contains many pages, consider using Manual discovery and limiting the session to specific pages.
Number of functions on each page being analyzed
If there are data grids on the pages of your application, Integrity analysis in particular will take a long time to run, because every control in the grid is exercised. To analyze the application effectively it is still important to test for vulnerabilities in the grid, so expect this part of the run to take time.
Automatic or Manual discovery
Because Automatic discovery is designed to test all aspects of your application, it will take a long time on large applications. Consider using Manual discovery to limit the parts of the application analyzed, or consider running each type of analysis (Compile-time, Run-time, and Integrity) individually.
Automatic Discovery Session Settings
If running with the default settings is producing long analysis times, you can reconfigure the Automatic discovery settings. These settings have a direct effect on the analysis time.
Use the SecurityChecker Settings dialog to reconfigure the settings. Open the settings dialog from the SecurityChecker menu: SecurityChecker -> Settings -> Discovery Map. In the "Automatic Discovery Map" section there are "Link Visitation Limit", "Crawl Depth" and "Maximum Links per Page" settings.
By default, the values are:
Link Visitation Limit – 2 visits
Crawl Depth – 10 levels
Maximum Links per Page – 25
Decreasing any of these values shortens the analysis time. Most often, it is the Crawl Depth setting that has the greatest effect.
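To see why these three settings shape the crawl budget, here is an added example (not code from the post or from Compuware's product) that models Automatic discovery as a breadth-first crawl over a small constructed ASP.NET site graph. The page names and link structure are hypothetical; every fetch stands for one unit of analysis work, so the function returns the number of fetches and the number of distinct pages reached.

```python
from collections import deque

# Constructed example site (hypothetical): each page maps to the links it
# exposes, in page order. Back-links create the cycles that make the Link
# Visitation Limit matter. No network traffic is involved.
SITE = {
    "/default.aspx":    ["/products.aspx", "/about.aspx", "/login.aspx"],
    "/about.aspx":      ["/default.aspx", "/contact.aspx"],
    "/contact.aspx":    ["/default.aspx"],
    "/login.aspx":      ["/default.aspx", "/account.aspx"],
    "/account.aspx":    ["/default.aspx", "/orders.aspx"],
    "/orders.aspx":     ["/account.aspx", "/order.aspx?id=1", "/order.aspx?id=2"],
    "/order.aspx?id=1": ["/orders.aspx"],
    "/order.aspx?id=2": ["/orders.aspx"],
    "/products.aspx":   ["/default.aspx", "/item.aspx?id=1", "/item.aspx?id=2", "/item.aspx?id=3"],
    "/item.aspx?id=1":  ["/products.aspx", "/cart.aspx"],
    "/item.aspx?id=2":  ["/products.aspx", "/cart.aspx"],
    "/item.aspx?id=3":  ["/products.aspx", "/cart.aspx"],
    "/cart.aspx":       ["/products.aspx", "/checkout.aspx"],
    "/checkout.aspx":   ["/cart.aspx", "/default.aspx"],
}

def discover(site, start="/default.aspx", link_visitation_limit=2,
             crawl_depth=10, max_links_per_page=25):
    """Breadth-first crawl modelling the three Automatic Discovery Map settings.
    Returns (fetches, distinct_pages). A page is fetched at most
    link_visitation_limit times, links are followed only while the current
    depth is below crawl_depth, and at most max_links_per_page links are
    taken from each page in page order."""
    visits = {}
    fetches = 0
    queue = deque([(start, 0)])
    while queue:
        page, depth = queue.popleft()
        if visits.get(page, 0) >= link_visitation_limit:
            continue                      # visitation limit reached: skip
        visits[page] = visits.get(page, 0) + 1
        fetches += 1                      # one unit of analysis work
        if depth >= crawl_depth:
            continue                      # fetched, but not expanded further
        for link in site.get(page, [])[:max_links_per_page]:
            queue.append((link, depth + 1))
    return fetches, len(visits)

if __name__ == "__main__":
    for depth in (10, 3, 1):
        print("crawl_depth=%2d -> fetches=%d, pages=%d"
              % ((depth,) + discover(SITE, crawl_depth=depth)))
```

Lowering Crawl Depth drops whole tiers of the site from the session, while lowering Link Visitation Limit only removes repeat fetches of pages already seen, which is why the depth setting usually has the larger effect.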
Type of Analysis being run
There are 3 types of analysis that can be run in SecurityChecker: Compile-time analysis, Run-time analysis, and Integrity analysis.
Compile-time analysis is the quickest to complete.
Run-time analysis generally does not take long to complete.
However, because SecurityChecker Integrity analysis simulates extensive attacks on your application, this type of analysis can take a while to complete.
If all 3 analysis types are selected, the session will take longer to complete. If the application being analyzed is large, running only 1 analysis type per session will reduce the time needed to complete the analysis.
The total number of Vulnerabilities / Rules being analyzed
By default, all of the Rules are selected to be checked during a SecurityChecker session. If you are reusing a discovery map, you can select only certain Vulnerability categories and Severities to be used in the next session. Selecting one severity or category per session will reduce the analysis time.