I recently downloaded and started playing around with Compuware's
Security Checker offering. I have to admit that I had/have some high
hopes for this thing. Anything that will highlight potential security
problems in a project in a way that is easy/quick to use is a definite
plus.
After using it a short while I think maybe my expectations were too
high. So before I talk about the app, let me list what I expected:
1. There would be a stand-alone app to run.
2. It would check both ASP.NET and standard projects.
3. It would work (okay, maybe this one isn't fair).
After getting a number of ODBC timeouts on the Compuware site while
trying to download the app, the installation went fairly smoothly. It
did seem like it needlessly gave me too many options. It asked me to
install the prerequisites, but then wouldn't install them unless I
agreed to each one. That seemed sort of redundant. If the app won't
work without the prerequisites, then it should be a simple yes, install
them, or no, don't. Maybe that is just me though.
After installing I went to Start->All Programs->Compuware….->InfoCenter.
Well, truthfully, I was looking for an .EXE to launch, but InfoCenter
wasn't it. I don't know why I assumed there was some stand-alone
version, but I did. So my first thought when it wasn't there was that
the installation didn't work right. Maybe I screwed up the
prerequisites? I ran it again, and again it installed with no errors.
Interestingly enough, it didn't say this product was already installed.
Once more, all there was under All Programs was InfoCenter. About this
time a light clicked on and I launched the IDE. Sure enough, there was
the application.
We have a number of ongoing projects, most of which are web based in
some way, shape, or fashion, and most of which are rather large. I
loaded up the only one I had currently built/deployed to my dev box
and (about 3 minutes later) when it finished loading I clicked the
Security Checker icon.
It promptly blew up with an error dialog. Looking at the Event Viewer I saw:
Type: InfraManager boundary of exception type:
System.ArgumentException Exception Information:
Message:
The path is not of a legal form.
Not exactly a helpful error. I spent some time trying to figure out
what the problem was—no dice. Eventually I gave up and fired up a very
simple one-page ASP.NET app. Security Checker loaded fine and did the
analysis. I got a surprising number of results back for my one page.
Next I decided to try a different application. I got the code, built
the site, verified it worked, and then launched the IDE. Immediately I
noticed that the Security Checker icons were all disabled. It took me
a moment to figure out why. When the team set up this web application
they decided to make it a class library instead of a web app. Fritz
Onion posted a how-to about this a long time back. It seems that even
though the app is an ASP.NET application, Security Checker refused to
understand it, undoubtedly because the project type wasn't a web
application.
A bit discouraged I sent this info off to Compuware and they were very
good about getting back to me. A technical help person asked for a lot
of information (most of which I wasn't willing to give) and said she
would be forwarding everything to the engineers. So far I haven't
heard anything back (and don't honestly expect to).
So where does that leave me? I still have high expectations for this
application. Unfortunately it isn't going to make any short list of
must-have tools for me anytime soon. Hopefully when the VS2005 version
comes out most of my issues will cease to exist and I can reevaluate
the tool. Till then we will continue to provide our security the
"old-fashioned" way.