finding security holes

[Keith G Hicks]

Does anyone know of any good software out there that can be used for testing
websites for security holes such (but not only) as sql injection? I know MS
has a tool for asp that can find sql injection problems but I could not get
it to work on my asp.net project. And I'm looking for something a bit more
complete.

Thanks,

Keith

 

[Cowboy \(Gregory A. Beamer\)]

One free tool is TAM (Threat Analysis and Modeling Tool) -
http://www.microsoft.com/downloads/...78-9DAF-4E96-B7D1-944703479451&displaylang=en

There is an Enterprise version of this tool. This is the lite version.

Microsoft also has another tool called SPIDER. I am not sure how to get this
tool, however.

There are numerous code profilers out there that you can use. Most are
focused on performance, however. Compuware does have a security checker,
which I believe is part of DevPartner Studio.

Another direction to go is one of the code checkers. Some, like Code It
Right, have security rules built in. The same is true of free tools like Fx
Cop.
http://www.microsoft.com/downloads/...70-f281-4fb0-aba1-d59d7ed09772&DisplayLang=en

For a more hands on approach, Microsoft has a patterns tool called Guidance
Explorer (http://www.codeplex.com/guidanceExplorer). This is not a tool that
necessarily finds bad code, however, it is more a tool that gives you
guidance, so it is not precisely what you are looking at.

Hope this helps!