Build Security Into Your .NET Application
By Mark Lambert
February 19, 2019
The latest release of dotTEST (10.4.1) introduced significant enhancements to help development organizations deliver secure and reliable .NET applications. Read on to learn more about building security into .NET software.
As discussed in the recently-released SANS Institute report, 2018 Secure DevOps: Fact or Fiction?, many organizations are bound by constraints around privacy and access (e.g. GDPR, PCI, PII), federal regulations, and mandated oversight. With these boundaries, to ensure a successful DevSecOps strategy, it is critical to integrate automated security testing into development workflows:
Continuous vulnerability scanning can be (and should be) embedded into automated build/deployment pipelines in continuous integration and continuous delivery to catch problems as soon as they are introduced.
– 2018 Secure DevOps: Fact or Fiction?
The report also highlights that over 50% of the organizations surveyed consider their existing legacy applications risky, with those applications accounting for over 14% of breaches, and that a significant share of respondents (over 30%) run applications built on .NET.
The newest release of dotTEST focuses on helping organizations mitigate the business risks inherent in today’s applications, addressing these challenges with expanded static analysis capabilities and the introduction of a new Security Compliance Pack that brings compliance reporting for OWASP, CWE, and UL-2900 to .NET development teams.
Expanded support for security standards
This release expands Parasoft's support for the most important .NET security standards with complete support for the OWASP Top 10 and what Parasoft describes as the broadest CWE coverage in the industry. This support enables teams to build security into their software quality process, executing deep code analysis directly within Visual Studio as well as part of the CI/CD pipeline through the command-line interface and CI plugins (available for Jenkins, Bamboo, TeamCity and Azure DevOps).
Looking at the OWASP Top 10, for example, Parasoft's support helps teams enforce security from the start of development and throughout the software lifecycle through:
- Out-of-the-box policy / test configurations that are fully configurable.
- Execution from within the IDE and via the CI/CD process, so vulnerabilities are located earlier in the SDLC, when they are cheapest to fix.
- Guidance on how to fix the vulnerabilities with supported documentation and training material.
- Compliance dashboards, widgets, and reports that implement the OWASP risk assessment framework.
- Application vulnerability correlation (AVC) with real-time compliance metrics that show how well you are doing at achieving compliance with OWASP.
If your team is looking to the CWE Top 25 for security guidance, Parasoft's policy-driven approach helps your organization reach its security goals while keeping policy application consistent and unobtrusive. The automated infrastructure monitors policy compliance for visibility and auditability.
In line with the support for the OWASP Top 10, Parasoft's out-of-the-box CWE mappings mean that users don't have to work out which checkers correspond to which CWEs when configuring the analysis, and when fixing violations they always know which CWE they are working on, because the static analysis checker names carry the CWE identifier.
Reporting to demonstrate compliance
In addition to new rules and configurations, the Security Compliance Pack includes new Compliance Reporting for both OWASP and CWE that includes:
- Compliance Overview – providing a summary of compliance status against each weakness.
- Weakness Detection Plan – providing a configurable framework for assigning static analysis violations to specific weaknesses.
- Deviation Report – providing detailed reporting for auditing of violation exceptions (i.e. suppressions).
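The two mechanisms the page describes, a policy-driven gate in the CI/CD pipeline and a deviation report that exposes suppressions to auditors, are easy to get subtly wrong: a suppression that silences a finding without a recorded justification is the most common way a "compliant" dashboard hides real risk. The following is an added, illustrative example (not dotTEST's report format, CLI or code) of the gate logic itself: it reads a constructed, hypothetical findings file in which each violation already carries its CWE mapping, fails the build on any unsuppressed finding for a weakness the team's policy blocks, treats suppressions that lack a reason and author as failures rather than deviations, and emits the justified suppressions as a deviation list. The `BLOCKED_CWES` set is an illustrative subset chosen for the example, not the full CWE Top 25.

```python
"""Illustrative CI gate over static-analysis findings.

Hypothetical example: the report shape, rule names and policy set are
constructed for illustration and are not a vendor's schema or CLI.
"""
import json
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample report (hypothetical shape): each violation already
# carries the CWE its checker maps to; None means the rule is not a CWE rule.
SAMPLE_REPORT = json.dumps({
    "violations": [
        {"rule": "SEC.INJ.SQL", "cwe": 89, "file": "Orders.cs", "line": 42,
         "severity": 1, "suppressed": False},
        {"rule": "SEC.XSS", "cwe": 79, "file": "Views/Home.cshtml", "line": 7,
         "severity": 1, "suppressed": True,
         "reason": "value is HtmlEncoded by the Razor helper upstream",
         "author": "jdoe"},
        {"rule": "SEC.HARDCODED.PASSWORD", "cwe": 798, "file": "Db.cs", "line": 3,
         "severity": 2, "suppressed": True},          # suppressed, no reason
        {"rule": "CS.NAMING", "cwe": None, "file": "Util.cs", "line": 10,
         "severity": 4, "suppressed": False},
    ]
})

# Illustrative policy: CWE IDs this hypothetical team chooses to block.
# A real policy would be derived from the full CWE Top 25 / OWASP mapping.
BLOCKED_CWES = {22, 78, 79, 89, 352, 502, 611, 798}


@dataclass(frozen=True)
class Violation:
    rule: str
    cwe: Optional[int]
    file: str
    line: int
    severity: int
    suppressed: bool = False
    reason: str = ""
    author: str = ""


@dataclass
class GateResult:
    blocking: List[Violation] = field(default_factory=list)     # fail the build
    deviations: List[Violation] = field(default_factory=list)   # justified suppressions
    unjustified: List[Violation] = field(default_factory=list)  # suppressed without audit trail

    @property
    def passed(self) -> bool:
        # An unjustified suppression is a policy failure, not a deviation.
        return not self.blocking and not self.unjustified


def load_violations(report_json: str) -> List[Violation]:
    """Parse the hypothetical JSON report into Violation records."""
    return [Violation(**v) for v in json.loads(report_json)["violations"]]


def evaluate(violations: List[Violation], blocked_cwes) -> GateResult:
    """Apply the policy: only CWE-mapped findings in the blocked set matter."""
    result = GateResult()
    for v in violations:
        if v.cwe not in blocked_cwes:
            continue  # outside policy scope (style rules, unlisted CWEs)
        if not v.suppressed:
            result.blocking.append(v)
        elif v.reason.strip() and v.author.strip():
            result.deviations.append(v)
        else:
            result.unjustified.append(v)
    return result


def deviation_report(result: GateResult) -> List[str]:
    """One auditable line per suppression, justified or not."""
    lines = []
    for v in result.deviations:
        lines.append(f"DEVIATION CWE-{v.cwe} {v.rule} {v.file}:{v.line} "
                     f"by {v.author}: {v.reason}")
    for v in result.unjustified:
        lines.append(f"UNJUSTIFIED CWE-{v.cwe} {v.rule} {v.file}:{v.line} "
                     f"(suppressed without reason/author)")
    return lines


if __name__ == "__main__":
    gate = evaluate(load_violations(SAMPLE_REPORT), BLOCKED_CWES)
    for v in gate.blocking:
        print(f"BLOCKING CWE-{v.cwe} {v.rule} {v.file}:{v.line}")
    print("\n".join(deviation_report(gate)))
    sys.exit(0 if gate.passed else 1)
```

On the constructed sample the gate fails: the SQL injection finding is unsuppressed, and the hard-coded password suppression has no justification, so it is reported as unjustified rather than quietly accepted. The XSS suppression, which carries a reason and an author, appears in the deviation list for an auditor to review. Plugging a real report into this shape is the only vendor-specific part.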
Example compliance report for OWASP
Dashboard and workflows to facilitate the road to compliance
The Security Compliance Pack also introduces OWASP- and CWE-specific dashboards and widgets that help organizations streamline the process of achieving (and maintaining) compliance. Mapping static analysis violations to OWASP's risk scoring and to CWE's Technical Impact and Development Concepts lets organizations see both how much risk they carry against each standard and exactly where in the code that risk lies. Parasoft also provides a streamlined workflow for navigating and prioritizing the violations so that the team spends its effort where it matters most.
Widgets showing OWASP Compliance and Violations, categorized by Risk
Widgets showing CWE Compliance and Violations categorized by Development Concepts and Technical Impact
Many of today's enterprise systems are built on the .NET platform, so it is critical for these applications to be reliable and secure if the businesses that depend on them are to succeed. The recent release of Parasoft dotTEST introduces the key capabilities .NET development teams need to ensure that their applications are reliably secure.