
Build Security Into Your .NET Application

The latest release of dotTEST (10.4.1) introduced significant enhancements to help development organizations deliver secure and reliable .NET applications. Read on to learn more about building security into .NET software.

As discussed in the recently-released SANS Institute report, 2018 Secure DevOps: Fact or Fiction?, many organizations are bound by constraints around privacy and access (e.g. GDPR, PCI, PII), federal regulations, and mandated oversight. With these boundaries, to ensure a successful DevSecOps strategy, it is critical to integrate automated security testing into development workflows:

Continuous vulnerability scanning can be (and should be) embedded into automated build/deployment pipelines in continuous integration and continuous delivery to catch problems as soon as they are introduced.

- 2018 Secure DevOps: Fact or Fiction?

The report also highlights that over 50% of the organizations surveyed consider their existing legacy applications risky, with those applications accounting for over 14% of breaches -- and a significant share of those applications are built on .NET (over 30% of respondents).

The newest release of dotTEST focuses on helping organizations mitigate the business risks inherent in today’s applications, addressing these challenges with expanded static analysis capabilities and the introduction of a new Security Compliance Pack that brings compliance reporting for OWASP, CWE, and UL-2900 to .NET development teams.

Expanded support for security standards

This release expands Parasoft’s support for the most important .NET security standards with complete support for the OWASP Top 10 and the broadest support for CWE in the industry. This comprehensive support enables teams to build security into their software quality process, executing deep code analysis directly within Visual Studio, as well as a part of the CI/CD pipeline through the command-line interface and CI plugins (available for Jenkins, Bamboo, TeamCity and Azure DevOps).

Reporting to demonstrate compliance

In addition to new rules and configurations, the Security Compliance Pack includes new Compliance Reporting for both OWASP and CWE that includes:

  1. Compliance Overview - providing a summary of compliance status against each weakness.
  2. Weakness Detection Plan - providing a configurable framework for assigning static analysis violations to specific weaknesses.
  3. Deviation Report - providing detailed reporting for auditing of violation exceptions (i.e. suppressions).


Example compliance report for OWASP

Dashboard and workflows to facilitate the road to compliance

The Security Compliance Pack also introduces new OWASP- and CWE-specific dashboards and widgets that help organizations streamline the process of achieving (and maintaining) compliance. Mapping static analysis violations to OWASP's Risk Scoring and CWE's Technical Impact and Development Concepts lets organizations understand their level of risk relative to each standard, along with exactly where that risk lies. Parasoft also provides a streamlined workflow for navigating and prioritizing violations so that the team spends its effort where it matters most.


OWASP Compliance Widgets

Widgets showing OWASP Compliance and Violations, categorized by Risk


CWE Compliance Widgets

Widgets showing CWE Compliance and Violations categorized by Development Concepts and Technical Impact

TL;DR

Many of today’s enterprise systems are built on top of the .NET platform, so it is critical for these applications to be reliable and secure for businesses to succeed. The recent release of Parasoft dotTEST introduces the key capabilities needed to help .NET development teams ensure that their applications are reliably secure.
