Securing Applications with SecureObjects (Page 1 of 2)
Developers in search of the elusive secure Web page should try SecureObjects to locate potential problems, because it promises bulletproof forms. And, with only a few caveats, it delivers on its promise.
SecureObjects is one of the easiest ways to check your Web application for a myriad of security problems, and it helps you fix the problems that it finds. SecureObjects integrates completely with the Visual Studio .NET IDE, so you don't have to worry about any kludges. In fact, you can do everything you need with one specialized control and a toolbar. Really, it's that easy.
The version of SecureObjects I tested only works with Visual Studio .NET 2003. Company representatives assured me that a version for Visual Studio .NET 2005 is already under construction and should appear shortly after Visual Studio .NET 2005 reaches the market.
Working with Forms
The tutorial makes things look almost too easy, so I first constructed five test applications to exercise the forms portion of the software. The applications included a hello world scenario (just to see what SecureObjects would do), a simple display page with a database back-end, a data entry application, a server monitoring application that included PInvoke features, and a database application that relies on a live feed from a Web service. SecureObjects found every error in each form that I created. (I purposely avoided the scenarios described in the "A Few Caveats" section of this review, because the vendor has already said that these scenarios don't work.)
Using the Secure Form Wizard is painless. Simply open the form you want to check and click the Secure Form Wizard button on the toolbar; it automatically checks your form for you. Figure 1 shows how the wizard locates every possible security risk and displays a list.
This doesn't mean the software takes over. You have the option of not applying security to a particular control. For example, I cleared the check box next to txtOutput before I proceeded, because I know that the control is read-only and that the viewer can't even see it during the initial form display. It would have been nice if SecureObjects had detected the read-only state of this control, though, and left it out of the list.
Figure 1: The wizard automatically finds all of the controls that require security on a form.
The next step of the wizard (Figure 2) shows which controls receive validation and lets you choose the validation type. I wish that the drop-down list box on this form showed all of the validations that SecureObjects provides, but it doesn't. Let's just say there are quite a few — more than I care to list in this review. You can choose from a wide variety of selections that include everything from an American Express credit card entry to a number of date and time formats. The list even includes items such as a military ID.
Figure 2: Choose the type of verification you want to use for a particular field as a next step.
Let's assume that you don't find the verification pattern you need. You can always click Advanced, follow a few steps for creating a new pattern based on an existing entry, and add this new pattern to the list that SecureObjects supports. In other words, even if SecureObjects doesn't have the verification pattern you need today, it will have it tomorrow.
You repeat the verification pattern step for each control on a form that requires validation.
Your validation options when using the Microsoft validators end at the verification pattern step. When using SecureObjects, however, you move on to another step, shown in Figure 3. SecureObjects is one of only two or three products I've seen that use the Windows event log as a native feature. Every time someone triggers a security violation, you can log it to the event log and look for patterns later.
Figure 3: Use event log entries to record actions that SecureObjects performs to keep your Web site secure.
Based on my tests, the best option in this list for the typical Web site is Log Only Security Messages to the Windows Event Log. The Log All Events to the Windows Event Log option tends to fill up the log too quickly with meaningless information. Most developers won't want to take the time to write their own custom logging feature, and ignoring the logging option is simply a waste of a great security feature.
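To make the distinction between the two logging modes concrete, here is an added example (not SecureObjects code, and not from the review) of a pattern validator for a form field that writes to the Windows Event Log either for every request or only for rejected input. The event source name `ExampleWebApp` and the field name `txtDate` are assumptions chosen for the illustration.

```csharp
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

// Mirrors the wizard's choices: no logging, security messages only, or all events.
public enum LoggingMode { None, SecurityMessagesOnly, AllEvents }

public class PatternValidator
{
    // Hypothetical event source; register it once at install time, since
    // CreateEventSource needs administrative rights that a worker process lacks.
    private const string Source = "ExampleWebApp";
    private readonly Regex _pattern;
    private readonly string _fieldName;
    private readonly LoggingMode _mode;

    public PatternValidator(string fieldName, string anchoredPattern, LoggingMode mode)
    {
        _fieldName = fieldName;
        // The pattern must be anchored (^...$) so partial matches are not accepted.
        _pattern = new Regex(anchoredPattern, RegexOptions.CultureInvariant);
        _mode = mode;
    }

    // Returns true when the input matches; logs according to the configured mode.
    public bool Validate(string input, string clientAddress)
    {
        bool accepted = input != null && _pattern.IsMatch(input);
        if (accepted && _mode == LoggingMode.AllEvents)
            Write(_fieldName + ": input accepted", EventLogEntryType.Information);
        else if (!accepted && _mode != LoggingMode.None)
            // Record the rejection and its origin, not the raw input, so untrusted
            // data is not copied into the log where an analyst will later read it.
            Write(String.Format("{0}: input from {1} rejected (length {2})",
                  _fieldName, clientAddress, input == null ? 0 : input.Length),
                  EventLogEntryType.Warning);
        return accepted;
    }

    private static void Write(string message, EventLogEntryType type)
    {
        if (!EventLog.SourceExists(Source))
            EventLog.CreateEventSource(Source, "Application");
        EventLog.WriteEntry(Source, message, type);
    }
}

// Usage: a date field that only ever logs failures, the setting the review recommends.
// var v = new PatternValidator("txtDate", @"^\d{4}-\d{2}-\d{2}$", LoggingMode.SecurityMessagesOnly);
// bool ok = v.Validate(Request.Form["txtDate"], Request.UserHostAddress);
```

In AllEvents mode every successful submission produces an Information entry, which is the flood of low-value records the review warns about; SecurityMessagesOnly keeps just the Warning entries worth reviewing for patterns.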
The final step is a summary page that tells you precisely what SecureObjects will add to your application. I really like this feature, and the fact that SecureObjects makes it easy to remove entries you don't want later. Overall, this is a very well-designed wizard that helps you become productive with the product quickly.
Of course, most developers won't want to secure a large project by opening one page at a time. Fortunately, you can perform this task more easily. Simply highlight the project entry in Solution Explorer and click the Analyze Project button on the SecureObjects toolbar. What you receive is a Task List entry, like the one shown in Figure 4, that lists all of the pages containing entries you need to validate. Double-clicking an entry starts the Secure Form Wizard for that page.
Figure 4: Check all of the pages at once and SecureObjects will provide a list of tasks for you.