SecurityChecker takes a long time to complete analysis



SecurityChecker takes a long time to complete analysis. How can I reduce the Analysis time?


This article pertains to all versions of Security Checker.

Several factors contribute to the analysis time:

Application Size

The size of your application is a determining factor in how long the analysis will take. If you have many projects within your solution, consider analyzing each project separately. You can do this by manually navigating the application using Manual discovery, or by modifying a discovery map to only analyze certain pages within the application.

For information on using either of these methods, see the following online help topics:

  • What is Discovery
  • Using Discovery Maps.

For more detailed information, see the Advanced Use chapter in the Understanding DevPartner SecurityChecker book (or pdf).

Number of ASP.NET pages being analyzed

If your application contains many pages, consider using Manual discovery and limiting the session to specific pages.

Number of functions on each page

If there are data grids on the pages of your application, integrity analysis (specifically) will take a long time to run. To effectively analyze the application it is important to test for vulnerabilities in the grid. Be advised that this will take time.

Automatic or Manual discovery

Because Automatic discovery is designed to test all aspects of your application, it will take a long time on large applications. Consider using Manual discovery to limit the parts of the application analyzed, or consider running each type of analysis (Compile-time, Run-time, and Integrity) individually.

Automatic Discovery Settings

If running with the default settings is producing long analysis times, you can reconfigure the Automatic discovery settings. These settings may have an affect on the analysis time.

Use the SecurityChecker Settings dialog to reconfigure the settings. Open the settings dialog from the SecurityChecker menu: SecurityChecker > Settings > Discovery Map. In the Automatic Discovery Map” section there are Link Visitation Limit, Crawl Depth and Maximum Links per Page settings.

By default, the values are:

Link Visitation Limit 2 visits

Crawl Depth 10 levels

Maximum Links per Page - 25

By decreasing the values of these settings, analysis time will be shortened. Most often, it is the Crawl Depth setting that has the most affect.

Type of analysis being run

There are 3 types of analysis that can be run in SecurityChecker; Compile Time analysis, Run Time analysis, and Integrity analysis.

Compile time analysis is the quickest to complete.

Run time analysis generally does not take long to complete.

However, because SecurityChecker Integrity analysis simulates extensive attacks on your application, this type of analysis can take a while to complete.

If all 3 analysis types are selected, the session will take longer to complete. If the application being analyzed is large, running only 1 session type at a time will reduce the time to complete the analysis.

The total number of Vulnerabilities / Rules being analyzed

By default, all of the Rules are selected to be checked during a SecurityChecker session. If you are reusing a discovery map you can select only certain Vulnerability categories and Severities to be used in the next session. Selecting one severity or category per session will reduce the analysis time.

Old KB# 11156
Comment List
Related Discussions