Building More Secure Applications

Dave Glover
Developer Solutions Specialist
Microsoft Australia
Blog: http://blogs.msdn.com/dglover

Graham Elliott
Architectural Technology Specialist
Microsoft Australia
[email protected]

ARC215

Agenda

- The Importance of Application Security
- Addressing Application Security
- Security Principles to Live By
- Tools and Resources
- Next Steps
- Q&A

The Importance of Application Security

The Gartner Group states: "Today over 70% of attacks against a company's Web site or Web application come at the 'Application Layer' not the Network or System layer."

Microsoft Developer Research: "64 percent of developers are not confident in their ability to write secure applications"

Understanding The Attackers

(Figure: attacker types plotted against their motivation.)
Attacker types: Author, Script-Kiddie, Hobbyist Hacker, Expert, Specialist, Vandal, Cyberpunk, Thief, Booster, Fence, Classic Criminals, Spy, Terrorist, Mal-Tech Trespasser, Disgruntled Employee, Anyone
Motivations: National Interest, Chaos, Steal Something of Value / assets, Personal Fame, To Embarrass, To Win, Curiosity, Nothing, Unintentional

Example Threats Against The Application

Threat: SQL injection
Example: Including DROP TABLE in text typed into an input field

Threat: Cross-site scripting
Example: Using malicious client-side script to steal cookies

Threat: Hidden-field tampering
Example: Maliciously changing the value of a hidden field

Threat: Eavesdropping
Example: Using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections

Threat: Session hijacking
Example: Using a stolen session ID cookie to access someone else's session state

Threat: Identity spoofing
Example: Using a stolen forms authentication cookie to pose as another user

Threat: Information disclosure
Example: Allowing the client to see a stack trace when an unhandled exception occurs
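The hidden-field tampering and forged-cookie rows above can be detected on the server by giving every value that round-trips through the client an HMAC tag bound to the field name and rejecting anything that fails verification. This is an added Python example, not code from the deck (which targets ASP.NET); the key, field names and values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Server-side key; assumed to be held in protected configuration, never sent to the client.
SERVER_KEY = secrets.token_bytes(32)


def sign_field(name: str, value: str, key: bytes = SERVER_KEY) -> str:
    """Return 'value.tag' where tag is HMAC-SHA256 over the field name and value.

    Binding the name into the MAC stops an attacker reusing a valid tag taken
    from a different field (for example moving a 'discount' tag onto 'price').
    """
    tag = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_field(name: str, signed: str, key: bytes = SERVER_KEY):
    """Return the value if the tag verifies, else None: reject, never repair."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so tag checking does not leak timing information.
    if not hmac.compare_digest(expected, tag):
        return None
    return value


def demo(key: bytes = b"constructed-demo-key") -> dict:
    """Server emits one signed hidden field; three client submissions come back."""
    emitted = sign_field("price", "49.99", key)            # what the form carries
    tag = emitted.rpartition(".")[2]
    tampered = "0.01." + tag                                # value edited, tag kept
    swapped = "49.99." + sign_field("discount", "49.99", key).rpartition(".")[2]
    return {
        "untouched": verify_field("price", emitted, key),    # '49.99'
        "tampered": verify_field("price", tampered, key),    # None
        "swapped_tag": verify_field("price", swapped, key),  # None
    }
```

Where a value does not need to round-trip at all (a price that can be looked up again on the server), keep it server-side; signing is for state that genuinely must travel in the form or cookie.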

Addressing Application Security

Graham

Holistic Approach to Security

Network: Defend the network
  Defences: Port blocking, Filtering, Encryption
  Threats: Spoofed packets, etc.

Host: Defend the host
  Defences: Updates, IIS hardening, ACLs, CAS, Logging, Least privilege, Account management
  Threats: Buffer overflows, illicit paths, etc.

Application: Defend the application
  Defences: Validation, Hashing, Encryption, Secrets Mgt., Cookie Mgt., Session Mgt., Error handling
  Threats: SQL injection, XSS, input tampering, etc.

Holistic Approach Challenges

Attackers vs. Defenders
- Attacker needs to understand only one security issue
- Defender needs to secure all entry points
- Attacker has unlimited time
- Defender works with time and cost constraints

Security As an Afterthought
- Architects, developers and management think that security does not add any business value
- Addressing security issues just before a product is released is very expensive
- "Do I need security?"

Security vs. Usability
- Secure systems are more difficult to use
- Complex and strong passwords are difficult to remember
- Users prefer simple passwords

The Paradigm Shift…

- Security is not about being “buzzword compliant”
- Simply “looking for bugs” doesn’t make software secure
- You must reduce the chance defects are entered into the design and code
- Requires executive commitment and investment
- Requires process improvement
- Requires education

Security Development Lifecycle

(Figure: timeline with milestones Concept, Designs Complete, Test Plans Complete, Code Complete, Ship and Post-Ship, with the security activities placed along it; a legend marks which activities are ongoing.)
Activities: Security questions during interviews; Determine security sign-off criteria; External review; Threat Modeling; Security team review; Education; Data mutation and least privilege tests; Review old defects, check-ins checked; Secure coding guidelines, use tools; Security push; Final Security review; Response Process

Microsoft’s SDL

http://msdn.microsoft.com/security/sdl

(Figure: the SDL tasks overlaid on the traditional Microsoft product development lifecycle, phase by phase.)

Phases: Requirements, Design, Implementation, Verification, Release, Support & Servicing

Security Deployment Lifecycle Tasks and Processes: Security Training; Security Kickoff & Register with SWI; Security Design Best Practices; Security Arch & Attack Surface Review; Threat Modeling; Use Security Development Tools & Security Best Dev & Test Practices; Create Security Docs and Tools For Product; Prepare Security Response Plan; Security Push; Pen Testing; Final Security Review; Security Servicing & Response Execution

Traditional Microsoft Software Product Development Lifecycle Tasks and Processes: Feature Lists; Quality Guidelines; Arch Docs; Schedules; Design Specifications; Functional Specifications; Development of New Code; Bug Fixes; Testing and Verification; Code Signing; A Checkpoint Express Signoff; RTM; Product Support; Service Packs/QFEs; Security Updates

Early Results of the SDL

(Charts: Windows pre- and post-SDL critical and important security bulletins; SQL Server 2000 pre- and post-SDL security bulletins; Exchange Server 2000 pre- and post-SDL security bulletins.)

Threat Modeling

- Secure software starts with understanding the threats
- Threats are not vulnerabilities
- Threats live forever, they are the attacker’s goal(s)

(Figure: relationship between Threat, Asset, Vulnerability and Mitigation.)

Security Principles to Live By

Graham

Security Principles to Live By: Living in an un-trusted world

Security Features != Secure Features

Don’t Trust Input, Assume it’s All Evil
- Always validate data as it crosses trust boundaries
- Don’t rely on client side validation
- Constrain, reject, and sanitize user input
- Type checks, length checks, range checks, format checks
- Assume external systems are insecure
- Use managed code where possible
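The validation rules on this slide and the SQL injection row of the threats table earlier, as one added Python example (not from the deck, which targets ASP.NET): input is constrained and rejected at the trust boundary with type, length, range and format checks, and the database call binds parameters so that even unvalidated text cannot alter the statement. The field names, schema and hostile input are constructed for illustration.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")   # format and length in one constraint
TABLE_CHECK = "SELECT 1 FROM sqlite_master WHERE type='table' AND name='orders'"

def validate_order(form: dict) -> dict:
    """Constrain and reject: type, length, range and format checks; nothing is repaired."""
    username = form.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("username: 3-32 letters, digits or underscores")
    try:
        quantity = int(form.get("quantity"))              # type check
    except (TypeError, ValueError):
        raise ValueError("quantity: not an integer") from None
    if not 1 <= quantity <= 100:                           # range check
        raise ValueError("quantity: out of range")
    return {"username": username, "quantity": quantity}

def is_valid(form: dict) -> bool:
    try:
        validate_order(form)
        return True
    except ValueError:
        return False

def init_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (username TEXT, quantity INTEGER)")
    return conn

def insert_unsafe(conn, username: str, quantity: int) -> None:
    # Vulnerable form: the input is spliced into the statement text.
    conn.executescript(f"INSERT INTO orders VALUES ('{username}', {quantity});")

def insert_safe(conn, order: dict) -> None:
    # Hardened form: parameter binding keeps data out of the SQL grammar.
    conn.execute("INSERT INTO orders VALUES (?, ?)", (order["username"], order["quantity"]))

def demo() -> tuple:
    """Returns (table survives unsafe insert, survives safe insert, stored verbatim, passes validation)."""
    payload = "x', 1); DROP TABLE orders; --"              # constructed hostile input
    unsafe, safe = init_db(), init_db()
    insert_unsafe(unsafe, payload, 5)
    insert_safe(safe, {"username": payload, "quantity": 5})   # bound even though unvalidated
    stored = safe.execute("SELECT username FROM orders").fetchone()[0]
    return (unsafe.execute(TABLE_CHECK).fetchone() is not None,
            safe.execute(TABLE_CHECK).fetchone() is not None,
            stored == payload, is_valid({"username": payload, "quantity": "5"}))
```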

Security Principles to Live By: Do you really need to be admin?

Use Least Privilege (to build, test and run)
- Applications should execute with the least privilege to get the job done and no more
- You will make mistakes
- Malicious code executing in a highly-privileged process runs with extra privileges
- Design for Separation of Privilege

Security Principles to Live By: Reducing your exposure

Reduce Your Attack Surface (early)
- The interfaces exposed to an attacker
- Surfaces on by default are the most valuable to attackers
- Minimizing attack surface minimizes complexity
- Use only the services that your application requires

Employ Secure Defaults
- Install application in a secure state
- Users should have to enable features that reduce security
- Users should NOT have to disable features to achieve security

Understand Your Giblets

Security Principles to Live By: Code fails… really, it does!

Plan on Failure, Fail in a Secure Mode
- Failure code path should be most secure
- Don’t log detailed error to the client

Learn From Mistakes (yours and theirs)
- Understand them; and fix them correctly
- Build security into your response plans

Defence in Depth
- Threat risk goes down as threat difficulty goes up
- Driven by policy
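"Fail in a secure mode" and "don't log detailed error to the client" together, as an added Python example (not from the deck): an authorisation check whose failure path denies by default, records the full trace server-side under a correlation id, and returns only that id to the caller, beside the anti-pattern that returns the stack trace. The permission table, the simulated backend fault and its hostname are constructed for illustration.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")

# Constructed permission table standing in for a real authorisation store.
PERMISSIONS = {("alice", "report"): True, ("bob", "report"): False}


def lookup_permission(user: str, resource: str) -> bool:
    if resource == "ledger":                       # simulated backend fault
        raise RuntimeError("authz store unreachable: ldap://authz.internal")
    return PERMISSIONS.get((user, resource), False)   # unknown pair: deny


def handle_leaky(user: str, resource: str) -> tuple:
    """Anti-pattern: the failure path hands internal detail to the client."""
    try:
        allowed = lookup_permission(user, resource)
    except Exception:
        return 500, traceback.format_exc()         # hostnames, paths, versions leak
    return (200, "ok") if allowed else (403, "forbidden")


def handle(user: str, resource: str) -> tuple:
    """Fail secure: deny unless positively granted; detail stays in the server log."""
    allowed = False
    try:
        allowed = lookup_permission(user, resource)
    except Exception:
        ref = uuid.uuid4().hex[:12]                # correlation id for support lookup
        log.error("authz failure ref=%s user=%s resource=%s\n%s",
                  ref, user, resource, traceback.format_exc())
        return 500, f"Request could not be completed. Reference: {ref}"
    return (200, "ok") if allowed else (403, "forbidden")
```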

Key Security Principles: Protecting your secret stuff

Treat the storage medium as if it were at risk
- Confidentiality and Integrity

Avoid Storing Secrets
- If required, store hashes of secrets
- Take appropriate security measures

Never Depend on “Security by Obscurity”
- Obscurity cannot provide real security
- Eg: roll your own crypto, hiding security keys in files, relying on undocumented registry keys
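"Store hashes of secrets" and "treat the storage medium as if it were at risk" in one added Python example (not from the deck): each record holds a per-record salt, an iteration count and a PBKDF2 digest, so a leaked store reveals neither the secret nor which users share one; verification fails closed on malformed records. The record format and the sample secret are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

ALGO, ITERATIONS = "pbkdf2_sha256", 200_000    # parameters travel with each record


def hash_secret(secret: str, salt: bytes = None) -> str:
    """Return a self-describing record algo$iterations$salt$digest; this is all that is stored."""
    salt = salt if salt is not None else os.urandom(16)         # unique per record
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return "$".join((ALGO, str(ITERATIONS), base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()))


def verify_secret(secret: str, record: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
        if algo != ALGO:
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        actual = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, int(iterations))
    except (ValueError, TypeError):
        return False                               # malformed record: fail closed
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Two users with the same secret: records differ and neither contains the secret."""
    a, b = hash_secret("Winter2005!"), hash_secret("Winter2005!")
    return {
        "records_differ": a != b,                  # salt makes equal secrets look unrelated
        "secret_absent": "Winter2005!" not in a,
        "correct_verifies": verify_secret("Winter2005!", a),
        "wrong_rejected": verify_secret("winter2005!", a),
        "garbage_rejected": verify_secret("Winter2005!", "not-a-record"),
    }
```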

Tools and Resources

Dave

Security in Visual Studio 2005
- Create project and testing policies
- Integrated Bug Tracking
- Distributed system designers
- CAS and IntelliSense in Zone
- Permission Calculator
- Data Protection API
- ASP.NET v2 security made easy

Security in Visual Studio 2005
- Application Verifier
- Static Analysis Tools
- Code Coverage
- Load/Stress Testing
- VB.NET My Classes

Visual Studio 2005
- Application Designer
- IntelliSense in Zone

Next Steps

Stay informed about security
- Microsoft Developers Network Security Center: http://msdn.microsoft.com/security/
- Microsoft Security Guidance: http://www.microsoft.com/security/guidance/

Get additional security training
- Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security/

Read the books:
- Threat Modeling
- Writing Secure Code

We invite you to participate in our online evaluation on CommNet, accessible Friday only.

If you choose to complete the evaluation online, there is no need to complete the paper evaluation.

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.