More Secure Online Services Powered by the Microsoft SDL Bryan Sullivan Security Program Manager, SDL Microsoft

What We Will Cover Brief background on the Microsoft Security Development Lifecycle (SDL) SDL processes and tools currently used to protect online services Preview future SDL online initiatives

Session Prerequisites Knowledge of basic web application vulnerabilities Familiarity with web programming concepts ASP.NET is a plus Level 300

SDL Background What is the SDL? EducationToolsProcess

SDL Background SQL Server Before the SDL

SDL Background SQL Server After the SDL

Online Service Requirements OWASP Top Ten Cross-Site Scripting Injection Flaws Malicious File Execution Insecure Direct Object References Cross-Site Request Forgery Information Leakage Broken Authentication Insecure Cryptography Insecure Communications Failure to Restrict URL Access

Cross-Site Scripting (XSS) Input Validation Ensure the data is what the application expects FormatLength Regular expressions (can) work great here System.Text.RegularExpressions.RegexSystem.Web.UI.WebControls.RegularExpressionValidator

Cross-Site Scripting (XSS) Use of Regular Expressions Incorrect use of Regex: if (Regex.IsMatch(userInput, "[<>]")) // reject input Correct use of Regex: if (Regex.IsMatch(userInput, “^[a-zA-Z]{1,9}$")) // accept input

Cross-Site Scripting (XSS) ValidateRequest Page directive Web.config setting <configuration> </configuration> More of a defense-in-depth measure

Cross-Site Scripting (XSS) Encode Output Harder than it sounds! 7 different cases Plain HTML HTML attribute URLJavaScriptVBScriptXML XML attribute Use Microsoft AntiXSS Library

Demonstration 1 Microsoft AntiXSS Library

Cross-Site Scripting (XSS) Static Analysis XSSDetect Code Analysis Tool Analyzes source-to-sink dataflow Standalone or integrated into Visual Studio

SQL Injection Use Stored Procedures Bad code: SqlCommand command = new SqlCommand( "SELECT * FROM Customers WHERE CustomerId = '" + customerId + "'"); "SELECT * FROM Customers WHERE CustomerId = '" + customerId + "'"); Good code: SqlCommand command = new SqlCommand("GetCustomer"); command.CommandType = CommandType.StoredProcedure; command.Parameters.Add(new

SQL Injection Avoid Moving the string concatenation to the stored proc code still leaves you vulnerable… EXEC ('SELECT * FROM Customers WHERE CustomerId = ''' + ''') The only approved use of EXEC is to call other stored procedures

SQL Injection Remove Database Privileges Allow only EXECUTE privileges on the necessary stored procedures All other privileges on all objects must be removed This is defense in depth

Cross-Domain Scripting Same Origin Policy Two frames/windows can only communicate with each other if they have the same origin Origin is defined as having the same: DomainPortProtocol Also applies to XMLHttpRequest

Cross-Domain Scripting Same Origin Policy Example If my page is PageAllowed?Why? domain protocol port domain ok Take a guess…

Cross-Domain Scripting Document.Domain Two cooperating pages can lower their domain so they can talk to each other Do not lower document.domain to the “two- dots” level or lower foo.site.com is allowed site.com is prohibited.com is right out (prohibited by browsers too)

Cross-Domain Scripting Cross-Domain Access Policies Used by Flash, Silverlight crossdomain.xmlclientaccesspolicy.xml<cross-domain-policy> </cross-domain-policy>

Cross-Site Request Forgery ViewStateUserKey Built-in canary defense for ASP.NET pages protected void Page_Init(object sender, EventArgs e) { this.ViewStateUserKey = Session.SessionID; this.ViewStateUserKey = Session.SessionID;}

Demonstration 2 ViewStateUserKey

Future SDL Initiatives SDL for Agile Development SDL originally designed for long projects Difficult to implement 100+ SDL requirements in two-week-long release cycles

Future SDL Initiatives SDL for Agile Development cont’d Break SDL into two “classes” Non-negotiable “every-sprint” requirements “Bucket” requirements Complete at least one from each bucket Complete all requirements every six months

Session Summary SDL can dramatically lower the number and severity of vulnerabilities in online services Validate user input Encode output Use stored procedures Avoid Limit cross-domain access Use ViewStateUserKey

For More Information SDL Web Site SDL Blog MSDN Magazine September 2008, “Security Briefs: SDL Embraces the Web” November 2008, “Agile SDL: Streamline Security Practices for Agile Development”

Questions and Answers Submit text questions using the “Ask” button. Don’t forget to fill out the survey. For upcoming and previously live webcasts: Got webcast content ideas? Contact us at: