Building More Secure Applications Dave Glover Developer Solutions Specialist Microsoft Australia Blog: Graham Elliott Architectural Technology Specialist Microsoft Australia ARC215

Agenda The Importance of Application Security Addressing Application Security Security Principles to Live By Tools and Resources Next Steps Q&A

The Importance of Application Security The Gartner Group states: "Today over 70% of attacks against a company's Web site or Web application come at the 'Application Layer' not the Network or System layer." Microsoft Developer Research: "64 percent of developers are not confident in their ability to write secure applications"

Understanding The Attackers Author Script-Kiddie Hobbyist Hacker Expert Specialist Vandal, Cyberpun k Thief, Booster, Fence, Classic Criminals Spy, Terrorist Mal-Tech Trespasser National Interest, Chaos Steal Something of Value / assets Personal Fame, To Embarrass, To Win Curiosity Nothing Anyone Un-intentional Disgruntled Employee

Example Threats Against The Application ThreatExamples SQL injection Inc DROP TABLE in text typed into an input field Cross-site scripting Using malicious client-side script to steal cookies Hidden-field tampering Maliciously changing the value of a hidden field Eavesdropping Using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections Session hijacking Using a stolen session ID cookie to access someone else's session state Identity spoofing Using a stolen forms authentication cookie to pose as another user Information disclosure Allowing client to see a stack trace when an unhandled exception occurs

Addressing Application Security Graham

Holistic Approach to Security Port blocking FilteringEncryption FilteringEncryption Spoofed packets, etc. Network Defend the network Updates IIS hardening ACLsCASLogging Least privilege Account management Updates IIS hardening ACLsCASLogging Least privilege Account management Buffer overflows, illicit paths, etc. Host Defend the host ValidationHashingEncryption Secrets Mgt. Cookie Mgt. Session Mgt. Error handling ValidationHashingEncryption Secrets Mgt. Cookie Mgt. Session Mgt. Error handling SQL injection, XSS, input tampering, etc. Application Defend the application

Holistic Approach Challenges Attacker needs to understand only one security issue Defender needs to secure all entry points Attacker has unlimited time Defender works with time and cost constraints Attacker needs to understand only one security issue Defender needs to secure all entry points Attacker has unlimited time Defender works with time and cost constraints Attackers vs. Defenders Architects, developers and management think that security does not add any business value Addressing security issues just before a product is released is very expensive Architects, developers and management think that security does not add any business value Addressing security issues just before a product is released is very expensive Security As an Afterthought Do I need security … Secure systems are more difficult to use Complex and strong passwords are difficult to remember Users prefer simple passwords Secure systems are more difficult to use Complex and strong passwords are difficult to remember Users prefer simple passwords Security vs. Usability

The Paradigm Shift… Security is not about being “buzzword compliant” Simply “looking for bugs” doesn’t make software secure You must reduce the chance defects are entered into the design and code Requires executive commitment and investment Requires process improvement Requires education

Security Development Lifecycle TestPlans Complete Test Plans CompleteDesignsComplete Concept CodeComplete ShipPost-Ship Security push Security questions during interviews Determine security sign-off criteria External review Threat Modeling Response Process Security team review Education Data mutation and least privilege tests Review old defects, check-ins checked secure coding guidelines, use tools = ongoing Final Security review

Microsoft’s SDL Security Training Security Kickoff & Register with SWI Security Design Best Practices Security Arch & Attack Surface Review Use Security Development Tools & Security Best Dev & Test Practices Create Security Docs and Tools For Product Prepare Security Response Plan Security Push Pen Testing Final Security Review Security Servicing & Response Execution Feature Lists Quality Guidelines Arch Docs Schedules Design Specifications Testing and Verification Development of New Code Bug Fixes Code Signing A Checkpoint Express Signoff RTM Product Support Service Packs/ QFEs Security Updates RequirementsDesignImplementationVerificationRelease Support & Servicing Threat Modeling Functional Specifications Security Deployment Lifecycle Task and Processes Traditional Microsoft Software Product Development Lifecycle Tasks and Processes

Early Results of the SDL Windows pre- and post-SDL critical and important security bulletins SQL Server 2000 pre- and post-SDL security bulletins Exchange Server 2000 pre- and post-SDL security bulletins

Threat Modeling Secure software starts with understanding the threats Threats are not vulnerabilities Threats live forever, they are the attacker’s goal(s) Threat Asset Mitigation Vulnerability

Security Principles to Live By Graham

Security Principles to Live By Living in an un-trusted world Security Features != Secure Features Don’t Trust Input, Assume it’s All Evil Always validate data as it crosses trust boundaries Don’t rely on client side validation Constrain, reject, and sanitize user input Type checks, length checks, range checks, format checks Assume external systems are insecure Use managed code where possible

Security Principles to Live By Do you really need to be admin? Use Least Privilege (to build, test and run) Applications should execute with the least privilege to get the job done and no more You will make mistakes Malicious code executing in a highly- privileged process runs with extra privileges Design for Separation of Privilege

Security Principles to Live By Reducing your exposure Reduce Your Attack Surface (early) The interfaces exposed to an attacker Surfaces on by default are the most valuable to attackers Minimizing attack surface minimizes complexity Use only the services that your application requires Employ Secure Defaults Install application in a secure state Users should have to enable features that reduce security Users should NOT have to disable features to achieve security Understand Your Giblets

Security Principles to Live By Code fails… really, it does! Plan on Failure, Fail in a Secure Mode Failure code path should be most secure Don’t log detailed error to the client Learn From Mistakes (yours and theirs) Understand them; and fix them correctly Build security into your response plans Defence in Depth Threat risk goes down as threat difficulty goes up Driven by policy

Key Security Principles Protecting your secret stuff Treat the storage medium as if it were at risk Confidentiality and Integrity Avoid Storing Secrets If required, store hashes of secrets Take appropriate security measures Never Depend on “Security by Obscurity” Obscurity cannot provide real security Eg: roll your own crypto, hiding security keys in files, relying on undocumented registry keys

Tools and Resources Dave

Security in Visual Studio 2005 Create project and testing policies Integrated Bug Tracking Distributed system designers CAS and IntelliSense in Zone Permission Calculator Data Protection API ASP.NET v2 security made easy

Security in Visual Studio 2005 Application Verifier Static Analysis Tools Code Coverage Load/Stress Testing VB.NET My Classes

Visual Studio Application Designer - IntelliSense in Zone

Next Steps Next Steps Stay informed about security Microsoft Developers Network Security Center Microsoft Security Guidance Get additional security training Find online and in-person training seminars: Read the books: Threat Modeling Writing Secure Code

We invite you to participate in our online evaluation on CommNet, accessible Friday only If you choose to complete the evaluation online, there is no need to complete the paper evaluation Your Feedback is Important!

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.