Writing Secure Code – Best Practices

Slides:



Advertisements
Similar presentations
Application Security Best Practices At Microsoft Ensuring the lowest possible exposure and vulnerability to attacks Published: January 2003.
Advertisements

Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Understand Database Security Concepts
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.
System and Network Security Practices COEN 351 E-Commerce Security.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 7 HARDENING SERVERS.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Computer Security and Penetration Testing
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Essentials of Security Steve Lamb Technical Security Advisor
Operating System Security Chapter 9. Operating System Security Terms and Concepts An operating system manages and controls access to hardware components.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Maintaining and Updating Windows Server 2008
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.
Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.
Security.NET Chapter 1. How Do Attacks Occur? Stages of attack Examples of attacker actions 1. FootprintRuns a port scan on the firewall 2. PenetrationExploits.
Author: Bill Buchanan. Work Schedule Author: Bill Buchanan.
User Manager Pro Suite Taking Control of Your Systems Joe Vachon Sales Engineer November 8, 2007.
Module 14: Configuring Server Security Compliance
Operating System Security. OS manages and controls access to hardware components Older OSs focused on ensuring data confidentiality Modern operating systems.
Module 2: Installing and Maintaining ISA Server. Overview Installing ISA Server 2004 Choosing ISA Server Clients Installing and Configuring Firewall Clients.
Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:
Securing Your ASP.NET Application Presented by: Rob Bagby Developer Evangelist Microsoft ( )
APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.
Guide to MCSE , Second Edition, Enhanced1 The Windows XP Security Model User must logon with: Valid user ID Password User receives access token Access.
Module 6: Designing Security for Network Hosts
Module 14: Securing Windows Server Overview Introduction to Securing Servers Implementing Core Server Security Hardening Servers Microsoft Baseline.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”. © 2016 Pearson.
Vulnerability Scanning Vulnerability scanners are automated tools that scan hosts and networks for known vulnerabilities and weaknesses Credentialed vs.
PwC New Technologies New Risks. PricewaterhouseCoopers Technology and Security Evolution Mainframe Technology –Single host –Limited Trusted users Security.
Practical Threat Modeling for Software Architects & System Developers
Security fundamentals Topic 2 Establishing and maintaining baseline security.
Module 7: Implementing Security Using Group Policy.
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
Module 12: Responding to Security Incidents. Overview Introduction to Auditing and Incident Response Designing an Audit Policy Designing an Incident Response.
Module 2: Designing Network Security
What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling  OCTAVE Risk/Threat.
Computer Security By Duncan Hall.
Implementing Server Security on Windows 2000 and Windows Server 2003 Fabrizio Grossi.
CSSE 492 Software Dependability Seattle University Computer Science & Software Engineering Winter 2007 Prof. Roshanak Roshandel.
“Lines of Defense” against Malware.. Prevention: Keep Malware off your computer. Limit Damage: Stop Malware that gets onto your computer from doing any.
ASP.NET 2.0 Security Alex Mackman CM Group Ltd
Computer Security Sample security policy Dr Alexei Vernitski.
Security Development Lifecycle. Microsoft SDL 概觀 The SDL is composed of proven security practices It works in development organizations regardless of.
Writing Secure Code – Best Practices Name Job Title Company.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
CS457 Introduction to Information Security Systems
Threat Modeling for Cloud Computing
Critical Security Controls
Configuring Windows Firewall with Advanced Security
Evaluating Existing Systems
Evaluating Existing Systems
Essentials of Hack Resistant Applications
Security mechanisms and vulnerabilities in .NET
Lesson 16-Windows NT Security Issues
Operating System Security
Implementing Client Security on Windows 2000 and Windows XP Level 150
Designing IIS Security (IIS – Internet Information Service)
6. Application Software Security
Presentation transcript:

Writing Secure Code – Best Practices Randy Guthrie, PhD Microsoft Academic Developer Evangelist

Secure Development Process Threat Modeling Risk Mitigation Security Best Practices

Improving the Application Development Process Consider security At the start of the process Throughout development Through deployment At all software review milestones Do not stop looking for security bugs until the end of the development process

The SD3 Security Framework Secure architecture and code Threat analysis Vulnerability reduction Secure by Design Protection: Detection, defense, recovery, management Process: How to guides, architecture guides People: Training Secure in Deployment Attack surface area reduced Unused features turned off by default Minimum privileges used Secure by Default

Secure Product Development Timeline Concept Designs Complete Test Plans Complete Code Ship Post-Ship Assess security knowledge when hiring team members Analyze threats Determine security sign-off criteria Send out for external review Test for security vulnerabilities Learn and refine Train team members Perform security team review Test for data mutation and least privilege Resolve security issues, verify code against security guidelines =ongoing

Secure By Design Raise security awareness of design team Use ongoing training Challenge attitudes - “What I don’t know won’t hurt me” does not apply! Get security right during the design phase Define product security goals Implement security as a key product feature Use threat modeling during design phase

Threat Modeling Secure Development Process Threat Modeling Risk Mitigation Security Best Practices

What Is Threat Modeling? Threat modeling is a security-based analysis that: Helps a product team understand where the product is most vulnerable Evaluates the threats to an application Aims to reduce overall security risks Finds assets Uncovers vulnerabilities Identifies threats Should help form the basis of security design specifications

Benefits of Threat Modeling Helps you understand your application better Helps you find bugs Identifies complex design bugs Helps integrate new team members Drives well-designed security test plans Threat Vulnerability Asset

The Threat Modeling Process Identify Assets 1 Create an Architecture Overview 2 Decompose the Application 3 Identify the Threats 4 Document the Threats 5 Rate the Threats 6

Threat Modeling Process – Step 1: Identify Assets Build a list of assets that require protection, including: Confidential data, such as customer databases Web pages System availability Anything else that, if compromised, would prevent correct operation of your application

Threat Modeling Process – Step 2: Create An Architecture Overview Identify what the application does Create an application architecture diagram Identify the technologies NTFS Permissions (Authentication) File Authorization URL Authorization .NET Roles User-Defined Role SSL (Privacy/Integrity) Trust Boundary Alice Mary Bob IIS Anonymous Authentication Forms ASPNET (Process Identity) Microsoft ASP.NET Microsoft Windows SQL Server™ IPSec (Private/Integrity)

Threat Modeling Process – Step 3: Decompose the Application Break down the application Create a security profile based on traditional areas of vulnerability Examine interactions between different subsystems Use DFD or UML diagrams Identify Trust Boundaries Identify Data Flow Identify Entry Points Identify Privileged Code Document Security Profile

Threat Modeling Process – Step 4: Identify the Threats Assemble team Identify threats Network threats Host threats Application threats

Threat Modeling Process – Identify the Threats by Using STRIDE Types of threats Examples Spoofing Forging e-mail messages Replaying authentication packets Tampering Altering data during transmission Changing data in files Repudiation Deleting a critical file and deny it Purchasing a product and deny it Information disclosure Exposing information in error messages Exposing code on Web sites Denial of service Flooding a network with SYN packets Flooding a network with forged ICMP packets Elevation of privilege Exploiting buffer overruns to gain system privileges Obtaining administrator privileges illegitimately

Threat Modeling Process – Identify the Threats by Using Attack Trees 1.0 View payroll data (I) 1.1 Traffic is unprotected (AND) 1.2 Attacker views traffic 1.2.1 Sniff traffic with protocol analyzer 1.2.2 Listen to router traffic 1.2.2.1 Router is unpatched (AND) 1.2.2.2 Compromise router 1.2.2.3 Guess router password Threat #1 (I) View payroll data 1.1 Traffic is unprotected 1.2 Attacker views traffic 1.2.1 Sniff traffic with protocol analyzer 1.2.2 Listen to router 1.2.2.1 Router is unpatched 1.2.2.2 Compromise router 1.2.2.3 Guess router password

Threat Modeling Process – Step 5: Document the Threats Document threats by using a template: Leave Risk blank (for now) Threat Description Injection of SQL Commands Threat target Data Access Component Risk Attack techniques Attacker appends SQL commands to user name, which is used to form a SQL query Countermeasures Use a regular expression to validate the user name, and use a stored procedure with parameters to access the database

Threat Modeling Process – Step 6: Rate the Threats Use formula: Risk = Probability * Damage Potential Use DREAD to rate threats Damage potential  Reproducibility  Exploitability   Affected users  Discoverability

Threat Modeling Process – Example: Rate the Threats Threat #1 (I) View payroll data 1.1 Traffic is unprotected 1.2 Attacker views traffic 1.2.1 Sniff traffic with protocol analyzer 1.2.2 Listen to router 1.2.2.1 Router is unpatched 1.2.2.2 Compromise router 1.2.2.3 Guess router password Damage potential Affected Users -or- Damage Reproducibility Exploitability Discoverability Chance

Coding to a Threat Model Use threat modeling to help Determine the most “dangerous” portions of your application Prioritize security push efforts Prioritize ongoing code reviews Determine the threat mitigation techniques to employ Determine data flow

Risk Mitigation Secure Development Process Threat Modeling Security Best Practices

Risk Mitigation Options Do Nothing Option 1 Warn the User Option 2 Remove the Problem Option 3 Fix It Option 4 Patrolled

Risk Mitigation Process Threat Type (STRIDE) Mitigation Technique Technology Identify category For example: Spoofing 1 Select techniques For example: Authentication or Protect secret data 2 Choose technology For example: Kerberos 3 Spoofing Authentication NTLM X.509 certs PGP keys Basic Digest Kerberos SSL/TLS 1 2 3

Sample Mitigation Techniques Firewall Limiting resource utilization for anonymous connections Client Server Persistent Data Authentication Data Configuration Data STRIDE Insecure Network SSL/TLS IPSec RPC/DCO with Privacy Strong access control Digital signatures Auditing

Security Best Practices Secure Development Process Threat Modeling Risk Mitigation Security Best Practices

Run with Least Privilege Well-known security doctrine: “Run with just enough privilege to get the job done, and no more!” Elevated privilege can lead to disastrous consequences Malicious code executing in a highly privileged process runs with extra privileges too Many viruses spread because the recipient has administrator privileges

Demonstration 1: ASP.NET Applications Security Investigating ASP.NET Application Privileges Restricting ASP.NET Applications Trust Levels Sandboxing Privileged Code Using Sandboxed Assemblies

Reduce the Attack Surface Expose only limited, well documented interfaces from your application Use only the services that your application requires The Slammer and CodeRed viruses would not have happened if certain features were not on by default ILoveYou (and other viruses) would not have happened if scripting was disabled Turn everything else off

Do Not Trust User Input Validate all input Assume all input is harmful until proven otherwise Look for valid data and reject everything else Constrain, reject, and sanitize user input with Type checks Length checks Range checks Format checks Validator.ValidationExpression = "\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*";

Demonstration 2: Windows Forms Validation Viewing a Non-Validating Application Adding Input Validation Validating the Complete Form

Defense in Depth (1 of 3) – Use Multiple Gatekeepers IIS ISA Firewall ISA Firewall SQL Server SSL IPSec

Defense in Depth (2 of 3) – Apply Appropriate Measures for Each Layer Check security Check security Application.dll Check security Secure resource with an ACL Application.exe Check security Application.dll

Defense in Depth (3 of 3) – Use Strong ACLs on Resources Design ACLs into the application from the beginning Apply ACLs to files, folders, Web pages, registry settings, database files, printers, and objects in Active Directory Create your own ACLs during application installation Include DENY ACEs Do not use NULL DACLs

Do Not Rely on Security by Obscurity Do not hide security keys in files Do not rely on undocumented registry keys Always assume an attacker knows everything you know

Use Data Protection API (DPAPI) to Protect Secrets Two DPAPI functions: CryptProtectData CryptUnprotectData Two stores for data encrypted with DPAPI: User store Machine store

Fail Intelligently (1 of 2) DWORD dwRet = IsAccessAllowed(…); if (dwRet == ERROR_ACCESS_DENIED) { // Security check failed. // Inform user that access is denied } else { // Security check OK. // Perform task… } What if IsAccessAllowed() returns ERROR_NOT_ ENOUGH_MEMORY? If your code does fail, make sure it fails securely

Fail Intelligently (2 of 2) Do not: Reveal information in error messages Consume resources for lengthy periods of time after a failure Do: Use exception handling blocks to avoid propagating errors back to the caller Write suspicious failures to an event log <customErrors mode="On"/>

Test Security Involve test teams in projects at the beginning Use threat modeling to develop security testing strategy Think Evil. Be Evil. Test Evil. Automate attacks with scripts and low-level programming languages Submit a variety of invalid data Delete or deny access to files or registry entries Test with an account that is not an administrator account Know your enemy and know yourself What techniques and technologies will hackers use? What techniques and technologies can testers use?

Learn from Mistakes If you find a security problem, learn from the mistake How did the security error occur? Has the same error been made elsewhere in the code? How could it have been prevented? What should be changed to avoid a repetition of this kind of error? Do you need to update educational material or analysis tools?

Links to resources http://www.mis-laboratory.com/Student/default.htm