BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN121051 Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.



INTRODUCTION Resource: OWASP Top 10 – 2013, The Ten Most Critical Web Application Security Risks

DEMO: SQL INJECTION

SECURE STANDARD LIBRARY
Library - a pre-compiled code file (with the extension .dll) that contains code and data usable by more than one program or application. By using a DLL file, a program can be modularized into separate components, and updates can be applied to each module without affecting other parts of the program (Microsoft, 2007).
Standard - providing requirements, specifications, guidelines or characteristics that can be used consistently to ensure that processes and services are fit for their purpose. The term is used because the proposed library will provide built-in functionality as a standard for implementing secure coding practices.
Secure - with the standard implemented within the library, it will also validate data and input so that processing is carried out in a secure manner.

WHY EMPHASIZE SECURE CODING PRACTICES AND STANDARDIZATION?
1. Web application security is fundamentally different from host or network security and requires a different approach.
2. Custom code creates custom vulnerabilities.
3. Developers are not the same as security experts.
4. Web Application Firewalls (WAF) are effective against known threats, but they are sometimes less capable of discovering new issues or handling questionable use cases.

PROJECT AIM
To identify the most common functionality used by most developers in application project development.
To develop a class library with a standard that provides the identified common functionality.
To provide it with secure coding practices, especially to counter the highest-ranked attacks such as SQL injection and Cross-site Scripting (XSS), based mostly on the OWASP Top Ten most critical web application security risks.

RESEARCH QUESTIONS The research questions are as follows: a) How can an application be exploited through a vulnerability introduced by the developers themselves? b) What common functionality is usually required by most developers in their development environment?

RESEARCH OBJECTIVES The objectives of this study are as follows: a) To identify the secure coding practice requirements within ASP.NET technology development. b) To identify suitable standards for common functionality in a development environment. c) To develop a secure standard library for ASP.NET technology development with secure coding practices. d) To test the developed library with an ASP.NET technology development.

RESEARCH SCOPE a) The library will be usable by ASP.NET developers and environments, specifically with the C# or VB programming language. It also requires the .NET Framework to be installed on the machine or server. b) The library will be applicable to new ASP.NET project development; existing, already developed applications would require many code modifications. c) Most of the secure coding practices are based on the OWASP Secure Coding Practices document, but the library will not cover every implementation in the checklist.

LITERATURE REVIEW One of the security practices in interactive application development is "Never trust user input" (Park, 2011). To guard against such application-level attacks, input validation is commonly implemented, especially in web applications (Shar, Tan, & Briand, 2013).
1. SQL Injection
2. Cross-site Scripting (XSS)
3. Unhandled Error Exposure
4. Unencrypted Sensitive Information

RESEARCH METHODOLOGY: OPERATIONAL FRAMEWORK

Phase 1 - Initiating
Phase 2 - Modelling
Phase 3 - Designing
Phase 4 - Developing
Phase 5 - Testing
Phase 6 - Implementing
Phase 7 - Finalizing

EVALUATION
1. UML Documentation
2. Test cases for the testing report
3. Report on the usage of the library
4. Final report thesis

EXPECTED OUTCOME: SAMPLE OF IMPLEMENTATION

COMMON PRACTICE…

USING PROPOSED LIBRARY…
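As an added example that is not part of the original presentation or of the proposed library's own code, the following C# places the "common practice" string-built query next to the kind of helpers the library describes for the four literature-review items that it addresses here (SQL injection, XSS, unhandled error exposure). The class and method names (SecureDb, SecureOutput, FindUserByName) and the Users table are assumptions.

```csharp
// Added illustration (hypothetical names): what a "secure standard library"
// helper for ASP.NET could look like, beside the common practice it replaces.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Net;

public static class SecureDb
{
    // COMMON PRACTICE (vulnerable): user input is concatenated into the SQL
    // text, so a crafted userName can change the structure of the query.
    public static string UnsafeQuery(string userName) =>
        "SELECT Id, Email FROM Users WHERE UserName = '" + userName + "'";

    // USING PROPOSED LIBRARY: the SQL text is fixed and the input is always
    // bound as a typed, length-limited parameter, so it can only be data.
    public static SqlCommand FindUserByName(SqlConnection conn, string userName)
    {
        // Input validation first ("never trust user input").
        if (string.IsNullOrWhiteSpace(userName) || userName.Length > 64)
            throw new ArgumentException("userName must be 1-64 characters.");

        var cmd = new SqlCommand(
            "SELECT Id, Email FROM Users WHERE UserName = @userName", conn);
        cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 64).Value = userName;
        return cmd;
    }
}

public static class SecureOutput
{
    // XSS: encode on output so user-supplied text is rendered as text in the
    // page instead of being interpreted as markup or script.
    public static string ForHtml(string untrusted) =>
        WebUtility.HtmlEncode(untrusted ?? string.Empty);

    // Unhandled Error Exposure: the full exception (stack trace, SQL text,
    // connection details) goes to the server-side log only; the user receives
    // a generic message plus a correlation id for support.
    public static string SafeErrorMessage(Exception ex, Action<string> log)
    {
        string correlationId = Guid.NewGuid().ToString("N");
        log($"[{correlationId}] {ex}");
        return $"An error occurred. Reference: {correlationId}";
    }
}
```

In an ASP.NET page the helpers would be used together: build the command with FindUserByName, render any returned field through ForHtml, and route exceptions through SafeErrorMessage rather than letting the default error page show the stack trace.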

CONCLUSION Developers cannot prevent security flaws in their code unless they know the types of flaws that can occur. But an organization still cannot rely one hundred percent on developers to ensure their programs are secure at all times, since developers are responsible for focusing on the development of functional requirements. Developers want to do the right thing, but they need to know what the right thing is. It could be the organization's responsibility to help developers by specifying, within its policy or procedure, which tools, techniques and libraries developers can use to implement a secure environment in their application project development. With the implementation of this study, future researchers might continue upgrading it and implementing new practices and techniques of this kind for other available technologies such as PHP, Java, ColdFusion, etc. This could be a good platform worldwide in our continuous efforts to reduce possible attack vectors within web applications.

END OF SLIDE. THANK YOU.