Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit The OWASP Foundation 6 th OWASP AppSec Conference Milan - May Microsoft ACE Team – Application Security from the Core Simon Roses Femerling OWASP Pantera Project Lead Security Technologist, Microsoft
6 th OWASP AppSec Conference – Milan – May 2007 Intro - Who I am? Security Technologist at Microsoft Former among others… Postgraduate in E-Commerce from Harvard University and a B.S. from Suffolk University at Boston, Massachusetts. Natural from wonderful Mallorca Island in the Mediterranean Sea. 2
6 th OWASP AppSec Conference – Milan – May Agenda SDL-IT Overview Application Security - ACE Team Style Threat Modeling ACE Freeware!! Threat Analysis & Modeling (TAM) Anti-XSS Library AppAssurance Q&A
6 th OWASP AppSec Conference – Milan – May 2007 SDL-IT Overview 4
6 th OWASP AppSec Conference – Milan – May Security Development Lifecycle (I) Product Inception Assign resource Security plan Design Design guidelines applied Security architecture Security design review Ship criteria agreed upon Guidelines&Best Practices Coding Standards Testing based on threat models Tool usage Security Push Security push training Review threat models Review code Attack testing Review against new threats Meet signoff criteria Final Security Review(FSR) Review threat models Penetration Testing Archiving of Compliance Info Security Response Feedback loop -Tools/ Processes -Postmortems -SRLs RTM& Deployment Signoff DesignResponse Threat Modeling Models created Mitigations in design and functional specs Security Docs& Tools Customer deliverables for secure deployment RequirementsImplementationVerificationRelease
6 th OWASP AppSec Conference – Milan – May Security Development Lifecycle (II) Process Education Accountability Defines security requirements and milestones MANDATORY if exposed to meaningful security risks Requires response and service planning Includes Final Security Review (FSR) and Sign-off Mandatory annual training – internal trainers BlueHat – external speakers on current trends Publish guidance on writing secure code, threat modeling and SDL; as well as courses In-process metrics to provide early warning Post-release metrics assess final payoff (# of vulns) Training compliance for team and individuals Microsoft Product Development Lifecycle Microsoft Security Development Lifecycle
6 th OWASP AppSec Conference – Milan – May 2007 Application Security - ACE Team Style 7
6 th OWASP AppSec Conference – Milan – May 2007 Intro ACE Team (I) ACE Team Mission: Drive application excellence by providing engineering leadership through world class performance, security and privacy software and services. We are responsible for application performance, security and privacy engineering at Microsoft. Our assessment services are available to any application team at Microsoft who would like to improve their application's performance, security or privacy characteristics. In the last 5 years we have: Assess more than applications for security and performance. Identify / Documented / Help to fix more than >50,000 security vulnerabilities. Develop many security tools and best practices to use inside and outside Microsoft for free!! 8
6 th OWASP AppSec Conference – Milan – May 2007 Intro ACE Team (II) Application Security Threat Modeling & Design Reviews Security Code Reviews Security Process Integration Security Guidance & Prototype Development Infrastructure Security Technical Compliance Management Application Performance Tuning Performance assessments Training: Security & Performance 9
6 th OWASP AppSec Conference – Milan – May 2007 Threat Modeling 10
6 th OWASP AppSec Conference – Milan – May 2007 Why build a Threat Model? The reason for building a threat model is simple: to identify potential threats so that you can build a solid security strategy to guard against them. You cannot feasibly build a secure system until you understand the potential threats against it. It is important to realize that threats are the by-product of your own application. This is why it is crucial to first understand your application context, before you begin trying to defend it. 11
6 th OWASP AppSec Conference – Milan – May 2007 Threat Model Basics Who? You and your team must create the TM. What? A process to identify and mitigate threats to your product. When? In Design phase before Implementation phase. (Basically before writing code!!!) Why? To write secure products from the start. How? TAM is your friend 12
6 th OWASP AppSec Conference – Milan – May 2007 Threats Classifications ACE Team TAM tool uses CIA for Threat Classification that is very familiar to the secure industry. Confidentiality Integrity Availability Other Threat Classification / Threat Model is STRIDE. Spoofing Tampering (Non) Repudiation Information Disclosure Denial of Service Elevation of Privilege The use of these Threat Classifications depends on your needs. CIA = Threat Modeling STRIDE = Attack Modeling / Categorization 13
6 th OWASP AppSec Conference – Milan – May 2007 Threat Model Summary Your first line of defense when developing software. A Threat Model is a living document and should be kept updated. TAM has been designed to be used by development teams without deep security knowledge but is a powerful tool on hands of security aware people. 14
6 th OWASP AppSec Conference – Milan – May 2007 ACE Freeware!! 15
6 th OWASP AppSec Conference – Milan – May 2007 Threat Analysis & Modeling (TAM) 16
6 th OWASP AppSec Conference – Milan – May 2007 TAM Overview (I) It is easy to use and provides a wizard that guides you to create a TM in no time. The basic steps are: Define Business Objectives Decompose application Define Uses Cases Generate threats TAM includes an Attack Library. Yes, it is free! 17
6 th OWASP AppSec Conference – Milan – May 2007 TAM Overview (II) TAM can perform analytics on data access, components access and more. Powerful graph capabilities showing Attack Surface and Attack Trees. Compressive or custom generated reports. ACE is constantly improving TAM. 18
6 th OWASP AppSec Conference – Milan – May
6 th OWASP AppSec Conference – Milan – May
6 th OWASP AppSec Conference – Milan – May 2007 Anti-XSS Library 21
6 th OWASP AppSec Conference – Milan – May 2007 Anti-XSS Overview (I) Powerful library to perform input / output validation in ASP.NET applications. This library differs from most encoding libraries in that it uses the principle of inclusions technique to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). This approach provides a high degree of protection against XSS attacks and is suitable for Web applications with high security requirements. Easy to use and really good documentation Currently version is
6 th OWASP AppSec Conference – Milan – May 2007 Anti-XSS Overview (II) The library contains the following methods: 23 Encoding MethodDescription HtmlEncode Encodes input strings for use in HTML HtmlAttributeEncodeEncodes input strings for use in HTML attributes JavaScriptEncodeEncodes input strings for use in JavaScript UrlEncode Encodes input strings for use in Universal Resource Locators (URLs) VisualBasicScriptEncode Encodes input strings for use in Visual Basic Script XmlEncodeEncodes input strings for use in XML XmlAttributeEncodeEncodes input strings for use in XML attributes
6 th OWASP AppSec Conference – Milan – May 2007 Anti-XSS Overview (III) Anti-XSS approach: Step 1: Review ASP.NET code that generates output Step 2: Determine whether output includes un-trusted input parameters Step 3: Determine the context which the un-trusted input is used as output Step 4: Encode output 24
6 th OWASP AppSec Conference – Milan – May 2007 Anti-XSS Examples #1 // Vulnerable code // Note that un-trusted input is being as an HTML attribute Literal1.Text = “ ”; // Modified code Literal1.Text = “ ”; #2 Hello, 25
6 th OWASP AppSec Conference – Milan – May 2007 AppAssurance 26
6 th OWASP AppSec Conference – Milan – May 2007 AppAssurance Overview (I) AppAssurance inspects the code of a software application for a known set of code security flaws, marks those flaws for inspection by an analyst and provides both a report of findings and a data flow graph of the application. Can work standalone or as a plug-in for Visual Studio Valueble tool for code review and becoming a must use tool inside Microsoft. 27
6 th OWASP AppSec Conference – Milan – May 2007 AppAssurance Overview (II) AppAssurance can scan for well-known flaws like: SQL Injection LDAP injection Xpath Injection Cross-Site Scripting (XSS) File Canonicalization Exception Information Process Command Redirection 28
6 th OWASP AppSec Conference – Milan – May 2007 AppAssurance Overview (III) AppAssurance uses XML files for the rules, so it is very easy to add and tweak rules. How AppAssurance works The AppAssurance tool functions to identify security flaws within an application being examined by scanning the binary and or assembly of the application and tracing the data flow between statements, methods and assemblies. This includes indirect data types such as property assignments and instance tainting operations. The engine works by taking the target assembly and all reference assemblies used in the application and analyzing all of the methods contained within the types contained within the module. It then uses a graphical modeling technique using color assigned to known issues, and transverses the sources and sinks of data to identify use or contact with known issues. 29
6 th OWASP AppSec Conference – Milan – May
6 th OWASP AppSec Conference – Milan – May
6 th OWASP AppSec Conference – Milan – May 2007 Resources Threat Analysis & Modeling (TAM) Anti-XSS Library ACE Team blog
6 th OWASP AppSec Conference – Milan – May 2007 The End Q&A Important: Beer / hard liquor (Vodka/Lemon, Margaritas, Mojitos you named it…) are always welcome Simon Roses Femerling 33