Presentation is loading. Please wait.

Presentation is loading. Please wait.

Website Security for Developers

Published byRuth Armbruster Modified over 6 years ago

Similar presentations

Presentation on theme: "Website Security for Developers"— Presentation transcript:

1 Website Security for Developers
An Overview

2 Who am I? Mitchel Sellers Microsoft MVP, ASPInsider, DNN MVP
IowaComputerGurus, Inc. Contact Information

3 Agenda Why? What? Assumed Basics? OWASP Top 10
ASP.NET Specific Examples Resources

4 Don’t Get Caught With Your Guard Down

5 Complete Principles of Security
Security – Not just a set of protocols, but a mindset Privacy – True privacy, and trust Compliance – Compliance by design, not because of “incident” Transparency – If something happens, be transparent

6 Legal Considerations? HIPPA – Medical Information
Need to Know Environment Hardening Requirements Audit/Access Logging PCI-DSS – Credit Card/Payment Information Encryption Limitation of Storage GDPR – EU Data Protection Extract Requirements “Disappear” Requirements Explicit Consent

7 Assumed Basics SSL – It Fixes Everything Sadly this isn’t the case
Other thoughts HSTS – Enforcing HTTPS, not just requiring it Type of SSL Certificates Content Security Policies

8 OWASP Top 10 - #1 Injection Most specifically talking about SQL Injection Still an issue in 2018 Bad Example – Pulling from the id query string “SELECT * FROM AccountHistory WHERE OwnerId = “ + id Many ways to break this? Random Id = Would allow users to see something they shouldn’t Breaking Query = “ 1; DELETE FROM Users” – Drop the table Good Example – Use parameterized queries, all cases “SELECT * FROM AccountHistory WHERE OwnerId Implementation will depend on platform/language

9 Consider this

10 OWASP Top 10 - #2 Broken Authentication
Common Issues Prevention Permits automated login attacks Allows default user passwords Uses weak/insecure recovery processes (Security Question is considered “weak”) Uses Plain-Text, Encrypted, or Weak encryption for passwords Exposes the sessionID in URL Consider Multi-Factor Authentication Don’t use defaults Check against common passwords Ensure integrity in password requirements Login, Lockout, Failure messages should be the same Limit brute-force logins, and notify admins when suspected

11 OWASP Top 10 - #2 (ASP.NET Notes)
Default ASP.NET Auth covers some, but not all aspects of this Older Methods (Membership vs. Identity) Validate password formats Validate & Update Password recovery New Installations Multi-Factor not enabled by default Lockout Notifications (Not logged or implemented) Complexity Requirements – Typically ok No “known password list”

12 OWASP Top 10 - #3 Sensitive Data Exposure
Is Clear Text Transmission Used? HTTP vs HTTPS Non-secure FTP? Avoid storing sensitive information. (PCI-DSS Specifically) Disable Caching for confidential data Always use secure transmission

13 OWASP Top 10 - #4 XML External Entities
Limited to XML Data Processing SAML & SOAP are two most common Best Prevention is to validate XML before parsing, and disable DTD External Processing Details: tion_Cheat_Sheet

14 OWASP Top 10 - #5 Broken Access Control
Risks Similar to risk in #1 – Situations where the URL could be modified to change access protocols Missing authentication on child methods Assuming that if you can see ____ that by default you cannot see the rest. CORS Misconfiguration – Allowing other clients Prevention Log misuse, notify if excessive Rate Limit API’s Invalidate tokens at logout

15 OWASP Top 10 - #6 Security Misconfiguration
Risks Forgetting to remove defaults. (Ex sample project, Module, File) Unnecessary features/ports (FTP, Utility Modules, etc) Patching not followed Prevention Documented and repeatable hardening process (Install/Config) Minimize platform, use custom install options Automated validated of configuration (Trust but verify)

16 OWASP Top 10 - #7 Cross-Site Scripting
Risks Using untrusted values and displaying Response.Write($”<script>alert(‘{Request.Querystring[“msg”]}’);</script>”) Can be JS or HTML Think of Rich Text Editor Prevention Escape untrusted XML/HTML Consider Content Security Policy to truly lock down data eat_Sheet

17 OWASP Top 10 - #8 Insecure Deserialization
Could happen with any serialized data that was outside of your control Prevention is to distrust all Examples Cookies with list of permissions Hidden field with userId values Must verity, similar to that of #1, and #5

18 OWASP Top 10 - #9 Using Components With Known Vulnerabilities
Not patching a framework to deal with security issues Not patching third-party componeents with known issues Not patching Windows Not patching ASP.NET Using older FTP software Etc.

19 OWASP Top 10 - #10 Insufficient Logging & Monitoring
Logging is great, but what do you do with it? Monitoring/Alerting is often overlooked, until it is a problem Activity logging should be repeatable/detailed for high-risk transactions. (Delete, etc) Establish a response protocol

20 ASP.NET Specific Examples
Known vs. User Supplied Values UserId Querystring Parameters Store/Update Data based on the combination of values Delete – Require both the UserId and the ItemId in the SQL, prevent random delete, of non-owned content Edit – Require UserId and ItemId when retrieving to validate it is that the user has access

21 Third-Party Stuff Do they follow these practices?
Just because you can’t see it, doesn’t mean it isn’t there Review & Patching notifications

22 Upcoming Sessions Later Today:
Should I migrate to ASP.NET Core? Will it Hurt?

23 Resources Microsoft GDPR Recommendations: us/TrustCenter/Privacy/gdpr/readiness OWASP Top : _%28en%29.pdf.pdf

Download ppt "Website Security for Developers"

Similar presentations

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.

ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
JARED BIRD Nagios: Providing Value Throughout the Organization.

JARED BIRD Nagios: Providing Value Throughout the Organization.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.

Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard
MongoDB Sharding and its Threats

MongoDB Sharding and its Threats
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Martin Kruliš 2. 4. 2015 by Martin Kruliš (v1.0)1.

Martin Kruliš by Martin Kruliš (v1.0)1.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.

Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

Similar presentations

Ads by Google