Presentation is loading. Please wait.

Presentation is loading. Please wait.

More Secure Online Services Powered by the Microsoft SDL Bryan Sullivan Security Program Manager, SDL Microsoft.

Published byTracy Rushforth Modified over 10 years ago

Similar presentations

Presentation on theme: "More Secure Online Services Powered by the Microsoft SDL Bryan Sullivan Security Program Manager, SDL Microsoft."— Presentation transcript:

1 More Secure Online Services Powered by the Microsoft SDL Bryan Sullivan Security Program Manager, SDL Microsoft

2 What We Will Cover Brief background on the Microsoft Security Development Lifecycle (SDL) SDL processes and tools currently used to protect online services Preview future SDL online initiatives

3 Session Prerequisites Knowledge of basic web application vulnerabilities Familiarity with web programming concepts ASP.NET is a plus Level 300

4 SDL Background What is the SDL? EducationToolsProcess

5 SDL Background SQL Server Before the SDL

6 SDL Background SQL Server After the SDL

7 Online Service Requirements OWASP Top Ten Cross-Site Scripting Injection Flaws Malicious File Execution Insecure Direct Object References Cross-Site Request Forgery Information Leakage Broken Authentication Insecure Cryptography Insecure Communications Failure to Restrict URL Access

8 Cross-Site Scripting (XSS) Input Validation Ensure the data is what the application expects FormatLength Regular expressions (can) work great here System.Text.RegularExpressions.RegexSystem.Web.UI.WebControls.RegularExpressionValidator

9 Cross-Site Scripting (XSS) Use of Regular Expressions Incorrect use of Regex: if (Regex.IsMatch(userInput, "[<>]")) // reject input Correct use of Regex: if (Regex.IsMatch(userInput, “^[a-zA-Z]{1,9}$")) // accept input

10 Cross-Site Scripting (XSS) ValidateRequest Page directive Web.config setting <configuration> </configuration> More of a defense-in-depth measure

11 Cross-Site Scripting (XSS) Encode Output Harder than it sounds! 7 different cases Plain HTML HTML attribute URLJavaScriptVBScriptXML XML attribute Use Microsoft AntiXSS Library

12 Demonstration 1 Microsoft AntiXSS Library

13 Cross-Site Scripting (XSS) Static Analysis XSSDetect Code Analysis Tool Analyzes source-to-sink dataflow Standalone or integrated into Visual Studio

14 SQL Injection Use Stored Procedures Bad code: SqlCommand command = new SqlCommand( "SELECT * FROM Customers WHERE CustomerId = '" + customerId + "'"); "SELECT * FROM Customers WHERE CustomerId = '" + customerId + "'"); Good code: SqlCommand command = new SqlCommand("GetCustomer"); command.CommandType = CommandType.StoredProcedure; command.Parameters.Add(new SqlParameter("@customerId",customerId);

15 SQL Injection Avoid EXEC @sql Moving the string concatenation to the stored proc code still leaves you vulnerable… EXEC ('SELECT * FROM Customers WHERE CustomerId = ''' + @CustomerId + ''') The only approved use of EXEC is to call other stored procedures

16 SQL Injection Remove Database Privileges Allow only EXECUTE privileges on the necessary stored procedures All other privileges on all objects must be removed This is defense in depth

17 Cross-Domain Scripting Same Origin Policy Two frames/windows can only communicate with each other if they have the same origin Origin is defined as having the same: DomainPortProtocol Also applies to XMLHttpRequest

18 Cross-Domain Scripting Same Origin Policy Example If my page is http://www.mysite.com/foo/bar.aspx PageAllowed?Why? http://blogs.mysite.com/page.aspxNoDifferent domain https://www.mysite.com/page.aspxNoDifferent protocol http://www.mysite.com:81/page.aspxNoDifferent port http://mysite.com/page.aspxNoDifferent domain http://www.mysite.com/bar/page.aspxYesEverything ok Take a guess…

19 Cross-Domain Scripting Document.Domain Two cooperating pages can lower their domain so they can talk to each other Do not lower document.domain to the “two- dots” level or lower foo.site.com is allowed site.com is prohibited.com is right out (prohibited by browsers too)

20 Cross-Domain Scripting Cross-Domain Access Policies Used by Flash, Silverlight crossdomain.xmlclientaccesspolicy.xml<cross-domain-policy> </cross-domain-policy>

21 Cross-Site Request Forgery ViewStateUserKey Built-in canary defense for ASP.NET pages protected void Page_Init(object sender, EventArgs e) { this.ViewStateUserKey = Session.SessionID; this.ViewStateUserKey = Session.SessionID;}

22 Demonstration 2 ViewStateUserKey

23 Future SDL Initiatives SDL for Agile Development SDL originally designed for long projects Difficult to implement 100+ SDL requirements in two-week-long release cycles

24 Future SDL Initiatives SDL for Agile Development cont’d Break SDL into two “classes” Non-negotiable “every-sprint” requirements “Bucket” requirements Complete at least one from each bucket Complete all requirements every six months

25 Session Summary SDL can dramatically lower the number and severity of vulnerabilities in online services Validate user input Encode output Use stored procedures Avoid EXEC @sql Limit cross-domain access Use ViewStateUserKey

26 For More Information SDL Web Site http://www.microsoft.com/sdl SDL Blog http://blogs.microsoft.com/sdl MSDN Magazine September 2008, “Security Briefs: SDL Embraces the Web” November 2008, “Agile SDL: Streamline Security Practices for Agile Development”

27 Questions and Answers Submit text questions using the “Ask” button. Don’t forget to fill out the survey. For upcoming and previously live webcasts: www.microsoft.com/events/developer.mspx www.microsoft.com/events/developer.mspx Got webcast content ideas? Contact us at: http://go.microsoft.com/fwlink/?LinkId=41781 http://go.microsoft.com/fwlink/?LinkId=41781

28

Download ppt "More Secure Online Services Powered by the Microsoft SDL Bryan Sullivan Security Program Manager, SDL Microsoft."

Similar presentations

PHP Form and File Handling

PHP Form and File Handling
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Past, Present and Future By Eoin Keary and Jim Manico

Past, Present and Future By Eoin Keary and Jim Manico
Dial In Number 1-877-593-2001 Pin: 3959 Information About Microsoft September 21, 2012 Security Bulletin Jeremy Tinder Security Program Manager Microsoft.

Dial In Number Pin: 3959 Information About Microsoft September 21, 2012 Security Bulletin Jeremy Tinder Security Program Manager Microsoft.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
MSDN Connection Get personalised information on the topics and technologies you want Profile yourself today and get updates via RSS Get personalised information.

MSDN Connection Get personalised information on the topics and technologies you want Profile yourself today and get updates via RSS Get personalised information.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
A Demo of and Preventing XSS in.NET Applications.

A Demo of and Preventing XSS in.NET Applications.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
The 10 Most Critical Web Application Security Vulnerabilities

The 10 Most Critical Web Application Security Vulnerabilities
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Similar presentations

Ads by Google