Building More Secure Applications (ARC215)
Dave Glover, Developer Solutions Specialist, Microsoft Australia. Blog: http://blogs.msdn.com/dglover
Graham Elliott, Architectural Technology Specialist, Microsoft Australia. graham.elliott@microsoft.com
Agenda
- The Importance of Application Security
- Addressing Application Security
- Security Principles to Live By
- Tools and Resources
- Next Steps
- Q&A
The Importance of Application Security
- The Gartner Group states: "Today over 70% of attacks against a company's Web site or Web application come at the 'Application Layer' not the Network or System layer."
- Microsoft Developer Research: "64 percent of developers are not confident in their ability to write secure applications"
Understanding The Attackers (chart labels; the slide's layout did not survive extraction)
- Skill levels: Script-Kiddie, Hobbyist Hacker, Expert, Specialist
- Attacker profiles: Author; Vandal, Cyberpunk; Thief, Booster, Fence, Classic Criminals; Spy, Terrorist; Mal-Tech Trespasser; Disgruntled Employee; Un-intentional; Anyone
- Motivations: National Interest, Chaos, Steal Something of Value / assets, Personal Fame, To Embarrass, To Win, Curiosity, Nothing
Example Threats Against The Application
Threat: Example
- SQL injection: Including DROP TABLE in text typed into an input field
- Cross-site scripting: Using malicious client-side script to steal cookies
- Hidden-field tampering: Maliciously changing the value of a hidden field
- Eavesdropping: Using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections
- Session hijacking: Using a stolen session ID cookie to access someone else's session state
- Identity spoofing: Using a stolen forms authentication cookie to pose as another user
- Information disclosure: Allowing the client to see a stack trace when an unhandled exception occurs
Addressing Application Security (Graham)
Holistic Approach to Security
- Network (defend the network): Port blocking, Filtering, Encryption. Threats: spoofed packets, etc.
- Host (defend the host): Updates, IIS hardening, ACLs, CAS, Logging, Least privilege, Account management. Threats: buffer overflows, illicit paths, etc.
- Application (defend the application): Validation, Hashing, Encryption, Secrets Mgt., Cookie Mgt., Session Mgt., Error handling. Threats: SQL injection, XSS, input tampering, etc.
Holistic Approach Challenges
Attackers vs. Defenders
- Attacker needs to understand only one security issue; defender needs to secure all entry points
- Attacker has unlimited time; defender works with time and cost constraints
Security As an Afterthought
- Architects, developers and management think that security does not add any business value
- Addressing security issues just before a product is released is very expensive
Security vs. Usability
- Do I need security …
- Secure systems are more difficult to use
- Complex and strong passwords are difficult to remember; users prefer simple passwords
The Paradigm Shift…
- Security is not about being “buzzword compliant”
- Simply “looking for bugs” doesn’t make software secure
- You must reduce the chance defects are entered into the design and code
- Requires executive commitment and investment
- Requires process improvement
- Requires education
Security Development Lifecycle
Milestones: Concept, Designs Complete, Test Plans Complete, Code Complete, Ship, Post-Ship
- Security questions during interviews
- Determine security sign-off criteria
- External review
- Threat Modeling
- Response Process
- Security team review
- Education
- Data mutation and least privilege tests
- Review old defects, check-ins checked, secure coding guidelines, use tools = ongoing
- Security push
- Final Security review
Microsoft’s SDL http://msdn.microsoft.com/security/sdl
Phases: Requirements, Design, Implementation, Verification, Release, Support & Servicing
Security Deployment Lifecycle Tasks and Processes:
- Security Training
- Security Kickoff & Register with SWI
- Security Design Best Practices
- Security Arch & Attack Surface Review
- Threat Modeling
- Use Security Development Tools & Security Best Dev & Test Practices
- Create Security Docs and Tools For Product
- Prepare Security Response Plan
- Security Push
- Pen Testing
- Final Security Review
- Security Servicing & Response Execution
Traditional Microsoft Software Product Development Lifecycle Tasks and Processes:
- Feature Lists, Quality Guidelines, Arch Docs, Schedules
- Design Specifications, Functional Specifications
- Development of New Code, Bug Fixes
- Testing and Verification
- Code Signing, A Checkpoint Express Signoff, RTM
- Product Support, Service Packs/QFEs, Security Updates
Early Results of the SDL
- Windows pre- and post-SDL critical and important security bulletins
- SQL Server 2000 pre- and post-SDL security bulletins
- Exchange Server 2000 pre- and post-SDL security bulletins
Chart values as extracted (bar labels lost): 55 17 455
Threat Modeling
- Secure software starts with understanding the threats
- Threats are not vulnerabilities
- Threats live forever; they are the attacker’s goal(s)
Diagram labels: Threat, Asset, Mitigation, Vulnerability
Security Principles to Live By (Graham)
Security Principles to Live By: Living in an un-trusted world
- Security Features != Secure Features
- Don’t Trust Input, Assume it’s All Evil
- Always validate data as it crosses trust boundaries
- Don’t rely on client side validation
- Constrain, reject, and sanitize user input: type checks, length checks, range checks, format checks
- Assume external systems are insecure
- Use managed code where possible
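The two principles above (validate at the trust boundary with type, length, range and format checks; reject rather than repair) and the SQL injection row of the threat table can be shown together in one short .NET routine. This is an added example written for this page, not code from the presentation or from Microsoft; the `Users` table, its columns and the connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example: a user lookup that treats the client's input as hostile.
// Validation runs where the data crosses the trust boundary (server side,
// never only in the browser), and the accepted value reaches SQL Server as a
// typed parameter rather than as text spliced into the statement.
public static class UserLookup
{
    // Format check: a whitelist of what a user name may look like.
    // Everything outside it is rejected, not "cleaned up".
    private static readonly Regex UserNameFormat =
        new Regex(@"^[A-Za-z0-9._-]{1,32}$", RegexOptions.Compiled);

    // Type + length + format checks for a string field.
    public static bool IsValidUserName(string input)
    {
        if (input == null) return false;                 // type check
        if (input.Length < 1 || input.Length > 32) return false; // length check
        return UserNameFormat.IsMatch(input);            // format check
    }

    // Type + range checks for a numeric field that arrives as text
    // (query string, hidden field, cookie). Returns false on any failure.
    public static bool TryParsePageNumber(string input, out int page)
    {
        page = 0;
        if (!int.TryParse(input, out page)) return false; // type check
        return page >= 1 && page <= 1000;                 // range check
    }

    // "Users" table, columns and connection string are assumptions.
    // A value such as "'; DROP TABLE Users--" fails IsValidUserName, and even
    // if the whitelist were looser, @name is bound as data, never as SQL.
    public static DataTable FindUser(string connectionString, string userName)
    {
        if (!IsValidUserName(userName))
            throw new ArgumentException("User name is not in the allowed format.");

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "SELECT Id, DisplayName FROM Users WHERE UserName = @name";
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 32).Value = userName;

            DataTable result = new DataTable();
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                result.Load(reader);
            }
            return result;
        }
    }
}
```

The same validation must be repeated on the server even when the page also validates in JavaScript: the client-side check only improves the user's experience, since anyone can bypass it with a proxy or a hand-built request. Hidden fields and cookies go through the same parse-and-range step as visible fields, which also addresses the hidden-field tampering row of the threat table.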
Security Principles to Live By: Do you really need to be admin?
- Use Least Privilege (to build, test and run)
- Applications should execute with the least privilege to get the job done and no more
- You will make mistakes
- Malicious code executing in a highly-privileged process runs with extra privileges
- Design for Separation of Privilege
Security Principles to Live By: Reducing your exposure
- Reduce Your Attack Surface (early)
- The interfaces exposed to an attacker
- Surfaces on by default are the most valuable to attackers
- Minimizing attack surface minimizes complexity
- Use only the services that your application requires
- Employ Secure Defaults
- Install application in a secure state
- Users should have to enable features that reduce security
- Users should NOT have to disable features to achieve security
- Understand Your Giblets
Security Principles to Live By: Code fails… really, it does!
- Plan on Failure, Fail in a Secure Mode
- Failure code path should be most secure
- Don’t log detailed error to the client
- Learn From Mistakes (yours and theirs)
- Understand them; and fix them correctly
- Build security into your response plans
- Defence in Depth
- Threat risk goes down as threat difficulty goes up
- Driven by policy
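"Fail in a secure mode" and "don't log detailed error to the client" combine naturally in an authorization check: any exception on the failure path means "denied", the full exception is written to the server-side trace, and the client sees a fixed message. This is an added example for this page, not code from the presentation; the `PermissionCheck` delegate and the caller's logging setup are assumptions.

```csharp
using System;
using System.Diagnostics;

// Added example: an authorization wrapper whose failure path is its most
// secure path. The delegate type is an assumption standing in for whatever
// the application uses to consult its ACL store.
public delegate bool PermissionCheck(string user, string resource);

public static class SecureFailure
{
    // Returns true only when the underlying check positively succeeds.
    // A thrown exception (ACL database down, malformed rule, timeout) is
    // treated as "denied" rather than letting the caller fall through.
    public static bool IsAuthorized(PermissionCheck check, string user,
                                    string resource, out string clientMessage)
    {
        clientMessage = null;
        try
        {
            if (check(user, resource))
                return true;

            clientMessage = "Access denied.";
            return false;
        }
        catch (Exception ex)
        {
            // Full detail (exception type, message, stack trace, inner
            // exceptions) stays on the server, where operators can read it.
            Trace.TraceError("Authorization check failed for user '{0}' on '{1}': {2}",
                             user, resource, ex);

            // The client learns only the outcome, never the stack trace or
            // the reason the check could not be completed.
            clientMessage = "Access denied.";
            return false;
        }
    }
}
```

The same rule applies to unhandled exceptions in ASP.NET pages: the information-disclosure row of the threat table (a stack trace shown to the client) is avoided by keeping detailed errors off remote responses and routing them to a server-side log or event source instead.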
Key Security Principles: Protecting your secret stuff
- Treat the storage medium as if it were at risk
- Confidentiality and Integrity
- Avoid Storing Secrets
- If required, store hashes of secrets
- Take appropriate security measures
- Never Depend on “Security by Obscurity”
- Obscurity cannot provide real security
- Eg: roll your own crypto, hiding security keys in files, relying on undocumented registry keys
Tools and Resources (Dave)
Security in Visual Studio 2005
- Create project and testing policies
- Integrated Bug Tracking
- Distributed system designers
- CAS and IntelliSense in Zone
- Permission Calculator
- Data Protection API
- ASP.NET v2 security made easy
Security in Visual Studio 2005
- Application Verifier
- Static Analysis Tools
- Code Coverage
- Load/Stress Testing
- VB.NET My Classes
Demo: Visual Studio 2005 - Application Designer - IntelliSense in Zone
Next Steps
- Stay informed about security
- Microsoft Developers Network Security Center: http://msdn.microsoft.com/security/
- Microsoft Security Guidance: http://www.microsoft.com/security/guidance/
- Get additional security training
- Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security/
- Read the books: Threat Modeling; Writing Secure Code
Your Feedback is Important!
- We invite you to participate in our online evaluation on CommNet, accessible Friday only
- If you choose to complete the evaluation online, there is no need to complete the paper evaluation
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.