
Slide 1: Microsoft ACE Team – Application Security from the Core
Simon Roses Femerling, OWASP Pantera Project Lead; Security Technologist, Microsoft; simonros@microsoft.com
The OWASP Foundation, 6th OWASP AppSec Conference, Milan, May 2007, http://www.owasp.org/
Copyright © 2007 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/

Slide 2: Intro - Who am I?
 Security Technologist at Microsoft
 Formerly at PwC and @Stake, among others
 Postgraduate in E-Commerce from Harvard University and a B.S. from Suffolk University in Boston, Massachusetts
 A native of the wonderful island of Mallorca in the Mediterranean Sea

Slide 3: Agenda
 SDL-IT Overview
 Application Security - ACE Team Style
 Threat Modeling
 ACE Freeware!!
    Threat Analysis & Modeling (TAM)
    Anti-XSS Library
    AppAssurance
 Q&A

Slide 4: SDL-IT Overview

Slide 5: Security Development Lifecycle (I)
(The slide is a diagram of the SDL phases; the activities in each phase are listed below.)

Requirements
    Product inception: assign resource, security plan

Design
    Design guidelines applied
    Security architecture
    Security design review
    Ship criteria agreed upon
    Threat Modeling: models created; mitigations in design and functional specs

Implementation
    Guidelines & best practices
    Coding standards
    Testing based on threat models
    Tool usage

Verification
    Security Push: security push training, review threat models, review code, attack testing, review against new threats
    Meet signoff criteria

Release
    Final Security Review (FSR): review threat models, penetration testing, archiving of compliance info
    RTM & deployment signoff
    Security docs & tools: customer deliverables for secure deployment

Response
    Security response: feedback loop (tools/processes, postmortems, SRLs)

Slide 6: Security Development Lifecycle (II)
(The slide contrasts the Microsoft Product Development Lifecycle with the Microsoft Security Development Lifecycle under three headings.)

Process
    Defines security requirements and milestones
    MANDATORY if exposed to meaningful security risks
    Requires response and service planning
    Includes Final Security Review (FSR) and sign-off

Education
    Mandatory annual training with internal trainers
    BlueHat: external speakers on current trends
    Published guidance on writing secure code, threat modeling and SDL, as well as courses

Accountability
    In-process metrics to provide early warning
    Post-release metrics assess the final payoff (number of vulns)
    Training compliance for teams and individuals

Slide 7: Application Security - ACE Team Style

Slide 8: Intro ACE Team (I)
 ACE Team mission: drive application excellence by providing engineering leadership through world-class performance, security and privacy software and services.
 We are responsible for application performance, security and privacy engineering at Microsoft. Our assessment services are available to any application team at Microsoft that would like to improve its application's performance, security or privacy characteristics.
 In the last 5 years we have:
    Assessed more than 3,000 applications for security and performance
    Identified, documented and helped to fix more than 50,000 security vulnerabilities
    Developed many security tools and best practices, free to use inside and outside Microsoft!!

Slide 9: Intro ACE Team (II)
 Application Security
    Threat Modeling & Design Reviews
    Security Code Reviews
    Security Process Integration
    Security Guidance & Prototype Development
 Infrastructure Security
 Technical Compliance Management
 Application Performance Tuning
    Performance assessments
 Training: Security & Performance

Slide 10: Threat Modeling

Slide 11: Why build a Threat Model?
 The reason for building a threat model is simple: to identify potential threats so that you can build a solid security strategy to guard against them.
 You cannot feasibly build a secure system until you understand the potential threats against it.
 It is important to realize that threats are a by-product of your own application: what it does and what it exposes determines what can be attacked.
 This is why it is crucial to understand your application's context first, before you begin trying to defend it.

Slide 12: Threat Model Basics
 Who? You and your team must create the TM.
 What? A process to identify and mitigate threats to your product.
 When? In the Design phase, before the Implementation phase (basically, before writing code!!!).
 Why? To write secure products from the start.
 How? TAM is your friend.

Slide 13: Threat Classifications
 The ACE Team TAM tool uses CIA for threat classification, which is very familiar to the security industry:
    Confidentiality
    Integrity
    Availability
 Another threat classification / threat model is STRIDE:
    Spoofing
    Tampering
    Repudiation
    Information Disclosure
    Denial of Service
    Elevation of Privilege
 Which of these classifications you use depends on your needs.
 CIA = Threat Modeling
 STRIDE = Attack Modeling / Categorization

Slide 14: Threat Model Summary
 Your first line of defense when developing software.
 A Threat Model is a living document and should be kept updated.
 TAM has been designed to be used by development teams without deep security knowledge, but it is a powerful tool in the hands of security-aware people.

Slide 15: ACE Freeware!!

Slide 16: Threat Analysis & Modeling (TAM)

Slide 17: TAM Overview (I)
 It is easy to use and provides a wizard that guides you to create a TM in no time.
 The basic steps are:
    Define business objectives
    Decompose the application
    Define use cases
    Generate threats
 TAM includes an Attack Library.
 Yes, it is free!
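The four wizard steps end in threat generation, which the deck does not show in detail. The following is an added Python illustration, not TAM's own code or its real algorithm, of one way a decomposed application (roles, data, an access matrix, use cases crossing components) turns into CIA-classified threats. The deny-by-default access-matrix rule, the stand-in attack library and the order-lookup sample application are all assumptions made for this demo.

```python
"""Simplified re-creation of the threat-generation step in a TAM-style
model (define objectives, decompose the application, define use cases,
generate threats).  Added example, not TAM's own code or algorithm: the
deny-by-default access-matrix rule, the tiny attack library and the sample
application are assumptions made for this demo."""
from itertools import product

# TAM classifies threats by CIA; each CRUD action is mapped to one class.
CIA_BY_ACTION = {"read": "Confidentiality", "create": "Integrity",
                 "update": "Integrity", "delete": "Integrity"}

# Assumed stand-in for TAM's Attack Library: component type -> attacks.
ATTACK_LIBRARY = {
    "web": ["Cross-Site Scripting", "Parameter Tampering"],
    "database": ["SQL Injection"],
}


def generate_threats(roles, data, allowed, use_cases, components):
    """roles/data: sets of names.  allowed: set of (role, datum, action)
    the design permits.  use_cases: list of (role, datum, action, path)
    where path lists the components the use case crosses.  components:
    component name -> type.  Returns a list of threat dicts."""
    threats = []
    # Deny by default: any role/datum/action the access matrix does not
    # allow is a threat, classified by the action's CIA category.
    for role, datum, action in product(sorted(roles), sorted(data), CIA_BY_ACTION):
        if (role, datum, action) not in allowed:
            threats.append({"class": CIA_BY_ACTION[action],
                            "threat": f"{role} gains unauthorized {action} of {datum}",
                            "attacks": []})
    # Loss of the data itself is an availability threat regardless of role.
    for datum in sorted(data):
        threats.append({"class": "Availability",
                        "threat": f"{datum} is made unavailable",
                        "attacks": []})
    # A use case crosses components; each component contributes the
    # library attacks that could subvert the use case on that path.
    for role, datum, action, path in use_cases:
        attacks = sorted({a for c in path for a in ATTACK_LIBRARY.get(components[c], [])})
        threats.append({"class": CIA_BY_ACTION[action],
                        "threat": f"attacker subverts '{role} {action} {datum}' "
                                  f"along {' -> '.join(path)}",
                        "attacks": attacks})
    return threats


def threat_counts(threats):
    """Number of threats per CIA class, the figure a TAM report summarises."""
    counts = {}
    for t in threats:
        counts[t["class"]] = counts.get(t["class"], 0) + 1
    return counts


# Constructed sample application (an order-lookup web app), not from the deck.
ROLES = {"Customer", "Admin"}
DATA = {"OrderHistory", "PaymentCard"}
ALLOWED = {
    ("Customer", "OrderHistory", "read"),
    ("Admin", "OrderHistory", "read"),
    ("Admin", "OrderHistory", "update"),
    ("Admin", "PaymentCard", "read"),
}
COMPONENTS = {"OrderPage.aspx": "web", "OrdersDB": "database"}
USE_CASES = [("Customer", "OrderHistory", "read", ["OrderPage.aspx", "OrdersDB"])]

if __name__ == "__main__":
    for t in generate_threats(ROLES, DATA, ALLOWED, USE_CASES, COMPONENTS):
        line = f"[{t['class'][0]}] {t['threat']}"
        if t["attacks"]:
            line += "  attacks: " + ", ".join(t["attacks"])
        print(line)
```

The deny-by-default rule is what makes the matrix useful: a design that never wrote down "Customer may not read PaymentCard" still yields that threat, which is exactly the kind of omission a wizard-driven model catches in the Design phase rather than in a penetration test.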

Slide 18: TAM Overview (II)
 TAM can perform analytics on data access, component access and more.
 Powerful graph capabilities showing the attack surface and attack trees.
 Comprehensive or custom-generated reports.
 ACE is constantly improving TAM.


Slide 21: Anti-XSS Library

Slide 22: Anti-XSS Overview (I)
 Powerful library for input/output validation (encoding untrusted data on output) in ASP.NET applications.
 This library differs from most encoding libraries in that it uses the principle of inclusions to protect against XSS attacks. The approach first defines a valid, allowable set of characters and encodes anything outside that set (invalid characters or potential attacks). It provides a high degree of protection against XSS and is suitable for web applications with high security requirements.
 Easy to use, with really good documentation
 The current version is 1.5

Slide 23: Anti-XSS Overview (II)
 The library contains the following methods:

Encoding method            Description
HtmlEncode                 Encodes input strings for use in HTML
HtmlAttributeEncode        Encodes input strings for use in HTML attributes
JavaScriptEncode           Encodes input strings for use in JavaScript
UrlEncode                  Encodes input strings for use in Uniform Resource Locators (URLs)
VisualBasicScriptEncode    Encodes input strings for use in Visual Basic Script
XmlEncode                  Encodes input strings for use in XML
XmlAttributeEncode         Encodes input strings for use in XML attributes

Slide 24: Anti-XSS Overview (III)
 Anti-XSS approach:
    Step 1: Review the ASP.NET code that generates output
    Step 2: Determine whether the output includes un-trusted input parameters
    Step 3: Determine the context in which the un-trusted input is used as output
    Step 4: Encode the output for that context

Slide 25: Anti-XSS Examples

#1
using Microsoft.Security.Application;   // namespace of the Anti-XSS 1.5 library

// Vulnerable code
// Note that un-trusted input is being used as an HTML attribute
// (the markup inside the string literals did not survive extraction; the
// element and the "name" query parameter are reconstructed to match the comment)
Literal1.Text = "<span title=\"" + Request.QueryString["name"] + "\">Hello</span>";

// Modified code
Literal1.Text = "<span title=\"" + AntiXss.HtmlAttributeEncode(Request.QueryString["name"]) + "\">Hello</span>";

#2
Hello, (the rest of this example was stripped along with its markup)
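To make the principle of inclusions from slide 22 and the context-based procedure of slide 24 concrete, here is an added Python example; it is not the Anti-XSS library's own code. The safe character set, the escape formats and the payloads are assumptions, and the function names only mirror the table on slide 23. A conventional blocklist encoder is included for contrast.

```python
"""Allowlist ("principle of inclusions") output encoding as the Anti-XSS
library describes it: define the characters that are safe in a context and
encode everything else.  Added example in Python, not the Anti-XSS library's
code; the safe set and escape formats below are assumptions chosen to show
the idea, so consult the library's documentation for its real tables."""

# Assumed safe set shared by all contexts; only these pass through unchanged.
SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789,.-_")


def html_encode(s):
    """HTML body text: space is harmless here, everything else outside SAFE
    becomes a numeric character reference."""
    return "".join(c if c in SAFE or c == " " else f"&#{ord(c)};" for c in s)


def html_attribute_encode(s):
    """HTML attribute value: space is encoded too, so the value cannot
    break out of an attribute that the template forgot to quote."""
    return "".join(c if c in SAFE else f"&#{ord(c)};" for c in s)


def javascript_encode(s):
    """JavaScript string literal: non-safe characters become \\xHH or
    \\uHHHH escapes and the result is returned already quoted."""
    out = []
    for c in s:
        if c in SAFE:
            out.append(c)
        elif ord(c) < 256:
            out.append(f"\\x{ord(c):02x}")
        else:
            out.append(f"\\u{ord(c):04x}")
    return "'" + "".join(out) + "'"


def url_encode(s):
    """URL query value: UTF-8 percent-encoding of everything non-safe."""
    return "".join(c if c in SAFE else
                   "".join(f"%{b:02X}" for b in c.encode("utf-8")) for c in s)


# The conventional blocklist encoder, for comparison: it only knows about
# the handful of characters someone thought of in advance.
BLOCKLIST = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}


def blocklist_encode(s):
    return "".join(BLOCKLIST.get(c, c) for c in s)


def attribute_breakout_survives(value, encoder):
    """Why step 3 (know the context) matters: an unquoted attribute such as
    <input value=...> is ended by a space, so a payload containing none of
    < > " & gains a new event-handler attribute past a blocklist or past
    the body-text encoder.  Returns True when the breakout got through."""
    return " on" in encoder(value)


# Constructed payloads, not from the deck.
ATTR_PAYLOAD = "x onmouseover=alert(1)"
JS_PAYLOAD = "';alert(1)//"

if __name__ == "__main__":
    print("html:      ", html_encode("<script>alert(1)</script>"))
    print("attribute: ", html_attribute_encode(ATTR_PAYLOAD))
    print("blocklist: ", blocklist_encode(ATTR_PAYLOAD))
    print("javascript:", javascript_encode(JS_PAYLOAD))
    print("url:       ", url_encode("a b&c=é"))
```

The allowlist encoders never need to know what an attack looks like: a character that was not on the safe list is encoded whether or not anyone anticipated it. The remaining failure mode is picking the wrong encoder for the context, which is why the deck's step 3 comes before step 4.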

Slide 26: AppAssurance

Slide 27: AppAssurance Overview (I)
 AppAssurance inspects the code of a software application for a known set of code security flaws, marks those flaws for inspection by an analyst, and provides both a report of findings and a data flow graph of the application.
 Can work standalone or as a plug-in for Visual Studio 2005.
 A valuable tool for code review, and becoming a must-use tool inside Microsoft.

Slide 28: AppAssurance Overview (II)
 AppAssurance can scan for well-known flaws such as:
    SQL Injection
    LDAP Injection
    XPath Injection
    Cross-Site Scripting (XSS)
    File Canonicalization
    Exception Information
    Process Command
    Redirection

Slide 29: AppAssurance Overview (III)
 AppAssurance uses XML files for its rules, so it is very easy to add and tweak rules.
 How AppAssurance works:
    AppAssurance identifies security flaws in the application under examination by scanning its binary and/or assembly and tracing the data flow between statements, methods and assemblies. This includes indirect data flows such as property assignments and instance-tainting operations.
    The engine takes the target assembly and all referenced assemblies used in the application and analyzes every method of every type contained in the module. It then uses a graphical modeling technique in which known issues are assigned colors, and traverses the sources and sinks of data to identify where data reaches or touches a known issue.
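The source-to-sink tracing described above, as an added Python illustration rather than AppAssurance's code: rules are loaded from a constructed XML document, taint is propagated through assignments, string concatenation and calls into a second method, and every sink reached by tainted data becomes a finding. The mini-IR, the rule schema and the sample program are assumptions; the .NET member names in the rules are real members, but the deck does not say how AppAssurance's own rule files name them.

```python
"""Source-to-sink data-flow tracing of the kind AppAssurance describes:
rules loaded from XML, taint propagated between statements and methods,
a finding wherever tainted data reaches a known sink.  Added example, not
AppAssurance's code: it runs over a hand-written mini-IR instead of .NET
assemblies, and the rule schema and the sample program are constructed."""
import xml.etree.ElementTree as ET

# Assumed rule format.  The member names are real .NET members (property
# accessors appear as get_/set_ methods in IL); the XML schema is made up.
RULES_XML = """
<rules>
  <source method="System.Web.HttpRequest.get_QueryString"/>
  <sanitizer method="Microsoft.Security.Application.AntiXss.HtmlEncode"/>
  <sink method="System.Data.SqlClient.SqlCommand..ctor" issue="SQL Injection"/>
  <sink method="System.Web.UI.WebControls.Literal.set_Text" issue="Cross-Site Scripting"/>
</rules>
"""


def load_rules(xml_text):
    root = ET.fromstring(xml_text.strip())
    return {"sources": {e.get("method") for e in root.findall("source")},
            "sanitizers": {e.get("method") for e in root.findall("sanitizer")},
            "sinks": {e.get("method"): e.get("issue") for e in root.findall("sink")}}


class Analyzer:
    """Expressions: a variable name (str), ("lit", text), ("concat", [exprs])
    or ("call", method, [exprs]).  Statements: ("assign", var, expr),
    ("call", method, [exprs]) or ("return", expr)."""

    def __init__(self, rules, program):
        self.rules, self.program = rules, program
        self.findings = []      # (method containing the sink, issue, sink)
        self._memo = {}         # (method, arg taint) -> return taint

    def tainted(self, expr, env, where):
        """True if expr may carry attacker-controlled data; records findings."""
        if isinstance(expr, str):
            return env.get(expr, False)
        if expr[0] == "lit":
            return False
        if expr[0] == "concat":
            return any(self.tainted(e, env, where) for e in expr[1])
        method, args = expr[1], [self.tainted(a, env, where) for a in expr[2]]
        if method in self.rules["sinks"] and any(args):
            self.findings.append((where, self.rules["sinks"][method], method))
        if method in self.rules["sources"]:
            return True
        if method in self.rules["sanitizers"]:
            return False
        if method in self.program:          # user method: follow the call
            return self.analyze_method(method, tuple(args))
        return any(args)                    # unknown library call: propagate

    def analyze_method(self, name, arg_taint):
        key = (name, arg_taint)
        if key in self._memo:
            return self._memo[key]
        self._memo[key] = False             # guards against recursion
        spec = self.program[name]
        env = dict(zip(spec["params"], arg_taint))
        result = False
        for stmt in spec["body"]:
            if stmt[0] == "assign":
                env[stmt[1]] = self.tainted(stmt[2], env, name)
            elif stmt[0] == "call":
                self.tainted(("call", stmt[1], stmt[2]), env, name)
            elif stmt[0] == "return":
                result = result or self.tainted(stmt[1], env, name)
        self._memo[key] = result
        return result


def scan(rules_xml, program, entry_points):
    """Analyze each entry point with untainted parameters; return findings."""
    analyzer = Analyzer(load_rules(rules_xml), program)
    for entry in entry_points:
        analyzer.analyze_method(entry, tuple(False for _ in program[entry]["params"]))
    return sorted(set(analyzer.findings))


# Constructed sample program in the mini-IR: a page handler that builds a
# query in a helper method and echoes a parameter twice, once encoded.
PROGRAM = {
    "OrderPage.Page_Load": {"params": [], "body": [
        ("assign", "id", ("call", "System.Web.HttpRequest.get_QueryString", [("lit", "id")])),
        ("assign", "cmd", ("call", "OrderPage.BuildCommand", ["id"])),
        ("call", "System.Web.UI.WebControls.Literal.set_Text",
         [("call", "Microsoft.Security.Application.AntiXss.HtmlEncode", ["id"])]),
        ("call", "System.Web.UI.WebControls.Literal.set_Text",
         [("concat", [("lit", "Order "), "id"])]),
    ]},
    "OrderPage.BuildCommand": {"params": ["orderId"], "body": [
        ("assign", "sql", ("concat", [("lit", "SELECT * FROM Orders WHERE Id = "), "orderId"])),
        ("assign", "cmd", ("call", "System.Data.SqlClient.SqlCommand..ctor", ["sql"])),
        ("return", "cmd"),
    ]},
}

if __name__ == "__main__":
    for where, issue, sink in scan(RULES_XML, PROGRAM, ["OrderPage.Page_Load"]):
        print(f"{issue}: tainted data reaches {sink} in {where}")
```

Two design choices carry over to a real engine: the sanitizer rule is what lets the HtmlEncode'd echo pass while the raw echo is flagged, and treating unknown library calls as taint-propagating errs toward false positives rather than missed flaws, which is the right bias for a tool whose output an analyst reviews.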


Slide 32: Resources
 Threat Analysis & Modeling (TAM): http://msdn2.microsoft.com/en-us/security/aa570413.aspx
 Anti-XSS Library: http://msdn2.microsoft.com/en-us/security/aa973814.aspx
 ACE Team blog: http://blogs.msdn.com/ace_team/

Slide 33: The End
 Q&A
 Important: beer / hard liquor (Vodka/Lemon, Margaritas, Mojitos, you name it...) are always welcome
 Simon Roses Femerling, simonros@microsoft.com

