
developing secure code on the microsoft platform


Presentation Transcript


    1. Developing Secure Code on the Microsoft Platform
        Anil Revuru, Microsoft ACE Team
        Steve Yi, Microsoft ISV Architecture Advisor

    2. Introductions [STEVE]
        - Steve Yi, Microsoft ISV Architecture Advisor: steveyi@microsoft.com, http://blogs.msdn.com/steveyi
        - Anil Revuru, Microsoft ACE Team: Anil.revuru@microsoft.com, http://blogs.msdn.com/ace_team

    3. Agenda [STEVE]
        - Introduction
        - Microsoft ACE Team
        - SDL – Security Development Lifecycle
        - Threat Modeling
        - Web Applications
        - Application Configuration
        - SQL Server
        - Authentication & Authorization
        - Resources
        - Next Steps
        - Q&A

    4. Who is the ACE Team? [ANIL]
        - ACE Team: Application Consulting & Engineering
        - Technologists that provide services in the areas of security, privacy & performance
        - The team enforces the ASAP process in Microsoft
          - ASAP: Application Software Assurance Program
          - Process to ensure security & privacy standards are met by Line of Business applications
        - ACE Services: services arm of the ACE Team

    5. Security Development Lifecycle [ANIL]
        - Objective: identify and ensure resolution of security/privacy vulnerabilities found in applications
        - Enable Application Risk Management: Strategic, Tactical, Operational, Legal

    6. SDL – Inputs & Outputs [ANIL]
        - Inputs: Application Information, Design Documents, Source Code, Server Information
        - Outputs: Bugs logged in security/privacy database, Exception Requests

    7. SDL & SDLC [ANIL]
        - Designed to be in line with the Software Development Lifecycle

    8. SDL: Risk Assessment [ANIL]
        - SDLC Envision: SDL Risk Assessment
        - Objective: System Inventory; determine application risk categorization
          - High Risk Security/Privacy Release: compulsory threat model/design review; white box code review and host level scan
          - Medium Risk Security/Privacy Release: white box code review and host level scan
          - Low Risk Security/Privacy Release: host level scan

    9. SDL: Threat Model / Design Review [ANIL]
        - SDLC Design: SDL Threat Model
        - Objective: consistent methodology for objectively evaluating threats to applications
        - Review application design to verify compliance with security standards and best practices
        - Verify application meets application principles: Confidentiality & Integrity; Authentication & Authorization; Availability; Non-repudiation

    10. SDL: Threat Modeling [ANIL]
        - Review security checklist/policy
        - Team concludes ‘self’ code review and attack and penetration testing
        - DEMONSTRATION: Microsoft Threat Analysis & Modeling v2.0 Beta 2

    11. SDL: Internal Review [ANIL]
        - SDLC Develop: SDL Internal Review
        - Review security checklist/policy
        - Team concludes ‘self’ code review and attack and penetration testing

    12. SDL: Assessment [ANIL]
        - SDLC Testing: SDL Pre-Production Assessment
        - Objective
          - Low Risk Applications: Host Level Scan (Windows, IIS, SQL)
          - Medium/High Risk Applications: Host Level Scan; White Box Code Review

    13. SDL: White Box Code Review Process [ANIL]
        - Application team provides source code
        - Analysts review application code, uncovering security vulnerabilities
        - Vulnerabilities logged in bug database
        - Application team addresses all Severity 1 bugs prior to release

    14. Common Attack Patterns [ANIL]
        - White Box Code Review may reveal:
          - Cross-Site Scripting vulnerabilities
          - SQL Injection
          - Buffer Overflow
          - Poor Authorization Controls
          - Secrets Stored in Clear Text

    15. Securing Web Applications: Cross Site Scripting [STEVE]
        - A technique allowing hackers to:
          - Appear to re-write the text of your web site
          - Abuse the user’s trust in your site to:
            - Steal web session info and cookies
            - Hijack client sessions
            - Potentially access the computer
            - Execute ActiveX controls

    16. Securing Web Applications: Cross Site Scripting Defense [STEVE]
        - Input validation: 1st line of defense
        - Output encoding
        - Platform features: Server.HtmlEncode() doesn’t always protect
        - Use Anti-XSS (properly implemented)
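        The slide's four defenses, worked through as an added C# example (not code from the deck): whitelist validation first, then an encoder chosen per output context, which is the point behind "Server.HtmlEncode() doesn't always protect". The Anti-XSS Library reference (Microsoft.Security.Application) and the display-name field format are assumptions.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;
using Microsoft.Security.Application;   // Anti-XSS Library (assumed project reference)

public static class XssDefense
{
    // 1st line of defense: accept only what the field may contain. Assumed
    // field: a display name of 1-40 letters, digits or spaces.
    static readonly Regex DisplayName = new Regex(@"^[A-Za-z0-9 ]{1,40}$");

    public static bool IsValidDisplayName(string input)
    {
        return input != null && DisplayName.IsMatch(input);
    }

    // HTML body context. Server.HtmlEncode delegates to HttpUtility.HtmlEncode,
    // which encodes <, >, & and " but (in .NET 2.0) leaves the single quote
    // untouched; that is why it is not always enough on its own.
    public static string ForHtmlBody(string untrusted)
    {
        return "<p>" + HttpUtility.HtmlEncode(untrusted) + "</p>";
    }

    // Attribute context: Anti-XSS white-lists known-safe characters and encodes
    // everything else, including the quote characters that would end the attribute.
    public static string ForHtmlAttribute(string untrusted)
    {
        return "<input type='text' value='" + AntiXss.HtmlAttributeEncode(untrusted) + "' />";
    }

    // URL context: a value going into a query string needs URL encoding, not HTML encoding.
    public static string ForQueryString(string untrusted)
    {
        return "/Profile.aspx?name=" + AntiXss.UrlEncode(untrusted);
    }

    public static void Main()
    {
        string input = "O'Brien <b>";                    // constructed untrusted input
        Console.WriteLine(IsValidDisplayName(input));    // false: rejected by validation
        Console.WriteLine(ForHtmlBody(input));
        Console.WriteLine(ForHtmlAttribute(input));
        Console.WriteLine(ForQueryString(input));
    }
}
```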

    17. Securing Web App Config [STEVE]
        - Secure sensitive configuration information in Web.config
        - Configuration sections:
          - <appSettings>: custom application settings
          - <connectionStrings>: connection strings
          - <identity>: impersonation credentials
          - <sessionState>: connection string for the out-of-process session state provider
        - How To: Encrypt Configuration Sections in ASP.NET 2.0
          http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000006.asp

    18. Securing Web App Config [STEVE]
        - aspnet_regiis -pe "SectionName" -app "/FolderName" -prov "ProviderName"
          - DPAPI: DataProtectionConfigurationProvider
          - RSA: RSAProtectedConfigurationProvider
        - Accessing config data remains the same:
          WebConfigurationManager.ConnectionStrings["MyLocalSQLServer"].ConnectionString;
          WebConfigurationManager.AppSettings["presenter1"];
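        The same section encryption done from code instead of aspnet_regiis, as an added C# example (not from the deck) using the .NET 2.0 configuration API; the virtual path "/FolderName" and the connection string name "MyLocalSQLServer" are taken from the slides, and the Main is only illustrative.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtection
{
    // Same effect as: aspnet_regiis -pe "SectionName" -app "/FolderName" -prov "ProviderName"
    // providerName is one of the two providers named on slide 18.
    public static void ProtectSection(string appVirtualPath, string sectionName, string providerName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ConfigurationErrorsException("Section not found: " + sectionName);
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(providerName);
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // Reverse operation (aspnet_regiis -pd); needed when rotating keys or moving servers.
    public static void UnprotectSection(string appVirtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section != null && section.SectionInformation.IsProtected)
        {
            section.SectionInformation.UnprotectSection();
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // Reading code is unchanged: ASP.NET decrypts on load and the caller sees plaintext.
    public static string GetConnectionString(string name)
    {
        ConnectionStringSettings settings = WebConfigurationManager.ConnectionStrings[name];
        if (settings == null)
            throw new ConfigurationErrorsException("No connection string named " + name);
        return settings.ConnectionString;
    }

    public static void Main()
    {
        // DPAPI keys are bound to the machine; for a web farm use the RSA provider
        // and export/import its key container on every server instead.
        ProtectSection("/FolderName", "connectionStrings", "DataProtectionConfigurationProvider");
        Console.WriteLine(GetConnectionString("MyLocalSQLServer"));
    }
}
```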

    19. Securing Databases: SQL Injection [STEVE]
        - Supplying carefully crafted input to alter (or create) SQL statements
        - If the ID is read directly from a Web or Windows form, the user could enter any of the following:
          - ALFKI1001
          - ALFKI1001’ OR 1=1-

    20. Securing Databases: SQL Injection Defense [STEVE]
        - Abandon Dynamic SQL
        - Use Stored Procedures or SQL parameterized queries
        - Sanitize all input

    21. Securing Databases [STEVE]
        - Consider all input ‘guilty until proven otherwise’
        - Run with least privilege – never as ‘sa’
        - Restrict access to built-in stored procedures
        - Do not display ODBC errors
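        Slides 19 to 21 as one added C# example (not code from the deck): the dynamic-SQL form the slide warns about beside a hardened lookup that validates, parameterizes, runs under a low-privileged identity and hides provider errors. The Customers table, its columns and the connection string are constructed for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Text.RegularExpressions;

public static class CustomerLookup
{
    // Assumed schema: a Customers table with CustomerID and CompanyName,
    // keyed by the ALFKI-style IDs the slide uses.
    static readonly Regex IdPattern = new Regex(@"^[A-Z0-9]{1,10}$");

    // Least privilege: a constructed connection string that uses the app's own
    // low-privileged Windows identity rather than 'sa'.
    public const string ExampleConnectionString =
        "Server=(local);Database=AppDb;Integrated Security=SSPI;";

    // The vulnerable pattern from the slide: the value is spliced into the
    // statement, so the second input on slide 19 rewrites the WHERE clause.
    public static string BuildDynamicSql(string customerId)
    {
        return "SELECT CompanyName FROM Customers WHERE CustomerID = '" + customerId + "'";
    }

    // Hardened: input is guilty until proven otherwise, then bound as a typed
    // parameter so the server never parses it as SQL. The same Parameters.Add
    // call works unchanged with CommandType.StoredProcedure.
    public static string GetCompanyName(string connectionString, string customerId)
    {
        if (customerId == null || !IdPattern.IsMatch(customerId))
            throw new ArgumentException("Customer ID has an unexpected format.");
        try
        {
            using (SqlConnection conn = new SqlConnection(connectionString))
            using (SqlCommand cmd = new SqlCommand(
                "SELECT CompanyName FROM Customers WHERE CustomerID = @id", conn))
            {
                cmd.Parameters.Add("@id", SqlDbType.NVarChar, 10).Value = customerId;
                conn.Open();
                return cmd.ExecuteScalar() as string;   // null when no row matches
            }
        }
        catch (SqlException ex)
        {
            // Log the provider error server-side; never show it to the user.
            Trace.TraceError("Customer lookup failed: {0}", ex.Message);
            throw new ApplicationException("The customer lookup could not be completed.");
        }
    }
}
```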

    22. Securing Database Info [STEVE]
        - Encrypt sensitive data: Social Security Numbers, Credit Card info, HIPAA Compliance
        - SQL Server 2005:
          - Request/Response encrypted by default
          - Native in-database encryption
          - Certificate-based, asymmetric and symmetric encryption
          - SQL Server 2005 Books Online

    23. Securing Authorization & Authentication [STEVE]
        - Encapsulate common application security tasks
        - Present a standard provider model for common security tasks
        - Minimize the need for custom security-related code
        - Incorporate best practices for application security

    24. Microsoft ACE Team [ANIL]
        - Services Offered:
          - Application Security Code Review
          - Threat Modeling / Design Reviews
        - Training:
          - Secure Application Development
          - Threat Modeling (coming soon)
          - Infrastructure Hacking (coming soon)
        - Assistance with developing and deploying SDL within your environment & solutions

    25. Resources [STEVE]
        - ACE Team Blog: http://blogs.msdn.com/ace_team/default.aspx
        - Application Threat Modeling: http://msdn.microsoft.com/security/securecode/threatmodeling/acetm/
        - Microsoft Threat Analysis and Modeling v2.0 Beta 2: http://www.microsoft.com/downloads/details.aspx?familyid=aa5589bd-fb2c-40cf-aec5-dc4319b491dd&displaylang=en
        - Custom data sources
        - Developer Security Resource Kit: http://msdn.microsoft.com/security/securityreskit/default.aspx
        - MSPress: Writing Secure Code: http://www.microsoft.com/mspress/books/5957.asp
        - Enterprise Library 2.0: http://msdn.microsoft.com/practices/

    26. Next Steps & Conclusion [STEVE]
        - Learn More
        - Align your development processes and organization to develop secure code
        - Iterate and improve
        - Iterate and improve
        - Iterate and improve

    27. Windows Vista Code Master Challenge

    28. ISV Developer Training Online, Any Time
        Need talking notes for web seminars… ISV Touchdown Virtual Labs: This series of hands-on labs is hosted by Microsoft—so there's no need to format hard drives or dedicate computers, and nothing to install. With 14 no-cost lab modules to choose from, you're sure to find the training you need. Each module includes a downloadable instruction manual and a 90-minute block of time in which to complete the module.

    29. Additional Resources for ISVs
        - Visit the U.S. ISV Website: https://www.microsoft.com/partner/usa/isv
        - ISV Training and Events: http://partner.microsoft.com/us/isvtraining
        - MSDN ISV Community Center: http://msdn.microsoft.com/isv
        Visit the U.S. ISV Website to stay up to date on all of the latest programs, offerings, and events for ISVs. You can also sign up for the monthly ISV newsletter. Just go to www.microsoft.com/partner/usa/isv. Find out about the Microsoft Partner Program and how you can obtain the ISV Competency to receive special benefits tailored just for ISVs. Go to partner.microsoft.com/us/isvcomp. To find future ISV events and webcasts, visit www.msreadiness.com/isv.asp. Another great website for ISVs is the MSDN ISV Community Center at msdn.microsoft.com/isv, where you can find relevant technical information, white papers, blogs, and more.
