
Chris’s Top Ten Security Tips






Presentation Transcript


  1. Chris’s Top Ten Security Tips Chris Seary CISSP MVP

  2. Me • Securing large enterprise applications • Developer • ISO 27001 Lead Auditor

  3. 10.What is an X509 certificate?

  4. 10.What is an X509 certificate? [Diagram] Message → Encrypt → Jhbsx^8 → Decrypt → Message

  5. 10.What is an X509 certificate? [Diagram] Message → Encrypt (with the public key) → Jhbsx^8 → Decrypt (with the private key) → Message

  6. 10.What is an X509 certificate? [Diagram] As slide 5, with the note: usually the public key encrypts only a symmetric key, and that symmetric key encrypts the message.

  7. 10.What is an X509 certificate? [Diagram] Certificate: Subject name, Serial number, Issuer, Public key, CA signature, Attribute 1, Attribute 2, Attribute 3, ...

  8. 10.What is an X509 certificate? [Diagram] The certificate (fields as on slide 7) sits in the certificate store alongside its private key.

  9. 10.What is an X509 certificate? [Diagram] As slide 8. The private key is the essential component!

  10. 10.What is an X509 certificate? • Local machine store: certificates used by the system (the demo uses Network Service) • Current user store: certificates of the logged-on user • Permissions have to be granted for other users to access the private keys

  11. 9.What is a PKI?

  12. 9.What is a PKI? [Diagram] Jennifer and Brad.

  13. 9.What is a PKI? [Diagram] Jennifer obtains Brad's public key.

  14. 9.What is a PKI? [Diagram] Jennifer encrypts her message with Brad's public key: "Kvhdxa 6e6t4g".

  15. 9.What is a PKI? [Diagram] The encrypted message "Kvhdxa 6e6t4g" is sent to Brad.

  16. 9.What is a PKI? [Diagram] Brad decrypts with his private key and reads the message ("Stuff").

  17. 9.What is a PKI? Man in the middle attack [Diagram] Angelina sits on the path between Jennifer and Brad.

  18. 9.What is a PKI? Man in the middle attack [Diagram] Brad sends his public key towards Jennifer.

  19. 9.What is a PKI? Man in the middle attack [Diagram] Angelina intercepts it and passes her own public key to Jennifer instead; Jennifer believes it is Brad's.

  20. 9.What is a PKI? Man in the middle attack [Diagram] Jennifer encrypts her message with what is really Angelina's public key: "Gvvwh 336fwd".

  21. 9.What is a PKI? Man in the middle attack [Diagram] Jennifer sends the message; Angelina intercepts it.

  22. 9.What is a PKI? Man in the middle attack [Diagram] Angelina decrypts it with her private key and reads "Message stuff".

  23. 9.What is a PKI? Man in the middle attack [Diagram] Angelina changes the message to "Message New".

  24. 9.What is a PKI? Man in the middle attack [Diagram] Angelina encrypts the altered message using Brad's real public key: "Hjbsxa687 svscv".

  25. 9.What is a PKI? Man in the middle attack [Diagram] Angelina sends it on to Brad.

  26. 9.What is a PKI? Man in the middle attack [Diagram] Brad decrypts using his private key and reads "Message New", believing it came from Jennifer.

  27. 9.What is a PKI? [Diagram] A CA is added. Brad's public key.

  28. 9.What is a PKI? [Diagram] The CA digitally signs Brad's public key.

  29. 9.What is a PKI? [Diagram] Both Jennifer and Brad trust the CA: the CA cert is placed in each of their cert stores.

  30. 9.What is a PKI? [Diagram] Brad sends Jennifer his CA-signed public key.

  31. 9.What is a PKI? [Diagram] Jennifer checks the signature on Brad's cert against the public key in the CA cert in her store. Definitely Brad! (Angelina cannot produce the CA's signature over a substituted key, so the swap on slide 19 is now detected.)
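The following is an added example, not code from the deck: a toy Python simulation of the certificate fields on slides 7-9 and of the two exchanges on slides 12-31. It uses textbook RSA over fixed Mersenne primes purely so the run is deterministic and needs no third-party library; that, the CA name "Example CA" and the serial numbers are assumptions, and nothing here is a real crypto library. `run_without_pki` shows Angelina reading and altering the message; `run_with_pki` shows Jennifer rejecting a certificate whose public key was swapped, because the CA signature no longer covers the contents.

```python
"""Added example: a toy PKI that mirrors the slides (assumption: textbook RSA,
no padding, tiny fixed primes; NOT secure, stands in for a real library)."""
import dataclasses
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Key = Tuple[int, int]  # public (e, n) or private (d, n)

# 2**k - 1 for these k are Mersenne primes: fine for a toy, terrible for real keys.
MERSENNE = [(1 << k) - 1 for k in (31, 61, 89, 107, 127, 521)]

def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def encrypt(pub: Key, msg: bytes) -> int:
    e, n = pub
    m = int.from_bytes(msg, "big")
    if m >= n:
        raise ValueError("toy RSA: message must be smaller than the modulus")
    return pow(m, e, n)

def decrypt(priv: Key, c: int) -> bytes:
    d, n = priv
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv: Key, data: bytes) -> int:
    d, n = priv
    return pow(_digest(data, n), d, n)

def verify(pub: Key, data: bytes, sig: int) -> bool:
    e, n = pub
    return pow(sig, e, n) == _digest(data, n)

@dataclass(frozen=True)
class Certificate:
    """Fields from slide 7; everything except ca_signature is what the CA signs."""
    subject: str
    serial: int
    issuer: str
    public_key: Key
    ca_signature: int = 0

    def tbs(self) -> bytes:  # the "to be signed" part, as in X.509
        e, n = self.public_key
        return f"{self.subject}|{self.serial}|{self.issuer}|{e}|{n}".encode()

def issue(ca_name: str, ca_priv: Key, subject: str, serial: int, pub: Key) -> Certificate:
    unsigned = Certificate(subject, serial, ca_name, pub)
    return dataclasses.replace(unsigned, ca_signature=sign(ca_priv, unsigned.tbs()))

def check_certificate(cert: Certificate, ca_cert: Certificate, expected_subject: str) -> bool:
    """Slide 31: check the signature on the cert against the CA cert's public key."""
    return (cert.issuer == ca_cert.subject
            and cert.subject == expected_subject
            and verify(ca_cert.public_key, cert.tbs(), cert.ca_signature))

def run_without_pki() -> Tuple[bytes, bytes]:
    """Slides 17-26: Angelina swaps her key in, reads, alters and re-encrypts."""
    brad_pub, brad_priv = make_keypair(MERSENNE[0], MERSENNE[1])
    ang_pub, ang_priv = make_keypair(MERSENNE[2], MERSENNE[3])
    key_jennifer_got = ang_pub                           # swapped in transit (slide 19)
    intercepted = encrypt(key_jennifer_got, b"Stuff")    # slides 20-21
    what_angelina_read = decrypt(ang_priv, intercepted)  # slide 22
    forwarded = encrypt(brad_pub, b"New")                # slides 23-25
    return what_angelina_read, decrypt(brad_priv, forwarded)  # slide 26

def run_with_pki() -> Dict[str, Optional[bytes]]:
    """Slides 27-31: the CA signs Brad's key; Jennifer checks before encrypting."""
    ca_pub, ca_priv = make_keypair(MERSENNE[4], MERSENNE[5])
    ca_cert = issue("Example CA", ca_priv, "Example CA", 1, ca_pub)  # self-signed root in the store
    brad_pub, brad_priv = make_keypair(MERSENNE[0], MERSENNE[1])
    brad_cert = issue("Example CA", ca_priv, "Brad", 1001, brad_pub)
    ang_pub, _ = make_keypair(MERSENNE[2], MERSENNE[3])
    # Angelina copies Brad's certificate and swaps in her own key; the CA signature
    # no longer matches the signed fields and she cannot produce a new one.
    forged = dataclasses.replace(brad_cert, public_key=ang_pub)
    outcome: Dict[str, Optional[bytes]] = {}
    for label, cert in (("forged", forged), ("genuine", brad_cert)):
        if check_certificate(cert, ca_cert, "Brad"):
            outcome[label] = decrypt(brad_priv, encrypt(cert.public_key, b"Stuff"))
        else:
            outcome[label] = None  # Jennifer refuses to encrypt to an unverified key
    return outcome

if __name__ == "__main__":
    print("no PKI  :", run_without_pki())
    print("with PKI:", run_with_pki())
```

Without the CA, Brad ends up with "New" although Jennifer sent "Stuff"; with the CA cert in Jennifer's store, the forged certificate fails `check_certificate` and only the genuine one is used. A real check also validates the validity period, the chain up to the root, and revocation status, which this toy omits.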

  32. 8. Best way to implement cryptography • Don't write your own algorithm • Use policy where possible (WS-Security) • Use configuration where possible (IIS and SSL) • Use simple APIs that perform crypto in one step (CAPICOM, Enterprise libraries)

  33. 7.How do we store secrets? • Encryption! • But…… • How do we store the encryption key?

  34. 7.How do we store secrets? • DPAPI • Get from nugget

  35. 6. What's the one hop problem? • I can authenticate to the web server • I can't authenticate to the database on another server: the web server has no credentials of mine that it can pass on to the next hop

  36. 6. What's the one hop problem? [Diagram] Web server → SQL

  37. 6. What's the one hop problem? [Diagram] Username/password → Web server → SQL

  38. 6. What's the one hop problem? [Diagram] Username/password → Web server → NTLM auth → SQL (NTLM cannot be delegated to a second hop)

  39. 6. What's the one hop problem? [Diagram] Digest or AD cert mapping → Web server → SQL

  40. 6. What's the one hop problem? [Diagram] Digest or AD cert mapping → Web server → Null session → SQL

  41. 6. What's the one hop problem? [Diagram] As slide 40: the web server reaches SQL only as a null session, not as the user.

  42. 6. What's the one hop problem? Solution! • Kerberos • Protocol transition

  43. 6. What's the one hop problem? Solution! [Diagram] Any IIS authentication method (Basic, Certs, Digest) → Web server → SQL

  44. 6. What's the one hop problem? Solution! [Diagram] Any IIS authentication method (Basic, Certs, Digest) → Web server → Kerberos auth → SQL

  45. 6. What's the one hop problem? Solution! • Patterns and Practices 'Web Service Security: Scenarios, Patterns and Implementation Guidance for Web Services Enhancements (WSE) 3.0' • From MSDN

  46. 5.ACL, DACL and SACL – wossat?

  47. 4.Validation, validation, validation • CICO • Crap In Crap Out

  48. 4.Validation, validation, validation • White list validation: check for what you will allow • Regex (many functions available on the net) • Replace bad input • Escape characters • HTMLEncode output: not a cure, but a patch • Negotiate acceptable input with the business when gathering requirements
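An added example, not from the deck, of the three techniques on slide 48 side by side: an allow-list regex check, "replace bad input" stripping, and HTML-encoding the output. The field rule (a username: a letter, then letters, digits or underscore, 3 to 32 characters in total) is an assumption standing in for whatever is negotiated with the business, and the inputs are constructed test strings.

```python
"""Added example: allow-list validation versus sanitising versus output encoding.
The username rule and the sample inputs are assumptions/constructed data."""
import html
import re
from typing import Dict, Tuple

# Allow-list: describe what we accept, never what we block.
USERNAME = re.compile(r"[A-Za-z][A-Za-z0-9_]{2,31}")

def validate_username(value: str) -> bool:
    """White-list check; fullmatch so nothing can trail the allowed part."""
    return USERNAME.fullmatch(value) is not None

def strip_bad_input(value: str) -> str:
    """'Replace bad input': drop anything outside a loose character set.
    A patch, not a cure: it silently mangles legitimate input such as O'Brien."""
    return re.sub(r"[^A-Za-z0-9 _.@-]", "", value)

def render_greeting(name: str) -> str:
    """HTMLEncode at the output boundary so whatever got in cannot become markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"

SAMPLES = [  # constructed inputs: two good, four that must be rejected
    "alice_01",
    "bob",
    "<script>alert(1)</script>",
    "O'Brien",
    "admin'--",
    "x" * 40,
]

def run_checks() -> Dict[str, Tuple[bool, str, str]]:
    """Map each sample to (accepted by allow-list, stripped form, encoded output)."""
    return {s: (validate_username(s), strip_bad_input(s), render_greeting(s)) for s in SAMPLES}

if __name__ == "__main__":
    for sample, (ok, stripped, rendered) in run_checks().items():
        print(f"{sample!r:30} allow-list={ok!s:5} stripped={stripped!r:22} {rendered}")
```

The allow-list rejects every hostile sample outright; stripping turns `<script>alert(1)</script>` into `scriptalert1script` but also turns `O'Brien` into `OBrien`, which is why the slide calls it a patch; encoding keeps `O'Brien` intact in the page while neutralising the script tags, but only protects the HTML context it is applied to.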

  49. 3.Warning, Will Robinson!

  50. 2.Using SQL
