Essentials of Application Security

Rames Gantanant

Puumsoft, Director of Business Solutions

Microsoft, Regional Director Thailand

What We Will Cover
  • The Importance of Application Security
  • Security Technologies
  • Secure Development Guidelines
Session Prerequisites
  • Development experience with Microsoft Visual Basic®, Microsoft Visual C++®, or C#

Level 200

Agenda
  • The Importance of Application Security
  • Security Technologies
  • Secure Development Guidelines
Common Types of Attacks
  • Organizational attacks
  • Attackers
  • Automated attacks
  • Accidental breaches in security
  • Denial of service (DoS)
  • Viruses, Trojan horses, and worms
  • Other diagram labels: Restricted Data, DoS, Connection Fails
Consequences of Poor Security
  • Stolen intellectual property
  • System downtime
  • Lost productivity
  • Damage to business reputation
  • Lost consumer confidence
  • Severe financial losses due to lost revenue
Challenges When Implementing Security
  • Attackers vs. Defenders
    • Attacker needs to understand only one vulnerability
    • Defender needs to secure all entry points
    • Attackers have unlimited time
    • Defender works with time and cost constraints
  • Security vs. Usability
    • Secure systems are more difficult to use
    • Complex and strong passwords are difficult to remember
    • Users prefer simple passwords
  • Security As an Afterthought ("Do I need security…")
    • Developers and management think that security does not add any business value
    • Addressing vulnerabilities just before a product is released is very expensive
The Developer Role in Application Security
  • Developers must:
    • Work with solution architects and systems administrators to ensure application security
    • Contribute to security by:
      • Adopting good application security development practices
      • Knowing where security vulnerabilities occur and how to avoid them
      • Using secure programming techniques
Holistic Approach to Security
  • Security must be considered at:
    • All stages of a project
      • Design
      • Development
      • Deployment
    • All layers
      • Network
      • Host
      • Application

“Security is only as good as the weakest link”

Security Throughout Project Lifecycle
  • Milestones: Concept, Designs Complete, Test Plans Complete, Code Complete, Ship, Post-Ship
  • Security activities shown along the timeline:
    • Secure questions during interviews
    • Train team members
    • Analyze threats
    • Determine security sign-off criteria
    • External review
    • Security team review
    • Data mutation and least privilege tests
    • Review old defects, check-ins checked, secure coding guidelines, use tools
    • Security push
    • Learn and refine
  • Diagram legend: = ongoing

Agenda
  • The Importance of Application Security
  • Security Technologies
  • Secure Development Guidelines
Overview of Security Technologies
  • Developers need to use and apply:
    • Encryption
    • Hashing
    • Digital signatures
    • Digital certificates
    • Secure communication
    • Authentication
    • Authorization
    • Firewalls
    • Auditing
    • Service packs and updates
Encryption
  • Encryption is the process of encoding data
    • To protect a user’s identity or data from being read
    • To protect data from being altered
    • To verify that data originates from a particular user
  • Encryption can be:
    • Asymmetric
    • Symmetric
Verifying Data Integrity with Hashes
  • User A: Data → Hash Algorithm → Hash Value
  • User A sends data and hash value to User B
  • User B: Data → Hash Algorithm → Hash Value
  • If hash values match, data is valid
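The User A / User B exchange above, as an added example that is not part of the original presentation. It goes one step beyond the slide: an unkeyed hash sent with the data catches corruption, but whoever alters the data can also recompute the hash, so the second half uses a keyed hash (HMAC). The messages, the shared key and all function names are constructed for illustration.

```python
import hashlib
import hmac


def make_message(data: bytes):
    """User A: hash the data and send both (unkeyed, as on the slide)."""
    return data, hashlib.sha256(data).hexdigest()


def verify_message(data: bytes, received_hash: str) -> bool:
    """User B: recompute the hash and compare it with the one received."""
    computed = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(computed, received_hash)


def make_keyed_message(key: bytes, data: bytes):
    """User A: HMAC-SHA256 tag that needs a key shared with User B."""
    return data, hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed_message(key: bytes, data: bytes, tag: str) -> bool:
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    key = b"constructed-shared-secret"          # assumption: pre-shared key
    original = b"transfer 100 to account 42"    # constructed sample data
    altered = b"transfer 900 to account 42"     # same data changed in transit
    data, digest = make_message(original)
    results = {
        "intact": verify_message(data, digest),
        "corrupted_in_transit": verify_message(altered, digest),
        # Data and hash replaced together: the unkeyed check still passes.
        "altered_and_rehashed": verify_message(*make_message(altered)),
    }
    _, tag = make_keyed_message(key, original)
    results["keyed_intact"] = verify_keyed_message(key, original, tag)
    # Without the key, a recomputed plain hash is not a valid tag.
    forged_tag = hashlib.sha256(altered).hexdigest()
    results["keyed_altered"] = verify_keyed_message(key, altered, forged_tag)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'valid' if ok else 'rejected'}")
```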
How Digital Certificates Work
  • Diagram labels: User, Computer, Service, Application; Private/Public Key Pair (Private Key, Public Key); Certification Authority; Certified Administrator

Secure Communication Technologies
  • Technologies include:
    • IPSec
    • SSL
    • TLS
    • RPC encryption

Secure Communication: How SSL Works
  • Diagram labels: Secure Browser, Secure Web Server, Web Server Root Certificate, Message, HTTPS
  1. The user browses to a secure Web server by using HTTPS
  2. The browser creates a unique session key and encrypts it by using the Web server’s public key, which is generated from the root certificate
  3. The Web server receives the session key and decrypts it by using the server’s private key
  4. After the connection is established, all communication between the browser and Web server is secure

Demonstration 1: SSL Server Certificates
  • Viewing a Web Site on a Non-Secure Server
  • Generating a Certificate Request
  • Requesting a Trial Certificate
  • Installing the SSL Certificate
  • Testing the SSL Certificate

Authentication: Purpose of Authentication
  • Verifies the identity of a principal by:
    • Accepting credentials
    • Validating those credentials
  • Secures communications by ensuring your application knows who the caller is
  • Encrypting the data is not enough!
Authentication: Authentication Methods
  • Basic
  • Digest
  • Digital certificates
  • Integrated
    • The Kerberos version 5 protocol
    • NTLM
  • Microsoft Passport
  • Biometrics
Authentication: Basic Authentication
  • Is simple but effective
  • Is supported by all major browsers and servers
  • Is easy to program and set up
  • Manages user credentials
  • Requires SSL/TLS
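Why Basic authentication requires SSL/TLS, as an added example that is not part of the original presentation: the `Authorization` header is only Base64-encoded, so the server-side parser below recovers the password with no key at all, and anyone who can read the request can do the same. The user store, the `is_tls` flag, the 403 response for cleartext requests and the function names are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import hmac

ITERATIONS = 100_000
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed salt


def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user store: username -> (salt, PBKDF2 hash), never the password.
USERS = {"alice": (SALT, derive_key("correct horse", SALT))}


def sample_header(user: str, password: str) -> str:
    """What a browser sends: 'Basic ' + base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(header: str):
    """Return (user, password), or None if the header is not valid Basic."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep else None


def authenticate(header: str, is_tls: bool) -> int:
    """Return an HTTP status code for the request."""
    if not is_tls:
        return 403  # assumption: refuse credentials sent over cleartext HTTP
    creds = parse_basic(header)
    if creds is None:
        return 401
    user, password = creds
    # Unknown users still run the derivation so timing does not reveal them.
    salt, stored = USERS.get(user, (SALT, bytes(32)))
    ok = hmac.compare_digest(derive_key(password, salt), stored)
    return 200 if ok and user in USERS else 401
```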
Authentication: When to Use Integrated Authentication
  • Flowchart (Client, Firewall, Windows Integrated) with three decisions:
    • Intranet? No: Cannot use Integrated Authentication. Yes: continue.
    • Windows 2000 or later? No: NTLM (Server Authentication). Yes: continue.
    • Active Directory Domain? Yes: Kerberos (Client and Server Authentication).

Authorization: What is Authorization?
  • Authorization:
    • Occurs after your client request is authenticated
    • Is the process of confirming that an authenticated principal is allowed access to specific resources
    • Checks rights assigned to files, folders, registry settings, applications, and so on
    • Can be role-based
    • Can be code-based
Authorization: Common Authorization Techniques
  • IIS Web permissions (and IP/DNS restrictions)
  • .NET role-based security
  • .NET code access security
  • NTFS access control lists (ACL)
  • SQL Server logins
  • SQL Server permissions
Authorization: Impersonation/Delegation Model
  • Client identity is used to access downstream resources
  • Diagram: identities A, B, and C appear at both the Web or Application Server and the Database or other resource server
Demonstration 2: IIS Authentication Techniques
  • Using Anonymous Authentication
  • Using Basic Authentication
  • Using Integrated Windows Authentication

Agenda
  • The Importance of Application Security
  • Security Technologies
  • Secure Development Guidelines
Proactive Security Development
  • Integrate security improvements throughout the development process
  • Focus on security and ensure your code can withstand new attacks
  • Promote the key role of education
    • Raise awareness within your team
    • Learn from your mistakes and others’ mistakes
Adopt the SD3 Security Framework
  • Secure by Design
    • Build threat models
    • Conduct code reviews, penetration tests
    • Run code with minimal privileges
  • Secure by Default
    • Minimize your attack surface
    • Enable services securely
  • Secure in Deployment
    • Leverage the security best practices
    • Create security guidance
    • Build tools to assess application security
Session Summary
  • The Importance of Application Security
  • Security Technologies
  • Secure Development Guidelines
For More Information
  • Microsoft Security Site (all audiences)
    • http://www.microsoft.com/security
  • MSDN Security Site (developers)
    • http://msdn.microsoft.com/security
  • TechNet Security Site (IT professionals)
    • http://www.microsoft.com/technet/security