Jeff Zado, [email protected]
Sr. Product Manager, Development Tools, Microsoft Canada

Security Risks beyond the Network: Developing Secure Solutions
Abstract

Ensuring that your organization's applications are secure is no longer just about firewalls, networks and simple authentication. Security is a big challenge for organizations and the price of failure could mean disastrous results for companies and shareholders. But I am sure that you all know this, as you are security experts. However, developing secure software is a relatively new discipline that organizations are adopting and integrating throughout the software development lifecycle. In this talk we will look at common application security issues, how companies can identify them earlier in the development lifecycle and how Microsoft solutions can be leveraged to assist you and our organizations.
"We cannot adopt the way of living that was satisfactory a hundred years ago. The world in which we live has changed, and we must change with it."
Felix Adler
State of the Industry
- "Over 70 percent of security vulnerabilities exist at the application layer, not the network layer" (Gartner)
- "The battle between hackers and security professionals has moved from the network layer to the Web applications themselves" (Network World)
- "Hacking has moved from a hobbyist pursuit with a goal of notoriety to a criminal pursuit with a goal of money" (Counterpane Internet Security)
- "64 percent of developers are not confident in their ability to write secure applications" (Microsoft Developer Research)
Security Breaches Affecting Businesses and Consumers

- Britain warns of major e-mail attack. Hackers seen aiming at government, corporate networks. (The Associated Press, updated 1:42 p.m. ET June 16, 2005)
- 40M credit cards hacked. Breach at third party payment processor affects 22 million Visa cards and 14 million MasterCards. (June 20, 2005, 3:18 PM EDT, by Jeanne Sahadi, CNN/Money senior writer)
- In 2004, 78% of enterprises were hit by viruses, 49% had laptops stolen, 37% reported unauthorized access to information (2004 CSI and FBI Computer Crime and Security Survey)
- The FTC reports 1,000 cases a day of ID theft
- A recent FBI operation put an end to a scheme in which nearly 150,000 victims lost more than $215 million
- The number of phishing e-mail messages intercepted by a prominent web security company grew 300% since June 2004
- Over 80% of the top 100 financial institutions have reported external attacks on their IT systems in the past year
- June 23, 2006: Another Government Security Breach. "There ought to be an assumption that data is encrypted when it is at rest or in transit," Kurtz said. "With encryption, a stolen laptop is simply a stolen laptop."
Elements that Drive Change

- People: Providing guidance on secure application development
- Tools: Providing the most innovative tools
- Process: Security cannot be an afterthought
People: Education as a Driver

- Education: Train every Developer and IT Professional on security
- Patterns & Practices: Dedicated team focused on security guidance
- MSDN and TechNet: Sharing whitepapers and "how tos"
Process: Security Development Lifecycle (SDL)

A PROCESS by which Microsoft develops software and defines security requirements and milestones. Its goals:
- Reduce the number of security errors
- Reduce the severity of any security errors not found
- Reduce the attack surface
Accountability and Incentives

- Microsoft Developer Research: Almost 40 percent of developers say that their companies do not think it is "very important" to write secure applications
- CXOs and management say it is very important
- Current incentives are on performance and ship dates
- Must be driven top-down
Engineering Excellence: Focus Yielding Results

[Chart residue: the values 55, 17 and 455 survived extraction; the series labels did not.]
Tools: Utilizing Innovation

Tools facilitate creating secure applications:
- Static Analysis: Scan your code for security vulnerabilities
- Seamlessly create applications for a custom zone
- Create non-admin apps
- Secure by Default
- Process: Secure Software Development Lifecycle
Nurturing the Partner Ecosystem
Canadian Events and Expertise
- MSDN, TechNet and Security Events and web resources
- Threat Modeling: http://msdn.microsoft.com/security/securecode/threatmodeling/acetm/video/
Consequences of Inappropriate Input Handling

Inappropriate input handling leads to the realization of various attack patterns:
- Cross-Site Scripting (XSS)
- One-Click Attacks
- SQL Injection
- Canonicalization issues
- Buffer overflow or arithmetic errors (Memory Management issues)
- Denial of Service
What is Cross-Site Scripting?

A technique that allows attackers to:
- Appear to rewrite the text of your web site
- Abuse the user's trust in your website to:
  - Steal Web session information and cookies
  - Hijack client sessions
  - Potentially access the client computer
Defending Against Cross-Site Scripting Attacks

Do not:
- Trust user input
- Echo client-supplied data without encoding
- Store secret information in cookies

Do:
- Take advantage of ASP.NET's RequestValidation
- Take advantage of ASP.NET's ViewStateUserKey
- Consider IOSec for data encoding (http://toolbox/details/details.aspx?ToolID=22241)
- Use the HttpOnly cookie option
- Use the <frame> security attribute
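The two defences above that a developer applies directly in code are "encode before you echo" and "mark the session cookie HttpOnly". The following is an added, language-neutral illustration written for this page (it is not code from the talk and does not use ASP.NET or IOSec): the same client-supplied string rendered unencoded and encoded, an attribute-context encoding, and a Set-Cookie header carrying the HttpOnly and Secure flags. The input value and the session id are constructed for the demo.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input (not from the slides): a "display name" submitted by a client.
UNTRUSTED_NAME = 'Bob <script>alert("xss")</script>'


def render_greeting_unsafe(name: str) -> str:
    """The anti-pattern: client-supplied data echoed straight into the page."""
    return f"<p>Welcome back, {name}!</p>"


def render_greeting(name: str) -> str:
    """Encode for HTML element content so markup in the input is displayed, not executed."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


def render_search_box(prefill: str) -> str:
    """Encode for an attribute context. quote=True also escapes ' and ", so the value
    cannot terminate the quoted attribute and start a new one."""
    return f'<input type="text" name="q" value="{html.escape(prefill, quote=True)}">'


def contains_active_markup(fragment: str) -> bool:
    """Small check used to show the difference: does a live <script> tag reach the output?"""
    return "<script" in fragment.lower()


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie header with HttpOnly (page script cannot read the cookie, which
    limits the damage of any XSS bug that slips through) and Secure (HTTPS only)."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


if __name__ == "__main__":
    print(render_greeting_unsafe(UNTRUSTED_NAME))   # script tag survives: vulnerable
    print(render_greeting(UNTRUSTED_NAME))          # script tag shown as text: safe
    print(render_search_box('" onfocus="x'))
    print(session_cookie_header("constructed-session-id"))
```

Encoding is context-specific: `html.escape` is correct for element content and quoted attributes, but a value placed inside a script block or a URL needs the encoder for that context, which is the reason the slide points at a dedicated encoding library rather than ad-hoc replacements.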
What is a One-Click Attack?

- The site offers a persistent sign-in option (cookies)
- The victim user navigates to (or opens) an HTML page, perhaps a "once in a lifetime offer"
- One or more actions are carried out using the trust of the victim user, who is completely unsuspecting
Defending Against One-Click Attack

- The browser's cross-frame security limits this to a "write-only" attack
- Concept for defense: require a data element in the request which the attacker can't supply
  - (Overkill) Re-authenticate the user
  - Can ask for confirmation
- Check the Referrer field: document.location or window.open() don't post a Referrer
Defending Against One-Click Attack (cont.)

- Classic ASP: Generate a unique session ID once the user authenticates, encrypt it and bind it to each response sent to the user
- In .NET 1.1 use ViewStateUserKey
  - The value assigned to it must be unique to the current user
  - This value is used as a factor in the ViewState MAC

    // Page code-behind: set the key before ViewState is loaded or generated.
    override protected void OnInit(EventArgs e)
    {
        // ...
        // The signed-in user's name becomes part of the ViewState MAC,
        // so ViewState captured for one user does not validate for another.
        ViewStateUserKey = User.Identity.Name;
        // ...
    }
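The idea behind both the Classic ASP and the ViewStateUserKey advice is the same: every state-changing request must carry a value the attacker's page cannot produce, and that value must be bound to the signed-in user. The following is an added example written for this page, not code from the talk or from ASP.NET: an HMAC-based anti-forgery token that covers the user identity, the form name and a nonce, verified for the current user on every submit. The server key, the `handle_transfer` handler and the dictionary-shaped request are constructed stand-ins.

```python
import hashlib
import hmac
import secrets

# Constructed demo key. In production the key lives outside source control, is rotated,
# and is never sent to the client.
SERVER_KEY = b"constructed-demo-key-do-not-use"


def issue_token(user_identity: str, form_name: str, nonce: str = "") -> str:
    """Return 'nonce:mac'. The MAC covers the signed-in user's identity, so a token an
    attacker obtained for their own account (or guessed) does not verify for the victim.
    This is the same principle as ViewStateUserKey feeding the ViewState MAC."""
    nonce = nonce or secrets.token_hex(16)
    msg = f"{user_identity}\x00{form_name}\x00{nonce}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{nonce}:{mac}"


def verify_token(token: str, user_identity: str, form_name: str) -> bool:
    """Recompute the MAC for the *current* user and form; compare in constant time."""
    try:
        nonce, mac = token.split(":", 1)
    except ValueError:
        return False
    expected = issue_token(user_identity, form_name, nonce).split(":", 1)[1]
    return hmac.compare_digest(mac, expected)


def handle_transfer(request: dict, signed_in_user: str) -> str:
    """Hypothetical request handler. The browser's cookies identify signed_in_user
    automatically (that is what the one-click attack relies on), so the request is only
    acted on when it also carries a token minted for that user and this form."""
    token = request.get("form", {}).get("__token", "")
    if not verify_token(token, signed_in_user, "transfer"):
        return "rejected: missing or foreign anti-forgery token"
    return f"transferred {request['form']['amount']} for {signed_in_user}"


if __name__ == "__main__":
    # Rendering the form for alice embeds her token; a page served from elsewhere cannot.
    alice_token = issue_token("alice", "transfer")
    print(handle_transfer({"form": {"amount": "10", "__token": alice_token}}, "alice"))
    print(handle_transfer({"form": {"amount": "10"}}, "alice"))
```

Binding the token to the form name as well as the user keeps a token issued for one action from being replayed against another; the slide's "ask for confirmation" and "re-authenticate" options are the same control applied with more friction.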
What is SQL Injection?

SQL injection is the process of supplying carefully crafted input to alter (or create) SQL statements. It can be used by malicious users to compromise the confidentiality, integrity or availability of your application:
- Probe databases
- Bypass authorization
- Execute multiple SQL statements
- Call built-in stored procedures
Defending Against SQL Injection

- Abandon Dynamic SQL
  - Use stored procedures or SQL parameterized queries to access data
  - You can still have SQL Injection in stored procedures
- Sanitize all input
  - Consider all input harmful until proven otherwise: test for valid data and reject everything else
- Run with least privilege
  - Never execute as "sa"
  - Restrict access to built-in stored procedures
- Do not display ODBC errors
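The first, second and fourth points above can be shown side by side in a few lines. The following is an added example written for this page (it is not code from the talk and uses SQLite rather than SQL Server): a login lookup built by string concatenation next to the parameterized form, a positive validator for the username, and a `login` wrapper that never echoes database errors to the caller. The table and rows are constructed for the demo; least-privilege accounts cannot be shown with an in-memory SQLite database and are left to the server configuration.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash-a", "admin"),
        ("bob", "hash-b", "user"),
    ])
    return conn


def lookup_dynamic_sql(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    """The anti-pattern: dynamic SQL assembled by string concatenation. Deliberately kept
    vulnerable so the difference from the parameterized version is visible."""
    sql = ("SELECT name, role FROM users WHERE name = '" + username +
           "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    """Parameterized query: the inputs are bound as data and cannot change the statement."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


# Positive validation: describe what a username may look like and reject everything else.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(value: str) -> bool:
    return bool(USERNAME_RE.match(value))


def login(conn: sqlite3.Connection, username: str, password_hash: str):
    """Validate first, then use the parameterized lookup. Database errors are swallowed
    here (they belong in the server-side log) so the client never sees driver messages."""
    if not is_valid_username(username):
        return None
    try:
        rows = lookup_parameterized(conn, username, password_hash)
    except sqlite3.Error:
        return None
    return rows[0] if rows else None


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"
    print(lookup_dynamic_sql(conn, tautology, tautology))    # every row comes back
    print(lookup_parameterized(conn, tautology, tautology))  # no row matches that literal
    print(login(conn, "alice", "hash-a"))
```

The parameterized lookup treats the whole input as a literal value, so the quote characters never reach the parser; the regex validator is an additional layer, not a substitute, because data that is valid by the application's rules can still contain SQL syntax in other fields (free-text comments, for example).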
What are Memory Management Issues?

- Buffer Overrun
  - Exists primarily in unmanaged (C/C++) code
  - Can lead to host-level exploits: keep your host patched and up-to-date
- Arithmetic Errors
What are Arithmetic Errors?

- Occur when the limitations of a variable are exceeded (e.g., assigning the value 300 to a byte)
- Lead to serious runtime issues
- Are often overlooked and underestimated
- Include:
  - Overflow: value too large for the data type
  - Underflow: value too small for the data type
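The slide's own example, 300 assigned to a byte, is the quickest way to see why these errors are underestimated: nothing fails, the value just changes. The following is an added example written for this page, not code from the talk; Python integers do not wrap, so the block models the fixed-width types of C/C++ and the CLR explicitly, showing what an unchecked assignment produces, what a checked one does instead, and the count-times-size allocation arithmetic where an overflow turns into a memory-safety bug.

```python
# Ranges of common fixed-width integer types (as in C/C++ and the CLR primitives).
RANGES = {
    "byte": (0, 255),
    "int16": (-32768, 32767),
    "int32": (-2**31, 2**31 - 1),
    "uint32": (0, 2**32 - 1),
}


def fits(value: int, type_name: str) -> bool:
    lo, hi = RANGES[type_name]
    return lo <= value <= hi


def wrap(value: int, type_name: str) -> int:
    """What an unchecked assignment does: the value silently wraps modulo 2^bits.
    300 into a byte becomes 44; nothing signals that data was lost."""
    lo, hi = RANGES[type_name]
    span = hi - lo + 1
    return (value - lo) % span + lo


def checked(value: int, type_name: str) -> int:
    """What a checked assignment does: refuse the value instead of wrapping.
    (C# offers this via the `checked` keyword; in C/C++ the test is written by hand.)"""
    lo, hi = RANGES[type_name]
    if value > hi:
        raise OverflowError(f"{value} is too large for {type_name} (overflow)")
    if value < lo:
        raise OverflowError(f"{value} is too small for {type_name} (underflow)")
    return value


def checked_add(a: int, b: int, type_name: str = "int32") -> int:
    return checked(a + b, type_name)


def buffer_size_for(count: int, element_size: int) -> int:
    """Allocation arithmetic validated before use. An unchecked count * element_size that
    wraps to a small number allocates a short buffer that the later copy loop overruns:
    this is how an arithmetic error becomes a buffer overrun."""
    if count < 0 or element_size <= 0:
        raise ValueError("count must be non-negative and element_size positive")
    return checked(count * element_size, "uint32")


if __name__ == "__main__":
    print(wrap(300, "byte"))              # 44: the silent result
    print(fits(300, "byte"))              # False: what a check would have reported
    print(wrap(2**31, "int32"))           # -2147483648: positive input, negative result
    print(wrap(2**30 * 4, "uint32"))      # 0: a large allocation request wrapped to zero
```

The `wrap` function is the model of the bug, not a utility to use; the point of `checked` and `buffer_size_for` is that the range test happens on the mathematical result before it is narrowed to the target type.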
Logging

- Application Security is more than setting up perimeter defense
- Keep a log trail of authentication attempts, both successful and failed
- Keep a log trail of all accesses to assets
- Log as close to an asset as possible (e.g., in a SQL Server stored procedure)
- Sometimes a log trail is the only mitigation
- Identify "who, what, where & when"
What you Log

- "Fire and Forget": asynchronous logging (MSMQ)
- Don't write sensitive information in logs (passwords)
- Identify the "who, what, where & when":
  - Identity
  - Action
  - Component/Service/Object/Method
  - Timestamp
Audit

- Logs identify the "who, what, where & when"
- Audit the logs to determine "why"
- Set up a process whereby logs are audited
  - Monitor & Response Process
  - Can be automated to some extent
- Log files are an asset!
A (Quick) Summary

- Use existing technologies that meet your needs, but implement them appropriately!
- Think cynical: don't trust outside sources
  - Application users
  - External dependencies