Secure development in .NET with Episerver (Solita)

Upload: joona-immonen

Post on 23-Jan-2018

SECURE DEVELOPMENT IN .NET

Joona Immonen, Software architect, [email protected]

AGENDA

› Security overview

› Threat modeling

› Hosting

› CI tools

› Final thoughts

SECURITY OVERVIEW

AKA how to understand what Troy Hunt says

DEVELOPERS AS SECURITY TESTERS

› Pros:

• Enables continuous security testing.

• Developers will automate.

• Minimal hand-over costs.

• Will find important non-security related bugs.

› Cons:

• Not security specialists. Will miss some things.

• May need investment (training, some tools)

BASIC SECURITY MODEL

› Confidentiality

• Privacy

• Password policies

• Encryption

› Integrity

• Trustworthiness of data

• Checksums

› Availability

• Bandwidths

• Bottlenecks

• Disaster recovery planning

ONION MODEL OF DEFENSE IN DEPTH

OWASP TESTING GUIDE 4.0

› The picture shows how OWASP links the different security controls to the secure development life cycle

THREAT MODEL IN GENERAL

PROBLEM DOMAIN

THREAT MODELING APPROACH

https://msdn.microsoft.com/en-us/library/ff648644.aspx#c03618429_008

HOSTING PERSPECTIVE

SECURITY TESTING ASPECTS IN ONION MODEL

Network scanning

Vulnerability scanning

Web application security testing

Static code analysis

Web application configuration analysis

Operating system configuration analysis

Application server vulnerability scanning

HOW THE ONION MODEL IS LINKED TO OUR PROJECTS

Public internet

Private networks between servers

Customer network

The host is most commonly a shared responsibility

The application is our responsibility

Part of the data is our responsibility

Part of the data comes from integrations

Updates come from other parties, configuration from us

Some of the applications are products (inriver, IIS)

Threat analysis

Implementation and design

Automated tests

Manual tests

Operational security

CONTINUOUS INTEGRATION PERSPECTIVE

TOOLS IN SECURE DEVELOPMENT LIFECYCLE

Lifecycle phases (table columns): Before development, Definition and design, Development, Deployment, Maintenance

FxCop X

VisualCodeGrepper X

SonarQube X

Code Metrics X

OWASP ZAP X X X

Nessus X X

jMeter X X X

TOOLS IN DEFENCE IN DEPTH

Defence-in-depth layers (table columns): Network, Host, App server, Application, Web.config, Source code

FxCop X X

VisualCodeGrepper X X

SonarQube X X

Code Metrics X

OWASP ZAP X X

Nessus X X X X

jMeter X X

HOW TOOLS MITIGATE "OWASP TOP 10"

OWASP Top 10 categories (table columns): Injection, Broken auth, XSS, Direct obj ref, Misconf, Data exposure, Function level auth, CSRF, Known vuln, Unvalidated redirects

FxCop 1 1 1 1

VCG 1 1 1

SonarQube 1 1 1 1

Code Metrics

OWASP ZAP 2 2 2 2 2 1 2 1 2

Nessus 1 1 1 1 2 1 1 2 1

jMeter

empty=no, 1=maybe, 2=meant for that

HOW TOOLS MITIGATE CSA "NOTORIOUS NINE"

CSA Notorious Nine threats (table columns): Data Breaches, Data Loss, Account or Service Traffic Hijacking, Insecure interfaces and APIs, Denial of Service, Malicious Insiders, Abuse of cloud services, Insufficient Due Diligence, Shared Technology Vulnerabilities

FxCop 1 1

VisualCodeGrepper 1 1

SonarQube 1 1

Code Metrics 1

OWASP ZAP 1 1 1

Nessus 1 1 1

jMeter 1 1

empty=no, 1=maybe, 2=meant for that

FINAL THOUGHTS

EPISERVER DEVELOPMENT

› Know your HTTP headers

› Understand the security responsibilities of each party (dev, hosting)

› AntiForgeryTokens!

› Do not EVER leave SQL injections in your application

› Think about security beforehand

› All the frontend includes…
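The three concrete controls from this slide (response headers, anti-forgery tokens, no SQL injection) in one ASP.NET MVC 5 controller, as an added example that is not from the slides or from Episerver; the connection string, the Feedback table, the controller and the header values are assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Web.Mvc;

// "Know your HTTP headers": a filter that adds browser hardening headers to every response.
public class SecurityHeadersAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        var response = filterContext.HttpContext.Response;
        response.AddHeader("X-Content-Type-Options", "nosniff");             // no MIME sniffing
        response.AddHeader("X-Frame-Options", "DENY");                       // no framing (clickjacking)
        response.AddHeader("Content-Security-Policy", "default-src 'self'"); // same-origin resources only
        base.OnResultExecuting(filterContext);
    }
}

[SecurityHeaders]
public class FeedbackController : Controller
{
    // Assumed placeholder; a real site reads this from web.config.
    private const string ConnectionString = "PLACEHOLDER_CONNECTION_STRING";

    // "AntiForgeryTokens!": the POST is rejected unless it carries the token that
    // @Html.AntiForgeryToken() rendered into the form (plus the matching cookie).
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Submit(string email, string message)
    {
        // "Do not EVER leave SQL injections": user input goes in as typed
        // parameters and is never concatenated into the SQL text.
        const string sql = "INSERT INTO Feedback (Email, Message) VALUES (@email, @message)";
        using (var connection = new SqlConnection(ConnectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            command.Parameters.Add("@email", SqlDbType.NVarChar, 256).Value = email ?? string.Empty;
            command.Parameters.Add("@message", SqlDbType.NVarChar, 4000).Value = message ?? string.Empty;
            connection.Open();
            command.ExecuteNonQuery();
        }
        return RedirectToAction("Thanks");
    }

    [HttpGet]
    public ActionResult Thanks()
    {
        return View();
    }
}
```

The matching Razor form must call @Html.AntiForgeryToken() inside its form tag; without it every post to Submit fails with an HttpAntiForgeryException, which is the check doing its job.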

SONARQUBE DASHBOARD

BUILD PIPELINE

DEVELOPER -> HACKER

› Traits

• Curiosity and creativity. What will happen if…?

• Perseverance

› Skills

• Technical knowledge, deep/wide

• Common vulnerabilities

• Security testing

› Some developers are hobbyist hackers. (Apply at [email protected])

OWASP ZAP DEMO

› OWASP ZAP as a proxy against the Alloy demo site