Alex Smolen: Securing the MVC Architecture, Part One
This is the slide deck for the presentation I gave at SD Best Practices 2007, in Boston, MA
Presentation Transcript

  • Securing the MVC Architecture, Part One. Alex Smolen, Software Security Consultant, Foundstone, Inc., Mission Viejo, CA, [email_address]
  • Who are you?
    • Name: Seymour Flaus
    • Age: 28
    • Title: Software Security Architect
  • You like spicy food…
  • And pinball…
  • And astronomy.
  • You don’t like clueless bosses…
  • Or frightening cats…
  • Or Insecure Software!
  • First day at work…
    • HACME Inc.
  • Hugh Jasul Good Morning! Care for coffee?
  • Seymour Flaus No thanks.
  • Hugh Jasul Great. Hey, want to see a picture of my cat?
  • Seymour Flaus Uh…
  • Seymour Flaus Cute.
  • Hugh Jasul Enough small talk, Seymour. Hacme Inc. is in a bit of trouble…
  • Seymour Flaus Trouble?
  • Hugh Jasul We’ve had a few security “issues”…
  • Seymour Flaus Such as?
  • Hugh Jasul Hackers have been hacking into Hacme Bank accounts!
  • Seymour Flaus Oh, is that all? So it’s not just a clever name.
  • Hugh Jasul No, there’s more. But find and fix this vulnerability right now! We’re going live tomorrow!
    • Get to work!
  • Seymour Flaus OK, fixed it!
  • Hugh Jasul Not so fast, we got a complaint from one of our UAT testers.
  • Seymour Flaus Who’s that?
  • Seymour Flaus OK, back to the drawing board.
  • Hugh Jasul Fantastic work, Seymour. By the way, we’re going to need you on Saturday morning for a four hour meeting…
  • Seymour Flaus Great. Nice to be appreciated.
  • Hugh Jasul Next order of business… Hacme Books customers are complaining that a book is being added to their cart!
  • Seymour Flaus I’m on it!
    • Get to work!
  • Hugh Jasul Great job, Seymour! By the way, I have some dry cleaning ready, could you…
  • Seymour Flaus I got my masters for this?
  • Hugh Jasul Great, great, great. Now, I know you’ve been busy, but there’s a top priority task at hand.
  • Seymour Flaus Do tell.
  • Hugh Jasul People have been cheating on Hacme Casino and scamming us for big $$$. Find and fix!
  • Seymour Flaus Here we go…
    • Get to work!
  • Hugh Jasul Alright, I think that’s a great first day. I’m off to the golf course…
  • Seymour Flaus See ya. I’m going to go hit up craigslist for a new job.
  • Introduction
    • Who am I?
      • Software Security Consultant
      • Developer
      • Architect/Designer
    • Who am I talking to?
      • People using frameworks…
      • People building frameworks…
      • Software security folks
    • What’s the point? WTF?
  • Security Concerns
    • Analyze each component of the architecture for its security responsibilities
  • MVC Architecture: View, Model, Controller
  • Security Concerns
  • Security Concerns - Model: Data Protection in Storage
    • Encrypt credit card information
    • Hash passwords
    • Scrub personally identifiable information
  • Security Concerns - Model: Fine-Grained Authorization
    • Verify user is accessing their own account
    • Verify that transaction is made at an appropriate hour
    • Make sure that user is not “cheating”
  • Security Concerns - Model: Logging
    • Log login attempts
    • Log input validation failures
    • Log access to the log
  • Security Concerns - Model: Authentication
    • Secure transport layer
    • Check password policies
    • Lock out account
  • Security Concerns - View: Data Sanitization
    • HTML-encode dynamic data
    • Mask sensitive information
    • Remove comments
  • Security Concerns - View: Error Handling
    • Give user-friendly error message
    • Remove system error information
    • Prevent username enumeration
  • Security Concerns - View: Data Protection in Storage
    • Prevent pages from being cached
    • Don’t pass sensitive information in URL
    • Disable AUTOCOMPLETE
  • Security Concerns - View: Data Protection in Transit
    • Use SSL for secure content
  • Security Concerns - Controller: Data Validation
    • Verify entered date is actually a valid date
    • Make sure comments are less than 500 words
    • Look for recognized attack strings
  • Security Concerns - Controller: Session Management
    • Verify session is valid
    • Check username, roles
    • Perform session timeout
    • Authenticate again
  • Security Concerns - Controller: Coarse-Grained Authorization
    • Verify user is authenticated for sensitive resources
    • Verify user is in correct role
    • Make sure IP address is internal
  • Security Concerns - Controller: Data Protection in Transit
    • Use SSL
    • Set secure cookies
  • Thanks!
  • Stay tuned for…
    • Examination of security mechanisms in:
      • J2EE/Struts
      • ASP.NET
      • Ruby on Rails
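As an added example (not code from the deck), a minimal Python sketch of the split the Model/View/Controller slides describe: the controller validates input and does coarse-grained (role) authorization, the model does fine-grained (own-account) authorization, and the view HTML-encodes dynamic data. The class names, the in-memory account store and the session dict are assumptions made for the example.

```python
import html
import re

# Constructed in-memory account store for this example: account id -> owner, balance.
ACCOUNTS = {
    101: {"owner": "alice", "balance": 500},
    202: {"owner": "bob", "balance": 80},
    303: {"owner": "mallory<script>", "balance": 1},
}

class AuthorizationError(Exception):
    pass

class AccountModel:
    """Model: fine-grained authorization sits next to the data it protects."""
    def get_balance(self, requester, account_id):
        acct = ACCOUNTS.get(account_id)
        # Verify the user is accessing their own account, not just any valid id.
        if acct is None or acct["owner"] != requester:
            raise AuthorizationError("account not owned by requester")
        return acct["balance"]

class AccountView:
    """View: data sanitization; every dynamic value is HTML-encoded."""
    def render(self, username, balance):
        return "<p>Hello %s, balance: %d</p>" % (html.escape(username), balance)

class AccountController:
    """Controller: data validation and coarse-grained authorization."""
    ACCOUNT_ID_RE = re.compile(r"^[0-9]{1,9}$")

    def __init__(self, model, view):
        self.model, self.view = model, view

    def show_balance(self, session, raw_account_id):
        # Coarse-grained: caller must be authenticated and hold the customer role.
        if not session.get("user") or "customer" not in session.get("roles", ()):
            return 403, "<p>Forbidden</p>"
        # Data validation: reject anything that is not a short numeric id.
        if not self.ACCOUNT_ID_RE.match(raw_account_id):
            return 400, "<p>Invalid request</p>"  # user-friendly, no system details
        try:
            balance = self.model.get_balance(session["user"], int(raw_account_id))
        except AuthorizationError:
            return 403, "<p>Forbidden</p>"  # same text as for anonymous: no enumeration
        return 200, self.view.render(session["user"], balance)

def handle(session, raw_account_id):
    """Wire the three components together for one request (example driver)."""
    return AccountController(AccountModel(), AccountView()).show_balance(session, raw_account_id)
```

A request for another customer's account and an unauthenticated request both get the same generic 403 body, so the response does not reveal which account ids exist.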