Securing the MVC Architecture Part One Alex Smolen Software Security Consultant Foundstone, Inc Mission Viejo, CA [email_address]

Who are you? Name: Seymour Flaus Age: 28 Title: Software Security Architect

Name: Seymour Flaus

Age: 28

Title: Software Security Architect

You like spicy food…

And pinball…

And astronomy.

You don’t like clueless bosses…

Or frightening cats…

Or Insecure Software!

First day at work… HACME Inc.

HACME Inc.

Hugh Jasul Good Morning! Care for coffee?

Seymour Flaus No thanks.

Hugh Jasul Great. Hey, want to see a picture of my cat?

Seymour Flaus Uh…

Seymour Flaus Cute.

Hugh Jasul Enough small talk, Seymour. Hacme Inc. is in a bit of trouble…

Seymour Flaus Trouble?

Hugh Jasul We’ve had a few security “issues”…

Seymour Flaus Such as?

Hugh Jasul Hackers have been hacking into Hacme Bank accounts!

Seymour Flaus Oh, is that all? So it’s not just a clever name.

Hugh Jasul No, there’s more. But find and fix this vulnerability right now! We’re going live tomorrow!

Get to work!

Get to work!

Seymour Flaus OK, fixed it!

Hugh Jasul Not so fast, we got a complaint from one of our UAT testers.

Seymour Flaus Who’s that?

Seymour Flaus OK, back to the drawing board.

Hugh Jasul Fantastic work, Seymour. By the way, we’re going to need you on Saturday morning for a four hour meeting…

Seymour Flaus Great. Nice to be appreciated.

Hugh Jasul Next order of business… Hacme Books customers are complaining that a book is being added to their cart!

Seymour Flaus I’m on it!

Get to work!

Get to work!

Hugh Jasul Great job Seymour! By the way, I have some dry cleaning ready, could you..

Seymour Flaus I got my masters for this?

Hugh Jasul Great, great, great. Now, I know you’ve been busy, but there’s a top priority task at hand.

Seymour Flaus Do tell.

Hugh Jasul People have been cheating on Hacme Casino and scamming us for big $$$. Find and fix!

Seymour Flaus Here we go…

Get to work!

Get to work!

Hugh Jasul Alright, I think that’s a great first day. I’m off to the golf course…

Seymour Flaus See ya. I’m going to go hit up craigslist for a new job.

Introduction Who am I? Software Security Consultant Developer Architect/Designer

Who am I?

Introduction Who am I talking to? People using… People building… Software security folks frameworks.

Introduction What’s the point? WTF?

Security Concerns Analyze each component of architecture for security responsibilities

Analyze each component of architecture for security responsibilities

MVC Architecture View Model Controller

MVC Architecture View Model Controller View

MVC Architecture View Model Controller

Security Concerns

Security Concerns - Model Data Protection in Storage

Data Protection in Storage

Security Concerns - Model Encrypt credit card information Hash passwords Scrub personally identifiable information Data Protection in Storage

Encrypt credit card

information

Hash passwords

Scrub personally

identifiable information

Security Concerns - Model Fine Grained Authorization

Fine Grained Authorization

Security Concerns - Model Verify user is accessing their own account Verify that transaction is made at an appropriate hour Make sure that user is not “cheating” Fine Grained Authorization

Verify user is accessing their own account

Verify that transaction is made at an appropriate hour

Make sure that user is not “cheating”

Security Concerns - Model Logging

Logging

Security Concerns - Model Log login attempts Log input validation failures Log access to log Logging

Log login attempts

Log input validation failures

Log access to log

Security Concerns - Model Authentication

Authentication

Security Concerns - Model Secure transport layer Check password policies Lockout account Authentication

Secure transport layer

Check password policies

Lockout account

Security Concerns - View Data Sanitization

Data Sanitization

Security Concerns - View HTML encode dynamic data Mask sensitive information Remove comments Data Sanitization

HTML encode dynamic data

Mask sensitive information

Remove comments

Security Concerns - View Error Handling

Error Handling

Security Concerns - View Give user friendly error message Remove system error information Prevent username enumeration Error Handling

Give user friendly error message

Remove system error information

Prevent username enumeration

Security Concerns - View Data Protection in Storage

Data Protection in Storage

Security Concerns - View Prevent pages from being cached Don’t pass sensitive information in URL Disable AUTOCOMPLETE Data Protection In Storage

Prevent pages from being cached

Don’t pass sensitive information in URL

Disable AUTOCOMPLETE

Security Concerns - View Data Protection in Transit

Data Protection in Transit

Security Concerns - View Use SSL for secure content Data Protection In Transit

Use SSL for secure content

Security Concerns - Controller Data Validation

Data Validation

Security Concerns - Controller Verify entered date is actually a valid date Make sure comments are less than 500 words Look for recognized attack strings Data Validation

Verify entered date is actually a valid date

Make sure comments are less than 500 words

Look for recognized attack strings

Security Concerns - Controller Session Management

Session Management

Security Concerns - Controller Verify session is valid Check username, roles Perform session timeout Authenticate again Session Management

Verify session is valid

Check username, roles

Perform session timeout

Authenticate again

Security Concerns - Controller Coarse-Grained Authorization

Coarse-Grained Authorization

Security Concerns - Controller Verify user is authenticated for sensitive resources Verify user is in correct role Make sure IP address is internal Coarse-Grained Authorization

Verify user is authenticated for sensitive resources

Verify user is in correct role

Make sure IP address is internal

Security Concerns - Controller Data Protection in Transit

Data Protection in Transit

Security Concerns - Controller Use SSL Set secure cookies Data Protection in Transit

Use SSL

Set secure cookies

Thanks!

Stay tuned for… Examination of security mechanisms in: J2EE/Struts ASP.NET Ruby on Rails

Examination of security mechanisms in:

J2EE/Struts

ASP.NET

Ruby on Rails