Threat Modeling - Writing Secure Code
An introduction to Security Principles and Patterns in Application Architectural Design.


Published in: Technology
  • “Search engines will find anything you have hidden” We could say “could, or might find”… but we need to think of this as WILL find anything that we have hidden.
  • Transcript

    • 1. Threat Modeling
      an introduction to Security Principles and Patterns in Application Architectural Design
      Caleb Jenkins
      Software Ninja | Architect
      http://DevelopingUX.com
    • 2. Threat
    • 3. Threat + Attack
    • 4. or is your world more like this?
    • 5–8. (image-only slides)
    • 9. Agenda
      - Threat Analysis (this section)
      - Basic Security Concepts
      - Security Code Review
      - Summary / Q&A
    • 10. T.J. Maxx theft believed largest hack ever
      TJX cos. put number to loss Wednesday, acknowledges it could still go up
      By Mark Jewell, Associated Press, March 30, 2007
      BOSTON - A hacker or hackers stole data from at least 45.7 million credit and debit cards of shoppers at off-price retailers including T.J. Maxx and Marshalls in a case believed to be the largest such breach of consumer information.
      Experts say TJX’s disclosures in a regulatory filing late Wednesday revealed security holes that persist at many firms entrusted with consumer data: failure to promptly delete data on customer transactions, and to guard secrets about how such data is protected through encryption.
    • 11. T.J. Maxx theft believed largest hack ever (continued)
      Police charged six people in Florida last week with using credit card numbers that investigators believe were stolen from a TJX database to buy about $1 million in merchandise with gift cards.
    • 12. Assets are the things an attacker wants to take from you
      Threats are the ways in which the attacker will try to get at your assets
      Mitigations are the ways you block the attacker from getting the assets
      Vulnerabilities are unmitigated threats
      Threat Models are an assessment of the Assets, Threats, Mitigations and Vulnerabilities of the system you are building or have built
    • 13. Assets are more than money…
      Reputation & Customer Confidence
      Confidential Data
      Processor, Storage, Bandwidth
      Availability
      Performance
    • 14. Threat Analysis
      Secure software starts with understanding the threats
      Threats are not vulnerabilities
      Threats live forever
      How will attackers attempt to compromise the system?
      (diagram: Asset, Mitigation, Threat, Vulnerability)
    • 15. Security User Stories
      Describes something the bad guy wants to do (a threat)
      - Short and to the point
      - Written by the user in non-technical language
      As an attacker
      I want to <attack>
      So that <crime>
      By <method>
    • 17. Security User Stories
      As an attacker
      I want to obtain credentials
      So that I can plunder bank accounts
      By tricking users into logging into my bogus site with a Phishing mail
    • 18. Security Objectives
      What do you not want to happen?
      - Confidentiality: “I do not want unauthorized users to gain access to confidential information”
      - Integrity: “I do not want unauthorized users to tamper with data”
      - Availability: “I do not want the system to be unavailable because of an attack”
      Agree on security objectives up front
      - Helps to scope and focus your security efforts
    • Agenda
      - Threat Analysis
      - Basic Security Concepts (this section)
      - Security Code Review
      - Summary / Q&A
    • 19. Basic Security Concepts
      - Reduce Attack Surface (this section)
      - Defense In Depth
      - Least Privilege
      - Fail to Secure Mode
    • 20. Attack Surface
      The “Attack Surface” is the sum of the ways in which an attacker can get at you
      - Smaller Attack Surface is better
      Which one has the smaller attack surface? (image)
    • 21. Attack Surface
      The “Attack Surface” is the sum of the ways in which an attacker can get at you
      - Smaller Attack Surface is better
      Hint: No way to know… what’s on the other side?
    • 22. Understand Your Attack Surface
      Networking protocols that are enabled by default
      Network Endpoints
      Code that auto-starts or will execute when accessed
        Examples: Services, daemons, ISAPI filters and applications, SOAP services, and Web roots
      Reusable components
        ActiveX controls, COM objects, and .NET Framework assemblies (especially those marked with AllowPartiallyTrustedCallersAttribute)
      Process identities for all the code you run
      User accounts installed
    • 23–29. Reducing Attack Surface (diagram built up step by step)
      Starting point: three TCP/UDP listeners; Service: Autostart, running as SYSTEM
      Turn off less-used ports
      Turn off UDP connections (TCP only)
      Restrict requests to subnet/IP range
      Authenticate connections
      Lower privilege (Service: Manual, running as NetService)
      Turn feature off
      Harden ACLs on data store: before, Everyone (Full Control); after, Admin (Full Control), Everyone (Read), Service (RW)
    • 30. Basic Security Concepts
      - Reduce Attack Surface
      - Defense In Depth (this section)
      - Least Privilege
      - Fail to Secure Mode
    • 31. Defense In Depth
      Don’t count on one line of defense for everything
      What if the attacker penetrates that defense?
      Contain the damage
      Example – Nuclear Plants
    • 32. (image-only slide)
    • 33. “Multiple redundant safety systems. Nuclear plants are designed according to a ‘defense in depth’ philosophy that requires redundant, diverse, reliable safety systems. Two or more safety systems perform key functions independently, such that, if one fails, there is always another to back it up, providing continuous protection.”
      - Nuclear Energy Institute
    • 34. System Failures can be Bad
    • 35–41. Defense in Depth (MS03-007): Windows Server 2003 Unaffected
      Microsoft Security Bulletin MS03-007
      Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)
      Originally posted: March 17, 2003
      Impact of vulnerability: Run code of attacker’s choice
      Maximum Severity Rating: Critical
      Affected Software: Microsoft Windows NT 4.0, Microsoft Windows 2000, Microsoft Windows XP
      Not Affected Software: Microsoft Windows Server 2003
      Why Windows Server 2003 was unaffected, layer by layer:
      - The underlying DLL (NTDLL.DLL) was not vulnerable: code made more conservative during the Security Push
      - Even if it was vulnerable: IIS 6.0 is not running by default on Windows Server 2003
      - Even if it was running: IIS 6.0 doesn’t have WebDAV enabled by default
      - Even if it did have WebDAV enabled: maximum URL length in IIS 6.0 is 16 KB by default (>64 KB needed)
      - Even if the buffer was large enough: the process halts rather than executes malicious code, due to buffer-overrun detection code (-GS)
      - Even if there was an exploitable buffer overrun: it would have occurred in w3wp.exe, which now runs as ‘Network Service’
    • 42. Basic Security Concepts
      - Reduce Attack Surface
      - Defense In Depth
      - Least Privilege (this section)
      - Fail to Secure Mode
    • 43. Least Privilege
      A defense in depth measure
      Code should run with only the permissions it requires
      Attackers can only do whatever the code was already allowed to do
      Recommendations
      - Use least privilege accounts
      - Use code access security
      - Write apps that non-admins can actually use
    • 45–47. Fail To Secure Mode
      Function Authenticate(UserID As String, Password As String) As Boolean
          Dim Authenticated As Boolean = True
          Try
              Dim conn As New SqlConnection(connString)
              conn.Open()
              Dim cmd As New SqlCommand("SELECT Count(*) FROM Users …", conn)
              Dim count As Integer
              count = cmd.ExecuteScalar()
              Authenticated = (count = 1)
          Catch ex As Exception
              MessageBox.Show("Error logging in " + ex.Message)
          End Try
          Return Authenticated
      End Function
      Callouts on the slides:
      - “Dim Authenticated As Boolean = True”: Danger!! Assumes success
      - “Catch ex As Exception”: the Authenticated flag may still be True here, so a failed database call returns a successful login
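The same Authenticate routine written to fail to secure mode, as an added example that is not from the deck: the flag starts False, only the single success path sets it True, and any exception leaves it False. It assumes a constructed in-memory SQLite table with salted SHA-256 password digests in place of the deck's SQL Server Users table, and the lookup is parameterised so a crafted user name is simply an unknown user.

```python
import hashlib
import hmac
import logging
import sqlite3

# Constructed demo salt; a real deployment uses a per-user random salt.
SALT = b"constructed-demo-salt"


def _digest(password: str) -> str:
    """Salted SHA-256 hex digest; the table never holds a plaintext password."""
    return hashlib.sha256(SALT + password.encode("utf-8")).hexdigest()


def make_user_db() -> sqlite3.Connection:
    """Constructed stand-in for the deck's Users table (in-memory SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (UserName TEXT PRIMARY KEY, PwdHash TEXT NOT NULL)"
    )
    conn.execute("INSERT INTO Users VALUES (?, ?)", ("alice", _digest("correct horse")))
    conn.commit()
    return conn


def authenticate(conn: sqlite3.Connection, user_id: str, password: str) -> bool:
    # Fail to secure mode: start from "not authenticated" and only flip the
    # flag on the one path where the stored digest matches.
    authenticated = False
    try:
        # A bound parameter, not string concatenation: the deck's
        # "' OR 1+1=2; --" style input is compared as a literal user name.
        row = conn.execute(
            "SELECT PwdHash FROM Users WHERE UserName = ?", (user_id,)
        ).fetchone()
        if row is not None:
            # Constant-time comparison of the two hex digests.
            authenticated = hmac.compare_digest(row[0], _digest(password))
    except sqlite3.Error as exc:
        # Detail goes to the server log for operators; the caller learns
        # nothing except that the login did not succeed.
        logging.error("Authenticate failed for %r: %s", user_id, exc)
    return authenticated


if __name__ == "__main__":
    db = make_user_db()
    print(authenticate(db, "alice", "correct horse"))   # True
    print(authenticate(db, "alice", "wrong"))           # False
    db.close()
    print(authenticate(db, "alice", "correct horse"))   # False: DB failure is a denial
```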
    • 48. Agenda
      - Threat Analysis
      - Basic Security Concepts
      - Security Code Review (this section)
      - Summary / Q&A
    • 49–52. Security Code Review
      Try
          Dim conn As SqlConnection = Nothing
          Dim results As New DataSet()
          conn = New SqlConnection("data source=localhost;" _
              + "user id=sa;password=password;" + _
              "Initial Catalog=SqlInjectionDemo")
          conn.Open()
          sqlString = "SELECT HasShipped" + _
              " FROM Shipment WHERE ID='" + ID + "'"
          cmd = New SqlCommand(sqlString, conn)
          Dim adapter As New SqlDataAdapter(cmd)
          adapter.Fill(results)
      Catch se As SqlException
          Dim status As String
          status = sqlString + " failed"
          For Each err As SqlError In se.Errors
              status = status + err.Message
          Next
          MessageBox.Show(status)
      End Try
      Findings called out on the slides:
      - “user id=sa”: Never connect as SA
      - “password=password”: Don’t embed secrets; unencrypted & weak password
      - “WHERE ID='" + ID + "'”: Don’t concatenate arguments
      - “For Each err As SqlError”: Don’t reveal everything to an attacker
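An added example, not the deck's code, of the two findings that can be shown without a SQL Server: the concatenated Shipment query beside its parameterised form, run against a constructed in-memory SQLite table with the deck's `' OR 1+1=2 --` style payload, and an error path that logs the exception for operators but hands the user only a generic message. The login principal and secret-storage findings are server configuration and are not modelled here.

```python
import logging
import sqlite3

GENERIC_ERROR = "The shipment could not be looked up right now."


def make_shipment_db() -> sqlite3.Connection:
    """Constructed stand-in for the deck's Shipment table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Shipment (ID TEXT PRIMARY KEY, HasShipped INTEGER)")
    conn.executemany(
        "INSERT INTO Shipment VALUES (?, ?)", [("1001", 1), ("1002", 0), ("1003", 1)]
    )
    conn.commit()
    return conn


def has_shipped_concat(conn: sqlite3.Connection, shipment_id: str) -> list:
    """The deck's pattern: the argument is pasted into the SQL text (vulnerable)."""
    sql = "SELECT HasShipped FROM Shipment WHERE ID='" + shipment_id + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def has_shipped_param(conn: sqlite3.Connection, shipment_id: str) -> list:
    """Bound parameter: the argument can only ever be compared as a value."""
    sql = "SELECT HasShipped FROM Shipment WHERE ID=?"
    return [row[0] for row in conn.execute(sql, (shipment_id,)).fetchall()]


def shipment_status(conn: sqlite3.Connection, shipment_id: str) -> str:
    """Map low-level failures to a user message; keep the detail in the log."""
    try:
        rows = has_shipped_param(conn, shipment_id)
    except sqlite3.Error as exc:
        # The deck's version showed sqlString and every SqlError to the user.
        logging.error("Shipment lookup failed for %r: %s", shipment_id, exc)
        return GENERIC_ERROR
    if not rows:
        return "No shipment with that ID."
    return "Shipped" if rows[0] else "Not yet shipped"


if __name__ == "__main__":
    db = make_shipment_db()
    payload = "' OR 1+1=2 --"          # closes the quote, makes the WHERE always true
    print(has_shipped_concat(db, payload))  # every row leaks: [1, 0, 1]
    print(has_shipped_param(db, payload))   # no such ID: []
    print(shipment_status(db, "1001"))      # Shipped
```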
    • 53. Why not connect as SA?
      Violates the principle of least privilege
      Threat: Code is subject to attacker elevating privilege
      Mitigation Recommendation
      - Defense in depth. Action: Run SQL as Network Service rather than Local System
      - Reduce surface area: eliminate privileges on everything except for the required stored procedures. Action: Create stored procedures
      - Least privilege: run as a lesser privileged user when connecting to the database. Action: Fix the connection string
    • 54. Why not embed secrets?
      Violates the principle of avoiding security by obscurity
      Threat: Secrets are easily discovered
      Mitigation Recommendation
      - Don’t store secrets. Tip: Use Windows Authentication
      - Encrypt secrets
        For .NET 1.1 consider Enterprise Library
        For .NET 2.0 use Enterprise Library or System.Security.Cryptography.ProtectedData
        For SQL Server 2005 use EncryptByKey / DecryptByKey
    • 55. Storing Secrets
      Hackers use search engines to locate secrets
      Search engines will find anything you have hidden
    • 56. Storing Secrets
      MySQL Data Dumps
      Config Files on *nix systems
    • 57. Fix Connection String
      Not good / Much Better (screenshots)
    • 58–60. Never create your own encryption
    • 61. Why not use easy passwords?
      Because they are easily broken by brute force attacks
      Threat: Attacker guesses or brute forces password to access secrets
      Mitigation:
      - Enforce a strong password policy
      - Enable password policy enforcement on SQL Server
      - Uses Windows Server 2003 policy
    • Brute Force Dictionary Attacks
    • 64. Password Policy
      SQL Server 2005 Management Studio Tool Shown
    • 65. Why not concatenate arguments?
      Violates the principle of All Input Is Evil (Until Proven Otherwise)
      Threat: Code is subject to luring attacks via SQL Injection
      Mitigation Recommendation
      - Reduce Attack Surface
      - Use parameters with SQL
      - Create stored procedures and grant access only to the stored procedure
      - Consider Table-Valued Functions in SQL 2005
      - Disable unneeded SQL Server Features
    • Using Parameters and Sprocs
    • 70. Reduce SQL Surface Area
    • 71. Reduce SQL Surface Area
      If you don’t connect in a sysadmin role, the account used by xp_cmdshell will be the one defined by xp_cmdshell_proxy_account, which may have reduced privilege
    • 72. Evil Input Attack - Hotmail
      October 2001: an XSS vulnerability which allowed an attacker to steal a user’s Microsoft .NET Passport session cookies.
      The exploit for this vulnerability consisted of sending a malicious email to a Hotmail user, which contained malformed HTML.
      The script filtering code in Hotmail’s site failed to remove the broken HTML, and Internet Explorer’s parsing algorithm happily interpreted the malicious code.
    • 73. Security Fix: Validate Input
      Constrain
      - Look for valid data and reject everything else
      - Set Max Length to 5
      - Use Regular Expressions to permit only what you want
      - Integer expression: “^[0-9]{0,5}$”
      Reject
      - Reject things you know are bad
      Sanitize
      - Use SQL Parameters
      - HTMLEncode output
    • 77–80. discussion: White Listing vs Black Listing Input
      “Look for valid data and reject everything else”
      SQL Example (black listing): string.Replace(“delete”, “”)
      Input “deldeleteete”: the single replace removes the inner “delete”, and the characters left on either side close up to form “delete”
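An added example, not from the deck, that runs the black-list replace and the deck's integer allow-list side by side: one `Replace("delete", "")` pass turns "deldeleteete" into "delete"; repeating the replace until nothing changes closes only that one gap (the keyword list is still incomplete and case-sensitive); the allow-list rejects anything that is not zero to five digits. `re.fullmatch` is used rather than `^…$` because `$` also matches before a trailing newline.

```python
import re

# The deck's allow-list for an integer field: zero to five digits, nothing else.
INTEGER_PATTERN = re.compile(r"[0-9]{0,5}")


def blacklist_strip(value: str) -> str:
    """The deck's black list: remove the keyword once, as string.Replace does."""
    return value.replace("delete", "")


def blacklist_strip_repeat(value: str) -> str:
    """Repeat the replace to a fixed point. Closes the nested-keyword gap only;
    'DELETE', 'drop', comments and so on still pass untouched."""
    while "delete" in value:
        value = value.replace("delete", "")
    return value


def whitelist_integer(value: str):
    """Return the value if it is entirely 0-5 digits, otherwise None.

    fullmatch anchors both ends; with '^[0-9]{0,5}$' a value such as '123\\n'
    would be accepted because '$' matches before a final newline.
    """
    return value if INTEGER_PATTERN.fullmatch(value) else None


def survives_blacklist(value: str) -> bool:
    """True if the single-pass black list still leaves the keyword in place."""
    return "delete" in blacklist_strip(value)


if __name__ == "__main__":
    print(blacklist_strip("deldeleteete"))         # delete
    print(blacklist_strip_repeat("deldeleteete"))  # (empty string)
    print(whitelist_integer("12345"))              # 12345
    print(whitelist_integer("' OR 1+1=2; --"))     # None
```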
    • 81. demo: SQL Injection
      Sanitizing User Input
      Select Count(*) From Users
      Where User Name = ‘’ OR 1+1=2; -- ‘ and password = ‘’
    • 82. demo: SQL Injection
      Sanitizing User Input
    • 83. Discussion: XSS
      Sanitizing User Input
    • 84. Why not reveal all exceptions?
      Most users won’t understand the details anyway
      Threat: Code is subject to information disclosure threats
      Mitigation Recommendation
      - Map low level error messages to meaningful messages for your users
      - Never disclose secrets in error messages
    • Meaningful Error Messages
      What this error really means…
      No SmartCard inserted in card reader
    • 86. observe: Security Architecture is a moving target.
    • 87. review
    • 88. Threat Model Checklist
      - No design is complete without a threat model!
      - Capture your work in a threat model document
      - Investigate threats
      - Track and prioritize vulnerabilities through to mitigation and testing
      - Take advantage of security guidance http://msdn.microsoft.com/securityguidance
      (diagram: vuln, threat, asset)
    • 93. Architects Must
      Understand security terminology and best practices
      - Pay attention to what is happening in the industry
      Instill security thinking throughout the application lifecycle
      Ensure that the team has an up to date threat model
      Ensure that the team has operational procedures that will ensure ongoing security
    • 94. exercise: Use the Threat Analysis & Modeling Tool
    • 95. Resources
      - Patterns & Practices Security Guidance
      - http://msdn.microsoft.com/securityguidance
      - http://del.icio.us/calebjenkins/SecurityTools
    • ?
    • 98. Thank you
      DevelopingUX.com
