Application Security Part 1 Threat Defense In Client Server Applications With .NET

This presentation grew out of my experience with testing client-server applications (web, disconnected thin client, etc.) for security issues. The knowledge was gained through research and experience. I gave the presentation to the Cedar Rapids .NET User Group (CRineta.org) in 2006.


1. Application Security Part 1 – Threat Defense in Client/Server Applications
    Presented by Greg Sohl. © 2006, Gregory M. Sohl
2. Application Security?
    • Not Physical Security
    • Not Network Security
    • Not Just Protocol Security (i.e. SSL / HTTPS)
    • Not CAS – at least not directly
    • Coding Practices and Techniques
3. Who are the Attackers?
    • Disgruntled staff or developers
    • “Drive-by” attacks, such as side effects or direct consequences of a virus, worm or Trojan attack
    • Motivated criminal attackers, such as organized crime
    • Criminal attackers without motive against your organization, such as defacers
    • Script kiddies
4. Application Security – Part 1
    • Tonight’s Focus – Protecting against common application attacks
      • Threat Modeling
      • Types of Attacks
      • Defenses against Attacks
      • Tools and Resources
5. Threat Modeling
    • Identifying the points of your application that are subject to attack
      • Create an overview of the application architecture
        • Document trust boundaries
      • Identify the assets that need protecting
      • Document the application entry points
      • Document the application’s trust levels
      • Decompose the application with DFDs (data flow diagrams)
      • Identify and rank threats
        • Build an attack tree for each threat
6. Trust Boundaries
7. Threat Modeling – Classify Threats
    • STRIDE – http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/thcmch03.asp
      • Spoofing identity
      • Tampering with data
      • Repudiation
      • Information disclosure
      • Denial of service
      • Elevation of privilege
8. Threat Modeling – Ranking Threats
    • DREAD – Threat ranking, http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/thcmch03.asp
      • Damage Potential
        • How great is the damage if the vulnerability is exploited?
      • Reproducibility
        • How easy is it to reproduce the attack?
      • Exploitability
        • How easy is it to launch an attack?
      • Affected Users
        • As a rough percentage, how many users are affected?
      • Discoverability
        • How easy is it to find the vulnerability?
9. Threat Modeling Tool
10. Common Application Attacks
    • Authentication Attacks
    • Buffer Overruns
    • Circumvention of expected logic flow
    • Cross-Site Scripting (XSS)
    • Denial of Service
    • HTML Injection
    • Input Manipulation Attacks
    • LDAP Injection
    • Message Replay
    • Repudiation
    • SQL Injection
11. Authentication Attack
    • Types of applications vulnerable: All requiring authentication
12. Authentication Attack
    • Brute Force & Dictionary Attacks
      • Mitigate by
        • Require strong passwords
        • Store passwords as salted, non-reversible hashes
        • Use the new SecureString class to hold password values
        • Account lockout after multiple failed login attempts
          • Don’t reveal that the account is locked out. This only assists the attacker by telling them they have guessed an account name correctly.
        • Upon a failed login, do not reveal which part of the login was incorrect.
        • Utilize multi-factor authentication.
        • Keep logs of login attempts, successful and failed. Monitor the logs for patterns of hacking attempts.
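The storage and lockout rules on this slide, worked through as an added C# example (this is not code from the presentation). It uses only System.Security.Cryptography; the in-memory user table, the `UserRecord` class and the `AuditLog` sink are stand-ins for a real database and log and are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical user record standing in for a row in the real user table.
public class UserRecord
{
    public byte[] Salt;
    public byte[] Hash;
    public int FailedAttempts;
    public DateTime LockedUntil = DateTime.MinValue;
}

public static class PasswordStore
{
    const int SaltBytes = 16;
    const int HashBytes = 32;
    const int Iterations = 100000;        // PBKDF2 work factor; raise as hardware allows
    const int MaxFailures = 5;
    static readonly TimeSpan LockoutPeriod = TimeSpan.FromMinutes(15);

    // In-memory stand-in for the database (constructed for the example).
    static readonly Dictionary<string, UserRecord> users = new Dictionary<string, UserRecord>();

    public static void Register(string username, string password)
    {
        byte[] salt = new byte[SaltBytes];
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        rng.GetBytes(salt);                              // per-user random salt
        UserRecord rec = new UserRecord();
        rec.Salt = salt;
        rec.Hash = Derive(password, salt);
        users[username] = rec;                           // only salt + hash are stored, never the password
    }

    // PBKDF2 (Rfc2898DeriveBytes) is one-way: the stored value cannot be turned back into the password.
    static byte[] Derive(string password, byte[] salt)
    {
        return new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(HashBytes);
    }

    // Compare every byte regardless of where the first mismatch is, so the
    // comparison time does not leak how much of the hash matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Returns a single yes/no. The caller shows the same message for an unknown
    // user, a wrong password and a locked account, so nothing about which part
    // failed, or whether the account exists or is locked, reaches the client.
    public static bool Login(string username, string password)
    {
        UserRecord rec;
        bool found = users.TryGetValue(username, out rec);
        DateTime now = DateTime.UtcNow;

        // Derive even for unknown users so response time does not reveal valid names.
        byte[] candidate = Derive(password, found ? rec.Salt : new byte[SaltBytes]);
        bool ok = found && now >= rec.LockedUntil && FixedTimeEquals(rec.Hash, candidate);

        if (found)
        {
            if (ok) rec.FailedAttempts = 0;
            else if (++rec.FailedAttempts >= MaxFailures)
            {
                rec.LockedUntil = now + LockoutPeriod;   // lock silently; the response does not change
                rec.FailedAttempts = 0;
            }
        }
        AuditLog(username, ok);                          // log both outcomes, never the password
        return ok;
    }

    // Stand-in for the real log sink; the pattern to watch for is a burst of FAIL lines per user or source.
    static void AuditLog(string username, bool success)
    {
        Console.WriteLine("{0:u} login {1} user={2}", DateTime.UtcNow, success ? "OK" : "FAIL", username);
    }

    public static void Main()
    {
        Register("alice", "correct horse battery staple");
        for (int i = 0; i < MaxFailures; i++) Login("alice", "wrong" + i);   // five failures -> locked
        Console.WriteLine(Login("alice", "correct horse battery staple"));  // False while locked
        Console.WriteLine(Login("nobody", "anything"));                     // False, same code path
    }
}
```

The SecureString point from the slide is about the password's lifetime in memory before it reaches `Derive`; it is orthogonal to what is stored, which is why this example deals only with the stored form and the login decision.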
13. Authentication Attack
    • Session Hijacking
      • Types of applications vulnerable: Any utilizing session keys over a communication channel
      • Mitigate by
        • Using an encrypted communication channel (SSL / HTTPS, or an encrypted TCP/IP channel for Remoting)
        • Incorporating session timeouts at the lowest tolerable level
          • Timeout attribute of the <sessionState> element in web.config
14. Authentication Attack
    • Credential Theft
      • Mitigate by
        • Utilizing two-factor / multi-factor authentication
          • However, read Bruce Schneier’s caveats at http://www.schneier.com/blog/archives/2005/04/more_on_twofact.html
15. Authentication Attack
    • Resources
      • Strong Passwords
        • http://www.microsoft.com/athome/security/privacy/password.mspx
        • https://www.grc.com/passwords – Extreme example!
      • How can I store passwords in a custom user database (Hashing and Salting)
        • http://msdn.microsoft.com/msdnmag/issues/03/08/SecurityBriefs/
      • Secure Password Programming with .NET
        • http://www.developersdex.com/gurus/articles/829.asp
      • ASP.NET Membership API
        • http://msdn.microsoft.com/msdnmag/issues/05/11/Membership/default.aspx
      • Using the New Security Controls in ASP.NET 2.0
        • http://www.devx.com/codemag/Article/29353?trk=DXRSS_LATEST
      • Wikipedia on Two-Factor Authentication
        • http://en.wikipedia.org/wiki/Two-factor_authentication
      • RSA’s SecurID (not a product endorsement – just an example of a two-factor authentication product)
        • http://www.rsasecurity.com/node.asp?id=1156
16. Buffer Overflow Attacks
    • Types of applications vulnerable: Unmanaged
    • Mitigate by
      • Using 100% managed code
      • Careful use of unmanaged code when it is necessary
17. Circumvention of Expected Logic Flow Attack
    • Types of applications vulnerable: ASP.NET, WinForms w/ an Application Server, Web Services
    • Mitigate by
      • Careful management of session / state information
      • Don’t trust the client
      • Authorize every action / transaction / message
18. Cross Site Scripting Attack (XSS)
    • Types of applications vulnerable: ASP.NET
    • Mitigate by:
      • HTML encoding or URL encoding all text and parameter output.
    • Demo
    • Resources
      • Microsoft Anti-Cross Site Scripting Library V1.0
        • http://www.microsoft.com/downloads/details.aspx?familyid=9a2b9c92-7ad9-496c-9a89-af08de2e5982&displaylang=en
        • Allows only known “good” text and encodes all other text. This contrasts with the corresponding methods in the HttpUtility class, which target known “bad” text.
      • CERT Advisory
        • http://www.cert.org/advisories/CA-2000-02.html
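What "encode all text and parameter output" looks like in code, as an added example rather than the slide's demo: the same user-supplied search term rendered once unencoded (the defect) and once with one `HttpUtility` encoder per output context (the mitigation). The sample term is constructed; the code needs a reference to the System.Web assembly.

```csharp
using System;
using System.Web;

public static class SearchResultsView
{
    // Constructed sample input carrying markup characters. Nothing more exotic is needed
    // to show the difference: any '<' that reaches the page unencoded is live markup.
    public const string SampleTerm = "<i>boots</i> & \"shoes\"";

    // The defect: the term is concatenated straight into the page, so tags inside it are rendered.
    public static string RenderUnencoded(string term)
    {
        return "<p>Results for: " + term + "</p>";
    }

    // The mitigation: one encoder per output context. Text nodes get HtmlEncode,
    // attribute values HtmlAttributeEncode, query-string parameters UrlEncode.
    public static string RenderEncoded(string term)
    {
        string asText = HttpUtility.HtmlEncode(term);            // &lt;i&gt;boots&lt;/i&gt; &amp; &quot;shoes&quot;
        string asAttribute = HttpUtility.HtmlAttributeEncode(term);
        string nextPageUrl = "search.aspx?q=" + HttpUtility.UrlEncode(term) + "&page=2";
        return "<p>Results for: " + asText + "</p>\n"
             + "<input type=\"text\" name=\"q\" value=\"" + asAttribute + "\" />\n"
             + "<a href=\"" + HttpUtility.HtmlAttributeEncode(nextPageUrl) + "\">next page</a>";
    }

    public static void Main()
    {
        Console.WriteLine(RenderUnencoded(SampleTerm));   // a browser would render "boots" in italics
        Console.WriteLine(RenderEncoded(SampleTerm));     // a browser shows the literal characters typed
    }
}
```

The Anti-XSS library named on the slide exposes the same operations as static methods and differs, as the slide says, in encoding everything outside an allow-list rather than a fixed set of dangerous characters; the encoder-per-context rule is the same with either library.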
19. Exception Management
    • Mitigate by:
      • Standardize error handling code
      • ASP.NET custom error page
      • Last-chance exception catching
      • Log the detailed data needed for problem diagnosis.
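A Global.asax code-behind that applies the last-chance catching and custom error page from this slide together with the session timeout from slide 13, added here as an example (not part of the presentation). `Error.aspx` and the log path are placeholders; the class compiles against the System.Web assembly of ASP.NET 2.0 or later.

```csharp
using System;
using System.IO;
using System.Web;

public class Global : HttpApplication
{
    // Hypothetical log location; a production application would use the event log or a logging library.
    const string ErrorLogPath = @"C:\logs\app-errors.log";

    protected void Session_Start(object sender, EventArgs e)
    {
        // Same effect as timeout="10" on <sessionState> in web.config: the shortest idle
        // window the application can tolerate limits how long a captured session id stays usable.
        Session.Timeout = 10;
    }

    // Last-chance handler: reached by any exception that nothing else caught.
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;
        HttpException httpEx = ex as HttpException;
        int status = httpEx != null ? httpEx.GetHttpCode() : 500;

        // Everything needed for diagnosis (URL, user, address, full exception chain) goes to the server-side log only.
        LogDetail(status, ex, Context);

        // The user gets a generic page: no stack trace, query text or file path leaves the server.
        Server.ClearError();
        Response.Redirect("~/Error.aspx", false);
        CompleteRequest();
    }

    static void LogDetail(int status, Exception ex, HttpContext ctx)
    {
        string user = (ctx.User != null && ctx.User.Identity.IsAuthenticated) ? ctx.User.Identity.Name : "(anonymous)";
        string entry = string.Format("{0:u} status={1} url={2} user={3} ip={4}{5}{6}{5}",
            DateTime.UtcNow, status, ctx.Request.RawUrl, user, ctx.Request.UserHostAddress, Environment.NewLine, ex);
        try { File.AppendAllText(ErrorLogPath, entry); }
        catch (IOException) { /* logging must never take down the handler itself */ }
    }
}
```

The declarative counterpart for the page half of this is `<customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />` in web.config; `Application_Error` is still worth keeping because it is the one place that sees every unhandled exception before the redirect happens.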
20. HTML Injection Attack
    • The purpose of HTML Injection is site defacement.
      • Types of applications vulnerable: ASP.NET
      • Mitigate by:
        • HTML encoding or URL encoding all text and parameter output – same as XSS
21. Input Manipulation Attack & Trusting the Client’s Authorization
    • Types of applications vulnerable: ASP.NET, WinForms w/ an Application Server, Web Services
    • Items subject to Input Manipulation
      • ASP.NET ViewState
      • POST / GET fields, including hidden fields
      • Cookies
      • ALL input!
22. Input Manipulation Attack & Trusting the Client’s Authorization
    • Mitigate by
      • Checking data for validity
        • Constrain
        • Reject
        • Sanitize
        • Centralized approach
23. Trust Boundary Chokepoints
    • Use chokepoints between trust boundaries
    • Channel all input (and output) through the chokepoints
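Slides 21 to 23 together describe one pattern: a single chokepoint that constrains each inbound value against an allow-list and rejects the rest, followed by server-side authorization of the action regardless of what the client claimed. The example below is added here and is not code from the presentation; the `InputGate` and `TransferService` names, the field patterns and the ownership table are all hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Text.RegularExpressions;

public class ValidationException : Exception
{
    public ValidationException(string message) : base(message) { }
}

// The chokepoint: every inbound value (form field, hidden field, cookie, ViewState)
// is read through here and nowhere else.
public static class InputGate
{
    // Constrain with allow-lists. \z rather than $ so a trailing newline cannot slip past the pattern.
    static readonly Regex AccountIdPattern = new Regex(@"^\d{1,10}\z");
    static readonly Regex AmountPattern = new Regex(@"^\d{1,7}(\.\d{1,2})?\z");
    static readonly Regex MemoPattern = new Regex(@"^[A-Za-z0-9 .,'-]{0,80}\z");

    public static int AccountId(string raw) { return int.Parse(Require(raw, AccountIdPattern, "accountId"), CultureInfo.InvariantCulture); }
    public static decimal Amount(string raw) { return decimal.Parse(Require(raw, AmountPattern, "amount"), CultureInfo.InvariantCulture); }
    public static string Memo(string raw) { return Require(raw ?? "", MemoPattern, "memo"); }

    // Reject: anything outside the allow-list is refused outright rather than "cleaned up".
    static string Require(string raw, Regex allowed, string field)
    {
        if (raw == null || !allowed.IsMatch(raw))
            throw new ValidationException("Invalid value for " + field);
        return raw;
    }
}

public static class TransferService
{
    // Hypothetical ownership table (constructed for the example).
    static readonly Dictionary<string, List<int>> owners = new Dictionary<string, List<int>>();
    static TransferService()
    {
        owners["alice"] = new List<int>(new int[] { 1001, 1002 });
        owners["bob"] = new List<int>(new int[] { 2001 });
    }

    // The account id arrived in a hidden field, so it is treated as a claim, not a fact:
    // the server checks it against the authenticated identity before acting.
    public static string Withdraw(string authenticatedUser, string rawAccountId, string rawAmount, string rawMemo)
    {
        int account = InputGate.AccountId(rawAccountId);
        decimal amount = InputGate.Amount(rawAmount);
        string memo = InputGate.Memo(rawMemo);

        List<int> mine;
        if (!owners.TryGetValue(authenticatedUser, out mine) || !mine.Contains(account))
            throw new UnauthorizedAccessException(authenticatedUser + " does not own account " + account);

        return string.Format(CultureInfo.InvariantCulture, "{0} withdrew {1} from {2} ({3})", authenticatedUser, amount, account, memo);
    }

    public static void Main()
    {
        Console.WriteLine(Withdraw("alice", "1001", "25.00", "lunch"));
        foreach (string[] attempt in new string[][] {
            new string[] { "bob", "1001", "25.00", "lunch" },     // hidden field pointing at an account bob does not own
            new string[] { "alice", "1OO1", "25.00", "lunch" } }) // malformed id (letters) is rejected before any lookup
        {
            try { Console.WriteLine(Withdraw(attempt[0], attempt[1], attempt[2], attempt[3])); }
            catch (Exception ex) { Console.WriteLine(ex.GetType().Name + ": " + ex.Message); }
        }
    }
}
```

The "sanitize" step from slide 22 is deliberately absent from the gate: values are either accepted as-is or rejected, and the only transformation applied is encoding at the output chokepoint (the XSS slide), so the same string never gets "cleaned" two different ways on the way in and on the way out.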
24. LDAP Injection Attack
    • Types of applications vulnerable: All using an LDAP server for authentication and/or authorization data
    • SPI Dynamics White Paper – http://www.spidynamics.com/whitepapers/LDAPinjection.pdf
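The slide names the attack but not the defence; the added example below (not from the presentation) shows the usual one for .NET directory code: a user-supplied value is escaped per the LDAP filter string encoding (RFC 4515) before it is placed in a `DirectorySearcher` filter, so it can only ever be matched as a value and cannot change the filter's structure. `LdapLookup` is a hypothetical name and the sample account name is constructed.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

public static class LdapLookup
{
    // Escape the characters that carry meaning inside a filter value (RFC 4515).
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;   // backslash first, so escapes are not re-escaped
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // The vulnerable form would concatenate accountName directly; this one escapes it first,
    // so the filter always has exactly the structure written here.
    public static string BuildUserFilter(string accountName)
    {
        return "(&(objectClass=user)(sAMAccountName=" + EscapeFilterValue(accountName) + "))";
    }

    public static SearchResult FindUser(DirectoryEntry root, string accountName)
    {
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = BuildUserFilter(accountName);
            searcher.PropertiesToLoad.Add("distinguishedName");
            return searcher.FindOne();     // null when nothing matches
        }
    }

    public static void Main()
    {
        // Constructed inputs: a plain name, and one containing parentheses and a wildcard,
        // which the escaping turns into literal characters rather than filter syntax.
        Console.WriteLine(BuildUserFilter("jsmith"));
        Console.WriteLine(BuildUserFilter("O'Brien (Sales)*"));
    }
}
```

`FindUser` needs a live directory and is shown only to place the filter in context; the two `BuildUserFilter` calls in `Main` run without one.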
25. Message Replay
    • Types of applications vulnerable: ASP.NET, WinForms w/ an Application Server, Web Services
    • Mitigate by
      • Uniquely identifying messages with a signature. Cache messages for a period of time. Check new messages’ signatures against the cache and reject duplicates.
    • Resources
      • Implementing Message Replay Detection in WSE 3.0
        • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/wss_ch5_impmsgreplaydet_wse30.asp
26. Repudiation
    • Types of applications vulnerable: All
    • Mitigate by
      • Strong authentication
      • Logging transactions with user information.
      • Message digital signatures
    • Bad example – ARS to iSeries SPs
    • Resources
      • Definition: http://en.wikipedia.org/wiki/Non-repudiation
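One added example serves both the Message Replay slide and the Repudiation slide, since the same digital signature does double duty: it proves who sent the message (the sender cannot later deny a message only their private key could have signed), and it lets the receiver detect that a message it has already accepted is being presented again. This is not code from the presentation or from WSE; the `SignedMessage` layout, the in-memory key pair and the five-minute window are assumptions, and it needs the `RSA.SignData(byte[], HashAlgorithmName, RSASignaturePadding)` overloads of .NET Framework 4.6 or later / .NET Core.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public class SignedMessage
{
    public string Sender;
    public Guid MessageId;      // unique per message, so a duplicate is detectable
    public DateTime SentUtc;    // bounds how long the receiver must remember ids
    public string Body;
    public byte[] Signature;

    // Everything that is signed: alter any field and the signature no longer verifies.
    public byte[] SignedContent()
    {
        return Encoding.UTF8.GetBytes(Sender + "|" + MessageId.ToString("N") + "|" + SentUtc.ToString("o") + "|" + Body);
    }
}

public class MessageSender
{
    readonly RSA key = RSA.Create();     // in-memory key pair; a real deployment keeps this in a protected key store
    public readonly string Name;
    public MessageSender(string name) { Name = name; }
    public RSAParameters PublicKey { get { return key.ExportParameters(false); } }

    public SignedMessage Send(string body)
    {
        SignedMessage m = new SignedMessage();
        m.Sender = Name; m.MessageId = Guid.NewGuid(); m.SentUtc = DateTime.UtcNow; m.Body = body;
        m.Signature = key.SignData(m.SignedContent(), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return m;
    }
}

public class MessageReceiver
{
    static readonly TimeSpan ReplayWindow = TimeSpan.FromMinutes(5);
    readonly Dictionary<Guid, DateTime> seen = new Dictionary<Guid, DateTime>();          // the cache from the slide
    readonly Dictionary<string, RSAParameters> trustedKeys = new Dictionary<string, RSAParameters>();

    public void Trust(string sender, RSAParameters publicKey) { trustedKeys[sender] = publicKey; }

    // Null means accepted (and the id is now cached); otherwise the rejection reason.
    public string Accept(SignedMessage m, DateTime nowUtc)
    {
        RSAParameters pub;
        if (!trustedKeys.TryGetValue(m.Sender, out pub)) return "unknown sender";

        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(pub);
            if (!rsa.VerifyData(m.SignedContent(), m.Signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
                return "bad signature";          // altered in transit, or not produced by this sender's key
        }
        if (nowUtc - m.SentUtc > ReplayWindow) return "stale";   // older than anything the cache still remembers

        Purge(nowUtc);
        if (seen.ContainsKey(m.MessageId)) return "replay";       // valid signature, but already processed once
        seen[m.MessageId] = m.SentUtc;
        // Audit line ties the action to the signer: the repudiation mitigation from slide 26.
        Console.WriteLine("{0:u} accepted {1} from {2}: {3}", nowUtc, m.MessageId, m.Sender, m.Body);
        return null;
    }

    // Ids older than the window are dropped; a replay that old is caught by the timestamp check instead.
    void Purge(DateTime nowUtc)
    {
        List<Guid> expired = new List<Guid>();
        foreach (KeyValuePair<Guid, DateTime> kv in seen)
            if (nowUtc - kv.Value > ReplayWindow) expired.Add(kv.Key);
        foreach (Guid id in expired) seen.Remove(id);
    }

    public static void Main()
    {
        MessageSender alice = new MessageSender("alice");
        MessageReceiver bank = new MessageReceiver();
        bank.Trust("alice", alice.PublicKey);

        SignedMessage m = alice.Send("transfer 100 to 2001");
        Console.WriteLine(bank.Accept(m, DateTime.UtcNow) ?? "accepted");   // accepted
        Console.WriteLine(bank.Accept(m, DateTime.UtcNow) ?? "accepted");   // replay
        m.Body = "transfer 1000 to 2001";
        Console.WriteLine(bank.Accept(m, DateTime.UtcNow) ?? "accepted");   // bad signature
        Console.WriteLine(bank.Accept(alice.Send("x"), DateTime.UtcNow.AddMinutes(10)) ?? "accepted");  // stale
    }
}
```

Verification runs before the cache is consulted so that a message with a bad signature can never occupy an id in the cache; and an asymmetric signature is used rather than an HMAC because a shared secret would let the receiver forge messages too, which is exactly what a non-repudiation claim must rule out.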
27. SQL Injection Attack
    • Occurs when your application uses input to construct dynamic SQL statements to access the database.
    • Types of applications vulnerable: All using SQL-based databases
28. SQL Injection Attack
    • Mitigate by:
      • Employing the principle of least privilege for database server access
      • Using stored procedures

        ```csharp
        // Stored procedure invoked by name; the login value is bound as a typed parameter
        // (VarChar(11), matching the au_id column) rather than concatenated into SQL text.
        SqlDataAdapter myCommand = new SqlDataAdapter("AuthorLogin", conn);
        myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
        SqlParameter parm = myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
        parm.Value = Login.Text;
        ```
29. SQL Injection Attack
    • Using parameterized queries

      ```csharp
      // The @au_id placeholder stays in the statement text; the provider sends the value
      // separately, so it is never parsed as part of the SQL.
      SqlDataAdapter myCommand = new SqlDataAdapter(
          "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id", conn);
      SqlParameter parm = myCommand.SelectCommand.Parameters.Add("@au_id",
          SqlDbType.VarChar, 11);
      parm.Value = Login.Text;
      ```

    • Escape user input used in dynamic queries

      ```csharp
      // Doubles embedded single quotes so the value cannot close a quoted SQL string literal.
      private string SafeSqlLiteral(string inputSQL)
      {
          return inputSQL.Replace("'", "''");
      }
      ```
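The dynamic-SQL defect slide 27 describes, placed beside the parameterized form as a complete `SqlCommand` method, added here as an example (not the presentation's code). Table and column names follow the slide's own `Authors` / `au_id` sample; the connection string is a placeholder and the name in `Main` is constructed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class AuthorLookup
{
    // The defect: the login value is spliced into the statement text, so whatever the
    // user typed is parsed as SQL. Shown only as the "before" form.
    public static string UnsafeQueryText(string login)
    {
        return "SELECT au_lname, au_fname FROM Authors WHERE au_id = '" + login + "'";
    }

    // The mitigation: the value travels as a typed parameter and is never parsed as SQL.
    // Pair it with a least-privilege database login that can only SELECT (or EXECUTE) what this code needs.
    public static string FindAuthor(string connectionString, string login)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id", conn))
        {
            cmd.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = login;
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                return r.Read() ? r.GetString(0) + ", " + r.GetString(1) : null;
            }
        }
    }

    public static void Main()
    {
        // A legitimate value containing an apostrophe is enough to show the problem:
        // the concatenated statement is no longer even syntactically valid.
        Console.WriteLine(UnsafeQueryText("O'Brien"));

        // FindAuthor needs a live database; the connection string here is a placeholder.
        // Console.WriteLine(FindAuthor("Server=<host>;Database=pubs;Integrated Security=true", "<au_id>"));
    }
}
```

One caveat on the slide's `SafeSqlLiteral`: doubling quotes only protects a value that sits inside a quoted string literal. A value dropped into a numeric comparison, an ORDER BY, or a table name is not inside quotes, so escaping does nothing there; parameters (or a stored procedure) cover every position, and escaping is best kept for the rare string-literal case that cannot be parameterized.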
30. SQL Injection Attack
    • Resources
      • SPI Dynamics Whitepaper
        • http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
      • Stop SQL Injection Attacks Before They Stop You
        • http://msdn.microsoft.com/msdnmag/issues/04/09/sqlinjection/default.aspx
      • How To: Protect From SQL Injection in ASP.NET
        • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000002.asp
      • Improving Web Application Security: Threats and Countermeasures: Chapter 14 – Building Secure Data Access
        • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp
31. Resources
    • Organizations and Web Sites
      • Open Web Application Security Project
        • http://www.owasp.org – Generally focused
        • http://www.owasp.net – .NET focused but light on content
      • SecurityFocus
        • http://www.securityfocus.com
      • Institute for Security and Open Methodologies
        • http://www.isecom.org
32. Resources
    • Threat Modeling
      • MSDN Patterns and Practices – Improving Web Application Security: Threats and Countermeasures
        • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp
      • MS Threat Modeling Tool
        • http://www.microsoft.com/downloads/details.aspx?FamilyID=62830f95-0e61-4f87-88a6-e7c663444ac1&displaylang=en
      • MS Threat Modeling Security Home
        • http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx
      • Microsoft Application Threat Modeling Blog
        • http://blogs.msdn.com/threatmodeling/
      • Larry Osterman’s Blog – Security Category
        • http://blogs.msdn.com/larryosterman/archive/category/5905.aspx
      • Threat Modeling chapter in Writing Secure Code
      • Threat Modeling chapter in The .NET Developer's Guide to Windows Security
      • OWASP Guide chapter on “THREAT RISK MODELING”
33. Resources
    • Books and Papers
      • Writing Secure Code (Michael Howard, David LeBlanc)
        • http://www.amazon.com/gp/product/0735617228/qid=1141268042/sr=11-1/ref=sr_11_1/102-8030941-6365719?s=books&v=glance&n=283155
      • The .NET Developer's Guide to Windows Security (Keith Brown)
        • http://www.amazon.com/gp/product/0321228359/qid=1141268134/sr=11-1/ref=sr_11_1/102-8030941-6365719?s=books&v=glance&n=283155
      • OWASP Guide to Building Secure Web Applications and Web Services 2.0
        • http://www.owasp.org/documentation/guide.html
      • OWASP Top Ten Project
        • http://www.owasp.org/documentation/topten.html
34. Resources
    • Mailing Lists
      • Penetration Testing and Web Application Security lists at SecurityFocus.com
        • http://www.securityfocus.com/archive
35. Resources
    • Testing Tools
      • Web and Web Services
        • Microsoft Fiddler – http://www.fiddlertool.com/fiddler/
        • Paros Proxy – http://www.parosproxy.org
        • TamperIE – http://www.bayden.com/other/
        • SPI Dynamics – http://www.spidynamics.com (commercial tools)
36. Resources
    • Web Casts
      • Microsoft Digital Blackbelt Security Series
        • http://www.microsoft.com/events/series/digitalblackbelt.mspx
      • Writing Secure Code – Threat Defense
        • http://msevents.microsoft.com/cui/eventdetail.aspx?eventid=1032253724&culture=en-us
37. Resources
    • Blogs
      • Anil John – http://www.securesoa.com/blog/default.aspx
      • J.D. Meier – http://blogs.msdn.com/jmeier/default.aspx
        • Especially enjoyable – Security approaches that don’t work: http://blogs.msdn.com/jmeier/archive/2005/10/11/479490.aspx
      • .NET Security Blog – http://blogs.msdn.com/shawnfa/default.aspx
      • Michael Howard – http://blogs.msdn.com/michael_howard/default.aspx
38. Resources
    • Practice Applications
      • OWASP
        • WebGoat (http://www.owasp.org/software/webgoat.html)
      • Maven Security
        • WebMaven (http://www.mavensecurity.com/webmaven)
      • Foundstone (http://www.foundstone.com/resources/freetools.htm)
        • Hacme Books – The Hacme Books application simulates a ‘real-world’ eCommerce bookstore.
        • Hacme Bank – Hacme Bank™ is designed to teach application developers, programmers, architects and security professionals how to create secure software. Hacme Bank simulates a "real-world" online banking application.
39. Resources
    • Other Documents and Articles
      • Writing Secure Code on MSDN
        • http://msdn.microsoft.com/security/securecode/default.aspx
      • patterns & practices Security Guidance for Applications Index
        • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/SecurityGuidanceIndex.asp
      • patterns & practices Security How Tos Index
        • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/SecurityHowTosIndex.asp
      • Microsoft Developer Security Resource Kit
        • http://msdn.microsoft.com/security/securityreskit/default.aspx
      • Secure Coding Guidelines for the .NET Framework
        • http://msdn.microsoft.com/security/securecode/bestpractices/default.aspx?pull=/library/en-us/dnnetsec/html/seccodeguide.asp
      • Visual Studio 2005 Security Features and Tools
        • http://msdn.microsoft.com/security/vs2005security/default.aspx
      • Security Enhancements in the .NET Framework 2.0
        • http://msdn.microsoft.com/msdnmag/issues/06/00/SecurityBriefs/default.aspx
      • Using the New Security Controls in ASP.NET 2.0
        • http://www.devx.com/codemag/Article/29353?trk=DXRSS_LATEST
      • Security Headaches? Take ASP.NET 2.0! (Keith Brown)
        • http://msdn.microsoft.com/msdnmag/issues/04/06/ASPNET20Security/
      • The Trustworthy Computing Security Development Lifecycle
        • http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp
      • ASP.NET Security: 8 Ways to Avoid Attack
        • http://www.devx.com/security/Article/20898/0/page/1
      • Web Service Security: Scenarios, Patterns, and Implementation Guidance: Home
        • http://www.gotdotnet.com/codegallery/codegallery.aspx?id=67f659f6-9457-4860-80ff-0535dffed5e6
40. Resources
    • Code Libraries
      • Microsoft Anti-Cross Site Scripting Library V1.0
        • http://www.microsoft.com/downloads/details.aspx?familyid=9a2b9c92-7ad9-496c-9a89-af08de2e5982&displaylang=en
    • Training
      • Security Training Modules (beta)
        • http://channel9.msdn.com/wiki/default.aspx/SecurityWiki.SecurityTrainingModules
41. Principles
    • Least Privilege
      • http://en.wikipedia.org/wiki/Principle_of_least_privilege
      • http://web.mit.edu/Saltzer/www/publications/protection/
    • Defense in Depth
      • http://en.wikipedia.org/wiki/Defense_in_depth
    • Incorporate security into your entire SDLC
    • Train your developers in secure coding practices and give them patterns to follow
    • Learn to think like an attacker
      • Jack of all trades quiz – http://www.isecom.org/projects/jack.shtml
