Application Security Part 1 – Threat Defense in Client/Server Applications Presented by Greg Sohl © 2006, Gregory M. Sohl

Application Security? Not Physical Security Not Network Security Not Just Protocol Security (i.e. SSL / HTTPS) Not CAS – at least not directly Coding Practices and Techniques

Not Physical Security

Not Network Security

Not Just Protocol Security (i.e. SSL / HTTPS)

Not CAS – at least not directly

Coding Practices and Techniques

Who are the Attackers? Disgruntled staff or developers “ Drive by” attacks, such as side effects or direct consequences of a virus, worm or Trojan attack Motivated criminal attackers, such as organized crime Criminal attackers without motive against your organization, such as defacers Script kiddies

Disgruntled staff or developers

“ Drive by” attacks, such as side effects or direct consequences of a virus, worm or Trojan attack

Motivated criminal attackers, such as organized crime

Criminal attackers without motive against your organization, such as defacers

Script kiddies

Application Security – Part 1 Tonight’s Focus – Protecting against common application attacks Threat Modeling Types of Attacks Defenses against Attacks Tools and Resources

Tonight’s Focus – Protecting against common application attacks

Threat Modeling

Types of Attacks

Defenses against Attacks

Tools and Resources

Threat Modeling Identifying points of your application that are subject to attack Create overview of the application architecture Document Trust Boundaries Identify the assets that need protecting Document the application entry points Document the application’s trust levels Decompose the application with DFDs Identify and Rank Threats Build an attack tree for each threat

Identifying points of your application that are subject to attack

Create overview of the application architecture

Document Trust Boundaries

Identify the assets that need protecting

Document the application entry points

Document the application’s trust levels

Decompose the application with DFDs

Identify and Rank Threats

Build an attack tree for each threat

Trust Boundaries

Threat Modeling – Classify Threats STRIDE - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/thcmch03.asp Spoofing identity Tampering with data Repudiation Information disclosure Denial of service Elevation of privilege

STRIDE - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/thcmch03.asp

Spoofing identity

Tampering with data

Repudiation

Information disclosure

Denial of service

Elevation of privilege

Threat Modeling – Ranking Threats DREAD – Threat ranking http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/thcmch03.asp Damage Potential How great is the damage if the vulnerability is exploited? Reproducibility How easy is it to reproduce the attack? Exploitability How easy is it to launch an attack? Affected Users As a rough percentage, how many users are affected? Discoverability How easy is it to find the vulnerability?

DREAD – Threat ranking http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/thcmch03.asp

Damage Potential

How great is the damage if the vulnerability is exploited?

Reproducibility

How easy is it to reproduce the attack?

Exploitability

How easy is it to launch an attack?

Affected Users

As a rough percentage, how many users are affected?

Discoverability

How easy is it to find the vulnerability?

Threat Modeling Tool

Common Application Attacks Authentication Attacks Buffer Overruns Circumvention of expected logic flow Cross-Site Scripting (XSS) Denial of Service HTML Injection Input Manipulation Attacks LDAP Injection Message Replay Repudiation SQL Injection

Authentication Attacks

Buffer Overruns

Circumvention of expected logic flow

Cross-Site Scripting (XSS)

Denial of Service

HTML Injection

Input Manipulation Attacks

LDAP Injection

Message Replay

Repudiation

SQL Injection

Authentication Attack Types of applications vulnerable: All requiring authentication

Types of applications vulnerable: All requiring authentication

Authentication Attack Brute Force & Dictionary Attacks Mitigate by Require strong passwords Store passwords as salted, non-reversible hashes Use the new SecureString class to hold password values Account lockout with multiple failed login attempts Don’t reveal that the account is locked out. This only assists the attacker by telling them they have guessed an account name correctly. Upon a failed login, do not reveal which part of a login was incorrect. Utilize multi-factor authentication. Keep logs of login attempts, successful and failed. Monitor logs for patterns of hacking attempts.

Brute Force & Dictionary Attacks

Mitigate by

Require strong passwords

Store passwords as salted, non-reversible hashes

Use the new SecureString class to hold password values

Account lockout with multiple failed login attempts

Don’t reveal that the account is locked out. This only assists the attacker by telling them they have guessed an account name correctly.

Upon a failed login, do not reveal which part of a login was incorrect.

Utilize multi-factor authentication.

Keep logs of login attempts, successful and failed. Monitor logs for patterns of hacking attempts.

Authentication Attack Session Hijacking Types of applications vulnerable: Any utilizing Sessions keys over a communication channel Mitigate by Using encrypted communication channel (SSL / HTTPS or encrypted TCP/IP Channel for Remoting) Incorporating session timeouts at the lowest tolerable level Timeout attribute in the web.config <sessionstate>

Session Hijacking

Types of applications vulnerable: Any utilizing Sessions keys over a communication channel

Mitigate by

Using encrypted communication channel (SSL / HTTPS or encrypted TCP/IP Channel for Remoting)

Incorporating session timeouts at the lowest tolerable level

Timeout attribute in the web.config <sessionstate>

Authentication Attack Credential Theft Mitigate by Utilizing two-factor / multi-factor authentication However, read Bruce Schneier’s caveats at http://www.schneier.com/blog/archives/2005/04/more_on_twofact.html

Credential Theft

Mitigate by

Utilizing two-factor / multi-factor authentication

However, read Bruce Schneier’s caveats at http://www.schneier.com/blog/archives/2005/04/more_on_twofact.html

Authentication Attack Resources Strong Passwords http://www.microsoft.com/athome/security/privacy/password.mspx https://www.grc.com/passwords Extreme example! How can I store passwords in a custom user database (Hashing and Salting) http://msdn.microsoft.com/msdnmag/issues/03/08/SecurityBriefs/ Secure Password Programming with .NET http://www.developersdex.com/gurus/articles/829.asp ASP.NET Membership API http://msdn.microsoft.com/msdnmag/issues/05/11/Membership/default.aspx Using the New Security Controls in ASP.NET 2.0 http://www.devx.com/codemag/Article/29353?trk=DXRSS_LATEST Wikipedia on Two-Factor Authentication http://en.wikipedia.org/wiki/Two-factor_authentication RSA’s SecureID (not a product endorsement – just an example of an two-factor authentication product) http://www.rsasecurity.com/node.asp?id=1156

Resources

Strong Passwords

http://www.microsoft.com/athome/security/privacy/password.mspx

https://www.grc.com/passwords Extreme example!

How can I store passwords in a custom user database (Hashing and Salting)

http://msdn.microsoft.com/msdnmag/issues/03/08/SecurityBriefs/

Secure Password Programming with .NET

http://www.developersdex.com/gurus/articles/829.asp

ASP.NET Membership API

http://msdn.microsoft.com/msdnmag/issues/05/11/Membership/default.aspx

Using the New Security Controls in ASP.NET 2.0

http://www.devx.com/codemag/Article/29353?trk=DXRSS_LATEST

Wikipedia on Two-Factor Authentication

http://en.wikipedia.org/wiki/Two-factor_authentication

RSA’s SecureID (not a product endorsement – just an example of an two-factor authentication product)

http://www.rsasecurity.com/node.asp?id=1156

Buffer Overflow Attacks Types of applications vulnerable: Unmanaged Mitigate by Use 100% Managed Code Careful use of non-managed code when necessary

Types of applications vulnerable: Unmanaged

Mitigate by

Use 100% Managed Code

Careful use of non-managed code when necessary

Circumvention of Expected Logic Flow Attack Types of applications vulnerable: ASP.NET, WinForms w/ an Application Server, Web Services Mitigate by Careful management of session / state information Don’t trust the client Authorize every action / transaction / message

Types of applications vulnerable: ASP.NET, WinForms w/ an Application Server, Web Services

Mitigate by

Careful management of session / state information

Don’t trust the client

Authorize every action / transaction / message

Cross Site Scripting Attack (XSS) Types of applications vulnerable: ASP.NET Mitigate by: HTML Encoding or URL Encoding all text and parameter output. Demo Resources Microsoft Anti-Cross Site Scripting Library V1.0 http://www.microsoft.com/downloads/details.aspx?familyid=9a2b9c92-7ad9-496c-9a89-af08de2e5982&displaylang=en Allows only known “good” text. Encodes all other text. This contrasts with the corresponding methods in the HttpUtility class which targets known “bad” text. CERT Advisory http://www.cert.org/advisories/CA-2000-02.html

Types of applications vulnerable: ASP.NET

Mitigate by:

HTML Encoding or URL Encoding all text and parameter output.

Demo

Resources

Microsoft Anti-Cross Site Scripting Library V1.0

http://www.microsoft.com/downloads/details.aspx?familyid=9a2b9c92-7ad9-496c-9a89-af08de2e5982&displaylang=en

Allows only known “good” text. Encodes all other text. This contrasts with the corresponding methods in the HttpUtility class which targets known “bad” text.

CERT Advisory

http://www.cert.org/advisories/CA-2000-02.html

Exception Management Mitigate by: Standardize error handling code ASP.NET custom error page Last-chance exception catching Log detailed data needed for problem diagnosis.

Mitigate by:

Standardize error handling code

ASP.NET custom error page

Last-chance exception catching

Log detailed data needed for problem diagnosis.

HTML Injection Attack The purpose of HTML Injection is for site defacement. Types of applications vulnerable: ASP.NET Mitigate by: HTML Encoding or URL Encoding all text and parameter output – same as XSS

The purpose of HTML Injection is for site defacement.

Types of applications vulnerable: ASP.NET

Mitigate by:

HTML Encoding or URL Encoding all text and parameter output – same as XSS

Input Manipulation Attack & Trusting the Client’s Authorization Types of applications vulnerable: ASP.NET, WinForms w/ an Application Server, Web Services Items subject to Input Manipulation ASP.NET ViewState POST / GET Fields including hidden Fields Cookies ALL input!

Types of applications vulnerable: ASP.NET, WinForms w/ an Application Server, Web Services

Items subject to Input Manipulation

ASP.NET ViewState

POST / GET Fields including hidden Fields

Cookies

ALL input!

Input Manipulation Attack & Trusting the Client’s Authorization Mitigate by Checking Data for Validity Constrain Reject Sanitize Centralized approach

Mitigate by

Checking Data for Validity

Constrain

Reject

Sanitize

Centralized approach

Trust Boundary Chokepoints Use chokepoints between Trust Boundaries Channel all input (and output) through the chokepoints

Use chokepoints between Trust Boundaries

Channel all input (and output) through the chokepoints

LDAP Injection Attack Types of applications vulnerable: All using LDAP server for authentication and/or authorization data SPI Dynamics White Paper - http://www.spidynamics.com/whitepapers/LDAPinjection.pdf

Types of applications vulnerable: All using LDAP server for authentication and/or authorization data

SPI Dynamics White Paper - http://www.spidynamics.com/whitepapers/LDAPinjection.pdf

Message Replay Types of applications vulnerable: ASP.NET, WinForms w/ an Application Server, Web Services Mitigate by Uniquely identifying messages with a signature. Cache messages for a period of time. Check new messages signatures against the cache and reject duplicates. Resources Implementing Message Replay Detection in WSE 3.0 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/wss_ch5_impmsgreplaydet_wse30.asp

Types of applications vulnerable: ASP.NET, WinForms w/ an Application Server, Web Services

Mitigate by

Uniquely identifying messages with a signature. Cache messages for a period of time. Check new messages signatures against the cache and reject duplicates.

Resources

Implementing Message Replay Detection in WSE 3.0

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/wss_ch5_impmsgreplaydet_wse30.asp

Repudiation Types of applications vulnerable: All Mitigate by Strong authentication Logging transactions with user information. Message digital signatures Bad example – ARS to iSeries SPs Resources Definition: http://en.wikipedia.org/wiki/Non-repudiation

Types of applications vulnerable: All

Mitigate by

Strong authentication

Logging transactions with user information.

Message digital signatures

Bad example – ARS to iSeries SPs

Resources

Definition: http://en.wikipedia.org/wiki/Non-repudiation

SQL Injection Attack Occurs when your application uses input to construct dynamic SQL statements to access the database. Types of applications vulnerable: All using SQL-based databases

Occurs when your application uses input to construct dynamic SQL statements to access the database.

Types of applications vulnerable: All using SQL-based databases

SQL Injection Attack Mitigate by: Employing the principal of least privilege to database server access Using stored procedures SqlDataAdapter myCommand = new SqlDataAdapter(&quot;AuthorLogin&quot;, conn); myCommand.SelectCommand.CommandType = CommandType.StoredProcedure; SqlParameter parm = myCommand.SelectCommand.Parameters.Add(&quot;@au_id&quot;, SqlDbType.VarChar, 11); parm.Value = Login.Text;

Mitigate by:

Employing the principal of least privilege to database server access

Using stored procedures

SqlDataAdapter myCommand = new SqlDataAdapter(&quot;AuthorLogin&quot;, conn);

myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;

SqlParameter parm = myCommand.SelectCommand.Parameters.Add(&quot;@au_id&quot;, SqlDbType.VarChar, 11);

parm.Value = Login.Text;

SQL Injection Attack Using parameterized queries SqlDataAdapter myCommand = new SqlDataAdapter( &quot;SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id&quot;, conn); SqlParameter parm = myCommand.SelectCommand.Parameters.Add(&quot;@au_id&quot;, SqlDbType.VarChar, 11); parm.Value = Login.Text; Escape user input used in dynamic queries private string SafeSqlLiteral(string inputSQL) { return inputSQL.Replace(&quot;'&quot;, &quot;''&quot;); }

Using parameterized queries

SqlDataAdapter myCommand = new SqlDataAdapter(

&quot;SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id&quot;, conn);

SqlParameter parm = myCommand.SelectCommand.Parameters.Add(&quot;@au_id&quot;,

SqlDbType.VarChar, 11);

parm.Value = Login.Text;

Escape user input used in dynamic queries

private string SafeSqlLiteral(string inputSQL)

{

return inputSQL.Replace(&quot;'&quot;, &quot;''&quot;);

}

SQL Injection Attack Resources SPI Dynamics Whitepaper http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf Stop SQL Injection Attacks Before They Stop You http://msdn.microsoft.com/msdnmag/issues/04/09/sqlinjection/default.aspx How To: Protect From SQL Injection in ASP.NET http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000002.asp Improving Web Application Security: Threats and Countermeasures: Chapter 14 – Building Secure Data Access http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp

Resources

SPI Dynamics Whitepaper

http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf

Stop SQL Injection Attacks Before They Stop You

http://msdn.microsoft.com/msdnmag/issues/04/09/sqlinjection/default.aspx

How To: Protect From SQL Injection in ASP.NET

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000002.asp

Improving Web Application Security: Threats and Countermeasures: Chapter 14 – Building Secure Data Access

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp

Resources Organizations and Web Sites Open Web Application Security Project http://www.owasp.org – Generally focused http://www.owasp.net - .NET focused but light on content SecurityFocus http://www.securityfocus.com Institute for Security and Open Methodologies http://www.isecom.org

Organizations and Web Sites

Open Web Application Security Project

http://www.owasp.org – Generally focused

http://www.owasp.net - .NET focused but light on content

SecurityFocus

http://www.securityfocus.com

Institute for Security and Open Methodologies

http://www.isecom.org

Resources Threat Modeling MSDN Patterns and Practices - Improving Web Application Security: Threats and Countermeasures http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp MS Threat Modeling Tool http://www.microsoft.com/downloads/details.aspx?FamilyID=62830f95-0e61-4f87-88a6-e7c663444ac1&displaylang=en MS Threat Modeling Security Home http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx Microsoft Application Threat Modeling Blog http://blogs.msdn.com/threatmodeling/ Larry Osterman’s Blog – Security Category http://blogs.msdn.com/larryosterman/archive/category/5905.aspx Threat Modeling chapter in Writing Secure Code Threat Modeling chapter in The .NET Developer's Guide to Windows Security OWASP Guide chapter on “THREAT RISK MODELING”

Threat Modeling

MSDN Patterns and Practices - Improving Web Application Security: Threats and Countermeasures

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp

MS Threat Modeling Tool

http://www.microsoft.com/downloads/details.aspx?FamilyID=62830f95-0e61-4f87-88a6-e7c663444ac1&displaylang=en

MS Threat Modeling Security Home

http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx

Microsoft Application Threat Modeling Blog

http://blogs.msdn.com/threatmodeling/

Larry Osterman’s Blog – Security Category

http://blogs.msdn.com/larryosterman/archive/category/5905.aspx

Threat Modeling chapter in Writing Secure Code

Threat Modeling chapter in The .NET Developer's Guide to Windows Security

OWASP Guide chapter on “THREAT RISK MODELING”

Resources Books and Papers Writing Secure Code (Michael Howard, David LeBlanc) http://www.amazon.com/gp/product/0735617228/qid=1141268042/sr=11-1/ref=sr_11_1/102-8030941-6365719?s=books&v=glance&n=283155 The .NET Developer's Guide to Windows Security (Keith Brown) http://www.amazon.com/gp/product/0321228359/qid=1141268134/sr=11-1/ref=sr_11_1/102-8030941-6365719?s=books&v=glance&n=283155 OWASP Guide to Building Secure Web Applications and Web Services 2.0 http://www.owasp.org/documentation/guide.html OWASP Top Ten Project http://www.owasp.org/documentation/topten.html

Books and Papers

Writing Secure Code (Michael Howard, David LeBlanc)

http://www.amazon.com/gp/product/0735617228/qid=1141268042/sr=11-1/ref=sr_11_1/102-8030941-6365719?s=books&v=glance&n=283155

The .NET Developer's Guide to Windows Security (Keith Brown)

http://www.amazon.com/gp/product/0321228359/qid=1141268134/sr=11-1/ref=sr_11_1/102-8030941-6365719?s=books&v=glance&n=283155

OWASP Guide to Building Secure Web Applications and Web Services 2.0

http://www.owasp.org/documentation/guide.html

OWASP Top Ten Project

http://www.owasp.org/documentation/topten.html

Resources Mailing Lists Penetration Testing and Web Application Security lists at SecurityFocus.com http://www.securityfocus.com/archive

Mailing Lists

Penetration Testing and Web Application Security lists at SecurityFocus.com

http://www.securityfocus.com/archive

Resources Testing Tools Web and Web Services Microsoft Fiddler http://www.fiddlertool.com/fiddler/ Paros Proxy http://www.parosproxy.org TamperIE http://www.bayden.com/other/ SPI Dynamics http://www.spidynamics.com (commercial tools)

Testing Tools

Web and Web Services

Microsoft Fiddler http://www.fiddlertool.com/fiddler/

Paros Proxy http://www.parosproxy.org

TamperIE http://www.bayden.com/other/

SPI Dynamics http://www.spidynamics.com (commercial tools)

Resources Web Casts Microsoft Digital Blackbelt Security Series http://www.microsoft.com/events/series/digitalblackbelt.mspx Writing Secure Code – Threat Defense http://msevents.microsoft.com/cui/eventdetail.aspx?eventid=1032253724&culture=en-us

Web Casts

Microsoft Digital Blackbelt Security Series

http://www.microsoft.com/events/series/digitalblackbelt.mspx

Writing Secure Code – Threat Defense

http://msevents.microsoft.com/cui/eventdetail.aspx?eventid=1032253724&culture=en-us

Resources Blogs Anil John http://www.securesoa.com/blog/default.aspx J.D. Meier http://blogs.msdn.com/jmeier/default.aspx Especially enjoyable – Security approaches that don’t work http://blogs.msdn.com/jmeier/archive/2005/10/11/479490.aspx .NET Security Blog http://blogs.msdn.com/shawnfa/default.aspx Michael Howard http://blogs.msdn.com/michael_howard/default.aspx

Blogs

Anil John http://www.securesoa.com/blog/default.aspx

J.D. Meier http://blogs.msdn.com/jmeier/default.aspx

Especially enjoyable – Security approaches that don’t work http://blogs.msdn.com/jmeier/archive/2005/10/11/479490.aspx

.NET Security Blog http://blogs.msdn.com/shawnfa/default.aspx

Michael Howard http://blogs.msdn.com/michael_howard/default.aspx

Resources Practice Applications OWASP WebGoat (http://www.owasp.org/software/webgoat.html) Maven Security WebMaven (http://www.mavensecurity.com/webmaven) FoundStone http://www.foundstone.com/resources/freetools.htm) HacmeBank - The Hacme Books application simulates a ‘real-world’ eCommerce bookstore. HacmeBooks - Hacme Bank™ is designed to teach application developers, programmers, architects and security professionals how to create secure software. Hacme Bank simulates a &quot;real-world&quot; online banking application.

Practice Applications

OWASP

WebGoat (http://www.owasp.org/software/webgoat.html)

Maven Security

WebMaven (http://www.mavensecurity.com/webmaven)

FoundStone

http://www.foundstone.com/resources/freetools.htm)

HacmeBank - The Hacme Books application simulates a ‘real-world’ eCommerce bookstore.

HacmeBooks - Hacme Bank™ is designed to teach application developers, programmers, architects and security professionals how to create secure software. Hacme Bank simulates a &quot;real-world&quot; online banking application.

Resources Other Documents and Articles Writing Secure Code on MSDN http://msdn.microsoft.com/security/securecode/default.aspx patterns & practices Security Guidance for Applications Index http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/SecurityGuidanceIndex.asp patterns & practices Security How Tos Index http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/SecurityHowTosIndex.asp Microsoft Developer Security Resource Kit http://msdn.microsoft.com/security/securityreskit/default.aspx Secure Coding Guidelines for the .NET Framework http://msdn.microsoft.com/security/securecode/bestpractices/default.aspx?pull=/library/en-us/dnnetsec/html/seccodeguide.asp Visual Studio 2005 Security Features and Tools http://msdn.microsoft.com/security/vs2005security/default.aspx Security Enhancements in the .NET Framework 2.0 http://msdn.microsoft.com/msdnmag/issues/06/00/SecurityBriefs/default.aspx Using the New Security Controls in ASP.NET 2.0 http://www.devx.com/codemag/Article/29353?trk=DXRSS_LATEST Security Headaches? Take ASP.NET 2.0! (Keith Brown) http://msdn.microsoft.com/msdnmag/issues/04/06/ASPNET20Security/ The Trustworthy Computing Security Development Lifecycle http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp ASP.NET Security: 8 Ways to Avoid Attack http://www.devx.com/security/Article/20898/0/page/1 Web Service Security: Scenarios, Patterns, and Implementation Guidance: Home http://www.gotdotnet.com/codegallery/codegallery.aspx?id=67f659f6-9457-4860-80ff-0535dffed5e6

Other Documents and Articles

Writing Secure Code on MSDN

http://msdn.microsoft.com/security/securecode/default.aspx

patterns & practices Security Guidance for Applications Index

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/SecurityGuidanceIndex.asp

patterns & practices Security How Tos Index

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/SecurityHowTosIndex.asp

Microsoft Developer Security Resource Kit

http://msdn.microsoft.com/security/securityreskit/default.aspx

Secure Coding Guidelines for the .NET Framework

http://msdn.microsoft.com/security/securecode/bestpractices/default.aspx?pull=/library/en-us/dnnetsec/html/seccodeguide.asp

Visual Studio 2005 Security Features and Tools

http://msdn.microsoft.com/security/vs2005security/default.aspx

Security Enhancements in the .NET Framework 2.0

http://msdn.microsoft.com/msdnmag/issues/06/00/SecurityBriefs/default.aspx

Using the New Security Controls in ASP.NET 2.0

http://www.devx.com/codemag/Article/29353?trk=DXRSS_LATEST

Security Headaches? Take ASP.NET 2.0! (Keith Brown)

http://msdn.microsoft.com/msdnmag/issues/04/06/ASPNET20Security/

The Trustworthy Computing Security Development Lifecycle

http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp

ASP.NET Security: 8 Ways to Avoid Attack

http://www.devx.com/security/Article/20898/0/page/1

Web Service Security: Scenarios, Patterns, and Implementation Guidance: Home

http://www.gotdotnet.com/codegallery/codegallery.aspx?id=67f659f6-9457-4860-80ff-0535dffed5e6

Resources Code Libraries Microsoft Anti-Cross Site Scripting Library V1.0 http://www.microsoft.com/downloads/details.aspx?familyid=9a2b9c92-7ad9-496c-9a89-af08de2e5982&displaylang=en Training Security Training Modules (beta) http://channel9.msdn.com/wiki/default.aspx/SecurityWiki.SecurityTrainingModules

Code Libraries

Microsoft Anti-Cross Site Scripting Library V1.0

http://www.microsoft.com/downloads/details.aspx?familyid=9a2b9c92-7ad9-496c-9a89-af08de2e5982&displaylang=en

Training

Security Training Modules (beta)

http://channel9.msdn.com/wiki/default.aspx/SecurityWiki.SecurityTrainingModules

Principals Least Privilege http://en.wikipedia.org/wiki/Principle_of_least_privilege http://web.mit.edu/Saltzer/www/publications/protection/ Defense in Depth http://en.wikipedia.org/wiki/Defense_in_depth Incorporate security into your entire SDLC Train your developers in secure coding practices and give them patterns to follow Learn to think like an attacker Jack of all trades quiz http://www.isecom.org/projects/jack.shtml

Least Privilege

http://en.wikipedia.org/wiki/Principle_of_least_privilege

http://web.mit.edu/Saltzer/www/publications/protection/

Defense in Depth

http://en.wikipedia.org/wiki/Defense_in_depth

Incorporate security into your entire SDLC

Train your developers in secure coding practices and give them patterns to follow

Learn to think like an attacker

Jack of all trades quiz http://www.isecom.org/projects/jack.shtml