This document outlines a presentation on securing .NET/C# applications. It discusses designing defendable systems through layered defenses, segmentation, and establishing a common security language between different teams. Examples are provided of strong versus weak software designs. The importance of security user stories and testing is emphasized to prevent vulnerabilities like SQL injection.

1. AppSec USA 2014
Denver, Colorado
Hacking .NET/C# Applications:
Defend By Design
Jon McCoy
DigitalBodyGuard

2. What is a Defendable System
What is a Strong/Weak Design
How to view a Software System
This Speech

3. Thanks To
Thanks AppSec/OWASP
A Critical part of the security world

4. Introduction
Jon McCoy - DigitalBodyGuard
• Software Engineer
• Digital Security
• Application Level Security
• .NET Framework Expert
• Attack and Defense

5. Overview
Work Area:
PenTesting and Active Defender
Specialize:
.Net Framework Systems

6. What is a Thick Client?
GrayWolf
Demo
Context

7. Share What I Have
Seen
Context

8. What is a
Context
Defendable API

9. What is a
Context
Defendable API

10. Focus of this talk
Daemon
API
Service

11. Focus of this talk
= =

12. Focus of this talk
= =

13. Focus of this talk
Daemon
Business Units
Service Security
Network

14. Client World View

15. Cyber Attack
Users
Web Server
DB

16. Client Wants it secure

17. Communications
POS API/DAL
Crypto
Honey-Pot
Log Detection
Crypto
Web
Log

18. Communications
Web Service
SOPE/REST
Encrypted
Auth
Auth
Web Service
SOPE/REST
Encrypted

19. Unified ModUeMlinLg Language

20. Network Diagram

22. Cyber Attack

23. Critical Units
Credit Cards
Production
DB
$1,000,000
$20,000,000
User Info
DB
$100,000

24. Client Is Strong

25. Strong

26. Critical Units
Credit Cards
Production
DB
$1,000,000
$20,000,000
User Info
DB
$100,000

27. A Security Review

28. Lets say you are “Secure”
I ”PenTester” will hit you at
• Network
• Computer Login
• Employees
• Hardware
• TechSupport
• ………..

29. Strong

30. Lets say you are “Secure”
I ”The Hacker” will Attack
• Users
• Your Physical Infrastructure
• Your Web-Face
• All Digital Devices
• ………..
• Except (X/Y/Z)

31. My Team

33. A Security Review

34. On Problem
Still Good Everything is Bad

35. Security Review
• We took full control of Domain Admin
• We took full control of Network
• We took full control of Database Systems
• We took full control of Physical Security
• We took full control of File Management
• We took full control of Back Up…..
• ………..

36. On Problem
Everything is Bad

37. How do we Fix This

38. Critical Units
Credit Cards
Production
DB
$2,000,000
$20,000,000
User Info
DB
$200,000

39. Layered Defenses
Credit Cards
Production
DB
$2,000,000
$20,000,000
User Info
DB
$200,000

40. Layered Defenses
Cards Hash
User Info
DB
Credit Cards
Production
DB

41. Layered Defenses
Cards Hash
User Info
DB
Credit Cards
Production
DB

43. Guards

44. Quick Recommendations

45. API Type:
OWIN.org
REST – SOPE – Socket
DB Type:
Node.JS – Neo4Net
de Database
Node Database – Sharding & Segmentation
Security:
OAuth (2)
RSA 4096 – AES 256 – MAC(message authentication code)

46. Layered Defense
• Detect and Protect the Perimeter
• Guard and Respond
• Build Choke Points
• Find the Weak Blind Spots
• …………

47. “Client Remediates the Issues”
Client is stronger

48. Layered Defense

49. Layered Defense
Attacking as Hackers

50. Layered Defense

51. Security Review
• We took Admin in 2-4 hours(Tell Client 8 Hours)
• We took full control of Network
• We took full control of Database Systems
• We Failed to control of Physical Security
• We took full control of File Management
• We Failed to control of Back Up…..
• ………..

52. How do we Fix This

53. Layered defense
Detection and Response

54. Guard Post

56. Now Security Can Start
Now we have started
talking the same
Language

57. IT => Developer
= Pattern
Anit-Pattern
Segmentation
=
=
Good Design
Bad Design
Separation

58. Developer => DBA
Claims
Facade
Controllers
= Authentication
=
View
=
Actions

59. Security => Developer
Security Test
Attack Vector
Security Controls
= Security Unit Test
Security User Story
Defendable Systems
=
=

60. Now Security Can Start
Language = Context

61. Communications
Get to know the Client
Web Data Processing
Strong API/DAL

62. Communications
Data Access Layer

63. Communications
Data Access Layer

64. Communications
Data Access Layer

65. Communications

66. Strong vs Weak
Software
DEMO

67. Communications
Security Level

68. Communications
Security Level

69. Communications

70. Communications

71. Communications
Domain Expert

72. Communications

73. Design Security
DEMO

74. Communications
Two Completely
POS Different Systems
Web

75. Communications
POS
Web

76. Communications
POS
Web
IT/&/Networking
DB

77. Teams
POS != WEB != DB != IT

78. Mockup Project
Defend the POS

79. Communications
Trusted Network
Point Of Sales
Clients & Partners

80. Communications
Built 5 Years ago
Changes Twice a year
Only X can Access it

81. Bad Fix

82. Bandage Security

83. Communications

84. Communications
$250k
You will prevent
X/Y/Z Attacks
Best “Buzzword” Protection

85. • Turn Key
• Reliable
• Low Long Term Cost
• Free Upgrades for Three Years
• ……….

86. Communications

87. Design Security

88. Communications

89. Communications
Secure System

90. Communications
Secure System
Log System
Passive Detection

91. Communications
API/DAL
Log
Detection

92. Communications
API/DAL
Log
Detection

93. Communications
Honey-Pot
API/DAL
Log
Detection

94. Communications
Honey-Pot
API/DAL
Log
Detection

95. Communications
API/DAL
Honey-Pot
Log Detection
API/DAL

96. Communications
API/DAL
Honey-Pot
Log Detection
Data Management &
Point To Point Crypto
API/DAL

97. Communications
API/DAL
Honey-Pot
Log Detection
Crypto
Crypto
API/DAL

98. Communications
API/DAL
Honey-Pot
Log Detection
Crypto
Crypto

99. Communications
Segmented
Network
POS Auth

100. Communications
Data API
POS
Auth
Auth

101. • Segmented Hardware
• Segmented User Authentication(NO AD!)
• Segmented Management
• Segmented Data Storage/Backup
• Segmented Buildings
• Segmented Developers
• Segmented IT/Security
• Segmented Power…….

102. Communications
POS API/DAL
Crypto
Honey-Pot
Log Detection
Crypto
Web

103. Communications
POS
Web
Data API

104. Communications
Data API
POS
Web
SQL

105. Communications
Security User Stories
----SQL Injection----
• Detect SQL-injection
• Prevent SQL-injection
• Respond to SQL-injection
Data API
POS
Web
SQL

106. Communications
POS API/DAL
Crypto
Honey-Pot
SQL-Injection=>
Log Detection
Crypto
Web

107. Communications
POS API/DAL
Crypto
Honey-Pot
Log Detection
Crypto
Web
SQL-Injection
Protection

108. Communications
POS API/DAL
Crypto
Honey-Pot
Log Detection
Crypto
Web
SQL-Injection
Protection
SQL
Protection

109. SQL-Injection
Protection
SQL-Injection
Protection

110. SQL-Injection
Security User Stories
----SQL Injection----
• Detect SQL-injection
• Prevent SQL-injection
• Respond to SQL-injection
Security Unity Test
----SQL Injection----
• API -> SQL-injection
• Processing Logic -> SQL-injection
• BackEnd -> SQL-injection
• Detect Injection

111. SQL-Injection
Security User Stories
Occurred
----SQL Injection Occurred----
• Evaluate SQL-injection
• If Critical Respond
• If non-Critical Notify/Fix
Security Unity Test
----SQL Injection Detection---
• API -> Notify
• Processing Logic -> Notify
• BackEnd -> Notify
• LockDown Each Layer

112. Communications
POS API/DAL
Crypto
Honey-Pot
Log Detection
Crypto
Web
SQL-Injection

113. Communications
POS API/DAL
Crypto
Honey-Pot
Log Detection
Crypto
Web

114. Security Response

115. Communications
Data API
POS
Web
SQL

116. Communications
SOAP
POS API/DAL
Crypto
Honey-Pot
Log Detection
Crypto
-
REST
Web

117. Communications
POS API/DAL
Crypto
Honey-Pot
Log Detection
Crypto
Web
SQL
Protection
SQL
SOAP
-
REST

118. Communications
POS API/DAL
Crypto
Honey-Pot
Log Detection
Crypto
Web

119. Communications
Data API
POS
Web
SQL
Log

120. Communications
Data API
POS
Web
SOPE/REST

121. Communications
Data API
POS
Web
SOPE/REST

122. Communications
POS
Web
SOPE/REST
Why?
Not encrypt?

123. Communications
Web
SOPE/REST
Why?
Not encrypt?

124. Communications
Publicly Exposed
Web
Do Not Trust
SOPE/REST

125. Design Pattern
Exposed System
BURN THEM!!!!

126. Communications
I/O POS
Web
SOPE/REST

127. Communications
I/O POS
Web
Detect
and Burn
SOPE/REST
Detect
and Burn

128. Communications
I/O POS
Web
Service

129. Quick Tangent
Better Web Server Layout

130. Communications
Web Service
SOPE/REST
Encrypted
SOPE/REST
Encrypted
Web Service

131. Communications
Web Service
SOPE/REST
Encrypted
Auth
Auth
Web Service
SOPE/REST
Encrypted

132. Segmentation Is Good

133. Communications
POS
API/DAL
Crypto Honey-Pot
Log Detection
Crypto
Web

134. Communications
POS
Web

135. Communications
POS
Web Bridge

136. Communications
POS
Web Bridge

137. Communications
POS
Web
Bridge
Detection is Easy
Locking it down is Easy
Everything is Hard
Detection is Easy

138. If Breach Occurs
POS
Rotate Security
Web
Lock it All Down
Respond Aggressively
Burn it all Down
Bridge
Replace Server
Fix Exploit

139. Communications
POS API/DAL
Crypto
Honey-Pot
Log Detection
Crypto
Web

140. For a Secure Segmentation -
Developers Need To Design And Control
• FireWalls
• Network Layout
• System Provisioning
• System Security
• ………

142. Communications
API/DAL
Honey-Pot
Log Detection
POS
Web
Port:1234
Incoming TCP/UDP
From: 10.88.10.1
To: 10.88.11.255
Port:7676
Incoming TCP/UDP
From: 10.88.88.1
To: 10.88.99.111

144. Layered Defense
Security Test

145. For Developer
Security User Stories
----Core DataBase is Hacked----

146. For Security
Security User Stories
----Core DataBase is Hacked----

147. For SysAdmin
Security User Stories
----Core DataBase is Hacked----

148. For CxO
Security User Stories
----Core DataBase is Hacked----

149. For ………..
Security User Stories
----Core DataBase is Hacked----

150. Communications
POS API/DAL
Crypto
Honey-Pot
Log Detection
Crypto
Web
Log

151. Communications
POS API/DAL
Crypto
Honey-Pot
Log Detection
Crypto
Web
Log

152. Security User Stories
----Core DataBase is Hacked----
• Prevent Changing the Logs
• Prevent Access to Other DBs

153. Systems Game Theory

154. Systems Game Theory
Anti-Fragile

155. Security User Stories
----Lost DataBase Bridge----
• Keep WebServer Up
• Take Services Down
• Sync After Bridge is Up

156. Communications
POS API/DAL
Crypto
Honey-Pot
Log Detection
Crypto
Web
Log

157. Security User Stories
----Lost DataBase Bridge----
• Keep WebServer Up
• Take Services Down
• Sync After Bridge is Up

158. Developer Response
System

159. • Security User Stories
• Security Unit Test
• Security Response Stories

160. Communications
POS API/DAL
Crypto
Honey-Pot
Log Detection
Crypto
Web
Log

161. Security Response Stories
----Hacker on Core Bridge----
• Guns
• Fire
• Pain

162. Security Response Stories
----Hacker on Core Bridge----
• Activate Full Security Response
• Revoke All Security Tokens
• Lock Down All Choke Points

163. Developer Response
System

165. Security User Stories
----Lost POS Ingress---
• Revoke Old POS Privileges
• Standup New POS System
• Standup New POS Auth System

166. Communications
Data API
POS
Auth
Auth
Auth

167. Communications
Data API
POS
Auth
Auth
Auth

169. Network Diagram

171. If Extra Time
Fun Attack Demo
GrayWolf
Demo
Context

172. 172
FIN

173. 173
MORE INFORMATION @:
www.DigitalBodyGuard.com
JonM@DigitalBodyGuard.com
Jon McCoy