
Solitaepiserversecuredevelopment 160422112005
Secure software development in .NET platform. How to automate testing and what developers should consider in their projects.

Published in: Software

  1. SECURE DEVELOPMENT IN .NET Joona Immonen Software architect joona.immonen@solita.fi
  2. AGENDA › Security overall › Threat modeling › Hosting › CI tools › Final thoughts
  3. SECURITY OVERVIEW AKA how to understand what Troy Hunt says
  4. DEVELOPERS AS SECURITY TESTERS › Pros: • Enables continuous security testing. • Developers will automate. • Minimal hand-over costs. • Will find important non-security-related bugs. › Cons: • Not security specialists; will miss some things. • May need investment (training, some tools)
  5. BASIC SECURITY MODEL Confidentiality • Privacy • Password policies • Encryption Integrity • Trustworthiness of data • Checksums Availability • Bandwidth • Bottlenecks • Disaster recovery planning
  6. ONION MODEL OF DEFENSE IN DEPTH
  7. OWASP TESTING GUIDE 4.0 › The picture presents how OWASP thinks the different security controls are linked to the secure development life cycle
  8. THREAT MODEL IN GENERAL
  9. PROBLEM DOMAIN
  10. THREAT MODELING APPROACH https://msdn.microsoft.com/en-us/library/ff648644.aspx#c03618429_008
  11. HOSTING PERSPECTIVE
  12. SECURITY TESTING ASPECTS IN THE ONION MODEL Network scanning · Vulnerability scanning · Web application security testing · Static code analysis · Web application configuration analysis · Operating system configuration analysis · Application server vulnerability scanning
  13. HOW THE ONION MODEL IS LINKED TO OUR PROJECTS Public internet · Private networks between servers · Customer network · The host is most commonly a shared responsibility · The application is our responsibility · Part of the data is our responsibility · Part of the data comes from integrations · Updates come from other parties, configuration from us · Part of the applications are products (inriver, IIS)
  14. Threat analysis · Implementation and design · Automated tests · Manual tests · Operational security
  15. CONTINUOUS INTEGRATION PERSPECTIVE
  16. TOOLS IN SECURE DEVELOPMENT LIFECYCLE (columns: Before development | Definition and design | Development | Deployment | Maintenance; X = tool used in that phase) FxCop X | VisualCodeGrepper X | SonarQube X | Code Metrics X | OWASP ZAP X X X | Nessus X X | jMeter X X X
  17. TOOLS IN DEFENCE IN DEPTH (columns: Network | Host | App server | Application | Web.config | Source code; X = layer the tool covers) FxCop X X | VisualCodeGrepper X X | SonarQube X X | Code Metrics X | OWASP ZAP X X | Nessus X X X X | jMeter X X
  18. HOW TOOLS MITIGATE THE "OWASP TOP 10" (columns: Injection | Broken auth | XSS | Direct object ref | Misconfiguration | Data exposure | Function-level auth | CSRF | Known vulnerabilities | Unvalidated redirects; empty = no, 1 = maybe, 2 = meant for that) FxCop 1 1 1 1 | VCG 1 1 1 | SonarQube 1 1 1 1 | Code Metrics | OWASP ZAP 2 2 2 2 2 1 2 1 2 | Nessus 1 1 1 1 2 1 1 2 1 | jMeter
  19. HOW TOOLS MITIGATE THE CSA "NOTORIOUS NINE" (columns: Data breaches | Data loss | Account or service traffic hijacking | Insecure interfaces and APIs | Denial of service | Malicious insiders | Abuse of cloud services | Insufficient due diligence | Shared technology vulnerabilities; empty = no, 1 = maybe, 2 = meant for that) FxCop 1 1 | VisualCodeGrepper 1 1 | SonarQube 1 1 | Code Metrics 1 | OWASP ZAP 1 1 1 | Nessus 1 1 1 | jMeter 1 1
  20. FINAL THOUGHTS
  21. EPISERVER DEVELOPMENT › Know your HTTP headers › Understand the security responsibilities of each party (dev, hosting) › AntiForgeryTokens! › Do not EVER leave SQL injections in your application › Think about security beforehand › All the frontend includes………
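The three concrete items on slide 21 (response headers, anti-forgery tokens, no SQL injection) in working ASP.NET MVC 5 code, as an added example that is not part of the original slides or of Solita's or Episerver's code. It assumes System.Web.Mvc, System.Data.SqlClient and an IIS integrated-pipeline host (needed to set response headers from a filter); the class, table and column names are hypothetical.

```csharp
// Added example (not from the slides). Assumes ASP.NET MVC 5 (System.Web.Mvc),
// System.Data.SqlClient and IIS integrated pipeline; names below are hypothetical.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.Mvc;

// "Know your HTTP headers": a global action filter that sets defensive response
// headers on every MVC result. Register it once with
//   GlobalFilters.Filters.Add(new SecurityHeadersFilter());
public sealed class SecurityHeadersFilter : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        var headers = filterContext.HttpContext.Response.Headers;
        headers["X-Frame-Options"] = "DENY";                  // clickjacking
        headers["X-Content-Type-Options"] = "nosniff";        // MIME sniffing
        headers["Referrer-Policy"] = "strict-origin-when-cross-origin";
        headers["Content-Security-Policy"] = "default-src 'self'; frame-ancestors 'none'";
        // HSTS is only honoured over HTTPS; emitting it on plain HTTP is pointless.
        if (filterContext.HttpContext.Request.IsSecureConnection)
            headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains";
        base.OnResultExecuting(filterContext);
    }
}

// "Do not EVER leave SQL injections": the vulnerable pattern beside the fixed one.
public sealed class CustomerRepository
{
    private readonly string _connectionString;
    public CustomerRepository(string connectionString) { _connectionString = connectionString; }

    // VULNERABLE: the caller's input becomes SQL text. An email of
    //   ' OR 1=1 --
    // turns the lookup into "count every customer"; other payloads read or alter data.
    public int CountByEmailUnsafe(string email)
    {
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Customer WHERE Email = '" + email + "'", conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // FIXED: the value travels as a typed parameter and is never parsed as SQL.
    public int CountByEmail(string email)
    {
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Customer WHERE Email = @email", conn))
        {
            cmd.Parameters.Add("@email", SqlDbType.NVarChar, 256).Value = email;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}

// "AntiForgeryTokens!": every state-changing POST validates the token that the
// view emits with @Html.AntiForgeryToken() inside the <form>. A cross-site form
// post cannot supply a matching token/cookie pair, so it is rejected before the
// action body runs.
public sealed class NewsletterController : Controller
{
    private readonly CustomerRepository _customers;
    public NewsletterController(CustomerRepository customers) { _customers = customers; }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Subscribe(string email)
    {
        if (string.IsNullOrWhiteSpace(email))
            return new HttpStatusCodeResult(400);
        if (_customers.CountByEmail(email) > 0)
            return RedirectToAction("AlreadySubscribed");
        // persist with a parameterised INSERT, as in CountByEmail
        return RedirectToAction("Index");
    }
}
```

The filter is the cheapest of the three to verify in CI: OWASP ZAP's passive scanner (slides 16 to 18 and 25) flags responses that lack X-Frame-Options, X-Content-Type-Options or a Content-Security-Policy, so a missing header shows up in the pipeline without a manual test. Static analysers such as FxCop and VisualCodeGrepper, by contrast, flag the string concatenation in CountByEmailUnsafe but will not tell you whether a POST action is missing [ValidateAntiForgeryToken]; that still needs a code review or a ZAP active scan.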
  22. SONARQUBE DASHBOARD
  23. BUILD PIPELINE
  24. DEVELOPER -> HACKER › Traits • Curiosity and creativity. What will happen if..? • Perseverance › Skills • Technical knowledge, deep/wide • Common vulnerabilities • Security testing › Some developers are hobbyist hackers. (Apply at rekry@solita.fi)
  25. OWASP ZAP DEMO › OWASP ZAP as a proxy against the Alloy demo site