Smolen Alex Securing The Mvc Architecture Part One

This is the slide deck for the presentation I gave at SD Best Practices 2007, in Boston, MA

1. Securing the MVC Architecture Part One
   Alex Smolen, Software Security Consultant, Foundstone, Inc, Mission Viejo, CA, [email_address]
2. Who are you?
   - Name: Seymour Flaus
   - Age: 28
   - Title: Software Security Architect
3. You like spicy food…
4. And pinball…
5. And astronomy.
6. You don’t like clueless bosses…
7. Or frightening cats…
8. Or Insecure Software!
9. First day at work…
   - HACME Inc.
10. Hugh Jasul: Good Morning! Care for coffee?
11. Seymour Flaus: No thanks.
12. Hugh Jasul: Great. Hey, want to see a picture of my cat?
13. Seymour Flaus: Uh…
15. Seymour Flaus: Cute.
16. Hugh Jasul: Enough small talk, Seymour. Hacme Inc. is in a bit of trouble…
17. Seymour Flaus: Trouble?
18. Hugh Jasul: We’ve had a few security “issues”…
19. Seymour Flaus: Such as?
20. Hugh Jasul: Hackers have been hacking into Hacme Bank accounts!
21. Seymour Flaus: Oh, is that all? So it’s not just a clever name.
22. Hugh Jasul: No, there’s more. But find and fix this vulnerability right now! We’re going live tomorrow!
23. Get to work!
24. Seymour Flaus: OK, fixed it!
25. Hugh Jasul: Not so fast, we got a complaint from one of our UAT testers.
26. Seymour Flaus: Who’s that?
28. Seymour Flaus: OK, back to the drawing board.
29. Hugh Jasul: Fantastic work, Seymour. By the way, we’re going to need you on Saturday morning for a four hour meeting…
30. Seymour Flaus: Great. Nice to be appreciated.
31. Hugh Jasul: Next order of business… Hacme Books customers are complaining that a book is being added to their cart!
32. Seymour Flaus: I’m on it!
33. Get to work!
34. Hugh Jasul: Great job Seymour! By the way, I have some dry cleaning ready, could you…
35. Seymour Flaus: I got my masters for this?
36. Hugh Jasul: Great, great, great. Now, I know you’ve been busy, but there’s a top priority task at hand.
37. Seymour Flaus: Do tell.
38. Hugh Jasul: People have been cheating on Hacme Casino and scamming us for big $$$. Find and fix!
39. Seymour Flaus: Here we go…
40. Get to work!
41. Hugh Jasul: Alright, I think that’s a great first day. I’m off to the golf course…
42. Seymour Flaus: See ya. I’m going to go hit up craigslist for a new job.
43. Introduction: Who am I? Software Security Consultant; Developer; Architect/Designer
44. Introduction: Who am I talking to? People using frameworks; people building frameworks; software security folks
45. Introduction: What’s the point? WTF?
46. Security Concerns: Analyze each component of the architecture for its security responsibilities
47-49. MVC Architecture (diagram slides: View, Model, Controller)
50. Security Concerns
51. Security Concerns - Model: Data Protection in Storage
52. Security Concerns - Model: Data Protection in Storage
   - Encrypt credit card information
   - Hash passwords (salted, with a deliberately slow one-way hash; never reversible encryption)
   - Scrub personally identifiable information
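The model-layer storage concerns on this slide, as an added example that is not part of the deck: a salted, slow password hash with constant-time verification, card-number masking, and a PII scrubber for free text that is about to be stored or logged. The record format, the PBKDF2 iteration count and the regular expressions are assumptions of this example; the card encryption itself (an authenticated cipher under a key kept outside the database) is not shown because the Python standard library does not ship one.

```python
import hashlib
import hmac
import os
import re

# PBKDF2-HMAC-SHA256 work factor. Assumption for this example; tune it so one
# hash costs a noticeable fraction of a second on your own servers.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str) -> str:
    """Salted, slow, one-way: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A per-user random salt defeats precomputed tables; the iteration count
    slows offline guessing if the user table is ever dumped.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
    except ValueError:
        return False  # malformed record: a failed login, never a match


def mask_card_number(pan: str) -> str:
    """Keep only the last four digits. The full PAN is either encrypted with an
    authenticated cipher under a key held outside the database, or not stored at all."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


# Assumed patterns for this example: US SSN, 13-19 digit card number with
# optional separators, and an e-mail address.
_SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def scrub_pii(text: str) -> str:
    """Redact SSNs, card numbers and e-mail addresses from free text before it is
    stored or logged. SSNs go first so their digits are not mistaken for a PAN."""
    text = _SSN_RE.sub("[SSN]", text)
    text = _PAN_RE.sub(lambda m: mask_card_number(m.group(0)), text)
    return _EMAIL_RE.sub("[EMAIL]", text)
```

The stored string carries its own algorithm tag, salt and work factor, so the iteration count can be raised later and old records re-hashed at the user's next login without a schema change.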
53. Security Concerns - Model: Fine Grained Authorization
54. Security Concerns - Model: Fine Grained Authorization
   - Verify user is accessing their own account
   - Verify that transaction is made at an appropriate hour
   - Make sure that user is not “cheating”
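The three checks on this slide, as an added example (not code from the deck) of why they belong in the model: a bank transfer that looks up the debited account by owner as well as id, enforces a trading window, and refuses the two classic "cheats" (a negative amount that reverses the flow, and an overdraw). The Account/Bank classes, the window hours and the use of cents are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict


class AuthorizationError(Exception):
    pass


@dataclass
class Account:
    account_id: int
    owner_id: int
    balance: int  # cents


@dataclass
class Bank:
    accounts: Dict[int, Account] = field(default_factory=dict)
    # Assumption: transfers are allowed only inside this window (server local time).
    window_open: time = time(6, 0)
    window_close: time = time(22, 0)

    def _get_owned(self, actor_id: int, account_id: int) -> Account:
        # Resolve by (owner, id), never by id alone. The id arrived from the client,
        # and an attacker will simply substitute someone else's (insecure direct
        # object reference). Doing it here means every caller gets the check.
        acct = self.accounts.get(account_id)
        if acct is None or acct.owner_id != actor_id:
            raise AuthorizationError(f"account {account_id} is not owned by user {actor_id}")
        return acct

    def transfer(self, actor_id: int, src_id: int, dst_id: int, amount: int, now: datetime) -> None:
        if amount <= 0:
            raise ValueError("amount must be positive")  # a negative amount would pull money in
        if not self.window_open <= now.time() < self.window_close:
            raise AuthorizationError("transfers are closed at this hour")
        src = self._get_owned(actor_id, src_id)  # ownership check on the debited account
        dst = self.accounts.get(dst_id)          # the destination need not be owned
        if dst is None:
            raise ValueError("unknown destination account")
        if src.balance < amount:
            raise ValueError("insufficient funds")
        src.balance -= amount
        dst.balance += amount
```

Every rejection happens before any balance is touched, so a failed check leaves the ledger exactly as it was.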
55. Security Concerns - Model: Logging
56. Security Concerns - Model: Logging
   - Log login attempts
   - Log input validation failures
   - Log access to log
57. Security Concerns - Model: Authentication
58. Security Concerns - Model: Authentication
   - Secure transport layer
   - Check password policies
   - Lockout account
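Slides 56 and 58 together, as one added example that is not part of the deck: a model-layer authenticator that enforces a password policy, locks an account after repeated failures, and writes login attempts, validation failures and reads of the log itself to a security log whose fields are stripped of control characters (so a username cannot forge extra log lines). The thresholds, the common-password list, the KDF work factor and the log format are assumptions of this example; the transport-layer item is a deployment concern and is not modelled here.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MAX_FAILURES = 5                 # assumption: lock after five bad passwords
LOCKOUT = timedelta(minutes=15)  # assumption: temporary, so lockout is not a denial-of-service lever
KDF_ITERATIONS = 200_000         # PBKDF2-HMAC-SHA256 work factor (assumption)
MIN_PASSWORD_LENGTH = 12
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}  # constructed stand-in


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


def _sanitize(value: str) -> str:
    # CR, LF and other control characters would let an attacker-chosen field
    # break the line and write a fake "login.success" entry.
    return re.sub(r"[\x00-\x1f\x7f]", "?", value)


class SecurityLog:
    """Append-only security event log; reading it is itself a logged event."""

    def __init__(self) -> None:
        self.entries: List[str] = []

    def write(self, event: str, now: datetime, **fields) -> None:
        rendered = " ".join(f"{k}={_sanitize(str(v))!r}" for k, v in fields.items())
        self.entries.append(f"{now.isoformat()} {event} {rendered}")

    def read(self, reader: str, now: datetime) -> List[str]:
        self.write("log.access", now, reader=reader)
        return list(self.entries)


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: Optional[datetime] = None


def check_password_policy(password: str) -> List[str]:
    """Return the rules the password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    return problems


class Authenticator:
    def __init__(self, log: SecurityLog) -> None:
        self.users: Dict[str, User] = {}
        self.log = log

    def register(self, username: str, password: str, now: datetime) -> None:
        problems = check_password_policy(password)
        if problems:
            self.log.write("validation.failure", now, user=username, field="password", rules=problems)
            raise ValueError("weak password: " + "; ".join(problems))
        salt = os.urandom(16)
        self.users[username] = User(username, salt, _kdf(password, salt))

    def login(self, username: str, password: str, now: datetime) -> str:
        """Return 'ok', 'locked' or 'bad_credentials'. The detailed reason goes to the
        log only; the view must show one generic message for every failure."""
        user = self.users.get(username)
        if user is None:
            _kdf(password, b"\x00" * 16)  # same cost as a real check: no timing oracle on usernames
            self.log.write("login.failure", now, user=username, reason="unknown_user")
            return "bad_credentials"
        if user.locked_until is not None and now < user.locked_until:
            self.log.write("login.locked", now, user=username)
            return "locked"
        if hmac.compare_digest(_kdf(password, user.salt), user.pw_hash):
            user.failures, user.locked_until = 0, None
            self.log.write("login.success", now, user=username)
            return "ok"
        user.failures += 1
        self.log.write("login.failure", now, user=username, reason="bad_password", failures=user.failures)
        if user.failures >= MAX_FAILURES:
            user.failures, user.locked_until = 0, now + LOCKOUT
            self.log.write("account.lockout", now, user=username, until=user.locked_until.isoformat())
        return "bad_credentials"
```

The unknown-user path still runs the KDF so that a missing account cannot be distinguished from a wrong password by response time; the distinction survives only in the log.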
59. Security Concerns - View: Data Sanitization
60. Security Concerns - View: Data Sanitization
   - HTML encode dynamic data
   - Mask sensitive information
   - Remove comments
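The three view-side sanitization items, as an added example that is not code from the deck: encode each dynamic value for the context it is rendered into (element body, attribute, URL parameter), mask a card number before it is encoded, and strip developer comments from the emitted HTML. The page template, the masked-value rule and the sample comment are constructed for this example.

```python
import html
import re
from urllib.parse import quote


def encode_html(value) -> str:
    """Element-body and attribute context: html.escape with quote=True also turns
    the quote characters into entities, so a value cannot close an attribute."""
    return html.escape(str(value), quote=True)


def encode_url_param(value) -> str:
    """Query-string context: percent-encode everything but unreserved characters."""
    return quote(str(value), safe="")


def mask(value: str, keep_last: int = 4) -> str:
    """Mask all but the last few characters: card numbers, SSNs, API keys."""
    value = str(value)
    if len(value) <= keep_last:
        return "*" * len(value)
    return "*" * (len(value) - keep_last) + value[-keep_last:]


_COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)


def strip_html_comments(page: str) -> str:
    """Developer notes such as host names or a TODO about an unfinished endpoint
    ship to every visitor unless they are removed at render time."""
    return _COMMENT_RE.sub("", page)


def render_account_page(customer: str, card_number: str, return_url: str) -> str:
    """Every dynamic value passes through the encoder for its context; the card
    number is masked first, and a URL value is percent-encoded and then
    attribute-encoded because it sits inside an href attribute."""
    template = (
        "<!-- staging database: hacme-db-01 (constructed developer comment) -->\n"
        "<h1>Welcome, {name}</h1>\n"
        '<p>Card on file: <span class="masked">{card}</span></p>\n'
        '<a href="/account/return?to={ret}" title="{ret_attr}">Back</a>\n'
    )
    return strip_html_comments(template.format(
        name=encode_html(customer),
        card=encode_html(mask(card_number)),
        ret=encode_html(encode_url_param(return_url)),
        ret_attr=encode_html(return_url),
    ))
```

The same input is encoded differently in the `href` and in the `title`: the context decides the encoder, not the data.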
61. Security Concerns - View: Error Handling
62. Security Concerns - View: Error Handling
   - Give user friendly error message
   - Remove system error information
   - Prevent username enumeration
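The error-handling slide as an added example, not code from the deck: the view renders one message for every login failure (so the response confirms neither that a username exists nor that it is locked), answers password-reset requests identically whether or not the address is known, and turns any exception into a generic page while the type, message and stack trace go to a server-side log under a reference id. The outcome names, the message texts and the in-memory stand-in for the server log are assumptions of this example.

```python
import traceback
import uuid
from typing import List, Tuple

# Stand-in for the server-side log (constructed for this example): full detail lives
# here, where only operators read it, never in the HTTP response.
SERVER_LOG: List[str] = []

# The model reports which of these happened; the view shows one text for all of them.
LOGIN_FAILURE_OUTCOMES = {"unknown_user", "bad_password", "locked"}
GENERIC_LOGIN_MESSAGE = "The username or password you entered is incorrect."


def login_message(outcome: str) -> str:
    if outcome == "ok":
        return "Signed in."
    if outcome in LOGIN_FAILURE_OUTCOMES:
        return GENERIC_LOGIN_MESSAGE
    raise ValueError(f"unexpected login outcome {outcome!r}")


def password_reset_message(account_exists: bool) -> str:
    """Same wording either way; whether an e-mail actually goes out is decided
    out of band, so the response cannot be used to enumerate accounts."""
    del account_exists  # deliberately unused in the rendered text
    return "If that address is registered, a reset link has been sent."


def render_error(exc: BaseException) -> Tuple[int, str]:
    """Map an exception to (status, user-facing text). Type, message and stack trace
    are logged under a reference id the user can quote to support; none is shown."""
    ref = uuid.uuid4().hex[:12]
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    SERVER_LOG.append(f"ref={ref} {detail}")
    if isinstance(exc, PermissionError):
        return 403, "You are not allowed to do that."
    if isinstance(exc, LookupError):
        return 404, "We could not find what you asked for."
    return 500, f"Something went wrong on our side. Reference: {ref}"


def handle(action) -> Tuple[int, str]:
    """Controller wrapper: run the action; on any failure return the generic page
    instead of letting the framework print a stack trace to the browser."""
    try:
        return 200, action()
    except Exception as exc:  # catching everything is the point of this boundary
        return render_error(exc)
```

A broad `except` is usually a smell; here it is the outermost boundary whose whole job is to make sure nothing below it ever reaches the user unfiltered.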
63. Security Concerns - View: Data Protection in Storage
64. Security Concerns - View: Data Protection in Storage
   - Prevent pages from being cached
   - Don’t pass sensitive information in URL
   - Disable AUTOCOMPLETE
65. Security Concerns - View: Data Protection in Transit
66. Security Concerns - View: Data Protection in Transit
   - Use SSL for secure content
67. Security Concerns - Controller: Data Validation
68. Security Concerns - Controller: Data Validation
   - Verify entered date is actually a valid date
   - Make sure comments are less than 500 words
   - Look for recognized attack strings (as a tripwire on top of allow-list validation, not instead of it)
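The validation slide as an added example (not the deck's code): controller-side checks done as allow-listing, parsing each field into its expected type and range, enforcing the 500-word limit, and only then scanning for known attack fragments, whose hits are reported for logging rather than used as the safety control. The form fields, the byte cap and the signature list are assumptions of this example.

```python
import re
from datetime import date, datetime
from typing import Any, Dict, List

MAX_COMMENT_WORDS = 500          # from the slide; the byte cap below is an assumption
MAX_COMMENT_BYTES = 20_000
EARLIEST, LATEST = date(1900, 1, 1), date(2100, 12, 31)

_CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")   # everything but tab, LF, CR

# Known attack fragments. A deny-list only catches what it names, so this is a
# tripwire for logging and alerting, not the control that keeps the input safe.
ATTACK_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"<\s*script\b", r"\bunion\s+select\b", r"'\s*or\s+'?1'?\s*=\s*'?1", r"\.\./")]


class ValidationError(ValueError):
    def __init__(self, errors: Dict[str, str]) -> None:
        super().__init__("; ".join(f"{k}: {v}" for k, v in errors.items()))
        self.errors = errors


def parse_date(raw: str) -> date:
    """Allow-list: exactly YYYY-MM-DD, a real calendar day, inside a sane range."""
    try:
        parsed = datetime.strptime(raw, "%Y-%m-%d").date()   # '2007-02-30' raises here
    except ValueError:
        raise ValueError("must be a real date in YYYY-MM-DD form") from None
    if not EARLIEST <= parsed <= LATEST:
        raise ValueError(f"must be between {EARLIEST} and {LATEST}")
    return parsed


def parse_comment(raw: str) -> str:
    if len(raw.encode("utf-8")) > MAX_COMMENT_BYTES:
        raise ValueError("too long")                 # cheap size check before anything else
    if _CONTROL_RE.search(raw):
        raise ValueError("contains control characters")
    if len(raw.split()) > MAX_COMMENT_WORDS:
        raise ValueError(f"limit is {MAX_COMMENT_WORDS} words")
    return raw.strip()


def attack_signatures(raw: str) -> List[str]:
    return [p.pattern for p in ATTACK_PATTERNS if p.search(raw)]


def validate_review_form(form: Dict[str, str]) -> Dict[str, Any]:
    """Validate every field, report all failures at once, and return typed values."""
    errors: Dict[str, str] = {}
    cleaned: Dict[str, Any] = {}
    for name, parser in (("visit_date", parse_date), ("comment", parse_comment)):
        try:
            cleaned[name] = parser(form.get(name, ""))
        except ValueError as exc:
            errors[name] = str(exc)
    if errors:
        raise ValidationError(errors)
    # Validation passed; signature hits are still returned so the controller can log
    # them. Output encoding in the view is what actually neutralises the comment.
    cleaned["attack_signatures"] = attack_signatures(cleaned["comment"])
    return cleaned
```

Note that a comment containing `<script>` is accepted: it is legitimate text for a review, and rejecting it would only teach an attacker which spellings the list misses. The hit is logged, and the view encodes the output.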
69. Security Concerns - Controller: Session Management
70. Security Concerns - Controller: Session Management
   - Verify session is valid
   - Check username, roles
   - Perform session timeout
   - Authenticate again
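The session-management slide as an added example that is not part of the deck: a server-side session store with an unguessable id, a fresh id issued at login, idle and absolute timeouts that destroy the session, a role snapshot the controller checks, and step-up re-authentication for a sensitive action. The timeout values, the in-memory store and the controller's return strings are assumptions of this example.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Set

IDLE_TIMEOUT = timedelta(minutes=15)   # assumptions: tune per application
ABSOLUTE_TIMEOUT = timedelta(hours=8)
REAUTH_WINDOW = timedelta(minutes=5)   # sensitive actions need a password entered this recently


@dataclass
class Session:
    username: str
    roles: Set[str]        # snapshot taken at login; the controller checks against this
    created: datetime
    last_seen: datetime
    last_auth: datetime


class SessionStore:
    """Server-side session table keyed by an unguessable id (a real deployment keeps
    this in a shared cache or database rather than process memory)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, username: str, roles: Set[str], now: datetime) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits from the CSPRNG, never derived from user data
        self._sessions[sid] = Session(username, set(roles), now, now, now)
        return sid

    def login(self, old_sid: Optional[str], username: str, roles: Set[str], now: datetime) -> str:
        """Issue a fresh id when privilege changes, so an id planted before login
        (session fixation) is worthless afterwards."""
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        return self.create(username, roles, now)

    def validate(self, sid: Optional[str], now: datetime) -> Optional[Session]:
        """Return the live session or None. Expired sessions are destroyed, not just skipped."""
        session = self._sessions.get(sid) if sid is not None else None
        if session is None:
            return None
        if now - session.last_seen > IDLE_TIMEOUT or now - session.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        session.last_seen = now
        return session

    def needs_reauth(self, session: Session, now: datetime) -> bool:
        return now - session.last_auth > REAUTH_WINDOW

    def mark_reauthenticated(self, session: Session, now: datetime) -> None:
        session.last_auth = now   # call only after the password was verified again

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def change_email_controller(store: SessionStore, sid: Optional[str], now: datetime) -> str:
    """Order of checks for a sensitive action: live session, then role, then how
    recently the user proved they still hold the password."""
    session = store.validate(sid, now)
    if session is None:
        return "redirect:/login"
    if "customer" not in session.roles:
        return "403 forbidden"
    if store.needs_reauth(session, now):
        return "redirect:/reauth"
    return "200 email changed"
```

The absolute timeout is what bounds the damage from a stolen cookie that the attacker keeps alive by polling; the idle timeout alone would never expire it.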
71. Security Concerns - Controller: Coarse-Grained Authorization
72. Security Concerns - Controller: Coarse-Grained Authorization
   - Verify user is authenticated for sensitive resources
   - Verify user is in correct role
   - Make sure IP address is internal (taken from the connection, not from a client-supplied header)
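The coarse-grained checks on this slide as a reusable route guard, an added example that is not the deck's code: a decorator that verifies authentication, the required role, and for internal-only routes the network the request came from, deciding on the socket peer address and ignoring `X-Forwarded-For` because that header is attacker-supplied unless a trusted proxy rewrites it. The `Request` object, the internal ranges and the two sample handlers are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict, Optional, Set

# Assumption: these are the internal ranges for this deployment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Request:
    path: str
    user: Optional[str]                  # None when not authenticated
    roles: Set[str] = field(default_factory=set)
    remote_addr: str = "0.0.0.0"         # the TCP peer as seen by the server
    headers: Dict[str, str] = field(default_factory=dict)


class Unauthorized(Exception):
    pass


class Forbidden(Exception):
    pass


def is_internal(request: Request) -> bool:
    # Decide on the socket peer address only. X-Forwarded-For is whatever the client
    # sent unless a trusted reverse proxy overwrote it, so it is deliberately ignored.
    addr = ipaddress.ip_address(request.remote_addr)
    return any(addr in net for net in INTERNAL_NETS)


def require(authenticated: bool = True, role: Optional[str] = None, internal: bool = False) -> Callable:
    """Route guard. Checks run in order: identity, role, network; the handler body
    never executes unless all of them pass."""
    def decorator(handler: Callable) -> Callable:
        @wraps(handler)
        def guarded(request: Request, *args, **kwargs):
            if authenticated and request.user is None:
                raise Unauthorized(f"{request.path}: login required")
            if role is not None and role not in request.roles:
                raise Forbidden(f"{request.path}: role {role!r} required")
            if internal and not is_internal(request):
                raise Forbidden(f"{request.path}: internal network only")
            return handler(request, *args, **kwargs)
        return guarded
    return decorator


@require()
def view_statement(request: Request) -> str:
    return f"statement for {request.user}"


@require(role="admin", internal=True)
def admin_console(request: Request) -> str:
    return "admin console"
```

The guard answers "may this kind of user reach this route at all"; which account the user may touch once inside is the model's fine-grained check, and the two are not interchangeable.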
73. Security Concerns - Controller: Data Protection in Transit
74. Security Concerns - Controller: Data Protection in Transit
   - Use SSL
   - Set secure cookies (the Secure flag, and HttpOnly so script cannot read them)
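Slides 64, 66 and 74 share one mechanism, response hardening, so they get one added example here (not code from the deck): no-store cache headers for sensitive pages, a URL builder that refuses to place secrets in the query string, autocomplete disabled on the sensitive form, plain-HTTP requests redirected to HTTPS with HSTS set on the secure side, and a session cookie flagged Secure and HttpOnly. The response model, the list of sensitive parameter names and the redirect policy for non-GET requests are assumptions of this example.

```python
from http.cookies import SimpleCookie
from typing import Dict, List, Tuple
from urllib.parse import urlencode, urlsplit, urlunsplit

Headers = List[Tuple[str, str]]

# Names that must never appear in a query string: URLs land in browser history,
# bookmarks, Referer headers and proxy/server logs. Assumption for this example.
SENSITIVE_PARAMS = {"password", "pin", "ssn", "card", "session", "token"}


def no_store_headers() -> Headers:
    """Modern and legacy directives together, so neither browsers nor shared proxies keep a copy."""
    return [("Cache-Control", "no-store, no-cache, must-revalidate, private"),
            ("Pragma", "no-cache"),
            ("Expires", "0")]


def hsts_header(max_age: int = 31_536_000) -> Tuple[str, str]:
    """Tell returning browsers to refuse plain HTTP for this host for a year."""
    return ("Strict-Transport-Security", f"max-age={max_age}; includeSubDomains")


def session_cookie_header(session_id: str) -> Tuple[str, str]:
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    cookie["SESSIONID"]["secure"] = True      # sent only over TLS
    cookie["SESSIONID"]["httponly"] = True    # not readable from script, so XSS cannot simply lift it
    cookie["SESSIONID"]["samesite"] = "Lax"
    cookie["SESSIONID"]["path"] = "/"
    return ("Set-Cookie", cookie.output(header="").strip())


def enforce_https(method: str, url: str) -> Tuple[int, Headers]:
    """Redirect plain-HTTP GETs to HTTPS. A POST carrying a password has already
    crossed the wire in the clear by the time it arrives, so it is rejected, not replayed."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return 200, [hsts_header()]
    if method.upper() != "GET":
        return 403, []
    return 301, [("Location", urlunsplit(("https",) + tuple(parts[1:])))]


def build_url(path: str, params: Dict[str, str]) -> str:
    """Refuse to put secrets in the query string; they belong in a POST body."""
    leaked = SENSITIVE_PARAMS & {k.lower() for k in params}
    if leaked:
        raise ValueError(f"refusing to place {sorted(leaked)} in a URL")
    return path + ("?" + urlencode(params) if params else "")


def account_page(session_id: str, account_number: str) -> Tuple[int, Headers, str]:
    """A sensitive page: no-store, HSTS, hardened session cookie, autocomplete off,
    and only the last four digits of the account number ever reach the browser."""
    masked = "*" * (len(account_number) - 4) + account_number[-4:]
    body = (
        f"<p>Account {masked}</p>\n"
        '<form method="post" action="/account/transfer" autocomplete="off">\n'
        '  <input type="password" name="pin" autocomplete="off">\n'
        "  <button>Transfer</button>\n"
        "</form>\n"
    )
    headers = no_store_headers() + [hsts_header(), session_cookie_header(session_id)]
    return 200, headers, body
```

The `Secure` flag keeps the cookie off plain HTTP, but only HSTS stops the browser from making that first plain-HTTP request at all; the two are complementary.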
75. Thanks!
76. Stay tuned for… Examination of security mechanisms in:
   - J2EE/Struts
   - ASP.NET
   - Ruby on Rails