bp dev security summit.ppt

Upload: josep-vano-chic

Post on 14-Apr-2018

  • 7/30/2019 BP Dev Security Summit.ppt

Slide 1/46: Writing Secure Code: Best Practices

Raf Cox
Consultant, Microsoft Services BeLux

Slide 2/46: What We Will Cover

• Secure Development Process
• Threat Modeling
• Risk Mitigation
• Security Best Practices

Slide 3/46: Session Prerequisites

• Development experience with Microsoft Visual Basic, Microsoft Visual C++, or C#
• Level 200

Slide 4/46: Agenda

• Secure Development Process
• Threat Modeling
• Risk Mitigation
• Security Best Practices

Slide 5/46: Improving the Application Development Process

• Consider security
    • At the start of the process
    • Throughout development
    • Through deployment
    • At all software review milestones
• Do not stop looking for security bugs until the end of the development process

Slide 6/46: SD3: The SD3 Security Framework

• Secure by Design
    • Secure architecture and code
    • Threat analysis
    • Vulnerability reduction
• Secure by Default
    • Attack surface area reduced
    • Unused features turned off by default
    • Minimum privileges used
• Secure in Deployment
    • Protection: detection, defense, recovery, and management
    • Process: how-to guides, architecture guides
    • People: training

Slide 7/46: Secure Product Development Timeline

[Timeline diagram. Milestones: Concept, Designs Complete, Test Plans Complete, Code Complete, Ship, Post-Ship. Activities placed along the timeline (some marked as ongoing):]
• Assess security knowledge when hiring team members
• Determine security sign-off criteria
• Analyze threats
• Train team members
• Test for security vulnerabilities
• Test for data mutation and least privilege
• Resolve security issues, verify code against security guidelines
• Send out for external review
• Perform security team review
• Learn and refine

Slide 8/46: Secure By Design

• Raise security awareness of the design team
    • Use ongoing training
    • Challenge attitudes: "What I don't know won't hurt me" does not apply!
• Get security right during the design phase
    • Define product security goals
    • Implement security as a key product feature
    • Use threat modeling during the design phase

Slide 9/46: Agenda

• Secure Development Process
• Threat Modeling
• Risk Mitigation
• Security Best Practices

Slide 10/46: What Is Threat Modeling?

• Threat modeling is a security-based analysis that:
    • Helps a product team understand where the product is most vulnerable
    • Evaluates the threats to an application
    • Aims to reduce overall security risks
    • Finds assets
    • Uncovers vulnerabilities
    • Identifies threats
    • Should help form the basis of security design specifications

Slide 11/46: Benefits of Threat Modeling

• Helps you understand your application better
• Helps you find bugs
• Identifies complex design bugs
• Helps integrate new team members
• Drives well-designed security test plans

[Diagram: the relationship between Threat, Vulnerability, and Asset]

Slide 12/46: The Threat Modeling Process

1. Identify Assets
2. Create an Architecture Overview
3. Decompose the Application
4. Identify the Threats
5. Document the Threats
6. Rate the Threats

Slide 13/46: Threat Modeling Process, Step 1: Identify Assets

• Build a list of assets that require protection, including:
    • Confidential data, such as customer databases
    • Web pages
    • System availability
    • Anything else that, if compromised, would prevent correct operation of your application

Slide 14/46: Threat Modeling Process, Step 2: Create an Architecture Overview

• Identify what the application does
• Create an application architecture diagram
• Identify the technologies

[Architecture diagram: users Alice, Mary and Bob reach IIS (Anonymous Authentication, Forms Authentication) across a trust boundary; Microsoft ASP.NET runs as the ASPNET process identity and applies File Authorization, URL Authorization, .NET Roles (Authentication) and User-Defined Roles (Authentication); Microsoft SQL Server sits behind a second trust boundary with Microsoft Windows Authentication; NTFS Permissions (Authentication) protect files; SSL (Privacy/Integrity) protects the client link and IPSec (Privacy/Integrity) the link to SQL Server]

Slide 15/46: Threat Modeling Process, Step 3: Decompose the Application

• Break down the application
• Create a security profile based on traditional areas of vulnerability
• Examine interactions between different subsystems
• Use DFD or UML diagrams

[Diagram: Identify Trust Boundaries, Identify Data Flow, Identify Entry Points, Identify Privileged Code, Document Security Profile]

Slide 16/46: Threat Modeling Process, Step 4: Identify the Threats

• Assemble team
• Identify threats
    • Network threats
    • Host threats
    • Application threats

Slide 17/46: Threat Modeling Process: Identify the Threats by Using STRIDE

Types of threats          Examples
Spoofing                  Forging e-mail messages; replaying authentication packets
Tampering                 Altering data during transmission; changing data in files
Repudiation               Deleting a critical file and denying it; purchasing a product and denying it
Information disclosure    Exposing information in error messages; exposing code on Web sites
Denial of service         Flooding a network with SYN packets; flooding a network with forged ICMP packets
Elevation of privilege    Exploiting buffer overruns to gain system privileges; obtaining administrator privileges illegitimately

Slide 18/46: Threat Modeling Process: Identify the Threats by Using Attack Trees

[Attack tree diagram for Threat #1 (I): View payroll data; the same tree in outline form:]

1.0 View payroll data (I)
    1.1 Traffic is unprotected (AND)
    1.2 Attacker views traffic
        1.2.1 Sniff traffic with protocol analyzer
        1.2.2 Listen to router traffic
            1.2.2.1 Router is unpatched (AND)
            1.2.2.2 Compromise router
            1.2.2.3 Guess router password

Slide 19/46: Threat Modeling Process, Step 5: Document the Threats

• Document threats by using a template
• Leave Risk blank (for now)

Threat Description    Injection of SQL commands
Threat target         Data access component
Risk                  (blank for now)
Attack techniques     Attacker appends SQL commands to the user name, which is used to form a SQL query
Countermeasures       Use a regular expression to validate the user name, and use a stored procedure with parameters to access the database

Slide 20/46: Threat Modeling Process, Step 6: Rate the Threats

• Use formula: Risk = Probability * Damage Potential
• Use DREAD to rate threats
    • Damage potential
    • Reproducibility
    • Exploitability
    • Affected users
    • Discoverability

Slide 21/46: Threat Modeling Process, Example: Rate the Threats

[Attack tree from slide 18 (Threat #1 (I): View payroll data, nodes 1.1 through 1.2.2.3) annotated with DREAD ratings]

• Damage potential + Affected users, or simply "Damage"
• Reproducibility + Exploitability + Discoverability, or simply "Chance"
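The rating step above gives only the formula and the five DREAD categories. The following is an added example, not code from the original session: it scores the two threats the deck documents (the payroll-traffic threat of the attack tree and the SQL injection threat of the template) and ranks them. The 1..10 scale per category, the averaging inside the "Damage" and "Chance" groups, and the rating numbers themselves are assumptions made for this example; only the grouping and the Risk = Probability * Damage Potential formula come from the slides.

```python
"""DREAD rating of the threats documented in the deck.

Added example, not from the original slides. The five DREAD categories and the
grouping Damage = {Damage potential, Affected users},
Chance = {Reproducibility, Exploitability, Discoverability} come from the
slides; the 1..10 scale per category, the averaging inside each group and the
sample ratings are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Dread:
    damage_potential: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject ratings outside the assumed 1..10 scale early.
        for name, value in vars(self).items():
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be in 1..10, got {value}")

    def damage(self) -> float:
        # "Damage" group from slide 21: Damage potential and Affected users
        return (self.damage_potential + self.affected_users) / 2

    def chance(self) -> float:
        # "Chance" group from slide 21: Reproducibility, Exploitability, Discoverability
        return (self.reproducibility + self.exploitability + self.discoverability) / 3

    def risk(self) -> float:
        # Slide 20: Risk = Probability * Damage Potential, with Chance as the probability
        return round(self.chance() * self.damage(), 2)


# Constructed ratings for the two threats the deck documents (assumed values).
THREATS: Dict[str, Dread] = {
    "1.0 View payroll data (I)": Dread(8, 7, 6, 9, 5),
    "Injection of SQL commands": Dread(9, 9, 8, 9, 7),
}


def rank_threats(threats: Dict[str, Dread] = THREATS) -> List[Tuple[str, float]]:
    """Return (name, risk) pairs sorted from highest to lowest risk."""
    scored = [(name, d.risk()) for name, d in threats.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, risk in rank_threats():
        print(f"{risk:6.2f}  {name}")
```

The ranking is the output the "Rate the Threats" step feeds back into the template's empty Risk column; whichever scale a team adopts, the important property is that the same scale is applied to every threat so the ordering is comparable.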

Slide 22/46: Typical Application-Related Vulnerabilities

• Memory issues
• Arithmetic errors
• Cross-site scripting
• SQL injection
• Canonicalization issues
• Cryptography weaknesses
• Unicode issues
• Denial of service

Slide 23/46: What Is SQL Injection?

• SQL injection is the process of adding SQL statements in user input
• Used by hackers to:
    • Probe databases
    • Bypass authorization
    • Execute multiple SQL statements
    • Call built-in stored procedures

Slide 24/46: Demonstration 3: SQL Injection

• Investigating SQL Injection Issues
• Using Parameterized Queries to Defend Against SQL Injection
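The demonstration itself is not part of the transcript. The following is an added example, not the session's demo code, covering both the threat documented in the slide 19 template (SQL appended to the user name) and the parameterized-query defence named here. It uses an in-memory SQLite database in place of SQL Server; the users table, the two accounts, the user-name pattern and the injected input are constructed for this example.

```python
"""SQL injection: string concatenation versus a parameterized query.

Added example, not the demonstration from the original session. It uses an
in-memory SQLite database; the users table, the two accounts, the user-name
pattern and the injected user name are constructed for this example.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext passwords only to keep the demo short.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password) -> bool:
    # User input is pasted into the statement text, so whatever the user types
    # becomes part of the SQL: the defect documented on slide 19.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password) -> bool:
    # Placeholders keep the statement fixed; input is only ever bound as a
    # value, the same property a stored procedure with parameters gives you.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Slide 19's other countermeasure: a regular expression that admits only the
# characters a user name may contain (character set and length are assumptions).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(username: str) -> bool:
    # fullmatch anchors the pattern to the whole value
    return USERNAME_RE.fullmatch(username) is not None


# Constructed input of the kind slide 19 describes: SQL appended to the user
# name. The trailing "--" starts a SQL comment, so in the concatenated query
# the password clause is never evaluated.
INJECTED_NAME = "alice' --"


def demo() -> dict:
    conn = make_db()
    return {
        "valid_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "valid_parameterized": login_parameterized(conn, "alice", "s3cret"),
        "injected_vulnerable": login_vulnerable(conn, INJECTED_NAME, "wrong"),
        "injected_parameterized": login_parameterized(conn, INJECTED_NAME, "wrong"),
        "injected_rejected_by_regex": not is_valid_username(INJECTED_NAME),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:28s} {result}")
```

The two countermeasures are layered on purpose: the parameter binding is what removes the injection, and the user-name pattern rejects the malformed input before it reaches the database at all, which is the "look for valid data and reject everything else" rule from the input-validation slide later in the deck.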

Slide 25/46: Agenda

• Secure Development Process
• Threat Modeling
• Risk Mitigation
• Security Best Practices

Slide 26/46: Risk Mitigation Options

• Option 1: Do Nothing
• Option 2: Warn the User
• Option 3: Remove the Problem
• Option 4: Fix It Patrolled

Slide 27/46: Risk Mitigation Process

Threat Type (STRIDE)   Mitigation Technique   Technology
Spoofing               Authentication         NTLM, X.509 certs, PGP keys, Basic, Digest, Kerberos, SSL/TLS

1. Identify category (for example: Spoofing)
2. Select techniques (for example: Authentication or Protect secret data)
3. Choose technology (for example: Kerberos)

Slide 28/46: Sample Mitigation Techniques

[Diagram: Client and Server connected over an Insecure Network; Persistent Data, Authentication Data and Configuration Data on the server side, each labelled with the STRIDE threats that apply. Sample mitigation techniques shown:]
• SSL/TLS
• IPSec
• RPC/DCOM with Privacy
• Firewall
• Limiting resource utilization for anonymous connections
• Strong access control
• Digital signatures
• Auditing

Slide 29/46: Agenda

• Secure Development Process
• Threat Modeling
• Risk Mitigation
• Security Best Practices

Slide 30/46: Run with Least Privilege

• Well-known security doctrine: run with just enough privilege to get the job done, and no more!
• Elevated privilege can lead to disastrous consequences
    • Malicious code executing in a highly privileged process runs with extra privileges too
    • Many viruses spread because the recipient has administrator privileges

Slide 31/46: Demonstration 1: ASP.NET Applications Security

• Investigating ASP.NET Application Privileges
• Restricting ASP.NET Applications Trust Levels
• Sandboxing Privileged Code
• Using Sandboxed Assemblies

Slide 32/46: Reduce the Attack Surface

• Expose only limited, well-documented interfaces from your application
• Use only the services that your application requires
    • The Slammer and CodeRed viruses would not have happened if certain features were not on by default
    • ILoveYou (and other viruses) would not have happened if scripting was disabled
• Turn everything else off

Slide 33/46: Do Not Trust User Input

• Validate all input
    • Assume all input is harmful until proven otherwise
    • Look for valid data and reject everything else
• Constrain, reject, and sanitize user input with
    • Type checks
    • Length checks
    • Range checks
    • Format checks

    // C#: a verbatim string so the backslashes in the pattern survive compilation
    Validator.ValidationExpression =
        @"\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*";
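The slide names four kinds of check and shows one format pattern. The following is an added example, not code from the original deck, that applies all four checks to a small form and reuses the slide's e-mail expression. The field names, the length and range limits and the sample inputs are assumptions made here. One caveat the example makes visible: a validation control matches the whole field, but when the same pattern is applied by hand it must be anchored (`fullmatch`), otherwise any string that merely contains an address passes.

```python
"""Constrain, reject, sanitize: type, length, range and format checks.

Added example, not from the original slides. The e-mail pattern is the one on
slide 33; the field names, limits and sample inputs are assumptions made here.
"""
import re
from typing import Dict, List

# Slide 33 pattern. It is applied with fullmatch so that it must describe the
# whole value; an unanchored search would accept surrounding junk.
EMAIL_RE = re.compile(r"\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*")


def validate_order(form: Dict[str, object]) -> List[str]:
    """Return rejection reasons; an empty list means the input passed."""
    errors: List[str] = []

    # Type check: the quantity must be a short string of digits, nothing else
    qty = form.get("quantity")
    if not isinstance(qty, str) or not re.fullmatch(r"\d{1,4}", qty):
        errors.append("quantity: must be 1-4 digits")
    else:
        # Range check: only meaningful once the type check has passed
        if not 1 <= int(qty) <= 100:
            errors.append("quantity: must be between 1 and 100")

    # Length check before the pattern is ever applied (assumed limits)
    email = form.get("email")
    if not isinstance(email, str) or not 3 <= len(email) <= 254:
        errors.append("email: length must be 3..254")
    elif not EMAIL_RE.fullmatch(email):
        # Format check with the deck's expression, anchored to the whole value
        errors.append("email: not a valid address")

    return errors


def email_looks_valid(value: str) -> bool:
    return EMAIL_RE.fullmatch(value) is not None


def email_search_only(value: str) -> bool:
    # The unsafe way to reuse the pattern: passes as long as an address
    # appears somewhere in the value.
    return EMAIL_RE.search(value) is not None


if __name__ == "__main__":
    good = {"quantity": "5", "email": "raf.cox@example.com"}
    bad = {"quantity": "10; DROP TABLE", "email": "<script>alice@example.com</script>"}
    print("good:", validate_order(good))
    print("bad: ", validate_order(bad))
```

Ordering matters: the cheap type and length checks run first so that the pattern only ever sees short, well-typed values, and each rejection names the rule that failed rather than echoing the rejected input back.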

Slide 34/46: Defense in Depth (1 of 3): Use Multiple Gatekeepers

[Diagram: multiple gatekeepers between the client and SQL Server: SSL, ISA Firewall, IIS, a second ISA Firewall, and IPSec]

Slide 35/46: Defense in Depth (2 of 3): Apply Appropriate Measures for Each Layer

[Diagram: Application.exe calling into Application.dll and a further Application.dll, each layer performing its own "Check security" step, down to the resource, which is secured with an ACL]

Slide 36/46: Defense in Depth (3 of 3): Use Strong ACLs on Resources

• Design ACLs into the application from the beginning
• Apply ACLs to files, folders, Web pages, registry settings, database files, printers, and objects in Active Directory
• Create your own ACLs during application installation
• Include DENY ACEs
• Do not use NULL DACLs

Slide 37/46: Do Not Rely on Security by Obscurity

• Do not hide security keys in files
• Do not rely on undocumented registry keys
• Always assume an attacker knows everything you know

Slide 38/46: Use Data Protection API (DPAPI) to Protect Secrets

• Two DPAPI functions:
    • CryptProtectData
    • CryptUnprotectData
• Two stores for data encrypted with DPAPI:
    • User store
    • Machine store

Slide 39/46: Fail Intelligently (1 of 2)

• If your code does fail, make sure it fails securely

    DWORD dwRet = IsAccessAllowed();
    if (dwRet == ERROR_ACCESS_DENIED) {
        // Security check failed.
        // Inform user that access is denied
    } else {
        // Security check OK.
        // Perform task
    }

• What if IsAccessAllowed() returns ERROR_NOT_ENOUGH_MEMORY?

Slide 40/46: Fail Intelligently (2 of 2)

• Do not:
    • Reveal information in error messages
    • Consume resources for lengthy periods of time after a failure
• Do:
    • Use exception handling blocks to avoid propagating errors back to the caller
    • Write suspicious failures to an event log
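The C snippet on the previous slide treats every return value other than ERROR_ACCESS_DENIED as success, which is the defect its closing question points at. The following is an added example, not code from the original deck, that models that snippet in Python beside its corrected form and applies the two "Do" rules from this slide (log the suspicious failure, give the caller nothing but a generic message). The numeric codes are the Win32 values of ERROR_SUCCESS, ERROR_ACCESS_DENIED and ERROR_NOT_ENOUGH_MEMORY; the access-check function, the user and resource names and the logger are stand-ins invented for this example.

```python
"""Fail securely: proceed only on explicit success, and fail without leaking.

Added example, not from the original slides. It models the C snippet on
slide 39 in Python: the numeric codes are the Win32 values for ERROR_SUCCESS,
ERROR_ACCESS_DENIED and ERROR_NOT_ENOUGH_MEMORY; the access-check function,
the names and the log sink are stand-ins made up for this example.
"""
import logging

ERROR_SUCCESS = 0
ERROR_ACCESS_DENIED = 5
ERROR_NOT_ENOUGH_MEMORY = 8

log = logging.getLogger("security")


def is_access_allowed(user: str, resource: str, *, out_of_memory: bool = False) -> int:
    """Stand-in for the deck's IsAccessAllowed(): returns a status code."""
    if out_of_memory:  # simulate the failure the slide asks about
        return ERROR_NOT_ENOUGH_MEMORY
    allowed = {("alice", "payroll.db")}  # constructed access list
    return ERROR_SUCCESS if (user, resource) in allowed else ERROR_ACCESS_DENIED


def perform_task_flawed(user: str, resource: str, **kw) -> str:
    # The slide-39 structure: only ACCESS_DENIED counts as failure, so any
    # other error code falls straight into the "security check OK" branch.
    ret = is_access_allowed(user, resource, **kw)
    if ret == ERROR_ACCESS_DENIED:
        return "access denied"
    return f"task performed on {resource}"


def perform_task_secure(user: str, resource: str, **kw) -> str:
    # Invert the test: proceed only on the one code that means success.
    ret = is_access_allowed(user, resource, **kw)
    if ret != ERROR_SUCCESS:
        if ret != ERROR_ACCESS_DENIED:
            # Slide 40: the suspicious failure goes to the event log with detail...
            log.warning("access check failed unexpectedly: user=%s resource=%s code=%d",
                        user, resource, ret)
        # ...while the caller sees only a generic message, never the code or reason.
        return "access denied"
    return f"task performed on {resource}"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("flawed, out of memory:", perform_task_flawed("bob", "payroll.db", out_of_memory=True))
    print("secure, out of memory:", perform_task_secure("bob", "payroll.db", out_of_memory=True))
    print("secure, allowed user: ", perform_task_secure("alice", "payroll.db"))
```

The change is a single comparison, but it turns the default from "allow unless told otherwise" into "deny unless told otherwise", which is what failing securely means for an access check.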

Slide 41/46: Test Security

• Involve test teams in projects at the beginning
• Use threat modeling to develop security testing strategy
• Think evil. Be evil. Test evil.
    • Automate attacks with scripts and low-level programming languages
    • Submit a variety of invalid data
    • Delete or deny access to files or registry entries
    • Test with an account that is not an administrator account
• Know your enemy and know yourself
    • What techniques and technologies will hackers use?
    • What techniques and technologies can testers use?

Slide 42/46: Learn from Mistakes

• If you find a security problem, learn from the mistake
    • How did the security error occur?
    • Has the same error been made elsewhere in the code?
    • How could it have been prevented?
    • What should be changed to avoid a repetition of this kind of error?
    • Do you need to update educational material or analysis tools?

Slide 43/46: Session Summary

• Secure Development Process
• Threat Modeling
• Risk Mitigation
• Security Best Practices

Slide 44/46: Next Steps

1. Stay informed about security
    • Sign up for security bulletins: http://www.microsoft.com/security/security_bulletins/alerts2.asp
    • Get the latest Microsoft security guidance: http://www.microsoft.com/security/guidance/
2. Get additional security training
    • Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security.mspx
    • Find a local CTEC for hands-on training: http://www.microsoft.com/learning/

Slide 45/46: For More Information

• Microsoft Security Site (all audiences): http://www.microsoft.com/security
• MSDN Security Site (developers): http://msdn.microsoft.com/security
• TechNet Security Site (IT professionals): http://www.microsoft.com/technet/security