bp dev security summit.ppt
TRANSCRIPT
7/30/2019 BP Dev Security Summit.ppt

Writing Secure Code
Best Practices
Raf Cox
Consultant, Microsoft Services BeLux
What We Will Cover
Secure Development Process
Threat Modeling
Risk Mitigation
Security Best Practices
Session Prerequisites
Development experience with Microsoft Visual Basic, Microsoft Visual C++, or C#
Level 200
Agenda
Secure Development Process
Threat Modeling
Risk Mitigation
Security Best Practices
Improving the Application Development Process
Consider security:
At the start of the process
Throughout development
Through deployment
At all software review milestones
Do not stop looking for security bugs until the end of the development process
SD3: The SD3 Security Framework
Secure by Design
Secure architecture and code
Threat analysis
Vulnerability reduction
Secure by Default
Attack surface area reduced
Unused features turned off by default
Minimum privileges used
Secure in Deployment
Protection: detection, defense, recovery, and management
Process: how-to guides, architecture guides
People: training
Secure Product Development Timeline
Milestones: Concept, Designs Complete, Code Complete, Test Plans Complete, Ship, Post-Ship
Security activities placed along the timeline (some are marked as ongoing in the original diagram):
Assess security knowledge when hiring team members
Determine security sign-off criteria
Analyze threats
Train team members
Perform security team review
Test for security vulnerabilities
Test for data mutation and least privilege
Resolve security issues, verify code against security guidelines
Send out for external review
Learn and refine
Secure By Design
Raise security awareness of the design team
Use ongoing training
Challenge attitudes: "What I don't know won't hurt me" does not apply!
Get security right during the design phase
Define product security goals
Implement security as a key product feature
Use threat modeling during the design phase
Agenda
Secure Development Process
Threat Modeling
Risk Mitigation
Security Best Practices
What Is Threat Modeling?
Threat modeling is a security-based analysis that:
Helps a product team understand where the product is most vulnerable
Evaluates the threats to an application
Aims to reduce overall security risks
Finds assets
Uncovers vulnerabilities
Identifies threats
Should help form the basis of security design specifications
Benefits of Threat Modeling
Helps you understand your application better
Helps you find bugs
Identifies complex design bugs
Helps integrate new team members
Drives well-designed security test plans
(Diagram: Threat, Vulnerability, Asset)
The Threat Modeling Process
1. Identify Assets
2. Create an Architecture Overview
3. Decompose the Application
4. Identify the Threats
5. Document the Threats
6. Rate the Threats
Threat Modeling Process, Step 1: Identify Assets
Build a list of assets that require protection, including:
Confidential data, such as customer databases
Web pages
System availability
Anything else that, if compromised, would prevent correct operation of your application
Threat Modeling Process, Step 2: Create an Architecture Overview
Identify what the application does
Create an application architecture diagram
Identify the technologies
(Diagram: example ASP.NET application architecture. Users Alice, Mary and Bob cross a trust boundary to IIS over SSL (privacy/integrity), using IIS Anonymous Authentication or Forms Authentication; Microsoft ASP.NET (ASPNET process identity) applies NTFS permissions, File Authorization, URL Authorization, .NET Roles and user-defined roles; a second trust boundary separates the Web tier from Microsoft SQL Server, reached over IPSec (privacy/integrity) with Microsoft Windows Authentication.)
Threat Modeling Process, Step 3: Decompose the Application
Break down the application
Create a security profile based on traditional areas of vulnerability
Examine interactions between different subsystems
Use DFD or UML diagrams
Identify Trust Boundaries
Identify Data Flow
Identify Entry Points
Identify Privileged Code
Document Security Profile
Threat Modeling Process, Step 4: Identify the Threats
Assemble team
Identify threats
Network threats
Host threats
Application threats
Threat Modeling Process: Identify the Threats by Using STRIDE
Types of threats, with examples:
Spoofing: forging e-mail messages; replaying authentication packets
Tampering: altering data during transmission; changing data in files
Repudiation: deleting a critical file and denying it; purchasing a product and denying it
Information disclosure: exposing information in error messages; exposing code on Web sites
Denial of service: flooding a network with SYN packets; flooding a network with forged ICMP packets
Elevation of privilege: exploiting buffer overruns to gain system privileges; obtaining administrator privileges illegitimately
Threat Modeling Process: Identify the Threats by Using Attack Trees
Threat #1 (I): View payroll data
1.0 View payroll data (I)
  1.1 Traffic is unprotected (AND)
  1.2 Attacker views traffic
    1.2.1 Sniff traffic with protocol analyzer
    1.2.2 Listen to router traffic
      1.2.2.1 Router is unpatched (AND)
      1.2.2.2 Compromise router
      1.2.2.3 Guess router password
Threat Modeling Process, Step 5: Document the Threats
Document threats by using a template; leave Risk blank (for now):
Threat description: Injection of SQL commands
Threat target: Data access component
Risk: (blank for now)
Attack techniques: Attacker appends SQL commands to the user name, which is used to form a SQL query
Countermeasures: Use a regular expression to validate the user name, and use a stored procedure with parameters to access the database
Threat Modeling Process
Step 6: Rate the Threats
Use formula:
Risk = Probability * Damage Potential
Use DREAD to rate threats
Damage potential
Reproducibility
Exploitability
Affected users
Discoverability
Threat Modeling Process, Example: Rate the Threats
Apply DREAD to the attack tree for Threat #1 (I), View payroll data:
1.0 View payroll data (I)
  1.1 Traffic is unprotected
  1.2 Attacker views traffic
    1.2.1 Sniff traffic with protocol analyzer
    1.2.2 Listen to router traffic
      1.2.2.1 Router is unpatched
      1.2.2.2 Compromise router
      1.2.2.3 Guess router password
Damage potential + Affected users = Damage
Reproducibility + Exploitability + Discoverability = Chance
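To make the rating step concrete, here is an added example (not from the deck) that scores the leaves of the attack tree above with DREAD, applies Risk = Chance * Damage as the two slides define it, and rolls the ratings up the tree. The sample ratings, the 1..10 scale, the roll-up rule (OR nodes take the riskiest branch, AND nodes the least risky required step) and the reading of the slide's "(AND)" markers are all assumptions of this example.

```c
#include <stdio.h>

/* DREAD ratings; a 1..10 scale is assumed (the slides name only the categories). */
typedef struct { int damage, reproducibility, exploitability, affected, discoverability; } Dread;
typedef enum { LEAF, AND_NODE, OR_NODE } Kind;
typedef struct Node {
    const char *id;
    Kind kind;
    Dread dread;                   /* only meaningful for leaves */
    const struct Node *child[2];   /* only meaningful for AND/OR nodes */
} Node;

/* Slide "Rate the Threats": Risk = Probability * Damage Potential, with the
   categories grouped as on the example slide: Damage = D + A, Chance = R + E + D. */
double leaf_risk(const Dread *d) {
    double damage = (d->damage + d->affected) / 2.0;
    double chance = (d->reproducibility + d->exploitability + d->discoverability) / 3.0;
    return damage * chance;        /* 1..100 */
}

/* Assumed roll-up rule (not stated on the slides): an OR node is as risky as its
   riskiest alternative; an AND node is no riskier than its least risky required
   step, because the attacker must complete every step of it. */
double node_risk(const Node *n) {
    if (n->kind == LEAF) return leaf_risk(&n->dread);
    double a = node_risk(n->child[0]), b = node_risk(n->child[1]);
    if (n->kind == OR_NODE) return a > b ? a : b;
    return a < b ? a : b;
}

/* The slide's attack tree with constructed sample ratings (D, R, E, A, D).
   Reading of the "(AND)" markers is assumed: 1.1 and 1.2 are both required for
   1.0, and "1.2.2.1 together with 1.2.2.2" is one alternative to 1.2.2.3. */
static const Node n1221 = { "1.2.2.1 Router is unpatched",   LEAF, {6, 9, 6, 6, 6}, {0} };
static const Node n1222 = { "1.2.2.2 Compromise router",     LEAF, {8, 5, 4, 6, 3}, {0} };
static const Node n1223 = { "1.2.2.3 Guess router password", LEAF, {8, 6, 5, 6, 4}, {0} };
static const Node nand  = { "1.2.2.1 AND 1.2.2.2", AND_NODE, {0}, {&n1221, &n1222} };
static const Node n122  = { "1.2.2 Listen to router traffic", OR_NODE, {0}, {&nand, &n1223} };
static const Node n121  = { "1.2.1 Sniff traffic with protocol analyzer", LEAF, {8, 9, 8, 7, 7}, {0} };
static const Node n12   = { "1.2 Attacker views traffic", OR_NODE, {0}, {&n121, &n122} };
static const Node n11   = { "1.1 Traffic is unprotected", LEAF, {8, 10, 10, 7, 10}, {0} };
static const Node n10   = { "1.0 View payroll data (I)", AND_NODE, {0}, {&n11, &n12} };

int main(void) {
    const Node *show[] = { &n10, &n11, &n12, &n121, &n122, &n1223 };
    for (size_t i = 0; i < sizeof show / sizeof show[0]; i++)
        printf("%-45s risk = %5.1f\n", show[i]->id, node_risk(show[i]));
    return 0;   /* 1.0 rolls up to 60.0: the sniffing branch dominates */
}
```

With these ratings the unprotected-traffic leaf scores 75 and the tree as a whole 60, which is what the Risk column of the threat template would receive for Threat #1.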
Typical application-related vulnerabilities
Memory Issues
Arithmetic Errors
Cross-site Scripting
SQL Injection
Canonicalization Issues
Cryptography Weaknesses
Unicode Issues
Denial of Service
What is SQL Injection?
SQL injection is:
The process of adding SQL statements in user input
Used by hackers to:
Probe databases
Bypass authorization
Execute multiple SQL statements
Call built-in stored procedures
Demonstration 3: SQL Injection
Investigating SQL Injection Issues
Using Parameterized Queries to Defend Against SQL Injection
Agenda
Secure Development Process
Threat Modeling
Risk Mitigation
Security Best Practices
Risk Mitigation Options
Option 1: Do Nothing
Option 2: Warn the User
Option 3: Remove the Problem
Option 4: Fix It Patrolled
Risk Mitigation Process
Threat type (STRIDE) -> Mitigation technique -> Technology
Example row: Spoofing -> Authentication -> NTLM, X.509 certs, PGP keys, Basic, Digest, Kerberos, SSL/TLS
1. Identify category (for example: Spoofing)
2. Select techniques (for example: Authentication or Protect secret data)
3. Choose technology (for example: Kerberos)
Sample Mitigation Techniques
(Diagram: a client and a server connected across an insecure network, with STRIDE threats marked against the network link and against the server's persistent data, authentication data and configuration data. Sample mitigations shown: SSL/TLS, IPSec, RPC/DCOM with privacy, firewall, limiting resource utilization for anonymous connections, strong access control, digital signatures, auditing.)
Agenda
Secure Development Process
Threat Modeling
Risk Mitigation
Security Best Practices
Run with Least Privilege
Well-known security doctrine:
Run with just enough privilege to get the job done, and no more!
Elevated privilege can lead to disastrous consequences
Malicious code executing in a highly privileged process runs with extra privileges too
Many viruses spread because the recipient has administrator privileges
Demonstration 1
ASP.NET Applications Security
Investigating ASP.NET Application Privileges
Restricting ASP.NET Applications Trust Levels
Sandboxing Privileged Code
Using Sandboxed Assemblies
Reduce the Attack Surface
Expose only limited, well-documented interfaces from your application
Use only the services that your application requires
The Slammer and CodeRed viruses would not have happened if certain features were not on by default
ILoveYou (and other viruses) would not have happened if scripting was disabled
Turn everything else off
Do Not Trust User Input
Validate all input
Assume all input is harmful until proven otherwise
Look for valid data and reject everything else
Constrain, reject, and sanitize user input with:
Type checks
Length checks
Range checks
Format checks
Validator.ValidationExpression = "\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*";
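Added example, not code from the deck: the four checks above written in C for the user name field that the threat-document slide's SQL query is formed from, plus an assumed numeric page-size field so that type and range checks are exercised too. The limits, the character allow-list and both function names are assumptions; this validation complements the parameterized stored procedure the slide prescribes rather than replacing it.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { VALID = 0, BAD_TYPE, BAD_LENGTH, BAD_RANGE, BAD_FORMAT } Verdict;

/* Constructed limits; the deck states no concrete policy for either field. */
enum { USERNAME_MIN = 3, USERNAME_MAX = 32, PAGE_SIZE_MIN = 1, PAGE_SIZE_MAX = 100 };

/* Allow-list of user name characters: looking for valid data means quotes,
   semicolons and comment markers are rejected without ever being enumerated. */
static int allowed_char(unsigned char c) {
    return isalnum(c) || c == '.' || c == '_' || c == '-';
}

/* Length and format checks for the user name. Returns the first check that fails. */
Verdict validate_username(const char *s) {
    if (s == NULL) return BAD_TYPE;
    size_t n = strlen(s);
    if (n < USERNAME_MIN || n > USERNAME_MAX) return BAD_LENGTH;
    if (!isalpha((unsigned char)s[0])) return BAD_FORMAT;   /* must start with a letter */
    for (size_t i = 1; i < n; i++)
        if (!allowed_char((unsigned char)s[i])) return BAD_FORMAT;
    return VALID;
}

/* Type and range checks for the assumed page-size field: every character must be
   a digit (so "-5" and "10abc" fail the type check), then the value must be in range. */
Verdict validate_page_size(const char *s, long *out) {
    if (s == NULL || *s == '\0') return BAD_TYPE;
    for (const char *p = s; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p)) return BAD_TYPE;
    long v = strtol(s, NULL, 10);   /* all digits, so parsing cannot fail */
    if (v < PAGE_SIZE_MIN || v > PAGE_SIZE_MAX) return BAD_RANGE;   /* overflow lands here */
    *out = v;
    return VALID;
}

int main(void) {
    long n = 0;
    printf("user names: %d %d, page size: %d\n",
           validate_username("alice.smith"),          /* 0 = VALID */
           validate_username("bob'; SELECT 1"),       /* 4 = BAD_FORMAT */
           validate_page_size("500", &n));            /* 3 = BAD_RANGE */
    return 0;
}
```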
Defense in Depth (1 of 3): Use Multiple Gatekeepers
(Diagram: SSL -> ISA Firewall -> IIS -> ISA Firewall / IPSec -> SQL Server)
Defense in Depth (2 of 3): Apply Appropriate Measures for Each Layer
(Diagram: Application.exe calls Application.dll, which calls a further Application.dll; each layer checks security, and the resource at the end of the chain is secured with an ACL)
Defense in Depth (3 of 3): Use Strong ACLs on Resources
Design ACLs into the application from the beginning
Apply ACLs to files, folders, Web pages, registry settings, database files, printers, and objects in Active Directory
Create your own ACLs during application installation
Include DENY ACEs
Do not use NULL DACLs
Do Not Rely on Security by Obscurity
Do not hide security keys in files
Do not rely on undocumented registry keys
Always assume an attacker knows everything you know
Use Data Protection API (DPAPI) to Protect Secrets
Two DPAPI functions:
CryptProtectData
CryptUnprotectData
Two stores for data encrypted with DPAPI:
User store
Machine store
Fail Intelligently (1 of 2)
If your code does fail, make sure it fails securely
DWORD dwRet = IsAccessAllowed();
if (dwRet == ERROR_ACCESS_DENIED) {
    // Security check failed.
    // Inform user that access is denied
} else {
    // Security check OK.
    // Perform task
}
What if IsAccessAllowed() returns ERROR_NOT_ENOUGH_MEMORY?
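Added example (not the deck's code): the slide's check beside a fail-closed rewrite in which only an explicit success performs the task, with a simulated IsAccessAllowed() so that the out-of-memory case can be exercised. The typedef, the error-code enum and the function names perform_task_fail_open and perform_task_fail_closed are portable stand-ins assumed by this example; the numeric codes match winerror.h.

```c
#include <stdio.h>

/* Portable stand-ins for the Win32 definitions, so the example compiles anywhere.
   Values as in winerror.h: ERROR_SUCCESS 0, ERROR_ACCESS_DENIED 5, ERROR_NOT_ENOUGH_MEMORY 8. */
typedef unsigned long DWORD;
enum { ERROR_SUCCESS = 0, ERROR_ACCESS_DENIED = 5, ERROR_NOT_ENOUGH_MEMORY = 8 };

/* Simulated access check: the caller's permission decides the outcome, and a flag
   lets the harness make the check itself fail, as a real one can under memory pressure. */
DWORD IsAccessAllowed(int caller_has_permission, int check_failed) {
    if (check_failed) return ERROR_NOT_ENOUGH_MEMORY;
    return caller_has_permission ? ERROR_SUCCESS : ERROR_ACCESS_DENIED;
}

/* The slide's pattern: anything other than ERROR_ACCESS_DENIED is treated as
   permission granted. Returns 1 when the task would be performed. */
int perform_task_fail_open(DWORD dwRet) {
    if (dwRet == ERROR_ACCESS_DENIED) {
        return 0;   /* inform user that access is denied */
    }
    return 1;       /* perform task: also on ERROR_NOT_ENOUGH_MEMORY or any other code */
}

/* Fail-closed version: only ERROR_SUCCESS grants access. A denial and a check that
   could not complete are both refusals, and the latter is logged because it is the
   kind of suspicious failure the next slide wants in the event log. */
int perform_task_fail_closed(DWORD dwRet) {
    if (dwRet == ERROR_SUCCESS) {
        return 1;   /* security check OK: perform task */
    }
    if (dwRet != ERROR_ACCESS_DENIED) {
        fprintf(stderr, "access check could not complete (code %lu); denying\n", dwRet);
    }
    return 0;       /* inform user that access is denied */
}

int main(void) {
    DWORD oom = IsAccessAllowed(0, 1);   /* caller has no permission, check fails */
    printf("code %lu: fail-open performs task = %d, fail-closed performs task = %d\n",
           oom, perform_task_fail_open(oom), perform_task_fail_closed(oom));
    return 0;
}
```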
Fail Intelligently (2 of 2)
Do not:
Reveal information in error messages
Consume resources for lengthy periods of time after a failure
Do:
Use exception handling blocks to avoid propagating errors back to the caller
Write suspicious failures to an event log
Test Security
Involve test teams in projects at the beginning
Use threat modeling to develop the security testing strategy
Think Evil. Be Evil. Test Evil.
Automate attacks with scripts and low-level programming languages
Submit a variety of invalid data
Delete or deny access to files or registry entries
Test with an account that is not an administrator account
Know your enemy and know yourself
What techniques and technologies will hackers use?
What techniques and technologies can testers use?
Learn from Mistakes
If you find a security problem, learn from the mistake:
How did the security error occur?
Has the same error been made elsewhere in the code?
How could it have been prevented?
What should be changed to avoid a repetition of this kind of error?
Do you need to update educational material or analysis tools?
Session Summary
Secure Development Process
Threat Modeling
Risk Mitigation
Security Best Practices
Next Steps
1. Stay informed about security
Sign up for security bulletins: http://www.microsoft.com/security/security_bulletins/alerts2.asp
Get the latest Microsoft security guidance: http://www.microsoft.com/security/guidance/
2. Get additional security training
Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security.mspx
Find a local CTEC for hands-on training: http://www.microsoft.com/learning/
For More Information
Microsoft Security Site (all audiences)
http://www.microsoft.com/security
MSDN Security Site (developers)
http://msdn.microsoft.com/security
TechNet Security Site (IT professionals)
http://www.microsoft.com/technet/security