Upload File

tips and tricks to secure .net web application - owasp · 2020-01-17 · tips and tricks to secure...

  • Home
  • Documents
  • Tips and Tricks To Secure .Net Web Application - OWASP · 2020-01-17 · Tips and Tricks To Secure .Net Web Application Walter Wong Gain Secure MVP – Developer Security walterwws.wordpress.com
14
Tips and Tricks To Secure .Net Web Application Walter Wong Gain Secure MVP – Developer Security walterwws.wordpress.com [email protected]

Upload: others

Post on 08-Jul-2020

4 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Tips and Tricks To Secure .Net Web Application - OWASP · 2020-01-17 · Tips and Tricks To Secure .Net Web Application Walter Wong Gain Secure MVP – Developer Security walterwws.wordpress.com

Tips and Tricks To Secure .Net Web

Application

Walter Wong

Gain Secure

MVP – Developer Security

walterwws.wordpress.com

[email protected]

Page 2: Tips and Tricks To Secure .Net Web Application - OWASP · 2020-01-17 · Tips and Tricks To Secure .Net Web Application Walter Wong Gain Secure MVP – Developer Security walterwws.wordpress.com

Security Updates Operation Malaysia http://world.yes.my/?id=511&q=ytlc

Page 3: Tips and Tricks To Secure .Net Web Application - OWASP · 2020-01-17 · Tips and Tricks To Secure .Net Web Application Walter Wong Gain Secure MVP – Developer Security walterwws.wordpress.com

Agenda

• Introduction to ASP.Net – Security Perspective

• Securing Layers Architecture

• Secure Deployment Environment

• .Net Obfuscation

Page 4: Tips and Tricks To Secure .Net Web Application - OWASP · 2020-01-17 · Tips and Tricks To Secure .Net Web Application Walter Wong Gain Secure MVP – Developer Security walterwws.wordpress.com

Introduction to ASP.Net – Security

Perspective

• Preventing XSS input by default

• Tools ensure security level of the application

• Prevent buffer overrun by default

• Application behavior configured via

web.config

Page 5: Tips and Tricks To Secure .Net Web Application - OWASP · 2020-01-17 · Tips and Tricks To Secure .Net Web Application Walter Wong Gain Secure MVP – Developer Security walterwws.wordpress.com

Demo Introduction to ASP.Net (Security Perspective)

Page 6: Tips and Tricks To Secure .Net Web Application - OWASP · 2020-01-17 · Tips and Tricks To Secure .Net Web Application Walter Wong Gain Secure MVP – Developer Security walterwws.wordpress.com

Securing Layers Architecture

• Standard practice, deploy into at least 3

layers – Web Application, Business Logic,

Database

• How to ensure attackers do not by pass

second layer?

• Identity should be transfer across different

layers

Page 7: Tips and Tricks To Secure .Net Web Application - OWASP · 2020-01-17 · Tips and Tricks To Secure .Net Web Application Walter Wong Gain Secure MVP – Developer Security walterwws.wordpress.com

Secure Web Services

• Most of the web services available internal or externally are accepting and allowing anonymous requests

• Security Token should be used to validate the request

• Recommend to use federation to secure the web services

• Microsoft way of implement Federation – Windows Identity Foundation (WIF)

Page 8: Tips and Tricks To Secure .Net Web Application - OWASP · 2020-01-17 · Tips and Tricks To Secure .Net Web Application Walter Wong Gain Secure MVP – Developer Security walterwws.wordpress.com

Demo Secure WCF Services using WIF

Page 9: Tips and Tricks To Secure .Net Web Application - OWASP · 2020-01-17 · Tips and Tricks To Secure .Net Web Application Walter Wong Gain Secure MVP – Developer Security walterwws.wordpress.com

Secure Application

• Web Application Configuration Analyzer

(WACA)

• Rules based driven scanner

• 3 main categories

– General Application

– IIS

– SQL

Page 10: Tips and Tricks To Secure .Net Web Application - OWASP · 2020-01-17 · Tips and Tricks To Secure .Net Web Application Walter Wong Gain Secure MVP – Developer Security walterwws.wordpress.com

Secure Server

• Microsoft Based Security Analyzer 2.2

• Advice based on best practice for

– Windows

– SQL Server

– Desktop Application

• Explanation of

– What was scanned

– Results

– Recommend correction step

Page 11: Tips and Tricks To Secure .Net Web Application - OWASP · 2020-01-17 · Tips and Tricks To Secure .Net Web Application Walter Wong Gain Secure MVP – Developer Security walterwws.wordpress.com

Demo Web Application Configuration Analyzer 2.0 Microsoft Baseline Security Analyzer

Page 12: Tips and Tricks To Secure .Net Web Application - OWASP · 2020-01-17 · Tips and Tricks To Secure .Net Web Application Walter Wong Gain Secure MVP – Developer Security walterwws.wordpress.com

Obfuscation

• Microsoft.Net Framework is managed

framework

• Assemblies able to “reverse engineer” by

using tools

• Recommend to obfuscate before deploy

Page 13: Tips and Tricks To Secure .Net Web Application - OWASP · 2020-01-17 · Tips and Tricks To Secure .Net Web Application Walter Wong Gain Secure MVP – Developer Security walterwws.wordpress.com

Demo Obfuscation

Page 14: Tips and Tricks To Secure .Net Web Application - OWASP · 2020-01-17 · Tips and Tricks To Secure .Net Web Application Walter Wong Gain Secure MVP – Developer Security walterwws.wordpress.com

Conclusion

• Users are EVIL

• Obfuscate every deployment projects

• Developers seldom involve in IT

administrative tasks which is not healthy

• Learn how to secure application today

• Learn how to secure server and IIS


Windows7 Tips & Tricks

RPG Tips & Tricks

BMW Tricks Tips

Argos Tips & Tricks - Evisionsgo.evisions.com/hubfs/CoHEsion Louisville Session Content/Beginning... · Argos Tips & Tricks Michael Capulong ... Tips & Tricks 19. ...

CCSv4 Tips & Tricks

Cinahl tips & tricks

Mimio Tips & Tricks

Tips & Tricks Dwn_ds

Tips & Tricks Tips & Tricks for Writing Interpretive Text

Tips ‘n Tricks - Microchip Technologyww1.microchip.com/downloads/en/DeviceDoc/40040C.pdfTips ‘n Tricks ® Tips ‘n Tricks) Tips ‘n Tricks + _ +-. . . A. Microchip ® Microchip

Tips and Tricks of Managing an Expanding Network with ... · Tips and Tricks of Managing an Expanding Network with Quality of Service ... & VOD Campus Network ... Secure Endpoint

PK SOFTWARE TIPS & TRICKS | Secure and Powerful …

MicroMD EMR Tips & Tricks › userincludes › userconfslides › EMR Tips … · Todd Sizer, EMR Training Specialist MicroMD EMR Tips & Tricks. 2 WELCOME Tips and Tricks for the

Tips and Tricks in Laparoscopic Urology - The Eyethe-eye.eu/public/WorldTracker.org/Medical/Tips & Tricks In Laproscopic... · These “tips and tricks” ... 4 Tips and Tricks in

Windows Tips - Tricks

Tips & Tricks

SSH Tips & Tricks

Novapoint Tips & Tricks

Tips and Tricks

Tips Tricks Reports

S5704A Tips & Tricks 11 © 1999 Microchip Technology Incorporated. All Rights Reserved. S5704A Tips & Tricks 11 Tips and Tricks Tips and Tricks Using PICmicro

PHP Tips & Tricks

Citrix Tips & Tricks

Newsjacking Tips & Tricks

WSUS for Secure Patching Top Tips Tricks and scripts for Overcoming Limita…

Exposantenmeeting_Sales tips & tricks

Toad for Oracle Tips and Tricks - Delli.dell.com/.../corporate/secure/en/Documents/Toad_Tips_and_Tricks.pdf · Toad ™ for Oracle ® Tips and Tricks Dell™ Software Foreword I have

3V Tips ‘n Tricks CHAPTER 8 3V Tips ‘n Tricks - Ningapi.ning.com/.../3.3Vtipsandtricksen026368.pdf · 3V Tips ‘n Tricks Table Of Contents TIPS ‘N TRICKS INTRODUCTION TIP #1:

Tips Tricks

How to keep kayak fishing gear secure tips and tricks

Tips and tricks for making your home more secure by Royal Security

Tricks & Tips

Reporting tips & tricks

Tips and Tricks for Building Secure Mobile Apps

Screencasting tips&tricks