Essentials of Application Security

1
Essentials of Application Security

• Name
• Job Title
• Company

2
What We Will Cover

• The Importance of Application Security
• Secure Application Development Practices
• Security Technologies
• Secure Development Guidelines

3
Session Prerequisites

• Development experience with MicrosoftVisual
  Basic , Microsoft Visual C , or C

Level 200
4
Agenda

• The Importance of Application Security
• Secure Application Development Practices
• Security Technologies
• Secure Development Guidelines

5
Trustworthy Computing

• Trustworthy Computing has four pillars
• Reliability means a computer system is
  dependable, is available when needed, and
  performs as expected and at appropriate levels.
• Security means a system is resilient to attack,
  and the confidentiality, integrity, and
  availability of both the system and its data are
  protected.
• Privacy means that people can control their
  personal information and organizations that use
  the information faithfully protect it.
• Business integrity is about companies in our
  industry being responsible to customers and
  helping them find appropriate solutions for their
  business issues, addressing problems with
  products or services, and being open in
  interactions with customers.

- Bill Gates July 18, 2002
6
Connection Scenarios and Security Concerns

• Connection scenarios
• Traditional wired networks
• Mobile workforces
• Public wireless networks
• Security concerns
• Application reliance on the Internet
• Business reliance on the Internet
• Internal security attacks

7
Common Types of Attacks
8
Examples of Security Intrusions

• CodeRed
• ILoveYou
• Nimda

Virus
Attacker
9
Consequences of Poor Security

• Stolen intellectual property
• System downtime
• Lost productivity
• Damage to business reputation
• Lost consumer confidence
• Severe financial losses due to lost revenue

10
Challenges When Implementing Security
11
The Developer Role in Application Security

• Developers must
• Work with solution architects and systems
  administrators to ensure application security
• Contribute to security by
• Adopting good application security development
  practices
• Knowing where security vulnerabilities occur and
  how to avoid them
• Using secure programming techniques

12
Agenda

• The Importance of Application Security
• Secure Application Development Practices
• Security Technologies
• Secure Development Guidelines

13
Holistic Approach to Security

• Security must be considered at
• All stages of a project
• Design
• Development
• Deployment
• All layers
• Network
• Host
• Application

Security is only as good as the weakest link
14
Security Throughout Project Lifecycle
Learn and refine
External review
Analyze threats
Secure questionsduring interviews
Determine security sign-off criteria
Security push
Concept
Ship
Post-Ship
Test PlansComplete
Designs Complete
Code Complete
Review old defects, check-ins checked secure
coding guidelines, use tools
Train team members
Data mutation and least privilege tests
Security team review
ongoing
15
The SD3 Security Framework
SD3

• Secure architecture and code
• Threat analysis
• Vulnerability reduction

Secure by Design

• Attack surface area reduced
• Unused features turned off by default
• Minimum privileges used

Secure by Default
Secure in Deployment

• Protection Detection, defense, recovery,
  management
• Process How to guides, architecture guides
• People Training

16
Threat Modeling

• Threat modeling is
• A security-based analysis of an application
• A crucial part of the design process
• Threat modeling
• Reduces the cost of securing an application
• Provides a logical, efficient process
• Helps the development team
• Identify where the application is most vulnerable
• Determine which threats require mitigation and
  how to address those threats

17
Ongoing Education

• Provide training about
• How security features work
• How to use the security features to build secure
  systems
• What security vulnerabilities look like in order
  to identify flawed code
• How to avoid common security vulnerabilities
• How to avoid repeating mistakes

18
Input Validation

• Buffer overruns
• SQL injection
• Cross-site scripting

All input is evil until proven otherwise!
19
Demonstration 1 Buffer Overruns Bypassing
Security Checks
20
Practices for Improving Security
Practice Benefit
Adopt Threat Modeling Identifies of security vulnerabilities Increases awareness of application architecture
Train development team Avoids common security defects Correct application of security technologies
Code Review Secures code that Accesses the network Runs by default Uses unauthenticated protocols Runs with elevated privileges
Use tools More consistent testing for vulnerabilities
Use infrastructure solutions More secure with SSL/TLS and IPSec
Use component solutions More robust with CAPICOM and .NET Cryptography namespace
Migrate managed code Avoids common vulnerabilities
21
Agenda

• The Importance of Application Security
• Secure Application Development Practices
• Security Technologies
• Secure Development Guidelines

22
Overview of Security Technologies

• Developers need to use and apply
• Encryption
• Hashing
• Digital signatures
• Digital certificates
• Secure communication
• Authentication
• Authorization
• Firewalls
• Auditing
• Service packs and updates

23
Encryption

• Encryption is the process of encoding data
• To protect a users identity or data from being
  read
• To protect data from being altered
• To verify that data originates from a particular
  user
• Encryption can be
• Asymmetric
• Symmetric

24
Symmetric vs. Asymmetric Encryption
Algorithm Type Description
Symmetric Uses one key to Encrypt the data Decrypt the data Is fast and efficient
Asymmetric Uses two mathematically related keys Public key to encrypt the data Private key to decrypt the data Is more secure than symmetric encryption Is slower than symmetric encryption
25
Verifying Data Integrity with Hashes
26
Digital Signatures
If hash values match, data came from the owner of
the private key and is valid
27
How Digital Certificates Work
Private Key
User
Private/Public Key Pair
Computer
Public Key
Service
Application
Certification Authority
Certified Administrator
28
Secure CommunicationTechnologies

• Technologies include
• IPSec
• SSL
• TLS
• RPC encryption

IPSec RPC Encryption
SSL/TLS
29
Secure Communication How IPSec Works
30
Secure Communication How SSL Works
Web ServerRoot Certificate
2
Message
Secure Web Server
Secure Browser
3
4
HTTPS
1
The user browses to a secure Web server by using
HTTPS The browser creates a unique session key
and encrypts it by using the Web servers public
key, which is generated from the root
certificate The Web server receives the session
key and decrypts it by using the servers private
key After the connection is established, all
communication between the browser and Web server
is secure
1
2
3
4
31
Demonstration 2 SSL Server Certificates
Viewing a Web Site on a Non-Secure
ServerGenerating a Certificate
RequestRequesting a Trial CertificateInstalling
the SSL Certificate Testing the SSL Certificate
32
AuthenticationPurpose of Authentication

• Verifies the identity of a principal by
• Accepting credentials
• Validating those credentials
• Secures communications by ensuring your
  application knows who the caller is

Encrypting the data is not enough!
33
Authentication Authentication Methods

• Basic
• Digest
• Digital signatures and digital certificates
• Integrated
• The Kerberos version 5 protocol
• NTLM
• Microsoft Passport
• Biometrics

34
Authentication Basic Authentication

• Is simple but effective
• Is supported by all majorbrowsers and servers
• Is easy to program andset up
• Manages user credentials
• Requires SSL/TLS

35
Authentication How Digest Authentication Works
36
Authentication Client Digital Certificates

• Used in Web applications
• Server secures communications using SSL/TLS with
  a X.509 server certificate
• Server authenticates clients using data in client
  X.509 certificate, if required
• Certificate authority issues a certificate for
  which the server holds a root certificate
• Used in distributed applications
• Application uses SSL/TLS communication channel
• Client and server applications authenticate using
  certificates
• Can be deployed on smartcards

37
Authentication When to Use Integrated
Authentication
Firewall
Intranet?
No
Cannot use Integrated Authentication
Yes
Windows 2000 Or later?
No
NTLM Server Authentication
Windows Integrated
Yes
Active Directory Domain?
No
Kerberos Client and Server Authentication
Yes
38
Authentication How to Use Kerberos Version 5
Initial Logon
Ticket-Granting Ticket
TGT
39
Demonstration 3 IIS Authentication Techniques
Using Anonymous AuthenticationUsing Basic
Authentication Using Integrated Windows
Authentication
40
AuthorizationWhat is Authorization?

• Authorization
• Occurs after your client request is authenticated
• Is the process of confirming that an
  authenticated principal is allowed access to
  specific resources
• Checks rights assigned to files, folders,
  registry settings, applications, and so on
• Can be role-based
• Can be code-based

41
AuthorizationCommon Authorization Techniques

• IIS Web permissions (and IP/DNS restrictions)
• .NET role-based security
• .NET code access security
• NTFS access control lists (ACL)
• SQL Server logins
• SQL Server permissions

42
Authorization Impersonation/Delegation Model

• Client identity is used to access downstream
  resources

43
Authorization Trusted Subsystem Model

• Clients are mapped to roles
• Dedicated Windows service accounts are used for
  each role when accessing downstream resources

44
Demonstration 4 Trusted Subsystem Model
Authorization Techniques Reviewing the
ApplicationSetting Authentication on the Web
ServerCreating Service Accounts on the Web
ServerSetting Authorization on the Database
Server
45
Firewalls

• Firewalls can provide
• Secure gateway to the Internet for internal
  clients
• Packet filtering
• Circuit-level filtering
• Application filtering
• Auditing
• Firewalls cannot provide
• Protection against application-level attacks over
  HTTP or HTTPS

46
Auditing

• Auditing actions include tracking
• Resource access and usage
• Successful and unsuccessful logon attempts
• Application failures
• Auditing benefits include
• Help for administrators to detect intrusions and
  suspicious activities
• Traceability for legal, non-repudiation disputes
• Diagnosis of security breaches

47
Service Packs and Updates
Security update Description
Hotfix Address a single issue or a small number of issues Can be combined by using QChain
Security rollup package Multiple hotfixes packaged for easy installation
Service pack Provide major updates Cumulative set of previous updates May contain previously unannounced fixes May contain feature changes
48
Agenda

• The Importance of Application Security
• Secure Application Development Practices
• Security Technologies
• Secure Development Guidelines

49
Proactive Security Development

• Integrate security improvements throughout the
  development process
• Focus on security and ensure your code can
  withstand new attacks
• Promote the key role of education
• Raise awareness within your team
• Learn from your mistakes and others mistakes

50
Adopt the SD3 Security Framework
Secure by Design
Build threat models Conduct code reviews,
penetration tests Run code with minimal privileges
Secure by Default
Minimize your attack surface Enable services
securely
Secure in Deployment
Leverage the security best practices Create
security guidance Build tools to assess
application security
51
Microsoft Java Virtual Machine End of Support
Alert

• Java Support Alert!
• MSJVM no longer ships with Windows XP SP1a or
  Windows Server 2003
• Microsoft will discontinue support Sept 30, 2004
• No security fixes will be made after that date
• Security issues after that date may require
  removal of MSJVM
• Developers should
• Update MSJVM dependent applications
• Offer upgrades to customers
• For more information
• http//www.microsoft.com/java

52
Session Summary

• The Importance of Application Security
• Secure Application Development Practices
• Security Technologies
• Secure Development Guidelines

53
Next Steps

• Stay informed about security
• Sign up for security bulletins
• http//www.microsoft.com/security/security_bullet
  ins/alerts2.asp
• Get the latest Microsoft security guidance
• http//www.microsoft.com/security/guidance/
• Get additional security training
• Find online and in-person training seminars
• http//www.microsoft.com/seminar/events/security.
  mspx
• Find a local CTEC for hands-on training
• http//www.microsoft.com/learning/

54
For More Information

• Microsoft Security Site (all audiences)
• http//www.microsoft.com/security
• MSDN Security Site (developers)
• http//msdn.microsoft.com/security
• TechNet Security Site (IT professionals)
• http//www.microsoft.com/technet/security

55
Questions and Answers
56
(No Transcript)