.NET Security

About This Presentation

Title:

.NET Security

Description:

.NET Security By R.S ... NET Framework 2.0 provides a set of managed classes in the System.Net.Security namespace to enable secure ... Code Access Security CAS is a ... – PowerPoint PPT presentation

Number of Views:159

Avg rating:3.0/5.0

Slides: 68

Provided by: sank50

Learn more at: https://www.cs.odu.edu

Category:

more less

Transcript and Presenter's Notes

Title: .NET Security

1
.NET Security

2
Security

What is Security ?
Security in general means freedom from risk
and Danger.
So What does Security in Software field means?
Software security is the effort to create a
secure computing platform, designed so that
agents (users or programs) can only perform
actions that have been allowed .
Simply put, protecting hardware and software from
being misused or corrupted .
As a software engineer/programmer what should I
know about software security ?
Risks

3
Risks ?

When Software Security is breached, what risks do
I have and what is the importance of identifying
these risks?
Risks may vary depending on
Whether I am user working on my personal
computer/laptop or I am a company employee
working on my company computer.
What permissions do I have on the machine that I
am working on (Admin, power user, normal user,
domain user etc)
In case 1, I am risking my home computers
integrity , my personal information, etc
Case 2, as a company Employee , I am risking
everything , including my Job
Importance
Prevent loss and misery of any kind.

4
Software Security Breach and Nightmares in an
organization

Irrespective of what an organizations business
is, security breach could potentially cause a lot
of loss to the organization starting from
customers to .
Think about somebody hacking into an online bank
where you have saved all your money and getting
hold of your account.
Now the bank has to go through a lot trying to
comfort its other customers who wants to end
their business with them , bare the loss ,
fire people that didnt do their job right in
providing security ,fix loop holes in the system
to make it more secured etc .

5
What to Do ?

Alright, Software security breach doesnt sounds
good. So we decided to enforce security .
The Question is WHERE and HOW ?
Security is not a single entity , rather is a
connection of several entities , like a Chain.
Remember , The strength of a Chain depends on its
weakest link.
Simple Example A house with multiple doors.
Securing all the doors and windows is not
sufficient .

6
How much should I secure?

Securing every inch of your house of course
provides closer to 100 security.
It also increases the cost of living, maintenance
, stress etc.
Answer is
Think if its really worth providing so much of
security .
Dont have to spend 50 a month to protect your 3
month old tooth brush.

7
Where to Start ?

Most likely from the weakest link
Securing an organization involves securing its
networks, different applications that it
uses/creates , securing the servers , databases ,
securing the development machines etc including
securing the premise of the organization itself .
Identify and make a list of areas that easily
opens the door for a malicious user .
Prioritize the list
Delegate the tasks to the individual groups
responsible
Team Work ?

8
Where do we come into play ?

Where does the software programmers role begins ?
What do we have to offer to our organization?
What are our tools ?

9
Contd.

Our role as software engineers begins from
understanding the organizations operations.
Once we know that , we have a solid ground to
stand on to make suggestions on what the company
needs to do to ensure security.
The suggestions could be modifying an existing
applications modules to increase security or
redesigning the entire application to cope up
with the current security trends.
Dont be afraid to express yourself, you are only
trying to help the company.
Always have proofs to support your claims . In
other words , Dont try to redesign the
application to ensure your job security instead
of the company security.
Be a Good team player. Understand your team mates
and their approaches. This has a lot to do with
being more efficient programmers and building
trust among the team members.
If you dont trust your team , how can you expect
the company to trust you and how can you expect
the end users to trust the application created by
your team ????

10
Teams Role

A software team should identify existing problems
and loop holes within an existing system.
Recommend solutions for those problems.
Should undertake software projects approved by
the organization
Should have a solid strategy for developing and
implementing the project.
Must have knowledge of the developing trends of
the platform they use.
Must have knowledge of the current security
threats.
Must have the knowledge about available tools ,no
matter ,whether the tool is a software/Graphics
design tool to aid them in implementing their
project or a security tool that will help them to
secure their project.
The team must have a solid understanding of the
environment where the application will be
deployed.
Last but not least , a software team must know
what they are trying to accomplish through their
project.

11
Preparing Yourself

Learn about different kinds of threats , old or
new .
Find out how those threats are put to sleep.
Learn about the software updates, whats new in
it , how it solves an existing problem/vulnerabili
ty.
Understand your platform , its pros and cons ,
its vulnerability in particular if any.
Example Do you know of any disadvantages of
programming in C or C??
C - Pointers
C - Ability to regenerate the entire source code
from the exe file using reflection.

12
.NET and Security

There are many technologies used to build .NET
applications. To build effective
application-level authentication and
authorization strategies, you need to understand
how to fine-tune the various security features
within each product and technology area, and how
to make them work together to provide an
effective, defense-in-depth security strategy.
Know the available .NET tools first then learn
what those tools can do for you .

13
Contd..

What are the typical deployment patterns adopted
by .NET Web applications?
What security features are provided by the
various technologies that I use to build .NET Web
applications?
What gatekeepers should I be aware of and how do
I use them to provide a defense-in-depth security
strategy?

14
The Design Phase

Though the requirement phase comes first, the
actual role of the software programmers begins
(except in special conditions) from the design
phase.
With the requirements at hand , the design phase
can begin .
This is when you can design your project flow,
identify different objects required , their
importance, functionalities , properties etc
This is also where you can identify different
areas where your projects needs to be secured,
possible loop holes etc
But this is just the beginning .

15
Contd..

Once after identifying required objects and areas
that needs to be secured , you are ready to
prepare a game plan that would help you secure
your project.
What is the game plan ?
Do some research and find out if there are any
current security threats that your application
may fall a victim for.
Find out if there are any available solutions,
updates for your hosting platform that would help
you take care of the threat from the operating
system level.
Make sure to have all the latest updates on your
development machines.
Next , Analyze the Security tools that .NET
offers.

16
Contd..

After analyzing the available tools carefully and
in depth, pick the ones that you think will help
you improve the security of your application.
Since you already know where to secure your
application, this shouldnt be a tough task.
Please keep in mind that you dont want to do too
much of anything. Just what is required to ensure
security .

17
3 Most Important areas to Secure

As a software engineers , we should worry about
the following three areas .
The Code which includes your code/class design ,
design documents , source control etc
The Databases used by the code (application)
The communication layer in a distributed
application environment (Why ??)

18
Creating Secured Code

Assume the architectural design is completed and
presented to the programmers. This means you
already know where to secure and what to secure.
Concentrate on creating secured code based on the
design using the tools provided by .NET.

19
Restrict Class and Member visibility

Restrict access to the members and methods of a
class( or object).
Private, protected , internal etc
Sealed classes are safer
Seal virtual methods in derived classes which
also improves performance through in lining.

20
Sealed class Example

A Sealed Class ..
public sealed class FileModifierClass
public FileModifierClass()
This class cannot be inherited

21
Sealed Method example

Only methods in derived classes can be sealed.
public class ParentFileModifierClass
public FileModifierClass()
public virtual void Modify()
public sealed class FileModifierClass
public FileModifierClass()
sealed override public void Modify()
Classes inheriting FileModifierClass will not be
able to override the Modify method.

22
Use properties to expose fields

Using properties facilitates validating a value
to be set to a field .
Permission can also be demanded for these fields.
Use Read/Write and read-Only properties to access
fields.
Private fields are enforced during compile time.
Code running in fully trusted environment can
bypass this property using reflection and
unmanaged pointers.

23
Do Not Trust user inputs

Do not trust user input . Never!!!!!
Validate for type , length format and range
Use Regular Expressions to validate user inputs
Avoid un trusted input for file names and file
paths.
If you accept file names, validate them.
Use absolute file paths where you can.
Consider constraining file I/O within your
application's context.

24
Contd.

Use GetfullPath on a windows application.
GetFullPath performs the following checks
It checks that the file name does not contain any
invalid characters, as defined by
Path.InvalidPathChars.
It checks that the file name represents a file
and not another device type, such as a physical
drive, a named pipe, a mail slot, or a DOS device
such as LPT1, COM1, AUX, and other devices.
It checks that the combined path and file name is
not too long.
It removes redundant characters such as trailing
dots.
It rejects file names that use the //?/ format.
Use Request.MapPath on a server.
Note The MapPath property potentially contains
sensitive information about the hosting
environment. The return value should not be
displayed to users.

25
Contd..

Validate Input from All Sources Like QueryString,
Cookies, and HTML Controls
These validation can help prevent injection
attacks.
Prefer server side validation to client side
validation. If required, combine the client side
validation with the server side validation.
Prevent using user input for file names and path
inputs.

26
Injection Attacks

Injection attacks are attacks initiated by a user
using malicious input which was not validated by
the application in context.
These attacks can vary from injecting such
malicious inputs into applications to change
their behavior or into a database to corrupt or
read sensitive data.

27
Most common Injection Attacks

SQL injection. If you generate dynamic SQL
queries based on user input, an attacker could
inject malicious SQL commands that can be
executed by the database.
Cross-site scripting. Cross-site scripting (XSS)
attacks exploit vulnerabilities in Web page
validation by injecting client-side script code.
This code is subsequently sent to an unsuspecting
user's computer and executed on the browser.
Because the browser downloads the script code
from a trusted site, the browser has no way of
determining whether the code is legitimate.
Unauthorized file access. If your code accepts
input from a caller, a malicious user could
potentially manipulate your code's file
operations, such as accessing a file they should
not access or exploiting your code by injecting
bad data.

28
Preventing Injection Attacks in ASP.NET

Simple Rule Accept good input, reject bad input
If your application accepts user inputs, assume
that ,every input is invalid and malicious and
validate them n the server side.
Define valid input for every field. This means
that, define the range, format length and type
of the input.
Verify the input against the list of acceptable
characters
HTML encode the html outputs before displaying

29
Contd..

Follow these steps to validate user input.
Constrain Check for type, length , range and
format . Use Asp.NET Validator on server
controls. For other resources, use regular
expressions.
Reject Reject any data that failed validation
Sanitize Change potentially malicious input to
good input . Example Allow few HTML tags ( ltbgt
, ltigt, etc) and eliminate other HTML tags.
How and where to enable request validation ?
In Machine.Config and Web.Config as follows
ltpages validateRequest"true" ... /gt
Confirm that you have not disabled request
validation by overriding the default settings in
your server's Machine.config file or your
application's Web.config file.

30
ASP.NET Validators

Text Fields RegularExpressionValidator
ltform id"WebForm" method"post" runat"server"gt
ltaspTextBox id"txtName" runat"server"gtlt/aspTex
tBoxgt ltaspRegularExpressionValidator
id"nameRegex" runat"server" ControlToValidate"t
xtName" ValidationExpression"a-zA-Z'.\s1,40
" ErrorMessage"Invalid name"gt lt/aspregularexpres
sionvalidatorgt
lt/formgt
Regex Class
// Instance method
Regex reg new Regex(_at_"a-zA-Z'.\s1,40")
Response.Write(reg.IsMatch(txtName.Text)) //
Static method
if (!Regex.IsMatch(txtName.Text,_at_"a-zA-Z'.\s1
,40"))
// Name does not match expression

31
Contd..

Numeric Fields Range Validator
ltaspRangeValidator ID"RangeValidator1"
Runat"server" ErrorMessage"Invalid range.
Number must be between 0 and 255."
ControlToValidate"rangeInput" MaximumValue"255"
MinimumValue"0" Type"Integer" /gt
Test in your Code for range as follows (only in
Framework 2.0)
Int32 i
if (Int32.TryParse(txtInput.Text, out i)
false) // Conversion failed
(Older versions of Framework , use
Int32.TryParse or Convert.ToInt32 inside a try
catch bolck. Catch any formatexception inside the
catch block and throw an exception to the user.)

32
CustomValidator

lt_at_ Page Language"C" gt
ltscript runat"server"gt
void ValidateDateInFuture(object source,
ServerValidateEventArgs args)
DateTime dt // Check for valid date and that
the date is in the future if ((DateTime.TryParse(a
rgs.Value, out dt) false) (dt lt
DateTime.Today)) args.IsValid false
lt/scriptgt
lthtmlgt
ltbodygt
ltform id"form1" runat"server"gt
ltdivgt
ltaspLabel ID"Label1" Runat"server"
Text"Future Date"gtlt/aspLabelgt ltaspTextBox
ID"futureDatetxt" Runat"server"gtlt/aspTextBoxgt
ltaspCustomValidator ID"CustomValidator1"
Runat"server" ErrorMessage"Invalid date. Enter
a date in the future." ControlToValidate"futureDa
tetxt" OnServerValidate"ValidateDateInFuture"gt
lt/aspCustomValidatorgt ltbr /gt ltaspButton
ID"submitBtn" Runat"server" Text"Submit" /gt
lt/divgt
lt/formgt
lt/bodygt
lt/htmlgt

33
Html Encode

void submitBtn_Click(object sender, EventArgs e)
// Encode the string input
StringBuilder sb new StringBuilder(
HttpUtility.HtmlEncode(htmlInputTxt.Text))
// Selectively allow and ltigt
sb.Replace("ltbgt", "ltbgt")
sb.Replace("lt/bgt", "")
sb.Replace("ltigt", "ltigt")
sb.Replace("lt/igt", "")
Response.Write(sb.ToString())

34
Query String Validation

void Page_Load(object sender, EventArgs e)
if (!System.Text.RegularExpressions.Regex.IsMatch(
Request.QueryString"Name", _at_"a-zA-Z'.\s1,40
")) Response.Write("Invalid name parameter")
else
Response.Write("Name is " Request.QueryString"
Name")

35
Request.MapPath

Use the Overloaded Request.MapPath method to read
file paths.
Try
string mappedPath Request.MapPath(
inputPath.Text, Request.ApplicationPath, false)
catch (HttpException ex)
// Cross-application mapping attempted
The false parameter will prevent the user from
using file paths that contains .. to traverse
outside your app directory.
For server controls, use the Control.MapPathSecure
method to retrieve the physical path .
Control.MapPathSecure uses code access security
and throws an HttpException if the server control
does not have permissions to read the resulting
mapped file.
NOTE An Applications trust level can be set to
medium by an administrator if he/she wants to
restrict its File I/O to its own virtual
directory.
lttrust levelmedium/gt (Web.Config or
machine.Config)

36
Validating Urls

Use Regular expressions..
(?httphttpsftp)//a-zA-Z0-9\.\-(?\\d1,5
)?(?A-Za-z0-9\.\\\_at_\\\\\,\?/u0-9A-Fa-f
40-9A-Fa-f2)
Use HttpUtility.HtmlEncode and
HttpUtility.UrlEncode( urlString ) to putput html
output and URL output respectively
Note Get yourself familiar with Regular
expressions if you are planning to specialize in
security oriented programming .

37
SQL Injection

"SQL Injection" is subset of the
unverified/unsanitized user input vulnerability
("buffer overflows" are a different subset), and
the idea is to convince the application to run
SQL code that was not intended. If the
application is creating SQL strings naively on
the fly and then running them, it's
straightforward to create some real surprises .
Is it that bad ???
Of course . If you loose the integrity of your
database, you loose everything.
If the database gets corrupted, I can guarantee
that 100 of the users will be affected . This
statement is not true when it comes to a
corrupted client side script .

38
SQL Injection Example

SQL injection is caused mainly by inputs that are
not sanitized .
Consider the following Query,
Select from Users where Username
username.Text and Passwordpassword.Text
What is wrong with this query and how can I
inject code into this SQL statement ?
Nothing wrong , untill I enter the following
values for Username.Text and Password.Text,
Username.Text something or 11--
Password.Textpassword
Select from Users where Username
username.Text and Passwordpassword.Text
The code generated on the fly will now look like
Select from Users where Usernamesomething or
11-- and Passwordpassword
This condition in the statement will always
result in true returning all the rows from the
users table.
If the inputs in the Username and password field
are validated and sanitized this injection could
have been prevented.

39
Contd

We can also inject a complete SQL statement in
the fields to drop tables, insert records into
the tables etc.
You can guess the table names, fields, passwords
etc or any other valuable information.
Using Stored procedures necessarily dont provide
protection against SQL Injection.

40
Data Access Tips

Do not hard code connection strings.
Consider encrypting connection strings.
Do not generate dynamic SQL queries
To help prevent SQL injection, you should
validate input and use parameterized stored
procedures for data access. The use of parameters
(for example, SqlParameterCollection) ensures
that input values are checked for type and length
and values outside the range throw an exception.
Parameters are also treated as safe literal
values and not as executable code within the
database.
Avoid stored procedures that accept a single
parameter as an executable query. Instead, pass
query parameters only.
Use structured exception handling to catch errors
that occur during database access, and prevent
them from being returned to the client. A
detailed error message may reveal valuable
information such as the connection string, SQL
server name, or table and database naming
conventions. Attackers can use this information
to construct more precise attacks.
As an additional precaution, use a least
privileged account to access the database, so
that even if your application is compromised, the
impact will be reduced.

41
SQLParameterCollection sample

using System.Data
using System.Data.SqlClient
using (SqlConnection connection new
SqlConnection(connectionString))
DataSet userDataset new DataSet()
SqlDataAdapter myAdapter new SqlDataAdapter(
"LoginStoredProcedure", connection)
myAdapter.SelectCommand.CommandType
CommandType.StoredProcedure
myAdapter.SelectCommand.Parameters.Add("_at_au_id",
SqlDbType.VarChar, 11)
myAdapter.SelectCommand.Parameters"_at_au_id".Val
ue SSN.Text
myAdapter.Fill(userDataset)

42
SQlParameters with Dynamic SQL

using System.Data
using System.Data.SqlClient
using (SqlConnection connection new
SqlConnection(connectionString))
DataSet userDataset new DataSet()
SqlDataAdapter myDataAdapter new
SqlDataAdapter(
"SELECT au_lname, au_fname FROM Authors
WHERE au_id _at_au_id",
connection)
myDataAdapter.SelectCommand.Parameters.Add("_at_au_
id", SqlDbType.VarChar, 11)
myDataAdapter.SelectCommand.Parameters"_at_au_id"
.Value SSN.Text
myDataAdapter.Fill(userDataset)

43
Exceptions

Please keep in mind not to give any valuable
information when you throw exceptions to the user
. Prefer giving a generic error rather than
returning the exception stack which would
actually let the malicious user guess more about
your database.
Example In this specific scenario , if
submitting the form with the injected code return
a server error , it Indicates your query is
malformed. But this gives away the truth that you
are constructing your query on the fly which
would encourage a malicious user to keep on
trying with his attacks until he finds something
useful.

44
Authentication

Forms Authentication Cookie based
authentication system where username and password
are stored in XML/Text file or in the database.
Passport authentication Single Authentication
point through Microsoft.
Windows Authentication Authentication mode that
uses local/domain windows users .
Web.Config file is used to tells the web
application which mode of authentication should
be used.

45
Forms Authentication

Prefer Membership providers over custom
authentication.
Communication through SSL should be preferred
while using Forms authentication.
Use strong passwords.
Encrypt username passwords in the user store.
Do not persist cookies

46
Membership Providers

ActiveDirectoryMembershipProvider
SqlMembershipProvider

47
ActiveDirectoryMembershipProvider

ActiveDirectoryMembershipProvider Uses Microsoft
Active Directory directory service to maintain
user information .Used in Intranet applications.
To use this provider , first, configure the forms
authentication using the web.config as follows.
ltauthentication mode"Forms"gt
ltforms loginUrl"Login.aspx"
protection"All"
timeout"30"
name"AppNameCookie"
path"/FormsAuth"
requireSSL"false"
slidingExpiration"true"
defaultUrl"default.aspx"
cookieless"UseCookies"
enableCrossAppRedirects"false"/gt
lt/authenticationgt
ltauthorizationgt
ltdeny users"?" /gt
ltallow users"" /gt
lt/authorizationgt

48
Contd (Step 2)

Configure the ActiveDirectoryMembershipProvider
as follows ,
ltconnectionStringsgt
ltadd name"ADConnectionString"
connectionString
"LDAP//domain.testing.com/CNUsers,DCdomain,
DCtesting,DCcom" /gt
lt/connectionStringsgt
ltsystem.webgt
...
ltmembership defaultProvider"MembershipADProvider
"gt
ltprovidersgt
ltadd
name"MembershipADProvider"
type"System.Web.Security.ActiveDirectoryMem
bershipProvider, System.Web,
Version2.0.0.0, Cultureneutral,
PublicKeyTokenb03f5f7f11d50a3a"
connectionStringName"ADConnection
String"
connectionUsername"ltdomainNamegt\a
dministrator"
connectionPassword"password"/gt
lt/providersgt

49
Creating Users

Using Website administration tool (ASP.NET
configuration) in visual Studio 2005 toolbar.
CreateUserWizard Control on a web page.
Membership API (to create users programmatically)
.
Membership.CreateUser("UserName_at_DomainName",
"P_at_ssw0rd", "userName_at_emailAddress")

50
Authenticating Users

Using Login Control in ASP.NET 2.0 (uses
membership providers by default without writing
any additional code)
Custom login page call Membership.validateUser
to authenticate users.
if (Membership.ValidateUser(userName.Text,
password.Text))
if (Request.QueryString"ReturnUrl" ! null)
FormsAuthentication.RedirectFromLoginPage(user
Name.Text, false) )//false to prevent creating
persistant cookies
else
FormsAuthentication.SetAuthCookie(userName.Tex
t, false
else
Response.Write("Invalid UserID and Password")

51
SQLMembershipProvider

Used for applications facing internet where users
dont have Active directory account.User
credentials are stored in the database.
Steps
Configure forms authentication. (Same as for
ADMP)
Install the membership database.
Configure the SqlMembershipProvider.
Create users.
Authenticate users.

52
Install Membership database

Log on to SQLServer with a database admin
account.
Run the following command aspnet_regsql.exe -E -S
localhost -A m
-E indicates authenticate using the Windows
credentials of the currently logged on user.
-S (server) indicates the name of the server
where the database will be installed or is
already installed.
-A m indicates add membership support. This
creates the tables and stored procedures required
by the membership provider.

53
Configure the SqlMembershipProvider

ltconnectionStringsgt
ltadd name"MySqlConnection" connectionString"Da
ta SourceMySqlServerInitial CatalogaspnetdbInt
egrated SecuritySSPI" /gt
lt/connectionStringsgt
ltsystem.webgt
...
ltmembership defaultProvider"SqlProvider"
userIsOnlineTimeWindow"15"gt
ltprovidersgt
ltclear /gt
ltadd
name"SqlProvider"
type"System.Web.Security.SqlMembershipPro
vider"
connectionStringName"MySqlConnection"
applicationName"MyApplication"
enablePasswordRetrieval"false"
enablePasswordReset"true"
requiresQuestionAndAnswer"true"
requiresUniqueEmail"true"
passwordFormat"Hashed" /gt
lt/providersgt

54
Code Access Security

CAS is a resource constraint model responsible
for restricting the types of system resources
code can access. CAS provides application level
isolation in a shared environment .
Consider code access security for partial trust
applications.
Choose a trust level that does not exceed your
application's requirements.
Create a custom trust policy if your application
needs additional permissions.
Use Medium trust in shared hosting environments
CAS policy is defined by applications trust level
.
lttrust level"FullHighMediumLowMinimal" /gt
Be wary about choosing a trust level for your
application. Remember that , at full trust, CAs
always succeeds.

55
CAS Example

// Allow only this code to read files from
c\YourAppDir
FileIOPermission(SecurityAction.PermitOnly,Read_at_
"c\YourAppDir\") FileIOPermission(SecurityActio
n.PermitOnly, PathDiscovery_at_"c\YourAppDir\")
public static string ReadFile(string filename)
// Use Path.GetFullPath() to canonicalize the
file name
// Use FileStream.OpenRead to open the file
// Use FileStream.Read to access and return the
data
The above code will allow the users to read a
file from the c\YourAppDir and only from that
directory using this method .

56
Saving sensitive Information on a computer

Saving sensitive information on a machine is not
recommended .
Never save sensitive information in plain
text(text files, xml files etc) .
Encrypt the data using the hashing algorithms
before saving them .
Protect the folders and files that has the
sensitive data. (using permission control)
Use names that doesnt describes the content of
the files. (for example , a file containing
password should not be named as passwords
especially if they are plain text).

57
Use Registry

Sometimes, Registry can also be used to save
sensitive data.
Encrypt these data before saving the registry in
HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER keys.
Saving under KKEY_CURRENT_USER provides much
better security as it only gives permission to
the current logged in user.

58
Protecting your Assemblies

Assemblies must be protected from being accessed
or executed by malicious users .
Assemblies are vulnerable through .NETs own
Reflection class .
Reverse Engineering add to the misery
Obfuscators provide a cure

59
Strong Names

Strong name signatures provide a unique identity
for code, and they cannot be spoofed. The
identity associated with the signature can be
used to make security decisions. For example, you
could set code access security policy to trust
assemblies signed with your company's strong name
when the assemblies come from a server you
control. Consider the following guidelines for
strong names
Evaluate whether you need strong names.
Do not expect strong names to make your assembly
tamper proof.
Use delay signing appropriately.
Use .pfx files to protect your private key if you
do not use delay signing.
Do not depend on strong name identity permissions
in full trust scenarios.

60
Do Strong Name tamper proof my assembly ?

Do Not Expect Strong Names to Make Your Assembly
Tamper Proof
By adding a strong name to an assembly, you
ensure that it cannot be modified and still
retain your strong name signature. The strong
name does not make your assembly tamper proof. It
is still possible to remove a strong name, modify
the IL code, and then reapply a different strong
name.
However, an attacker cannot recreate a valid
signature from your original publisher's key
unless your publisher's private key has been
compromised. Because the key is part of the
strong name identity, if an attacker strips a
strong name signature, signs the code, and then
installs the code in the global assembly cache,
the code will have a different identity. Any
callers looking for the original assembly will
not bind to an assembly signed with a different
private key. Strong names prevent this type of
substitution attack.
Note Both Authenticode and strong name signing
ensure that if the signed code is tampered with,
the signature will be invalidated. However,
neither technology prevents an attacker from
stripping off the signature, modifying the IL,
and signing the code with the attacker's key.

61
Communication Security

If your application passes sensitive data over
networks, consider the threats of eavesdropping,
tampering, and unauthorized callers accessing
your end point.
.NET Framework 2.0 provides a set of managed
classes in the System.Net.Security namespace to
enable secure communication between hosts when
you are using remoting or raw-sockets based
communication.
This allows you to implement both client and
server-side secure channels using SSPI or SSL.
These classes support mutual authentication, data
encryption, and data signing.

62
Transport Level Encryption

If your servers are not inside a physically
secure data center where the network
eavesdropping threat is considered insignificant,
you need to use an encrypted communication
channel to protect data sent between servers.
You can use SSL or IPSec to encrypt traffic and
help protect communication between servers. Use
SSL when you need granular channel protection for
a particular application, instead of protection
for all applications and services running on a
computer.
Use IPSec to help protect the communication
channel between two servers and to restrict the
computers that can communicate with each other.
For example, you can help protect a database
server by establishing a policy that permits
requests only from a trusted client computer,
such as an application or Web server. You can
also restrict communication to specific IP
protocols and TCP/UDP ports.

63
Event Log

When you write event logging code, consider the
threats of tampering and information disclosure.
For example, can an attacker retrieve sensitive
data by accessing the event logs? Can an attacker
cover tracks by deleting the logs or erasing
particular records?
Windows security restricts direct access to the
event logs using system administration tools,
such as the Event Viewer. Your main concern
should be to ensure that the event logging code
you write cannot be used by a malicious user for
unauthorized access to the event log.
Do not log sensitive data.
Do not expose event log data to unauthorized
users.

64
Reflection

Reflection
.NET reflection is a feature that allows running
code to dynamically discover, load, and generate
assemblies. With reflection, you can enumerate an
assembly's types, methods, and propertiesincludin
g those marked as private. By using
Reflection.Emit, you can generate a new assembly
dynamically at run time and invoke its members.
Reflection is a powerful feature that has a
number of security implications
If your code has the ReflectionPermission, it can
enumerate and invoke non-public members or types
in other assemblies. If you do not use code
access security permission demands to authorize
calling code, an attacker could gain access to
code that would otherwise be inaccessible.
By using reflection, you can dynamically load
assembliesfor example, by using
System.Reflection.Assembly.Load. If you allow
untrusted code or data to influence which
assembly is loaded, an attacker could trick your
code into loading and executing malicious code.
By using reflection, you can dynamically invoke
methods on assembliesfor example, by using
System.Reflection.MethodInfo.Invoke. If you allow
untrusted code or data to influence the method
invocation, an attacker could trick your code
into making unexpected and potentially malicious
method calls.
With Reflection.Emit, your code can dynamically
generate and execute code at run time. If you
allow untrusted code or data to influence the
code generation, an attacker could coerce your
application into generating malicious code.
When you use reflection, consider the following
guidelines
Use full assembly names when you dynamically load
assemblies.
Avoid letting untrusted code or data control
run-time assembly load decisions.
Avoid letting untrusted code or data control
Reflection.Emit.
Consider restricting the permissions of
dynamically generated assemblies.
Only persist dynamically created assemblies if
necessary.
Use ReflectionOnlyLoadFrom if you only need to
inspect code.

65
Summary What should you know??

Know When, Where and how to authenticate
Know When , Where and how to authorize
How to Secure communication ?
Common issues ? How to avoid them?
Top Risks ? How to avoid them ?
Never bypass security to get things to work.
Always follow the best practices starting from
design to implementation and testing.

66
Terminologies

Authentication. Positively identifying the
clients of your application clients might
include end-users, services, processes or
computers.
Authorization. Defining what authenticated
clients are allowed to see and do within the
application.
Secure Communications. Ensuring that messages
remain private and unaltered as they cross
networks.
Impersonation. This is the technique used by a
server application to access resources on behalf
of a client. The client's security context is
used for access checks performed by the server.
Delegation. An extended form of impersonation
that allows a server process that is performing
work on behalf of a client, to access resources
on a remote computer. Security Context. Security
context is a generic term used to refer to the
collection of security settings that affect the
security-related behavior of a process or thread.
The attributes from a process' logon session and
access token combine to form the security context
of the process.
Identity. Identity refers to a characteristic of
a user or service that can uniquely identify it.
For example, this is often a display name, which
often takes the form authority/user name.