Security - PowerPoint PPT Presentation

About This Presentation

Title: Security

Slides: 19
Provided by: ecl114
Transcript and Presenter's Notes


1
Security
Microsoft Application Developers of Texas
  • A Developer's Guide

2
Agenda
  • 10 Immutable Laws of Security
  • Why Security is Difficult
  • Security Core Principles
  • Resources

3
10 Immutable Laws of Security
  • Law #1: If a bad guy can persuade you to run his
    program on your computer, it's not your computer
    anymore
  • Law #2: If a bad guy can alter the operating
    system on your computer, it's not your computer
    anymore
  • Law #3: If a bad guy has unrestricted physical
    access to your computer, it's not your computer
    anymore

4
10 Immutable Laws of Security
  • Law #4: If you allow a bad guy to upload programs
    to your website, it's not your website any more
  • Law #5: Weak passwords trump strong security
  • Law #6: A computer is only as secure as the
    administrator is trustworthy
  • Law #7: Encrypted data is only as secure as the
    decryption key

5
10 Immutable Laws of Security
  • Law #8: An out of date virus scanner is only
    marginally better than no virus scanner at all
  • Law #9: Absolute anonymity isn't practical, in
    real life or on the Web
  • Law #10: Technology is not a panacea
  • http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx

6
Effective Bit Size of Password
Required password length for 56-bit key

7
Why Security is Difficult
  • Attackers have unlimited resources
  • Attackers need to master only one attack
  • Defenders can not take the offensive
  • Defenders must serve business goals
  • Defenders must win all of the time!

8
Security Core Principles
  • Secure Your Workstation
  • Use Least Privilege
  • Apply Defense in Depth
  • Do Not Trust User Input
  • Fail Securely
  • Reduce Your Attack Surface
  • Keep Secrets Secret

9
Secure Your Workstation
  • Install Windows XP Service Pack 2
  • Keep Your Anti-Virus Software Updated
  • Apply Microsoft Security Updates

10
10 Reasons to Install SP2
  • Helps protect your PC from harmful attachments
  • Improves your privacy when you're on the web
  • Avoids potentially unsafe downloads
  • Reduces annoying pop-ups
  • Gives firewall protection from startup to shutdown

11
10 Reasons to Install SP2
  • Take control of your security settings
  • Get the latest updates easily
  • Helps protect your email address
  • Better control of add-ons
  • Improves wireless support

12
Use Least Privilege
  • By running processes using accounts with minimal
    privileges and access rights, you significantly
    reduce the capabilities of an attacker if the
    attacker manages to compromise security and run
    code.
  • Never work as Admin
  • Use sp_ExecProc

13
Apply Defense In Depth
  • Do not rely on a single layer of security.
  • Encrypt your keys
  • Do not put your keys or connection strings in
    your code
  • Make it challenging
  • Change default ports

14
Do Not Trust User Input
  • Assume all input is malicious
  • Centralize your approach
  • Do not rely on client-side validation
  • Be careful with canonicalization issues
  • Constrain, reject and sanitize your input

15
Fail Securely
  • If an application fails, do not leave sensitive
    data accessible.
  • Return friendly errors to end users
  • Log details of errors in a secure location
  • Never return passwords or other secure
    information as part of an error message

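As an added illustration of the "Do Not Trust User Input" and "Fail Securely" slides (example code written for this page, not from the presentation or from Microsoft): a Python function that canonicalizes a user-supplied report name before checking it against an allow-list, resolves it under a fixed directory, and a request handler that returns a friendly error while logging the detail server-side. `REPORT_DIR`, the name pattern, and the sample inputs in the comments are assumptions.

```python
import logging
import os
import re
from urllib.parse import unquote

# Constructed configuration for this example (not from the deck).
REPORT_DIR = os.path.realpath("/var/app/reports")
# Allow-list: constrain to a small character set and length, reject everything else.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")
log = logging.getLogger("reports")


def canonicalize(value: str) -> str:
    """Percent-decode until the string stops changing, so a double-encoded
    value is validated in the same form the file system will eventually see."""
    for _ in range(5):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("excessive encoding")


def safe_report_path(user_value: str) -> str:
    """Return an absolute path under REPORT_DIR for a user-supplied report name,
    or raise ValueError. Validation runs on the canonical form, never on raw input."""
    name = canonicalize(user_value)          # e.g. "%2e%2e" becomes ".." before the check
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"report name rejected by allow-list: {name!r}")
    path = os.path.realpath(os.path.join(REPORT_DIR, name + ".txt"))
    # Second layer: even after the allow-list, confirm the resolved path is inside REPORT_DIR.
    if os.path.commonpath([REPORT_DIR, path]) != REPORT_DIR:
        raise ValueError(f"resolved outside report directory: {path}")
    return path


def handle_request(user_value: str) -> dict:
    """Fail securely: the caller gets a generic message; the specifics go to the log."""
    try:
        return {"ok": True, "path": safe_report_path(user_value)}
    except ValueError as exc:
        # %r keeps newlines in the input from forging extra log lines; details stay server-side.
        log.warning("rejected report request %r: %s", user_value, exc)
        return {"ok": False, "error": "The report could not be found."}
```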
16
Reduce Your Attack Surface
  • If you do not use it, remove it or disable it.
  • Remove or disable unused services, protocols and
    functionality
  • Close unused ports
  • Delete samples

17
Keep Secrets Secret
  • Use SSL
  • Do not write your own encryption routines
  • Do not store sensitive data in cookies or query
    strings
  • Do not store plain text passwords in web.config
    or machine.config files

18
Resources
  • Microsoft Windows Security Resource Kit ISBN
    0-7356-1868-2
  • Writing Secure Code, Second Edition ISBN
    0-7356-1722-8
  • Improving Web Application Security, Threats and
    Countermeasures ISBN 0-7356-1842-9
  • Visual Basic.NET Code Security Handbook ISBN
    1-86100-747-7
  • http://www.microsoft.com/security/