Essentials of Application Security

Essentials of Application Security Rames Gantanant Puumsoft, Director of Business Solutions Microsoft, Regional Director Thailand What We Will Cover The Importance of Application Security Security Technologies Secure Development Guidelines Session Prerequisites Development experience with Microsoft Visual Basic® , Microsoft Visual C++® , or C# Level 200 Agenda The Importance of Application Security Security Technologies Secure Development Guidelines Common Types of Attacks Organizational Attacks Attackers Restricted Data DoS Connection Fails Automated Attacks Accidental Breaches In Security Viruses, Trojan Horses, and Worms Denial of Service (DoS) Consequences of Poor Security Stolen intellectual property System downtime Lost productivity Damage to business reputation Lost consumer confidence Severe financial losses due to lost revenue Challenges When Implementing Security Attacker needs to understand only one vulnerability Defender needs to secure all entry points Attackers have unlimited time Attackers vs. Defenders Defender works with time and cost constraints Secure systems are more difficult to use Complex and strong passwords are difficult to remember Users prefer simple passwords Security vs. Usability Do I need security … Developers and management think that security does not add any business value Addressing vulnerabilities just before a product is released is very expensive Security As an Afterthought The Developer Role in Application Security Developers must: Work with solution architects and systems administrators to ensure application security Contribute to security by: Adopting good application security development practices Knowing where security vulnerabilities occur and how to avoid them Using secure programming techniques Holistic Approach to Security Security must be considered at: All stages of a project Design Development Deployment All layers Network Host Application “Security is only as good as the weakest link” Security Throughout Project Lifecycle Analyze threats Secure questions during interviews External review Learn and refine Determine security sign-off criteria Security push Concept Designs Complete Test Plans Complete Code Complete Ship Post-Ship Train team members Review old defects, check-ins checked secure coding guidelines, use tools Security team review Data mutation and least privilege tests =ongoing Practices for Improving Security Practice Adopt Threat Modeling Train development team Benefit Identifies of security vulnerabilities Increases awareness of application architecture Avoids common security defects Correct application of security technologies Secures code that Accesses the network Runs by default Uses unauthenticated protocols Runs with elevated privileges Code Review Use tools Use infrastructure solutions Use component solutions Migrate managed code More consistent testing for vulnerabilities More secure with SSL/TLS and IPSec More robust with CAPICOM and .NET Cryptography namespace Avoids common vulnerabilities Agenda The Importance of Application Security Security Technologies Secure Development Guidelines Overview of Security Technologies Developers need to use and apply: Encryption Hashing Digital signatures Digital certificates Secure communication Authentication Authorization Firewalls Auditing Service packs and updates Encryption Encryption is the process of encoding data To protect a user’s identity or data from being read To protect data from being altered To verify that data originates from a particular user Encryption can be: Asymmetric Symmetric Symmetric vs. Asymmetric Encryption Algorithm Type Uses one key to: Symmetric Encrypt the data Decrypt the data Description Is fast and efficient Uses two mathematically related keys: Public key to encrypt the data Private key to decrypt the data Asymmetric Is more secure than symmetric encryption Is slower than symmetric encryption Verifying Data Integrity with Hashes User A User B Data Hash Algorithm Hash Value If hash values match, data is valid Hash Algorithm Data Hash Value User A sends data and hash value to User B Data Hash Value How Digital Certificates Work User Computer Private Key Private/Public Key Pair Public Key Application Service Certification Authority Certified Administrator Secure Communication Technologies Technologies include: IPSec SSL TLS RPC encryption SSL/TLS IPSec RPC Encryption Secure Communication How SSL Works 2 Secure Browser Web Server Root Certificate Message Secure Web Server 3 4 1 1 2 3 4 HTTPS The user browses to a secure Web server by using HTTPS The browser creates a unique session key and encrypts it by using the Web server’s public key, which is generated from the root certificate The Web server receives the session key and decrypts it by using the server’s private key After the connection is established, all communication between the browser and Web server is secure Demonstration 1 SSL Server Certificates Viewing a Web Site on a Non-Secure Server Generating a Certificate Request Requesting a Trial Certificate Installing the SSL Certificate Testing the SSL Certificate Authentication Purpose of Authentication Verifies the identity of a principal by: Accepting credentials Validating those credentials Secures communications by ensuring your application knows who the caller is Encrypting the data is not enough! Authentication Authentication Methods Basic Digest Digital certificates Integrated The Kerberos version 5 protocol NTLM Microsoft Passport Biometrics Authentication Basic Authentication Is simple but effective Is supported by all major browsers and servers Is easy to program and set up Manages user credentials Requires SSL/TLS Authentication When to Use Integrated Authentication Firewall Intranet? Client Yes No Cannot use Integrated Authentication Windows 2000 Or later? Windows Integrated No NTLM Server Authentication Yes Active Directory Domain? Yes No Kerberos Client and Server Authentication Authorization Authorization: What is Authorization? Occurs after your client request is authenticated Is the process of confirming that an authenticated principal is allowed access to specific resources Checks rights assigned to files, folders, registry settings, applications, and so on Can be role-based Can be code-based Authorization Common Authorization Techniques IIS Web permissions (and IP/DNS restrictions) .NET role-based security .NET code access security NTFS access control lists (ACL) SQL Server logins SQL Server permissions Authorization Impersonation/Delegation Model Client identity is used to access downstream resources Web or Application Server Database or other resource server A B C A B C Demonstration 2 IIS Authentication Techniques Using Anonymous Authentication Using Basic Authentication Using Integrated Windows Authentication Demo 2: IIS Authentication Result IIS Authentication Anonymous Basic Authentication Integrated Authentication Impersonate = “True” MALI\IUSR_MALI MALI\rames MALI\administrator Impersonate = “False” MALI\ASPNET MALI\ASPNET MALI\ASPNET Agenda The Importance of Application Security Security Technologies Secure Development Guidelines Proactive Security Development Integrate security improvements throughout the development process Focus on security and ensure your code can withstand new attacks Promote the key role of education Raise awareness within your team Learn from your mistakes and other’s mistakes Adopt the SD3 Security Framework Secure by Design Build threat models Conduct code reviews, penetration tests Run code with minimal privileges Minimize your attack surface Enable services securely Secure by Default Secure in Deployment Leverage the security best practices Create security guidance Build tools to assess application security Session Summary The Importance of Application Security Security Technologies Secure Development Guidelines For More Information Microsoft Security Site (all audiences) http://www.microsoft.com/security MSDN Security Site (developers) http://msdn.microsoft.com/security TechNet Security Site (IT professionals) http://www.microsoft.com/technet/security