Essentials of Application Security
What We Will Cover
The Importance of Application Security
Secure Application Development Practices
Security Technologies
Secure Development Guidelines
Session Prerequisites
Development experience with Microsoft Visual Basic®, Microsoft Visual C++®, or C#
Level 200
Trustworthy Computing
“Trustworthy Computing has four pillars:
Reliability means a computer system is dependable, is available when needed, and performs as expected and at appropriate levels.
Security means a system is resilient to attack, and the confidentiality, integrity, and availability of both the system and its data are protected.
Privacy means that people can control their personal information and organizations that use the information faithfully protect it.
Business integrity is about companies in our industry being responsible to customers and helping them find appropriate solutions for their business issues, addressing problems with products or services, and being open in interactions with customers.”
- Bill Gates, July 18, 2002
Connection Scenarios and Security Concerns
Connection scenarios:
Traditional wired networks
Mobile workforces
Public wireless networks
Security concerns:
Application reliance on the Internet
Business reliance on the Internet
Internal security attacks
Common Types of Attacks
Organizational Attacks
Automated Attacks
Denial of Service (DoS)
Accidental Breaches In Security
Viruses, Trojan Horses, and Worms
[Diagram labels: Attackers; Restricted Data; DoS: Connection Fails]
Examples of Security Intrusions
CodeRed
ILoveYou
Nimda
[Diagram labels: Virus; Attacker]
Consequences of Poor Security
Stolen intellectual property
System downtime
Lost productivity
Damage to business reputation
Lost consumer confidence
Severe financial losses due to lost revenue
Challenges When Implementing Security
Attackers vs. Defenders:
Attacker needs to understand only one vulnerability
Defender needs to secure all entry points
Attackers have unlimited time
Defender works with time and cost constraints
Security vs. Usability:
Secure systems are more difficult to use
Complex and strong passwords are difficult to remember
Users prefer simple passwords
Security As an Afterthought:
Do I need security …
Developers and management think that security does not add any business value
Addressing vulnerabilities just before a product is released is very expensive
The Developer Role in Application Security
Developers must:
Work with solution architects and systems administrators to ensure application security
Contribute to security by:
Adopting good application security development practices
Knowing where security vulnerabilities occur and how to avoid them
Using secure programming techniques
Holistic Approach to Security
Security must be considered at:
All stages of a project: Design, Development, Deployment
All layers: Network, Host, Application
“Security is only as good as the weakest link”
Security Throughout Project Lifecycle
[Timeline diagram]
Milestones: Concept, Designs Complete, Test Plans Complete, Code Complete, Ship, Post-Ship
Activities shown along the timeline:
Analyze threats
Secure questions during interviews
External review
Learn and refine
Determine security sign-off criteria
Security push
Train team members
Review old defects, check-ins checked secure coding guidelines, use tools
Security team review
Data mutation and least privilege tests
Legend: = ongoing
The SD3 Security Framework
Secure by Design:
Secure architecture and code
Threat analysis
Vulnerability reduction
Secure by Default:
Attack surface area reduced
Unused features turned off by default
Minimum privileges used
Secure in Deployment:
Protection: Detection, defense, recovery, management
Process: How to guides, architecture guides
People: Training
Threat Modeling
Threat modeling is:
A security-based analysis of an application
A crucial part of the design process
Threat modeling:
Reduces the cost of securing an application
Provides a logical, efficient process
Helps the development team:
Identify where the application is most vulnerable
Determine which threats require mitigation and how to address those threats
Ongoing Education
Provide training about:
How security features work
How to use the security features to build secure systems
What security vulnerabilities look like in order to identify flawed code
How to avoid common security vulnerabilities
How to avoid repeating mistakes
Input Validation
Buffer overruns
SQL injection
Cross-site scripting
“All input is evil until proven otherwise!”
Demonstration 1
Buffer Overruns
Bypassing Security Checks
Practices for Improving Security
Practice: Adopt threat modeling
Benefit: Identifies security vulnerabilities; increases awareness of application architecture
Practice: Train development team
Benefit: Avoids common security defects; correct application of security technologies
Practice: Code review
Benefit: Secures code that accesses the network, runs by default, uses unauthenticated protocols, or runs with elevated privileges
Practice: Use tools
Benefit: More consistent testing for vulnerabilities
Practice: Use infrastructure solutions
Benefit: More secure with SSL/TLS and IPSec
Practice: Use component solutions
Benefit: More robust with CAPICOM and .NET Cryptography namespace
Practice: Migrate to managed code
Benefit: Avoids common vulnerabilities
Overview of Security Technologies
Developers need to use and apply:
Encryption
Hashing
Digital signatures
Digital certificates
Secure communication
Authentication
Authorization
Firewalls
Auditing
Service packs and updates
Encryption
Encryption is the process of encoding data
To protect a user’s identity or data from being read
To protect data from being altered
To verify that data originates from a particular user
Encryption can be:
Asymmetric
Symmetric
Symmetric vs. Asymmetric Encryption
Algorithm Type: Symmetric
Description:
Uses one key to encrypt the data and decrypt the data
Is fast and efficient
Algorithm Type: Asymmetric
Description:
Uses two mathematically related keys: public key to encrypt the data, private key to decrypt the data
Is more secure than symmetric encryption
Is slower than symmetric encryption
Verifying Data Integrity with Hashes
[Diagram: User A and User B each pass Data through a Hash Algorithm to produce a Hash Value]
User A sends data and hash value to User B
If hash values match, data is valid
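An added example (not part of the original deck) of the check on this slide, in Python with the standard library only. It also shows the limit of the scheme: a bare hash sent with the data detects a change only when the hash itself was not replaced, which is the gap a keyed tag (HMAC, used here as a stand-in) or a digital signature closes. The key and messages are constructed sample values.

```python
import hashlib
import hmac


def plain_digest(data: bytes) -> str:
    """Unkeyed hash value, as User A computes it on the slide."""
    return hashlib.sha256(data).hexdigest()


def verify_plain(data: bytes, received_hash: str) -> bool:
    """User B's check: recompute the hash and compare."""
    return hmac.compare_digest(plain_digest(data), received_hash)


def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag; producing it requires the shared key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed(key: bytes, data: bytes, received_tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, data), received_tag)


def run_scenarios() -> dict:
    key = b"constructed-shared-key-for-demo"   # constructed sample key
    original = b"transfer 100 to account 42"   # constructed sample message
    changed = b"transfer 100 to account 43"    # same message, one byte altered
    return {
        # Data changed in transit, hash untouched: the plain hash catches it.
        "plain_detects_corruption": not verify_plain(changed, plain_digest(original)),
        # Data changed and hash recomputed over the new data: the check passes.
        "plain_accepts_rehashed_change": verify_plain(changed, plain_digest(changed)),
        # With a keyed tag, the old tag no longer matches the changed data ...
        "keyed_rejects_stale_tag": not verify_keyed(key, changed, keyed_tag(key, original)),
        # ... and a tag computed without the right key does not match either.
        "keyed_rejects_wrong_key": not verify_keyed(key, changed, keyed_tag(b"not-the-key", changed)),
        "keyed_accepts_original": verify_keyed(key, original, keyed_tag(key, original)),
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```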
Digital Signatures
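[Diagram: User A passes Data through a Hash Algorithm to get a Hash Value and applies User A Private key; User B passes the received Data through the Hash Algorithm to get a Hash Value and applies User A Public Key to obtain the Hash Value that was sent]
If hash values match, data came from the owner of the private key and is valid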
How Digital Certificates Work
[Diagram labels: User, Computer, Application, Service; Private/Public Key Pair; Private Key; Public Key; Certification Authority; Certified Administrator]
Secure Communication
Technologies
Technologies include:
IPSec
SSL
TLS
RPC encryption
Secure Communication
How IPSec Works
[Diagram: each side has an IPSec Policy, a TCP Layer and an IPSec Driver; Security Association Negotiation takes place between the two sides; Encrypted IP Packets flow between the IPSec Drivers]
Secure Communication
How SSL Works
[Diagram labels: Secure Browser; Web Server Root Certificate; Message; Secure Web Server; HTTPS; steps 1 to 4]
1. The user browses to a secure Web server by using HTTPS
2. The browser creates a unique session key and encrypts it by using the Web server’s public key, which is generated from the root certificate
3. The Web server receives the session key and decrypts it by using the server’s private key
4. After the connection is established, all communication between the browser and Web server is secure
Demonstration 2
SSL Server Certificates
Viewing a Web Site on a Non-Secure Server
Generating a Certificate Request
Requesting a Trial Certificate
Installing the SSL Certificate
Testing the SSL Certificate
Authentication
Purpose of Authentication
Verifies the identity of a principal by:
Accepting credentials
Validating those credentials
Secures communications by ensuring your application knows who the caller is
Encrypting the data is not enough!
Authentication
Authentication Methods
Basic
Digest
Digital signatures and digital certificates
Integrated (the Kerberos version 5 protocol, NTLM)
Microsoft Passport
Biometrics
Authentication
Basic Authentication
Is simple but effective
Is supported by all major browsers and servers
Is easy to program and set up
Manages user credentials
Requires SSL/TLS
Authentication
How Digest Authentication Works
[Diagram, steps 1 to 6. Labels: Client (Password, Digest Algorithm, X$!87ghy5); Request; Challenge; Server (Password, X$!87ghy5); Active Directory]
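The challenge and response exchange in this diagram, as an added Python example that is not part of the original deck. It follows the RFC 2617 computation with qop=auth; the in-memory `directory` dictionary standing in for Active Directory, the single-use challenge policy, and all user names and passwords are assumptions made for the sketch.

```python
import hashlib
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """Client side: the password never crosses the wire, only this digest."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestServer:
    def __init__(self, realm, directory):
        self.realm = realm
        self.directory = directory      # assumption: stand-in for the directory lookup
        self.outstanding = set()        # challenges issued and not yet answered

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response) -> bool:
        if nonce not in self.outstanding:
            return False                # unknown or already answered: reject replay
        self.outstanding.discard(nonce)
        password = self.directory.get(user)
        if password is None:
            return False
        expected = digest_response(user, self.realm, password,
                                   method, uri, nonce, nc, cnonce)
        return secrets.compare_digest(expected, response)


def run_exchange():
    """Returns (valid login, replay of the same response, wrong password)."""
    realm, user, pw = "example-realm", "alice", "constructed-password"
    server = DigestServer(realm, {user: pw})
    nonce, cnonce = server.challenge(), secrets.token_hex(8)
    good = digest_response(user, realm, pw, "GET", "/report", nonce, "00000001", cnonce)
    args = (user, "GET", "/report", nonce, "00000001", cnonce, good)
    first, replay = server.verify(*args), server.verify(*args)
    nonce2 = server.challenge()
    bad = digest_response(user, realm, "wrong-guess", "GET", "/report",
                          nonce2, "00000001", cnonce)
    wrong = server.verify(user, "GET", "/report", nonce2, "00000001", cnonce, bad)
    return first, replay, wrong
```

Because MD5 and a stored password equivalent are both involved, the slide deck's point that Basic authentication requires SSL/TLS applies in practice to Digest as well.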
Authentication
Client Digital Certificates
Used in Web applications
Server secures communications using SSL/TLS with an X.509 server certificate
Server authenticates clients using data in client X.509 certificate, if required
Certificate authority issues a certificate for which the server holds a root certificate
Used in distributed applications
Application uses SSL/TLS communication channel
Client and server applications authenticate using certificates
Can be deployed on smartcards
Authentication
When to Use Integrated Authentication
[Flowchart. Decisions (Yes/No): Intranet? Windows 2000 Or later? Active Directory Domain? Outcomes: Cannot use Integrated Authentication; NTLM (Server Authentication); Kerberos (Client and Server Authentication). Other labels: Firewall, Client, Windows Integrated]
Authentication
How to Use Kerberos Version 5
[Diagram, numbered steps 1 to 4. Initial Logon: Client, KDC, TGT; TGT cached locally. Service Request: Client, KDC, TGT, ST, Target Server; Session established]
TGT: Ticket-Granting Ticket
ST: Service Ticket
Demonstration 3
IIS Authentication Techniques
Using Anonymous Authentication
Using Basic Authentication
Using Integrated Windows Authentication
Authorization
What is Authorization?
Authorization:
Occurs after your client request is authenticated
Is the process of confirming that an authenticated principal is allowed access to specific resources
Checks rights assigned to files, folders, registry settings, applications, and so on
Can be role-based
Can be code-based
Authorization
Common Authorization Techniques
IIS Web permissions (and IP/DNS restrictions)
.NET role-based security
.NET code access security
NTFS access control lists (ACL)
SQL Server logins
SQL Server permissions
Authorization
Impersonation/Delegation Model
Client identity is used to access downstream resources
[Diagram labels: Web or Application Server; Database or other resource server; identities A, B, C shown at both tiers]
Authorization
Trusted Subsystem Model
Clients are mapped to roles
Dedicated Windows service accounts are used for each role when accessing downstream resources
[Diagram labels: Web or Application Server; Database or other resource server; A, B, C; Role 1, Role 2; 1, 2]
Demonstration 4
Trusted Subsystem Model Authorization Techniques
Reviewing the Application
Setting Authentication on the Web Server
Creating Service Accounts on the Web Server
Setting Authorization on the Database Server
Firewalls
Firewalls can provide:
Secure gateway to the Internet for internal clients
Packet filtering
Circuit-level filtering
Application filtering
Auditing
Firewalls cannot provide:
Protection against application-level attacks over HTTP or HTTPS
Auditing
Auditing actions include tracking:
Resource access and usage
Successful and unsuccessful logon attempts
Application failures
Auditing benefits include:
Help for administrators to detect intrusions and suspicious activities
Traceability for legal, non-repudiation disputes
Diagnosis of security breaches
Service Packs and Updates
Security update: Hotfix
Description: Address a single issue or a small number of issues; can be combined by using QChain
Security update: Security rollup package
Description: Multiple hotfixes packaged for easy installation
Security update: Service pack
Description: Provide major updates; cumulative set of previous updates; may contain previously unannounced fixes; may contain feature changes
Proactive Security Development
Integrate security improvements throughout the development process
Focus on security and ensure your code can withstand new attacks
Promote the key role of education
Raise awareness within your team
Learn from your mistakes and others’ mistakes
Adopt the SD3 Security Framework
Secure by Design
Build threat models
Conduct code reviews, penetration tests
Run code with minimal privileges
Minimize your attack surface
Enable services securely
Secure by Default
Secure in Deployment
Leverage the security best practices
Create security guidance
Build tools to assess application security
Microsoft Java Virtual Machine
End of Support Alert
Java Support Alert!
MSJVM no longer ships with Windows XP SP1a or Windows Server 2003
Microsoft will discontinue support Sept 30, 2004
No security fixes will be made after that date
Security issues after that date may require removal of MSJVM
Developers should
Update MSJVM dependent applications
Offer upgrades to customers
For more information:
http://www.microsoft.com/java
Session Summary
The Importance of Application Security
Secure Application Development Practices
Security Technologies
Secure Development Guidelines
Next Steps
1. Stay informed about security
Sign up for security bulletins:
http://www.microsoft.com/security/security_bulletins/alerts2.asp
Get the latest Microsoft security guidance:
http://www.microsoft.com/security/guidance/
2. Get additional security training
Find online and in-person training seminars:
http://www.microsoft.com/seminar/events/security.mspx
Find a local CTEC for hands-on training:
http://www.microsoft.com/learning/
For More Information
Microsoft Security Site (all audiences)
http://www.microsoft.com/security
MSDN Security Site (developers)
http://msdn.microsoft.com/security
TechNet Security Site (IT professionals)
http://www.microsoft.com/technet/security
Questions and Answers