Essentials Of Application Security

  • Uploaded by: ankit0703, May 2020 (PDF)



  • Words: 1,909
  • Pages: 56
Essentials of Application Security
Presenter: Name, Job Title, Company

What We Will Cover
  • The Importance of Application Security
  • Secure Application Development Practices
  • Security Technologies
  • Secure Development Guidelines

Session Prerequisites
  • Development experience with Microsoft Visual Basic®, Microsoft Visual C++®, or C#
  • Level 200

Agenda
  • The Importance of Application Security
  • Secure Application Development Practices
  • Security Technologies
  • Secure Development Guidelines

Trustworthy Computing
“Trustworthy Computing has four pillars: Reliability means a computer system is dependable, is available when needed, and performs as expected and at appropriate levels. Security means a system is resilient to attack, and the confidentiality, integrity, and availability of both the system and its data are protected. Privacy means that people can control their personal information and organizations that use the information faithfully protect it. Business integrity is about companies in our industry being responsible to customers and helping them find appropriate solutions for their business issues, addressing problems with products or services, and being open in interactions with customers.”
Bill Gates, July 18,

Connection Scenarios and Security Concerns
Connection scenarios:
  • Traditional wired networks
  • Mobile workforces
  • Public wireless networks
Security concerns:
  • Application reliance on the Internet
  • Business reliance on the Internet
  • Internal security attacks

Common Types of Attacks (diagram)
  • Organizational attacks
  • Automated attacks
  • Accidental breaches in security
  • Viruses, Trojan horses, and … (list cut off in the source)
  • Denial of service (DoS): connection fails
Other labels in the diagram: Attackers, Restricted Data, Virus, Attacker.
Examples of Security Intrusions
  • CodeRed
  • ILoveYou
  • Nimda

Consequences of Poor Security
  • Stolen intellectual property
  • System downtime
  • Lost productivity
  • Damage to business reputation
  • Lost consumer confidence
  • Severe financial losses due to lost revenue

Challenges When Implementing Security
Attackers vs. Defenders
  • Attacker needs to understand only one vulnerability; defender needs to secure all entry points
  • Attackers have unlimited time; defender works with time and cost constraints
Security vs. Usability
  • Secure systems are more difficult to use
  • Complex and strong passwords are difficult to remember; users prefer simple passwords
Security As an Afterthought
  • Developers and management think that security does not add any business value
  • Addressing vulnerabilities just before a product is released is very expensive

The Developer Role in Application Security
Developers must:
  • Work with solution architects and systems administrators to ensure application security
  • Contribute to security by:
    • Adopting good application security development practices
    • Knowing where security vulnerabilities occur and how to avoid them
    • Using secure programming techniques

Agenda
  • The Importance of Application Security
  • Secure Application Development Practices
  • Security Technologies
  • Secure Development Guidelines

Holistic Approach to Security
Security must be considered at:
  • All stages of a project: design, development, deployment
  • All layers: network, host, application
“Security is only as good as the weakest link”

Security Throughout Project Lifecycle (timeline diagram)
Milestones: Concept, Designs Complete, Test Plans Complete, Code Complete, Ship, Post-Ship.
Activities placed along the timeline:
  • Secure questions during interviews
  • Determine security sign-off criteria
  • Analyze threats
  • Train team members
  • Security team review
  • Security push
  • External review
  • Learn and refine
Ongoing throughout (marked “= ongoing” in the diagram): review old defects, check-ins checked, secure coding guidelines, use tools, data mutation, and least privilege.

The SD3 Security Framework
Secure by Design
  • Secure architecture and code
  • Threat analysis
  • Vulnerability reduction
Secure by Default
  • Attack surface area reduced
  • Unused features turned off by default
  • Minimum privileges used
Secure in Deployment
  • Protection: detection, defense, recovery, management
  • Process: how-to guides, architecture guides
  • People: training

Threat Modeling
Threat modeling is:
  • A security-based analysis of an application
  • A crucial part of the design process
Threat modeling:
  • Reduces the cost of securing an application
  • Provides a logical, efficient process
  • Helps the development team:
    • Identify where the application is most vulnerable
    • Determine which threats require mitigation and how to address those threats
Ongoing Education
Provide training about:
  • How security features work
  • How to use the security features to build secure systems
  • What security vulnerabilities look like, in order to identify flawed code
  • How to avoid common security vulnerabilities
  • How to avoid repeating mistakes

Input Validation
  • Buffer overruns
  • SQL injection
  • Cross-site scripting
“All input is evil until proven otherwise!”
Demonstration 1: Buffer Overruns
  • Bypassing security checks
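As an added example, not code from the original deck (which demonstrates these in its prerequisite languages; Python is used here so the snippet runs stand-alone), two of the input validation failures listed above in their vulnerable and hardened forms: a SQL query assembled by string concatenation beside a parameterized query guarded by an allow-list check, and an HTML fragment built with and without output encoding. The table rows and the malformed input are constructed for the example.

```python
import html
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the input is spliced into the SQL text, so a quote in the
    input changes the structure of the query instead of being a value."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")

def valid_name(name: str) -> bool:
    """Allow-list check: only the characters a user name may contain."""
    return NAME_RE.fullmatch(name) is not None

def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: reject anything outside the allow-list, then bind the value
    as a parameter so the database never parses it as SQL."""
    if not valid_name(name):
        raise ValueError("invalid user name")
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()

def greeting_unsafe(name: str) -> str:
    """Vulnerable: untrusted text written straight into HTML (cross-site scripting)."""
    return f"<p>Welcome, {name}</p>"

def greeting_safe(name: str) -> str:
    """Hardened: encode the value for the HTML context before inserting it."""
    return f"<p>Welcome, {html.escape(name)}</p>"

if __name__ == "__main__":
    conn = make_db()
    # Constructed malformed input: a quote that closes the literal plus an always-true clause.
    bad = "x' OR '1'='1"
    print("unsafe query returns", len(lookup_unsafe(conn, bad)), "rows")  # 3
    print("allow-list accepts bad input:", valid_name(bad))              # False
    print(greeting_safe("<script>x</script>"))
```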

Practices for Improving Security (table: practice and benefit)
  • Adopt threat modeling: identifies security vulnerabilities; increases awareness of application architecture
  • Train development team: avoids common security defects; correct application of security technologies
  • Code review: secures code that accesses the network, runs by default, uses unauthenticated protocols, or runs with elevated privileges
  • Use tools: more consistent testing for vulnerabilities
  • Use infrastructure solutions: more secure with SSL/TLS and IPSec
  • Use component solutions: more robust with CAPICOM and the .NET Cryptography namespace
  • Migrate to managed code: avoids common vulnerabilities

Agenda
  • The Importance of Application Security
  • Secure Application Development Practices
  • Security Technologies
  • Secure Development Guidelines

Overview of Security Technologies
Developers need to use and apply:
  • Encryption
  • Hashing
  • Digital signatures
  • Digital certificates
  • Secure communication
  • Authentication
  • Authorization
  • Firewalls
  • Auditing
  • Service packs and updates

Encryption
Encryption is the process of encoding data:
  • To protect a user’s identity or data from being read
  • To protect data from being altered
  • To verify that data originates from a particular user
Encryption can be:
  • Asymmetric
  • Symmetric

Symmetric vs. Asymmetric Encryption (table: algorithm type and description)
Symmetric
  • Uses one key to encrypt the data and decrypt the data
  • Is fast and efficient
Asymmetric
  • Uses two mathematically related keys: a public key to encrypt the data and a private key to decrypt the data
  • Is more secure than symmetric encryption
  • Is slower than symmetric encryption

Verifying Data Integrity with Hashes (diagram)
  • User A runs the data through a hash algorithm to produce a hash value
  • User A sends the data and the hash value to User B
  • User B runs the received data through the same hash algorithm
  • If the hash values match, the data is valid

Digital Signatures (diagram)
  • User A runs the data through a hash algorithm to produce a hash value
  • User A encrypts the hash value with User A’s private key and sends the data together with the encrypted hash value
  • User B runs the received data through the hash algorithm and decrypts the received hash value with User A’s public key
  • If the hash values match, the data came from the owner of the private key and is valid
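The two exchanges above (integrity check with a bare hash, then a signature over the hash), as an added example that is not part of the original deck. It shows why the hash-only check proves nothing about origin: whoever alters the data can recompute the hash, whereas the signature cannot be recomputed without the private key. The key pair is textbook RSA without padding, assumed here purely for illustration; real code uses a library such as the .NET Cryptography namespace the deck mentions.

```python
import hashlib

def hash_hex(data: bytes) -> str:
    """The hash value the slides show User A sending along with the data."""
    return hashlib.sha256(data).hexdigest()

def hash_check(data: bytes, hash_value: str) -> bool:
    """User B recomputes the hash and compares (integrity only)."""
    return hash_hex(data) == hash_value

# Textbook RSA with no padding, for illustration only. P and Q are the
# Mersenne primes 2**61-1 and 2**89-1, large enough that two different
# messages will not reduce to the same value modulo N.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
PUBLIC_KEY = 65537                                    # User A's public key e
PRIVATE_KEY = pow(PUBLIC_KEY, -1, (P - 1) * (Q - 1))  # User A's private key d

def hash_as_int(data: bytes) -> int:
    """Hash of the data as an integer in the range the toy key can sign."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes, private_key: int = PRIVATE_KEY) -> int:
    """User A: hash the data, then 'encrypt' the hash with the private key."""
    return pow(hash_as_int(data), private_key, N)

def verify(data: bytes, signature: int, public_key: int = PUBLIC_KEY) -> bool:
    """User B: 'decrypt' the received hash with the public key and compare it
    with the hash of the received data."""
    return pow(signature, public_key, N) == hash_as_int(data)

def demo() -> dict:
    original = b"Pay 100 to account 42"   # constructed message
    tampered = b"Pay 900 to account 42"   # the same message altered in transit
    # Hash only: whoever altered the data can recompute the hash, so User B
    # still sees a match and learns nothing about who produced the data.
    hash_fooled = hash_check(tampered, hash_hex(tampered))
    signature = sign(original)
    return {
        "hash_only_accepts_rehashed_tampering": hash_fooled,       # True
        "signature_accepts_original": verify(original, signature),  # True
        "signature_accepts_tampered": verify(tampered, signature),  # False
    }
```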

How Digital Certificates Work (diagram)
  • A private/public key pair is held by a user, computer, application, or service
  • Diagram labels: User, Computer, Application, Service, Private Key, Public Key, Certified Administrator, Certification Authority

Secure Communication Technologies
Technologies include:
  • IPSec
  • SSL
  • TLS
  • RPC encryption
(Diagram labels: SSL/TLS, IPSec, RPC encryption.)

Secure Communication: How IPSec Works (diagram)
  • Each host has an IPSec policy
  • The two hosts negotiate a security association
  • On each host, the IPSec driver sits below the TCP layer
  • IP packets exchanged between the hosts are encrypted

Secure Communication: How SSL Works (diagram: secure browser, Web server root certificate, secure Web server, HTTPS)
  1. The user browses to a secure Web server by using HTTPS
  2. The browser creates a unique session key and encrypts it by using the Web server’s public key, which is generated from the root certificate
  3. The Web server receives the session key and decrypts it by using the server’s private key
  4. After the connection is established, all communication between the browser and … (sentence cut off in the source)

Demonstration 2: SSL Server Certificates
  • Viewing a Web site on a non-secure server
  • Generating a certificate request
  • Requesting a trial certificate
  • Installing the SSL certificate
  • Testing the SSL certificate

Authentication
Purpose of Authentication
  • Verifies the identity of a principal by accepting credentials and validating those credentials
  • Secures communications by ensuring your application knows who the caller is
Encrypting the data is not enough!

Authentication Methods
  • Basic
  • Digest
  • Digital signatures and digital certificates
  • Integrated: the Kerberos version 5 protocol, NTLM
  • Microsoft Passport
  • Biometrics

Basic Authentication
  • Is simple but effective
  • Is supported by all major browsers and servers
  • Is easy to program and set up
  • Manages user credentials
  • Requires SSL/TLS

How Digest Authentication Works (diagram, steps 1 to 6)
  • 1: The client sends a request to the server
  • 2: The server returns a challenge (shown as X$!87ghy5)
  • 3: The client runs its password and the challenge through the digest algorithm
  • 4: The client sends the resulting digest to the server
  • 5 and 6: The server obtains the password from Active Directory and computes the digest over the same challenge; if the digests match, the client is authenticated
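The challenge/response sketched in the diagram, as an added example that is not part of the original deck. The deck does not name the digest computation, so the HTTP Digest scheme from RFC 2617 is assumed (MD5 over user:realm:password, the nonce, and method:uri); the realm name and the credentials are constructed. The server keeps the hashed credential rather than the password and accepts each nonce once, so a captured response cannot be replayed.

```python
import hashlib
import secrets

REALM = "example.local"   # assumed realm name; the deck does not give one

def md5_hex(text: str) -> str:
    # MD5 only because RFC 2617 Digest authentication is defined with it.
    return hashlib.md5(text.encode()).hexdigest()

def ha1(user: str, password: str) -> str:
    """Hash of the credentials; the server can store this instead of the password."""
    return md5_hex(f"{user}:{REALM}:{password}")

def response_from_ha1(h1: str, nonce: str, method: str, uri: str) -> str:
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{ha2}")

def digest_response(user: str, password: str, nonce: str, method: str, uri: str) -> str:
    """Client side (step 3 in the diagram): combine the password with the
    server's challenge so the password itself is never sent."""
    return response_from_ha1(ha1(user, password), nonce, method, uri)

class DigestServer:
    """Server side: issues challenges (step 2) and checks responses (steps 5 and 6)."""

    def __init__(self, ha1_by_user: dict):
        self.ha1_by_user = ha1_by_user     # stands in for the directory lookup
        self.outstanding = set()           # nonces issued but not yet answered

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)      # fresh and unpredictable, like X$!87ghy5
        self.outstanding.add(nonce)
        return nonce

    def verify(self, user: str, nonce: str, method: str, uri: str, response: str) -> bool:
        if nonce not in self.outstanding:  # unknown, expired or already used nonce
            return False
        self.outstanding.discard(nonce)    # one response per challenge blocks replay
        h1 = self.ha1_by_user.get(user)
        if h1 is None:
            return False
        expected = response_from_ha1(h1, nonce, method, uri)
        return secrets.compare_digest(expected, response)
```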

Client Digital Certificates
Used in Web applications:
  • Server secures communications using SSL/TLS with an X.509 server certificate
  • Server authenticates clients using data in the client X.509 certificate, if required
  • Certificate authority issues a certificate for which the server holds a root certificate
Used in distributed applications:
  • Application uses an SSL/TLS communication channel
  • Client and server applications authenticate using certificates
Can be deployed on smartcards

When to Use Integrated Authentication (flowchart)
  • Is the client on the intranet (inside the firewall)? If no: cannot use Integrated Authentication
  • If yes: are client and server running Windows 2000 or later? If no: Windows Integrated Authentication with NTLM
  • If yes: is there an Active Directory domain? If no: NTLM; if yes: Kerberos

How to Use Kerberos Version 5 (diagram)
Initial logon:
  • 1: The client requests a ticket-granting ticket (TGT) from the KDC
  • 2: The KDC returns the TGT, which is cached locally
Service request:
  • 1: The client presents the TGT to the KDC
  • 2: The KDC returns a service ticket (ST)
  • 3: The client presents the ST to the target server
  • 4: The session is established

Demonstration 3: IIS Authentication Techniques
  • Using Anonymous Authentication
  • Using Basic Authentication
  • Using Integrated Windows Authentication

Authorization
What Is Authorization?
Authorization:
  • Occurs after your client request is authenticated
  • Is the process of confirming that an authenticated principal is allowed access to specific resources
  • Checks rights assigned to files, folders, registry settings, applications, and so on
  • Can be role-based
  • Can be code-based

Common Authorization Techniques
  • IIS Web permissions (and IP/DNS restrictions)
  • .NET role-based security
  • .NET code access security
  • NTFS access control lists (ACL)
  • SQL Server logins
  • SQL Server permissions

Impersonation/Delegation Model (diagram)
  • The client identity is used to access downstream resources
  • Clients A, B, and C each reach the database or other resource server through the Web or application server as A, B, and C respectively

Trusted Subsystem Model (diagram)
  • Clients are mapped to roles
  • Dedicated Windows service accounts are used for each role when accessing downstream resources
  • Clients A, B, and C are mapped to Role 1 and Role 2 on the Web or application server; the database or other resource server sees only the service accounts 1 and 2

Demonstration 4: Trusted Subsystem Model Authorization Techniques
  • Reviewing the application
  • Setting authentication on the Web server
  • Creating service accounts on the Web server
  • Setting authorization on the database server

Firewalls
Firewalls can provide:
  • Secure gateway to the Internet for internal clients
  • Packet filtering
  • Circuit-level filtering
  • Application filtering
  • Auditing
Firewalls cannot provide:
  • Protection against application-level attacks over HTTP or HTTPS

Auditing
Auditing actions include tracking:
  • Resource access and usage
  • Successful and unsuccessful logon attempts
  • Application failures
Auditing benefits include:
  • Help for administrators to detect intrusions and suspicious activities
  • Traceability for legal, non-repudiation disputes
  • Diagnosis of security breaches

Service Packs and Updates (table: security update and description)
  • Hotfix: addresses a single issue or a small number of issues; hotfixes can be combined by using QChain
  • Security rollup package: multiple hotfixes packaged for easy installation
  • Service pack: provides major updates; cumulative set of previous updates; may contain previously unannounced fixes; may contain feature changes

Agenda
  • The Importance of Application Security
  • Secure Application Development Practices
  • Security Technologies
  • Secure Development Guidelines

Proactive Security Development
  • Integrate security improvements throughout the development process
  • Focus on security and ensure your code can withstand new attacks
  • Promote the key role of education
  • Raise awareness within your team
  • Learn from your mistakes and others’ mistakes

Adopt the SD3 Security Framework
Secure by Design
  • Build threat models
  • Conduct code reviews, penetration tests
Secure by Default
  • Run code with minimal privileges
  • Minimize your attack surface
  • Enable services securely
Secure in Deployment
  • Leverage the security best practices
  • Create security guidance
  • Build tools to assess application

Microsoft Java Virtual Machine End of Support Alert
Java Support Alert!
  • MSJVM no longer ships with Windows XP SP1a or Windows Server 2003
  • Microsoft will discontinue support Sept 30, 2004
  • No security fixes will be made after that date
  • Security issues after that date may require removal of MSJVM
Developers should:
  • Update MSJVM-dependent applications
  • Offer upgrades to customers
For more information: http://www.microsoft.com/java

Session Summary
  • The Importance of Application Security
  • Secure Application Development Practices
  • Security Technologies
  • Secure Development Guidelines

Next Steps
  • Stay informed about security
    • Sign up for security bulletins: http://www.microsoft.com/security/security_bulletins/alerts2.a
    • Get the latest Microsoft security guidance: http://www.microsoft.com/security/guidance/
  • Get additional security training
    • Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security.mspx
    • Find a local CTEC for hands-on training: http://www.microsoft.com/learning/

For More Information
  • Microsoft Security Site (all audiences): http://www.microsoft.com/security
  • MSDN Security Site (developers): http://msdn.microsoft.com/security
  • TechNet Security Site (IT professionals): http://www.microsoft.com/technet/security

Questions and Answers
