Chris's Top Ten Security Tips

Post on 20-Jan-2016


Transcript of a PowerPoint (PPT) presentation.

Chris Seary, CISSP, MVP

Me
  Securing large enterprise applications
  Developer
  ISO 27001 Lead Auditor

10. What is an X509 certificate?

Public-key encryption, as built up on the slides:

  Message  --Encrypt (public key)-->  Jhbsx^8  --Decrypt (private key)-->  Message

Usually includes encryption of a symmetric key! In practice the public key is not used on the message itself: it encrypts a freshly generated symmetric key, and that symmetric key encrypts the message (public-key operations are slow and can only handle a few hundred bytes at a time).

The certificate itself contains:

  Subject name
  Serial number
  Issuer
  Public key
  CA signature
  Attribute 1, Attribute 2, Attribute 3 ...

Certificate store: holds the certificate and, for identities you own, the matching private key.

Private key is the essential component!
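As an added example (not from the slides), the following C# builds a self-signed X.509 certificate, prints the fields listed above, and then performs the "encrypt a symmetric key with the public key" step the slide describes: AES protects the message, RSA-OAEP with the certificate's public key protects the AES key, and only the holder of the private key can unwrap it. It assumes .NET Framework 4.7.2 or .NET Core 2.0+ (for CertificateRequest); the subject name CN=Brad and the blob layout are choices made for this example.

```csharp
// Added example: X.509 fields plus hybrid (RSA + AES) encryption. Not code from the slides.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class HybridCertDemo
{
    static void Main()
    {
        // Self-signed: subject and issuer are the same name, and the "CA signature"
        // is made with the certificate's own private key.
        using (RSA key = RSA.Create(2048))
        {
            var request = new CertificateRequest("CN=Brad", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 cert = request.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddYears(1)))
            using (RSA pub = cert.GetRSAPublicKey())
            {
                Console.WriteLine("Subject name:    " + cert.Subject);
                Console.WriteLine("Serial number:   " + cert.SerialNumber);
                Console.WriteLine("Issuer:          " + cert.Issuer);
                Console.WriteLine("Public key:      " + pub.KeySize + "-bit RSA");
                Console.WriteLine("CA signature:    " + cert.SignatureAlgorithm.FriendlyName);
                Console.WriteLine("Has private key: " + cert.HasPrivateKey);

                byte[] blob = Encrypt(cert, "Message");
                Console.WriteLine("Decrypted: " + Decrypt(cert, blob));
            }
        }
    }

    // Sender side: needs only the certificate (the public key).
    static byte[] Encrypt(X509Certificate2 recipientCert, string plaintext)
    {
        using (Aes aes = Aes.Create())                       // AES-CBC, PKCS7 padding by default
        using (RSA rsaPub = recipientCert.GetRSAPublicKey())
        {
            aes.GenerateKey();
            aes.GenerateIV();
            byte[] clear = Encoding.UTF8.GetBytes(plaintext);
            byte[] ciphertext;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                ciphertext = enc.TransformFinalBlock(clear, 0, clear.Length);

            // The slide's point: the public key encrypts the symmetric key, not the message.
            byte[] wrappedKey = rsaPub.Encrypt(aes.Key, RSAEncryptionPadding.OaepSHA256);

            // Blob layout chosen for this example: [keyLen:int32][wrappedKey][iv:16][ciphertext]
            using (var ms = new MemoryStream())
            using (var w = new BinaryWriter(ms))
            {
                w.Write(wrappedKey.Length);
                w.Write(wrappedKey);
                w.Write(aes.IV);
                w.Write(ciphertext);
                w.Flush();
                return ms.ToArray();
            }
        }
    }

    // Recipient side: needs the private key, the essential component.
    static string Decrypt(X509Certificate2 ownCert, byte[] blob)
    {
        using (var r = new BinaryReader(new MemoryStream(blob)))
        using (RSA rsaPriv = ownCert.GetRSAPrivateKey())
        using (Aes aes = Aes.Create())
        {
            int keyLen = r.ReadInt32();
            byte[] wrappedKey = r.ReadBytes(keyLen);
            byte[] iv = r.ReadBytes(16);
            byte[] ciphertext = r.ReadBytes((int)(r.BaseStream.Length - r.BaseStream.Position));

            aes.Key = rsaPriv.Decrypt(wrappedKey, RSAEncryptionPadding.OaepSHA256);  // unwrap the symmetric key
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length));
        }
    }
}
```

The blob gives confidentiality only: nothing here detects tampering with the ciphertext, so a real implementation adds an authentication tag (AES-GCM, or an HMAC over IV and ciphertext) before trusting what it decrypts.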

Certificate stores on Windows:

  Local machine
    – Certificates used by the system (the demo uses Network Service)
  Current user
    – The logged-on user

Permissions have to be granted for other users to access private keys.
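The last point is the one that bites in practice: the certificate sits in the Local Machine store, but the application pool identity (Network Service in the demo) cannot read the private key until it is granted access. As an added example (not from the slides), this C# opens the Local Machine "Personal" store, finds a certificate by thumbprint and grants NETWORK SERVICE read access to its private key. It assumes .NET Framework on Windows, a CAPI (RSACryptoServiceProvider) key as the 2016-era deck would have used, and an elevated prompt; the thumbprint is a placeholder.

```csharp
// Added example: grant an account read access to a certificate's private key. Not code from the slides.
using System;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class PrivateKeyPermissions
{
    // Placeholder: replace with the thumbprint shown in certlm.msc for your certificate.
    const string Thumbprint = "0000000000000000000000000000000000000000";

    static void Main()
    {
        // StoreLocation.LocalMachine = certificates used by the system;
        // StoreLocation.CurrentUser would be the logged-on user's own store.
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, Thumbprint, validOnly: false);
            if (found.Count != 1)
                throw new InvalidOperationException("expected exactly one certificate with that thumbprint");

            X509Certificate2 cert = found[0];
            Console.WriteLine(cert.Subject + "  has private key: " + cert.HasPrivateKey);
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("a certificate without its private key cannot decrypt or sign");

            GrantRead(cert, new NTAccount("NT AUTHORITY", "NETWORK SERVICE"));
            Console.WriteLine("Granted read access on the private key.");
        }
    }

    static void GrantRead(X509Certificate2 cert, NTAccount account)
    {
        // Only CAPI keys expose their ACL this way; a CNG key needs its key file's ACL edited instead.
        var rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null)
            throw new NotSupportedException("private key is not a CAPI RSA key");

        CspKeyContainerInfo info = rsa.CspKeyContainerInfo;

        // Re-open the existing key container, supplying an updated security descriptor.
        var csp = new CspParameters(info.ProviderType, info.ProviderName, info.KeyContainerName)
        {
            Flags = CspProviderFlags.UseExistingKey |
                    (info.MachineKeyStore ? CspProviderFlags.UseMachineKeyStore : CspProviderFlags.NoFlags),
            CryptoKeySecurity = info.CryptoKeySecurity
        };
        csp.CryptoKeySecurity.AddAccessRule(
            new CryptoKeyAccessRule(account, CryptoKeyRights.GenericRead, AccessControlType.Allow));

        // Constructing the provider with these parameters writes the new ACL to the container.
        using (new RSACryptoServiceProvider(csp)) { }
    }
}
```

This is the programmatic equivalent of "All Tasks > Manage Private Keys..." in certlm.msc. GenericRead is enough for signing and decryption; do not hand out Full Control to a service account just because the dialog offers it.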

9. What is a PKI?

Brad and Jennifer, as built up on the slides:

  1. Jennifer obtains Brad's public key.
  2. Jennifer encrypts her message with Brad's public key (Kvhdxa6e6t4g) and sends it.
  3. Brad decrypts it with his private key and reads the message (MessageStuff).

Man in the middle attack (Angelina):

  1. Angelina sits between the two and hands Jennifer her own public key in place of Brad's.
  2. Jennifer encrypts her message with Angelina's public key (Gvvwh336fwd) and sends it.
  3. Angelina decrypts it with her private key and reads it (MessageStuff).
  4. Angelina changes the message (MessageNew) and encrypts it using Brad's real public key (Hjbsxa687svscv).
  5. Angelina sends it on; Brad decrypts it using his private key and receives MessageNew.

Adding a CA:

  1. The CA digitally signs Brad's public key.
  2. The CA certificate is placed in the certificate store on both sides: Brad and Jennifer each trust the CA.
  3. Jennifer checks the signature on Brad's certificate against the CA certificate's public key.

  Definitely Brad!
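As an added example (not from the slides), here is the Brad, Jennifer and Angelina scenario in C#: a CA issues Brad a certificate over his public key, Jennifer holds only the CA's public certificate, and Angelina presents a self-signed certificate that also says CN=Brad. Jennifer's check builds the chain and requires it to end at the CA certificate she actually trusts, compared by thumbprint rather than by name. It assumes .NET Framework 4.7.2 or .NET Core 2.0+; every name is a placeholder.

```csharp
// Added example: CA-signed certificate vs. an impostor's self-signed one. Not code from the slides.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PkiDemo
{
    static void Main()
    {
        using (RSA caKey = RSA.Create(2048))
        using (RSA bradKey = RSA.Create(2048))
        using (RSA angelinaKey = RSA.Create(2048))
        {
            DateTimeOffset notBefore = DateTimeOffset.UtcNow.AddMinutes(-5);

            // The CA: self-signed, marked as a CA and allowed to sign certificates.
            var caReq = new CertificateRequest("CN=Demo Root CA", caKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
            caReq.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
            caReq.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(caReq.PublicKey, false));
            X509Certificate2 caCert = caReq.CreateSelfSigned(notBefore, notBefore.AddYears(10));

            // "Digitally signs": the CA issues Brad a certificate binding his name to his public key.
            var bradReq = new CertificateRequest("CN=Brad", bradKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            byte[] serial = new byte[16];
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(serial);
            serial[0] &= 0x7F;                                   // keep the serial a positive INTEGER
            X509Certificate2 bradCert = bradReq.Create(caCert, notBefore, notBefore.AddYears(1), serial);

            // Angelina: a self-signed certificate that merely *claims* to be Brad.
            var angReq = new CertificateRequest("CN=Brad", angelinaKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            X509Certificate2 angelinaCert = angReq.CreateSelfSigned(notBefore, notBefore.AddYears(1));

            // "CA cert placed in cert store": Jennifer holds the CA's public certificate, no private key.
            var jennifersTrustedCa = new X509Certificate2(caCert.Export(X509ContentType.Cert));

            Console.WriteLine("Brad's cert:     " + (IsIssuedByTrustedCa(bradCert, jennifersTrustedCa) ? "Definitely Brad!" : "REJECTED"));
            Console.WriteLine("Angelina's cert: " + (IsIssuedByTrustedCa(angelinaCert, jennifersTrustedCa) ? "accepted (!)" : "REJECTED, not signed by our CA"));
        }
    }

    // Jennifer's check: the presented certificate must chain to *her* CA certificate.
    static bool IsIssuedByTrustedCa(X509Certificate2 presented, X509Certificate2 trustedCa)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.ExtraStore.Add(trustedCa);
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;   // the demo CA publishes no CRL
            // Our CA is not in the Windows root store, so let the chain build to an
            // unknown root and verify the root ourselves below.
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;

            if (!chain.Build(presented))
                return false;                                     // bad signature, expired, etc.

            // Compare by thumbprint, not by Issuer/Subject name: names are exactly what
            // Angelina can forge, the CA's key is not.
            X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            return root.Thumbprint == trustedCa.Thumbprint;
        }
    }
}
```

In production the CA certificate lives in the Trusted Root store and the explicit root comparison becomes `chain.Build` alone, with revocation checking left on; the point the example isolates is that trust comes from the signature chain to a key you already hold, never from the name inside the certificate.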

8. Best way to implement cryptography

  Don't write your own algorithm
  Use policy where possible
    – WS-Security
  Use configuration where possible
    – IIS and SSL
  Use simple APIs that perform crypto in one step
    – CAPICOM
    – Enterprise libraries

7. How do we store secrets?

  Encryption!
  But......
  How do we store the encryption key?

  DPAPI
    – Get from nugget
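DPAPI answers the "where do we store the key?" question by not giving the application a key at all: Windows derives it from the user's or machine's master key. As an added example (not from the slides), this C# protects a connection string with System.Security.Cryptography.ProtectedData and reads it back. It assumes Windows (System.Security.dll on .NET Framework, the System.Security.Cryptography.ProtectedData package on .NET Core); the secret, file name and entropy value are placeholders.

```csharp
// Added example: storing a secret with DPAPI (ProtectedData). Not code from the slides.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class DpapiSecrets
{
    // Optional entropy is a second secret mixed into the protection. With LocalMachine
    // scope any process on the box can call Unprotect, so the entropy (kept out of the
    // blob's directory, e.g. compiled in or in a separately ACLed file) is what stops a
    // different application on the same server from reading your secret. Placeholder value.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-v1");

    static void Main()
    {
        string secret = "Server=sql01;Database=Orders;User Id=app;Password=placeholder";  // placeholder
        string path = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "conn.dpapi");

        // LocalMachine: any account on this machine can unprotect (subject to entropy and
        // the file's ACL). CurrentUser: only the same Windows account, and it needs a
        // loaded user profile, which an IIS application pool does not get by default.
        File.WriteAllBytes(path, Protect(secret, DataProtectionScope.LocalMachine));

        // Later, e.g. at service start-up:
        string recovered = Unprotect(File.ReadAllBytes(path), DataProtectionScope.LocalMachine);
        Console.WriteLine(recovered == secret ? "round-trip OK" : "MISMATCH");
    }

    static byte[] Protect(string plaintext, DataProtectionScope scope)
    {
        byte[] clear = Encoding.UTF8.GetBytes(plaintext);
        try { return ProtectedData.Protect(clear, Entropy, scope); }
        finally { Array.Clear(clear, 0, clear.Length); }     // don't leave the plaintext in the heap longer than needed
    }

    static string Unprotect(byte[] blob, DataProtectionScope scope)
    {
        // Wrong scope, wrong entropy, another machine or another user: CryptographicException.
        byte[] clear = ProtectedData.Unprotect(blob, Entropy, scope);
        try { return Encoding.UTF8.GetString(clear); }
        finally { Array.Clear(clear, 0, clear.Length); }
    }
}
```

The blob is bound to the machine (or user), so it does not survive a move to another server: copying conn.dpapi to a new box yields a CryptographicException, which is the intended behaviour and something deployment scripts have to plan for.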

6. What's the one hop problem?

  I can authenticate to the web server
  I can't authenticate to the database on another server

  Web server -> SQL

  What arrives at the web server, and what it can pass on to SQL:

  Username/Password -> NTLM auth to SQL
    (the web server holds the user's credentials, so it can log the user on locally and authenticate onward)
  Digest, or AD cert mapping -> Null session to SQL
    (the web server never sees the user's password, so it has nothing to authenticate onward with; the second hop arrives anonymous)

  Protocol transition
    – Kerberos
    – Protocol transition

6. What's the one hop problem? Solution!

  Any IIS authentication method (Basic, Certs, Digest) at the web server -> Kerberos auth from the web server to SQL

  Patterns and Practices 'Web Service Security: Scenarios, Patterns and Implementation Guidance for Web Services Enhancements (WSE) 3.0'
    – From MSDN
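As an added example (not from the slides), here is the developer's side of Kerberos protocol transition in C#: IIS has authenticated the caller by some non-Kerberos method, the application obtains a Windows token for that user from Active Directory without a password (S4U2Self, via the `WindowsIdentity(string)` constructor) and impersonates it while opening the SQL connection, so the second hop is Kerberos as the user. It assumes .NET Framework 4.6+ on a domain-joined web server whose application pool account is configured in AD for constrained delegation to the SQL Server's SPN with "Use any authentication protocol", and that the SPN is registered; server, database and user names are placeholders.

```csharp
// Added example: Kerberos protocol transition (S4U2Self) from the web tier. Not code from the slides.
using System;
using System.Data.SqlClient;
using System.Security.Principal;

static class ProtocolTransition
{
    // userPrincipalName is whoever IIS authenticated, e.g. the identity mapped from a
    // client certificate; in ASP.NET that is HttpContext.Current.User.Identity.Name.
    static string QueryAsUser(string userPrincipalName)
    {
        // S4U2Self: ask the KDC for a token for this user, no password involved.
        using (var identity = new WindowsIdentity(userPrincipalName))
        {
            // Without the delegation rights described above the call still succeeds but
            // returns an Identification-level token, which cannot open network connections:
            // the "null session" problem from the earlier slide in a new guise.
            if (identity.ImpersonationLevel != TokenImpersonationLevel.Impersonation)
                throw new InvalidOperationException(
                    "Got a " + identity.ImpersonationLevel + " token; check the app pool account's delegation settings.");

            return WindowsIdentity.RunImpersonated(identity.AccessToken, () =>
            {
                // Integrated Security: the connection authenticates as the impersonated user.
                using (var conn = new SqlConnection("Server=sql01.corp.example;Database=Orders;Integrated Security=SSPI"))
                using (var cmd = new SqlCommand(
                    "SELECT SUSER_SNAME(), auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID", conn))
                {
                    conn.Open();
                    using (SqlDataReader r = cmd.ExecuteReader())
                    {
                        r.Read();
                        // Expect the user's own account and "KERBEROS"; seeing the application
                        // pool account or "NTLM" means the hop did not happen as intended.
                        return r.GetString(0) + " via " + r.GetString(1);
                    }
                }
            });
        }
    }

    static void Main()
    {
        Console.WriteLine(QueryAsUser("jennifer@corp.example"));
    }
}
```

The query against sys.dm_exec_connections is the quickest way to prove the configuration: it shows SQL Server's own view of who connected and by which scheme, which is what to check first when delegation "works" on the developer's box but not on the server.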

5. ACL, DACL and SACL – wossat?

4. Validation, validation, validation

  CICO – Crap In Crap Out

  White list validation
    – Check for what you will allow
  Regex
    – Many functions available on net
  Replace bad input
    – Escape characters
  HTMLEncode output
    – Not a cure, but a patch
  Negotiate acceptable input with business when gathering requirements
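As an added example (not from the slides), this C# puts the list above into code: a white-list Regex that describes what the business agreed to accept, with the anchoring and timeout details that make such a pattern safe, and HTML encoding at the point of output as the second layer. The input samples are constructed for this example.

```csharp
// Added example: white-list validation with Regex, plus HTMLEncode on output. Not code from the slides.
using System;
using System.Collections.Generic;
using System.Net;
using System.Text.RegularExpressions;

static class InputValidation
{
    // What we WILL allow, agreed with the business: 1 to 30 letters, digits, spaces,
    // apostrophes and hyphens (names such as O'Brien or Anne-Marie).
    // \A and \z anchor the whole string. "^...$" is the common mistake: in .NET, $ also
    // matches just before a trailing newline, so "O'Brien\n" would pass.
    // The timeout bounds how long a hostile input can keep the regex engine busy.
    static readonly Regex CustomerName = new Regex(@"\A[A-Za-z0-9 '\-]{1,30}\z",
        RegexOptions.None, TimeSpan.FromMilliseconds(100));

    static bool IsValidCustomerName(string input)
    {
        return input != null && CustomerName.IsMatch(input);
    }

    // Encode at the point of output regardless of what happened upstream:
    // "not a cure, but a patch", but a patch you always apply.
    static string RenderGreeting(string name)
    {
        return "<p>Hello, " + WebUtility.HtmlEncode(name) + "</p>";
    }

    static void Main()
    {
        var samples = new List<string>   // constructed test inputs
        {
            "O'Brien",                            // accept
            "Anne-Marie",                         // accept
            "Robert'); DROP TABLE Customers;--",  // reject: ) and ; are not on the white list
            "<script>alert(1)</script>",          // reject: < > / ( ) are not on the white list
            "O'Brien\n",                          // reject: \z does not accept the trailing newline
            new string('A', 31),                  // reject: too long
        };

        foreach (string s in samples)
        {
            bool ok = IsValidCustomerName(s);
            Console.WriteLine((ok ? "ACCEPT " : "REJECT ") + s.Replace("\n", "\\n"));
            if (ok)
                Console.WriteLine("   " + RenderGreeting(s));   // O'Brien renders as O&#39;Brien
        }

        // Even if a bad value reached the output stage unvalidated, encoding keeps it inert:
        Console.WriteLine(RenderGreeting("<script>alert(1)</script>"));
        // <p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;</p>
    }
}
```

HtmlEncode is the right encoder only for HTML element content; a value written into a JavaScript string, a URL or an attribute needs the encoder for that context, which is why validation on the way in is the primary control and encoding the backstop.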

3. Warning, Will Robinson!

2. Using SQL

Run down

  10. What is an X509 cert?
  9. What is a PKI?
  8. Best way to implement cryptography
  7. How do we store secrets?
  6. What's the one hop problem?
  5. ACL, DACL and SACL
  4. Validation, validation, validation
  3. Warning, Will Robinson!
  2. Using SQL

1. Don't develop as admin!
