Application Security Best Practices At Microsoft
Ensuring the lowest possible exposure and vulnerability to attacks
Published: January 2003

Solution Overview

Situation
- Faced with the daunting task of inventorying, cataloging, assessing, and securing each LOB application, the Microsoft IT group needed to create an organizational framework for handling the job

Solution
- Microsoft IT developed the Application Security Assurance Program (ASAP) to inventory, assess and – when necessary – ensure the resolution of security vulnerabilities found in LOB applications

Benefits
- Lower cost of recovery and lost productivity
- Minimize loss of data
- Improve customer confidence
- Decrease legal risks

Motivation For Application Security
- Cost of recovery and lost productivity
- Loss of data
- Impact on consumer confidence
- Legal risks

Security Principles
- Confidentiality
- Integrity
- Authentication
- Authorization
- Availability
- Non-repudiation

Managing Risk
- Strategic
- Tactical
- Operational
- Legal

Overview Of ASAP
- Wide variety of LOB applications designed by Microsoft IT or individual business unit IT teams
- Securing applications and data has grown in significance and complexity
- LOB applications function in a complex operational and legal environment with an equally complex underlying infrastructure
- Every organization should develop its own plan for securing applications

ASAP Deployment
- Risk assessment
- Design review
- Pre-production assessments
- Post-production follow-up

Assessment Criteria
- Definition of an application
- Scope of assessments
  - High-risk
  - Medium-risk
  - Low-risk

Assessment Criteria
- Types of Assessments
  - Limited assessments
  - Comprehensive assessments

Participants (diagram; groups and activities listed as they appear on the slide)
- Groups: Corporate Security; Application Review Team; Operations IT; Business Unit IT Groups
- Activities: Security Policy; Threat Modeling; Risk Assessment; Audits; Action on Audit Findings

Application Security Process Framework
- Verify In Production Applications
- Design, Develop, Test, and Verify Secure Apps
- Educate IT Professionals
- Maintain and Publish Policies and Guidelines
- Respond to Security Exposure Incidents
- Apply Lessons Learned

Application Management – Secure Infrastructure
- NETWORK
  - Architecture
  - Transport
  - Network device access control list (ACL) permission settings
- HOST
  - Operating system
  - Services: Internet Information Services (IIS); Simple Mail Transfer Protocol (SMTP); File Transfer Protocol (FTP); NetBIOS/Remote procedure call (RPC); Terminal Services; Microsoft SQL Server(TM)
- APPLICATION
  - Input validation
  - Clear text protocol
  - Authentication
  - Authorization
  - Cryptography
  - Auditing and logging
- ACCOUNT
  - Unused accounts
  - Weak or blank passwords
  - Shared accounts
  - Access privileges
- TRUST
  - Rogue trusts

Building Secure Networks – Configuration
- Network segmentation
- Firewalls
- Routers and switches

Building Secure Networks – Intrusion Detection Systems And Network Encryption
- Detection systems should monitor for
  - Reconnaissance attacks
  - Exploit attacks
  - Denial of service attacks
- Network encryption
  - Key tool in preventing sensitive data from being read
  - Sensitive communication should be encrypted
  - Industry-standard encryption methods: Secure Sockets Layer (SSL), secure shell program such as SSH, Internet Protocol Security (IPSec)

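The slide lists what a detection system should watch for without showing what that monitoring looks like in practice. The following is an added example, not code from the Microsoft IT deck, that runs two of those checks over a constructed, simplified connection log: a reconnaissance detector (one source probing many distinct ports on one host within a short window) and a denial-of-service detector (event rate from one source to one host above a threshold). The log format, the addresses and the thresholds are assumptions chosen for illustration; exploit detection needs packet or request content that this log does not carry, so it is not shown.

```python
from collections import defaultdict

# Constructed, simplified connection log, one event per line:
# "<epoch_seconds> <src_ip> <dst_ip> <dst_port>" (assumed format for this example)
SCAN_LINES = [f"{1000 + i} 10.0.0.5 192.168.1.10 {20 + i}" for i in range(12)]
BENIGN_LINES = [
    "1000 10.0.0.7 192.168.1.10 443",
    "1030 10.0.0.7 192.168.1.10 443",
    "1060 10.0.0.8 192.168.1.11 80",
]
FLOOD_LINES = ["2000 10.0.0.9 192.168.1.10 80"] * 60   # 60 hits within one second
SAMPLE_LOG = "\n".join(SCAN_LINES + BENIGN_LINES + FLOOD_LINES)

# Thresholds are assumptions chosen for the sample; tune them to the monitored network.
SCAN_PORTS, SCAN_WINDOW = 10, 60     # distinct ports on one host within 60 s
FLOOD_EVENTS, FLOOD_WINDOW = 50, 10  # events to one host within 10 s


def parse(log_text):
    """Turn log lines into (timestamp, src, dst, port) tuples, skipping blanks."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((int(ts), src, dst, int(port)))
    return events


def group_by_pair(events):
    """Bucket events by (src, dst), sorted by time, for per-pair windowing."""
    pairs = defaultdict(list)
    for ts, src, dst, port in events:
        pairs[(src, dst)].append((ts, port))
    for hits in pairs.values():
        hits.sort()
    return pairs


def detect_recon(events):
    """Reconnaissance: one source probing at least SCAN_PORTS distinct ports
    on one host inside SCAN_WINDOW seconds (a port sweep)."""
    alerts = set()
    for (src, dst), hits in group_by_pair(events).items():
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= SCAN_WINDOW}
            if len(ports) >= SCAN_PORTS:
                alerts.add(("recon", src, dst))
                break
    return alerts


def detect_flood(events):
    """Denial of service: at least FLOOD_EVENTS events from one source to one
    host inside FLOOD_WINDOW seconds (sliding window over sorted times)."""
    alerts = set()
    for (src, dst), hits in group_by_pair(events).items():
        times = [t for t, _ in hits]
        start = 0
        for i, t in enumerate(times):
            while times[start] < t - FLOOD_WINDOW:
                start += 1
            if i - start + 1 >= FLOOD_EVENTS:
                alerts.add(("flood", src, dst))
                break
    return alerts


def run(log_text):
    """Return every alert for a log as a sorted list of (kind, src, dst)."""
    events = parse(log_text)
    return sorted(detect_recon(events) | detect_flood(events))


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

Both detectors key on the (source, destination) pair so that normal traffic from a busy but legitimate client to one port (10.0.0.7 above) never trips the reconnaissance rule, and the flood rule uses a sliding window rather than a fixed bucket so a burst that straddles a boundary is still counted.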
Building Secure Hosts For Applications
- Patch management
- Configuration
- Permissions
- Simple Network Management Protocol community strings
- Antivirus software
- Server auditing and logging
- Server backup and restore

Application Layer Requirements
- Input validation
- Session management
- Authentication and authorization
- Design and code review
- Application and server error handling
- Application auditing and logging
- Application backup and restore
- Private data encryption

Common Application Development Issues
- User input validation
- Cookies, authentication, and access
- Passwords
- Access control lists
- COM+ application configuration
- Auditing and logging

Threat Modeling
- Provides a consistent methodology for objectively evaluating threats to applications
- Microsoft IT uses STRIDE to identify threats
  - Spoofing identity
  - Tampering with data
  - Repudiation
  - Information disclosure
  - Denial of service
  - Elevation of privilege

Architecture Modeling
- Component selection
- Component location
  - Untrusted
  - Semitrusted
  - Trusted
- Connection identification
  - Untrusted
  - Semitrusted
  - Trusted
- Environment component identification

Lessons Learned
- If you wait until an application is already in production to make it secure, you are too late
- Good security practices take into account both the host and the application client
- Create clearly written and easily accessible security guideline documentation
- Create security checklists that include step-by-step instructions
- Develop a thoroughly considered policy exception tracking process
- Education is crucial to the success of a security program
- Processes and reporting are required to ensure that inventory information is maintained
- Security is an ongoing, always changing, concern

Policies
- Applications should comply with application security policies and guidelines
- Applications should go through a security design review process
- Third-party application vendors should provide assurances that the software does not contain anything that could be used to compromise security controls
- Internet-facing applications should use existing methods of authentication
- Applications that reside on the corporate network should rely on Windows integrated authentication
- Applications that cannot use Windows integrated authentication should either encrypt or hash the password stores
- Credentials should never be stored or sent unencrypted
- User input should be filtered and examined at the Web server
- Web applications should use strong, nonpredictable session IDs
- Web applications should use an inactivity timeout
- Cookies that contain sensitive data should be marked as secure and nonpersistent

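Four of the policies above (hashed password stores, non-predictable session IDs, an inactivity timeout, and secure, non-persistent cookies) translate directly into a few lines of code. What follows is an added example, not code from the Microsoft IT deck or any Microsoft library, written in Python so it runs stand-alone; the 15-minute timeout, the cookie name `SID`, the PBKDF2 parameters and the injectable clock are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

INACTIVITY_TIMEOUT = 15 * 60   # seconds; assumed value for this example


def new_session_id(nbytes=32):
    """Strong, non-predictable session ID drawn from the OS CSPRNG (secrets),
    never from a counter, a timestamp or anything derived from the user."""
    return secrets.token_urlsafe(nbytes)


def session_cookie(session_id):
    """Set-Cookie header for the session: Secure (sent only over an encrypted
    connection), HttpOnly (not readable by page script), and no Expires or
    Max-Age, so the browser keeps it as a non-persistent session cookie."""
    return f"Set-Cookie: SID={session_id}; Path=/; Secure; HttpOnly"


class SessionStore:
    """Server-side session table enforcing the inactivity timeout.

    The clock is injectable (assumption for testability); in production the
    default time.time is used."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._last_activity = {}   # session id -> time of last request

    def create(self):
        sid = new_session_id()
        self._last_activity[sid] = self._clock()
        return sid

    def touch(self, sid):
        """Return True if the session is still live and refresh its activity
        time; an unknown or idle-too-long session is rejected and removed."""
        last = self._last_activity.get(sid)
        if last is None:
            return False
        now = self._clock()
        if now - last > INACTIVITY_TIMEOUT:
            del self._last_activity[sid]
            return False
        self._last_activity[sid] = now
        return True


def hash_password(password, salt=None, iterations=100_000):
    """Password-store entry: per-user random salt plus a slow salted hash
    (PBKDF2-HMAC-SHA256), so the clear-text password is never stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create()
    print(session_cookie(sid))
    print("live:", store.touch(sid))
    entry = hash_password("example-password")   # constructed sample credential
    print(entry)
    print("verify:", verify_password("example-password", entry))
```

The store keys sessions by the random ID only, so an attacker who guesses nothing about the ID has nothing to work with, and the timeout check runs on every request rather than on a background sweep, so an expired session is refused the moment it is next presented.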
Future Security Considerations
- Authorization Manager
- Constrained Delegation

Summary
- Business relies more and more on information technology to operate
- Securing access to critical resources ensures that they continue to function as expected
- Microsoft IT put policies and guidelines in place to help Microsoft development teams secure their existing applications
- Documenting and sharing the lessons that are learned by organizations are central to maintaining security both within and among businesses

For More Information
- Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com
- Microsoft TechNet: http://www.microsoft.com/technet/itshowcase
- Microsoft Case Study Resources: http://www.microsoft.com/resources/casestudies
- E-Mail IT Showcase: [email protected]

This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Microsoft Press, Visual Studio, Visual SourceSafe, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.