![Page 1: Chris’s Top Ten Security Tips](https://reader036.vdocument.in/reader036/viewer/2022062322/56814ffe550346895dbdc671/html5/thumbnails/1.jpg)
Chris’s Top Ten Security Tips
Chris Seary, CISSP, MVP
![Page 2: Chris’s Top Ten Security Tips](https://reader036.vdocument.in/reader036/viewer/2022062322/56814ffe550346895dbdc671/html5/thumbnails/2.jpg)
Me
Securing large enterprise applications
Developer
ISO 27001 Lead Auditor
![Page 3: Chris’s Top Ten Security Tips](https://reader036.vdocument.in/reader036/viewer/2022062322/56814ffe550346895dbdc671/html5/thumbnails/3.jpg)
10. What is an X509 certificate?
Message → Encrypt → Jhbsx^8 → Decrypt → Message
Encrypt with the Public key, Decrypt with the Private key
Usually includes encryption of symmetric key!
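The Encrypt/Decrypt box above as it is really built: the recipient's public key wraps a random AES key and AES encrypts the message itself. This is an added example, not code from the deck; the function names are mine, and it assumes Windows PowerShell 5.1 (.NET Framework 4.6 or later) or PowerShell 7 on Windows, where RSACng and RSA-OAEP with SHA-256 are available.

```powershell
# Added example (not from the deck): hybrid encryption, the pattern behind the slide's
# "usually includes encryption of symmetric key". Names are the example's own.
function Protect-HybridMessage {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.RSA]$RecipientPublicKey,
        [Parameter(Mandatory)][string]$Message
    )
    $aes = [System.Security.Cryptography.Aes]::Create()   # AES-CBC with a fresh random key and IV
    $aes.KeySize = 256
    $plain      = [System.Text.Encoding]::UTF8.GetBytes($Message)
    $ciphertext = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    # Only the 32-byte AES key goes through RSA; RSA-OAEP cannot take a message of arbitrary size anyway
    $wrappedKey = $RecipientPublicKey.Encrypt($aes.Key,
        [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    $envelope = [pscustomobject]@{ WrappedKey = $wrappedKey; IV = $aes.IV; Ciphertext = $ciphertext }
    $aes.Dispose()
    return $envelope
}

function Unprotect-HybridMessage {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.RSA]$RecipientPrivateKey,
        [Parameter(Mandatory)]$Envelope
    )
    # Only the holder of the private key can unwrap the AES key, and therefore read the message
    $key = $RecipientPrivateKey.Decrypt($Envelope.WrappedKey,
        [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $key
    $aes.IV  = $Envelope.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Envelope.Ciphertext, 0, $Envelope.Ciphertext.Length)
    $aes.Dispose()
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

# Usage: Brad generates a key pair; Jennifer only ever holds the public half.
$bradKeyPair = New-Object System.Security.Cryptography.RSACng 2048
$bradPublic  = New-Object System.Security.Cryptography.RSACng
$bradPublic.ImportParameters($bradKeyPair.ExportParameters($false))   # $false = public parameters only

$envelope = Protect-HybridMessage -RecipientPublicKey $bradPublic -Message 'Message'
[Convert]::ToBase64String($envelope.Ciphertext)      # the slide's "Jhbsx^8"
Unprotect-HybridMessage -RecipientPrivateKey $bradKeyPair -Envelope $envelope
```

This gives confidentiality only: nothing here tells Brad who sent the envelope or whether it was altered in transit, which is exactly the gap the man-in-the-middle slides later in the deck exploit and the CA signature closes.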
![Page 7: Chris’s Top Ten Security Tips](https://reader036.vdocument.in/reader036/viewer/2022062322/56814ffe550346895dbdc671/html5/thumbnails/7.jpg)
10. What is an X509 certificate?
Certificate: Subject name, Serial number, Issuer, Public key, CA signature, Attribute 1, Attribute 2, Attribute 3 ...
Certificate store: Certificate + Private key
Private key is the essential component!
![Page 10: Chris’s Top Ten Security Tips](https://reader036.vdocument.in/reader036/viewer/2022062322/56814ffe550346895dbdc671/html5/thumbnails/10.jpg)
10. What is an X509 certificate?
Local machine
– Certificates used by system
– Demo uses Network Service
Current user
– Logged on user
Permissions have to be granted for other users to access private keys
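Reading the fields the certificate slide lists from a certificate in the machine store, then showing which accounts may actually use its private key, which is what decides whether Network Service can run the demo. This is an added example, not code from the deck; the function names and the subject `CN=demo.example.local` are placeholders, and it assumes Windows PowerShell 5.1 run from an elevated prompt with an RSA key held in the machine store by either a legacy CSP or the Microsoft Software KSP.

```powershell
# Added example (not from the deck): inspect a machine-store certificate and its private key ACL.
function Get-CertificateReport {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    [pscustomobject]@{
        Subject       = $Cert.Subject
        SerialNumber  = $Cert.SerialNumber
        Issuer        = $Cert.Issuer                              # the CA whose signature is on the cert
        PublicKey     = $Cert.PublicKey.Oid.FriendlyName + ' ' + $Cert.GetPublicKeyString().Substring(0, 16) + '...'
        CASignature   = $Cert.SignatureAlgorithm.FriendlyName
        Attributes    = ($Cert.Extensions | ForEach-Object { $_.Oid.FriendlyName }) -join ', '
        NotAfter      = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey                      # the essential component
    }
}

function Get-PrivateKeyAccess {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { throw 'Certificate has no private key in this store' }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key in the machine store: the container file lives under MachineKeys
        $keyFile = Join-Path $env:ProgramData ('Microsoft\Crypto\RSA\MachineKeys\' + $rsa.CspKeyContainerInfo.UniqueKeyContainerName)
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key held by the Software KSP in the machine store: the key file lives under Crypto\Keys
        $keyFile = Join-Path $env:ProgramData ('Microsoft\Crypto\Keys\' + $rsa.Key.UniqueName)
    } else {
        throw 'Not an RSA key held by a CSP or the software KSP (e.g. a hardware key)'
    }
    # The NTFS ACL on this file is what "permissions have to be granted" means in practice
    (Get-Acl -Path $keyFile).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
    # If the IIS worker account is missing, grant it read access only (the demo's Network Service):
    #   icacls $keyFile /grant "NT AUTHORITY\NETWORK SERVICE:R"
}

# Usage
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=demo.example.local' } | Select-Object -First 1   # placeholder subject
Get-CertificateReport -Cert $cert
Get-PrivateKeyAccess  -Cert $cert
```

Look for two things in the ACL output: the service account that runs the application needs Read (not Full Control), and no broad group such as Users or Everyone should appear, since whoever can read that file holds the private key.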
![Page 11: Chris’s Top Ten Security Tips](https://reader036.vdocument.in/reader036/viewer/2022062322/56814ffe550346895dbdc671/html5/thumbnails/11.jpg)
9. What is a PKI?
Brad   Jennifer
Brad’s public key → Jennifer
Jennifer encrypts message with Brad’s public key: Kvhdxa6e6t4g
Message sent
Brad decrypts with Brad’s private key: Message Stuff
![Page 17: Chris’s Top Ten Security Tips](https://reader036.vdocument.in/reader036/viewer/2022062322/56814ffe550346895dbdc671/html5/thumbnails/17.jpg)
9. What is a PKI?
Brad   Jennifer
Angelina: Man in the middle attack
Brad’s public key (intercepted by Angelina)
Angelina’s public key (passed to Jennifer in its place)
Jennifer encrypts message: Gvvwh336fwd
Sends message
Angelina decrypts message with Angelina’s private key: Message Stuff
Angelina changes message: Message New
Angelina encrypts using Brad’s public key: Hjbsxa687svscv
Sends message
Brad decrypts using his private key: Message New
![Page 27: Chris’s Top Ten Security Tips](https://reader036.vdocument.in/reader036/viewer/2022062322/56814ffe550346895dbdc671/html5/thumbnails/27.jpg)
9. What is a PKI?
Brad   Jennifer   CA
Brad’s public key → CA digitally signs
CA cert placed in cert store (Brad) – Trust
CA cert placed in cert store (Jennifer) – Trust
Jennifer checks signature on cert against CA cert public key
Definitely Brad!
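The check Jennifer makes on the last slide, done with the .NET X509Chain class against the CA certificates in the Trusted Root store, plus a name check so that a certificate the CA really did sign is not accepted for the wrong person. This is an added example, not code from the deck; the function name, the path `C:\temp\received.cer` and the expected name `Brad` are placeholders, and it assumes Windows PowerShell 5.1 or later on Windows.

```powershell
# Added example (not from the deck): verify a received certificate chains to a trusted CA
# and belongs to the party we expect.
function Test-CertificateTrust {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$ExpectedName      # who we believe we are talking to
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online revocation needs network access to the CA's CRL/OCSP; use Offline or NoCheck only knowingly
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    # Build() checks each certificate's signature against its issuer's public key up to a root in the
    # Trusted Root store, plus validity dates and revocation
    $built = $chain.Build($Cert)
    $path  = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join '  <-  '
    $flags = ($chain.ChainStatus   | ForEach-Object { $_.Status }) -join ', '
    $chain.Reset()
    $status = if ($flags) { $flags } else { 'NoError' }
    # A cert the CA signed for "Angelina" is still not Brad: compare the CN with the expected name
    $cn     = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $nameOk = ($cn -eq $ExpectedName)
    [pscustomobject]@{
        Subject        = $Cert.Subject
        Issuer         = $Cert.Issuer
        ChainPath      = $path
        ChainStatus    = $status
        ChainBuilt     = $built
        NameMatches    = $nameOk
        DefinitelyBrad = ($built -and $nameOk)
    }
}

# Usage: a certificate received from the other side (DER or Base64 .cer file; placeholder path)
$received = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\received.cer'
Test-CertificateTrust -Cert $received -ExpectedName 'Brad'
```

A self-signed certificate such as Angelina's (Subject equal to Issuer, with no CA in the Trusted Root store vouching for it) fails Build() with UntrustedRoot in ChainStatus, which is the point of the slide: without the CA signature there is nothing to check the public key against. Both halves matter; a chain that builds for the wrong name is the man-in-the-middle case in a different costume.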
![Page 32: Chris’s Top Ten Security Tips](https://reader036.vdocument.in/reader036/viewer/2022062322/56814ffe550346895dbdc671/html5/thumbnails/32.jpg)
8. Best way to implement cryptography
Don’t write your own algorithm
Use policy where possible
– WS-Security
Use configuration where possible
– IIS and SSL
Use simple APIs that perform crypto in one step
– CAPICOM
– Enterprise libraries
![Page 33: Chris’s Top Ten Security Tips](https://reader036.vdocument.in/reader036/viewer/2022062322/56814ffe550346895dbdc671/html5/thumbnails/33.jpg)
7. How do we store secrets?
Encryption!
But……
How do we store the encryption key?
![Page 34: Chris’s Top Ten Security Tips](https://reader036.vdocument.in/reader036/viewer/2022062322/56814ffe550346895dbdc671/html5/thumbnails/34.jpg)
7. How do we store secrets?
DPAPI
– Get from nugget
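Answering "how do we store the encryption key?" with DPAPI: Windows derives the protecting key from the user's or machine's credentials, so the application stores only an opaque blob and never a raw key. This is an added example, not code from the deck or the MSDN nugget; the function names and the purpose string are mine, and it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example (not from the deck): protect and recover a secret with DPAPI (ProtectedData).
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param(
        [Parameter(Mandatory)][string]$Secret,
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Scope = 'CurrentUser',
        [string]$Purpose = 'demo-app'     # optional entropy: binds the blob to this application
    )
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        [System.Text.Encoding]::UTF8.GetBytes($Secret),
        [System.Text.Encoding]::UTF8.GetBytes($Purpose),
        [System.Security.Cryptography.DataProtectionScope]$Scope)
    return [Convert]::ToBase64String($blob)     # this is what goes into the config file
}

function Unprotect-Secret {
    param(
        [Parameter(Mandatory)][string]$Base64Blob,
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Scope = 'CurrentUser',
        [string]$Purpose = 'demo-app'     # must match what was used to protect
    )
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
        [Convert]::FromBase64String($Base64Blob),
        [System.Text.Encoding]::UTF8.GetBytes($Purpose),
        [System.Security.Cryptography.DataProtectionScope]$Scope)
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

# Usage: protect once, running as the account the application will run under; unprotect at run time
$blob = Protect-Secret -Secret 'the-symmetric-key-or-password' -Scope CurrentUser
Unprotect-Secret -Base64Blob $blob -Scope CurrentUser
```

The scope is the security decision. CurrentUser ties the blob to the account that created it (run the Protect step as the service account, such as Network Service, not as yourself), so other users on the box cannot recover it. LocalMachine lets any process on that machine decrypt, so the ACL on the config file is then doing the real work. The purpose string is not a secret; it only stops a blob protected for one purpose being fed to another.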
![Page 35: Chris’s Top Ten Security Tips](https://reader036.vdocument.in/reader036/viewer/2022062322/56814ffe550346895dbdc671/html5/thumbnails/35.jpg)
6. What’s the one hop problem?
I can authenticate to the web server
I can’t authenticate to the database on another server
![Page 36: Chris’s Top Ten Security Tips](https://reader036.vdocument.in/reader036/viewer/2022062322/56814ffe550346895dbdc671/html5/thumbnails/36.jpg)
6. What’s the one hop problem?
Webserver → SQL
Username/Password at the webserver → NTLM auth to SQL
Digest, AD cert mapping at the webserver → Null session to SQL
![Page 42: Chris’s Top Ten Security Tips](https://reader036.vdocument.in/reader036/viewer/2022062322/56814ffe550346895dbdc671/html5/thumbnails/42.jpg)
6. What’s the one hop problem? Solution!
Protocol transition
– Kerberos
– Protocol transition
![Page 43: Chris’s Top Ten Security Tips](https://reader036.vdocument.in/reader036/viewer/2022062322/56814ffe550346895dbdc671/html5/thumbnails/43.jpg)
6. What’s the one hop problem? Solution!
Webserver → SQL
Any IIS authentication method (Basic, Certs, Digest) at the webserver → Kerberos auth to SQL
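The Active Directory configuration behind the "Solution!" slides, read back and set: Kerberos constrained delegation with protocol transition on the web server's computer account, so that a user authenticated to IIS by Basic, certificate or Digest can be represented to SQL with a Kerberos ticket, and only to SQL. This is an added example, not code from the deck; the function names are mine, `WEBSRV` and `MSSQLSvc/sql.example.local:1433` are placeholders, and it assumes the RSAT ActiveDirectory module and rights to modify the computer account.

```powershell
# Added example (not from the deck): inspect and configure constrained delegation with protocol transition.
Import-Module ActiveDirectory

function Get-DelegationReport {
    param([Parameter(Mandatory)][string]$ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
    [pscustomobject]@{
        Computer            = $c.Name
        Unconstrained       = $c.TrustedForDelegation          # may delegate to ANY service: avoid
        ProtocolTransition  = $c.TrustedToAuthForDelegation    # "use any authentication protocol"
        AllowedToDelegateTo = @($c.'msDS-AllowedToDelegateTo') # the only SPNs it may reach as the user
    }
}

function Set-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string[]]$TargetSpn      # e.g. 'MSSQLSvc/sql.example.local:1433' (placeholder)
    )
    $account = "$ComputerName`$"                        # computer accounts are sAMAccountName NAME$
    # Constrained: the web server may present the user's identity to these services only
    Set-ADComputer -Identity $ComputerName -Add @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }
    # Protocol transition: it may obtain a Kerberos ticket for a user it authenticated by other means
    Set-ADAccountControl -Identity $account -TrustedToAuthForDelegation $true
    # Make sure the far more dangerous "any service" setting is off
    Set-ADAccountControl -Identity $account -TrustedForDelegation $false
}

# Usage (placeholder names)
Get-DelegationReport -ComputerName 'WEBSRV'
Set-ConstrainedDelegation -ComputerName 'WEBSRV' -TargetSpn 'MSSQLSvc/sql.example.local:1433'
Get-DelegationReport -ComputerName 'WEBSRV'
```

Two things the report should show afterwards: Unconstrained is False, and AllowedToDelegateTo holds only the SQL SPN. That SPN must also be registered on the account SQL Server runs as, or the web server's connection will fall back to NTLM and land back on the slide with the null session.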
![Page 45: Chris’s Top Ten Security Tips](https://reader036.vdocument.in/reader036/viewer/2022062322/56814ffe550346895dbdc671/html5/thumbnails/45.jpg)
6. What’s the one hop problem? Solution!
Patterns and Practices ‘Web Service Security: Scenarios, Patterns and Implementation Guidance for Web Services Enhancements (WSE) 3.0’
– From MSDN
![Page 46: Chris’s Top Ten Security Tips](https://reader036.vdocument.in/reader036/viewer/2022062322/56814ffe550346895dbdc671/html5/thumbnails/46.jpg)
5. ACL, DACL and SACL – wossat?
![Page 47: Chris’s Top Ten Security Tips](https://reader036.vdocument.in/reader036/viewer/2022062322/56814ffe550346895dbdc671/html5/thumbnails/47.jpg)
4. Validation, validation, validation
CICO – Crap In Crap Out
![Page 48: Chris’s Top Ten Security Tips](https://reader036.vdocument.in/reader036/viewer/2022062322/56814ffe550346895dbdc671/html5/thumbnails/48.jpg)
4. Validation, validation, validation
White list validation
– Check for what you will allow
Regex
– Many functions available on net
Replace bad input
– Escape characters
HTMLEncode output
– Not a cure, but a patch
Negotiate acceptable input with business when gathering requirements
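The three approaches on this slide side by side, in the order the slide gives them: a white-list regex that accepts only what the business agreed to, the "replace bad input" strip the slide calls a patch, and HTMLEncode on output. This is an added example, not code from the deck; the function names and the four sample inputs are constructed for it, and it assumes Windows PowerShell 5.1 or PowerShell 7.

```powershell
# Added example (not from the deck): white-list validation, bad-character stripping and output encoding.
function Test-WhiteListInput {
    # Check for what you will allow: letters, digits, space and a few punctuation marks, 1 to 50 long.
    # The pattern is the negotiated requirement written down, not a list of things to fear.
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value,
        [string]$Pattern = '^[A-Za-z0-9 .,''-]{1,50}$'
    )
    return [bool]($Value -match $Pattern)
}

function Remove-BadInput {
    # "Replace bad input": removes a short list of characters we know are dangerous and nothing else,
    # so it damages legitimate input that contains them and says nothing about input that does not.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    return ($Value -replace '[<>"'']', '')
}

function ConvertTo-SafeHtml {
    # HTMLEncode output: whatever was stored is rendered as text, never as markup
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    return [System.Net.WebUtility]::HtmlEncode($Value)
}

# Constructed sample inputs: two legitimate names, one piece of markup, one over-length value
$samples = @('Chris Seary', "O'Brien", '<b>bold</b>', ('A' * 51))
foreach ($s in $samples) {
    [pscustomobject]@{
        Input     = $s
        WhiteList = Test-WhiteListInput -Value $s
        Stripped  = Remove-BadInput -Value $s
        Encoded   = ConvertTo-SafeHtml -Value $s
    }
}
```

Reading the table: the white list rejects the markup and the over-long value and keeps both names, because the apostrophe was agreed as acceptable input; the strip accepts everything, silently turns O'Brien into OBrien and leaves the letters of the markup behind; the encoder changes nothing about what is stored and only makes the rendered page safe, which is why the slide calls it a patch rather than a cure.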
![Page 49: Chris’s Top Ten Security Tips](https://reader036.vdocument.in/reader036/viewer/2022062322/56814ffe550346895dbdc671/html5/thumbnails/49.jpg)
3. Warning, Will Robinson!
![Page 50: Chris’s Top Ten Security Tips](https://reader036.vdocument.in/reader036/viewer/2022062322/56814ffe550346895dbdc671/html5/thumbnails/50.jpg)
2. Using SQL
![Page 51: Chris’s Top Ten Security Tips](https://reader036.vdocument.in/reader036/viewer/2022062322/56814ffe550346895dbdc671/html5/thumbnails/51.jpg)
Run down
10. What is an X509 cert?
9. What is a PKI?
8. Best way to implement cryptography
7. How do we store secrets?
6. What’s the one hop problem?
5. ACL, DACL and SACL
4. Validation, validation, validation
3. Warning, Will Robinson!
2. Using SQL
![Page 52: Chris’s Top Ten Security Tips](https://reader036.vdocument.in/reader036/viewer/2022062322/56814ffe550346895dbdc671/html5/thumbnails/52.jpg)
1. Don’t develop as admin!