Security Risks beyond the Network: Developing Secure Solutions
Jeff Zado, jzado@microsoft, Sr. Product Manager Development Tools, Microsoft Canada


Page 1: Jeff Zado jzado@microsoft  Sr. Product Manager Development Tools Microsoft Canada

Jeff Zado, jzado@microsoft
Sr. Product Manager Development Tools, Microsoft Canada

Security Risks beyond the Network: Developing Secure Solutions

Page 2:

Abstract

Ensuring that your organization’s applications are secure is no longer just about firewalls, networks and simple authentication. Security is a big challenge for organizations and the price of failure could mean disastrous results for companies and shareholders. But I am sure that you all know this, as you are security experts.

However, developing secure software is a relatively new discipline that organizations are adopting and integrating throughout the software development lifecycle. In this talk we will look at common application security issues, how companies can identify them earlier in the development lifecycle and how Microsoft solutions can be leveraged to assist you and our organizations.

Page 3:

“We cannot adopt the way of living that was satisfactory a hundred years ago. The world in which we live has changed, and we must change with it.”

Felix Adler

Page 4:

State of the Industry

“Over 70 percent of security vulnerabilities exist at the application layer, not the network layer” -- Gartner

“The battle between hackers and security professionals has moved from the network layer to the Web applications themselves” -- Network World

“Hacking has moved from a hobbyist pursuit with a goal of notoriety to a criminal pursuit with a goal of money” -- Counterpane Internet Security

“64 percent of developers are not confident in their ability to write secure applications” -- Microsoft Developer Research

Page 5:

Security Breaches Affecting Businesses and Consumers

"Britain warns of major e-mail attack: Hackers seen aiming at government, corporate networks" -- The Associated Press, updated 1:42 p.m. ET June 16, 2005

"40M credit cards hacked: Breach at third party payment processor affects 22 million Visa cards and 14 million MasterCards." -- Jeanne Sahadi, CNN/Money senior writer, June 20, 2005, 3:18 PM EDT

In 2004, 78% of enterprises hit by viruses, 49% had laptops stolen, 37% reported unauthorized access to information

--2004 CSI and FBI Computer Crime and Security Survey

Page 6:

The FTC reports 1,000 cases a day of ID theft

A recent FBI operation put an end to a scheme in which nearly 150,000 victims lost more than $215 million

The number of phishing e-mail messages intercepted by a prominent web security company grew 300% since June 2004

Over 80% of the top 100 financial institutions have reported external attacks on their IT systems in the past year

Page 7:

June 23, 2006 Another Government Security Breach

"There ought to be an assumption that data is encrypted when it is at rest or in transit," Kurtz said. "With encryption, a stolen laptop is simply a stolen laptop."

Page 8:

Elements that Drive Change

People: Providing guidance on secure application development
Tools: Providing the most innovative tools
Process: Security cannot be an afterthought

Page 9:

People: Education as a Driver

Education: Train every Developer and IT Professional on security
Patterns & Practices: Dedicated team focused on security guidance
MSDN and TechNet: Sharing whitepapers and “how tos”

Page 10:

Process: Security Development Lifecycle (SDL)

A PROCESS by which Microsoft develops software and defines security requirements and milestones
  Reduce the number of security errors
  Reduce the severity of any security errors not found
  Reduce the attack surface

Page 11:

Accountability and Incentives

Microsoft Developer Research: Almost 40 percent of developers say that their companies do not think it is “very important” to write secure applications
CXOs and management say it is very important
Current incentives on performance and ship dates
Must be driven top-down

Page 12:

Engineering Excellence: Focus Yielding Results

[Chart: only the bar values 55, 17 and 455 survive extraction; their labels are not on the page.]

Page 13:

Tools: Utilizing Innovation

Tools facilitate creating secure applications
  Static Analysis: Scan your code for security vulnerabilities
  Seamlessly create applications for a custom zone
  Create non-admin apps: Secure by Default
  Process: Secure Software Development Lifecycle
Nurturing the Partner Ecosystem

Page 14:

Canadian Events and Expertise

MSDN, Technet and Security Events and web resources

Threat Modeling: http://msdn.microsoft.com/security/securecode/threatmodeling/acetm/video/

Page 15:

Consequences of Inappropriate Input Handling

Lead to a realization of various attack patterns:
  Cross-Site Scripting (XSS)
  One-Click Attacks
  SQL Injection
  Canonicalization issues
  Buffer overflow or arithmetic errors (Memory Management issues)
  Denial of Service

Page 16:

What is Cross-Site Scripting?

A technique that allows attackers to:
  Appear to rewrite the text of your web site
  Abuse the user’s trust in your website to…
    Steal Web session information and cookies
    Hijack client sessions
    Potentially access the client computer

Page 17:

Defending Against Cross-Site Scripting Attacks

Do not:
  Trust user input
  Echo client-supplied data without encoding
  Store secret information in cookies

Do:
  Take advantage of ASP.NET’s RequestValidation
  Take advantage of ASP.NET’s ViewStateUserKey
  Consider IOSec for data encoding (http://toolbox/details/details.aspx?ToolID=22241)
  Use the HttpOnly cookie option
  Use the <frame> security attribute
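As an added illustration of "echo client-supplied data without encoding" beside encoding at the point of output (example code written for this page, not from the deck and not the IOSec library the slide mentions; it uses the .NET WebUtility.HtmlEncode helper, and the page class and method names are illustrative):

```csharp
using System;
using System.Net;

// Added example, not from the slides: the same "echo a client-supplied value"
// page written without and with output encoding. All names are illustrative.
public static class GreetingPage
{
    // VULNERABLE: client-supplied data is copied into the markup verbatim,
    // so a value that contains markup is rendered as markup, not as text.
    public static string RenderUnencoded(string userName)
    {
        return "<p>Welcome back, " + userName + "</p>";
    }

    // HARDENED: encode at the point of output. The characters that matter to
    // an HTML parser (< > & " ') become entity references, so the browser
    // displays the text instead of interpreting it.
    public static string RenderEncoded(string userName)
    {
        return "<p>Welcome back, " + WebUtility.HtmlEncode(userName) + "</p>";
    }

    // Attribute context: encode the value AND quote the attribute; an unquoted
    // attribute lets a value containing a space add further attributes.
    public static string RenderAsAttribute(string userName)
    {
        return "<input type=\"text\" name=\"user\" value=\""
             + WebUtility.HtmlEncode(userName) + "\" />";
    }

    public static void Main()
    {
        // Constructed input: markup inside a value that should be plain text.
        string hostile = "<script>alert('xss')</script>";

        // The script element is emitted as-is and would execute in the browser.
        Console.WriteLine(RenderUnencoded(hostile));

        // The angle brackets and quotes are emitted as entity references, so
        // the browser shows the value as literal text.
        Console.WriteLine(RenderEncoded(hostile));
        Console.WriteLine(RenderAsAttribute(hostile));
    }
}
```

The encoding call belongs at the output boundary, next to the markup it protects, rather than at input time: the same value may be rendered in several contexts (HTML body, attribute, JavaScript, URL), and each context needs its own encoder. ASP.NET's RequestValidation, mentioned on the slide, is a blocklist on the way in and complements this, but does not replace output encoding.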

Page 18:

What is One-Click Attack?

Site offers persistent sign-in option (cookies)
Victim user navigates to (or opens) an HTML page -- perhaps a “once in a lifetime offer”
One or more actions are carried out using the trust of the victim user, who is completely unsuspecting

Page 19:

Defending Against One-Click Attack

Browser’s cross-frame security limits this to a “write-only” attack
Concept for defense: require a data element in the request which the attacker can’t supply
  (Overkill) Re-authenticate the user
  Can ask for confirmation
  Check Referrer field: document.location or window.open() don’t post Referrer

Page 20:

Defending Against One-Click Attack (cont.)

Classic ASP: Generate a unique session ID once user authenticates, encrypt it and bind it to each response sent to user
In .Net 1.1 use ViewStateUserKey
  Value assigned to it must be unique to the current user
  This value is used as a factor in the ViewState MAC

    // Page class override (C#): bind the ViewState MAC to the authenticated user
    override protected void OnInit(EventArgs e)
    {
        // ...
        // Any value unique to the current user works; the identity name is the usual choice
        ViewStateUserKey = User.Identity.Name;
        // ...
    }
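The "data element in the request which the attacker can't supply" idea from the previous slide, and the ViewStateUserKey approach above, worked through as an added example that is not from the deck: a request token derived with an HMAC from the authenticated user and the session, issued into the form and checked on the way back. It is not the ViewState MAC itself (ASP.NET computes that internally); the server key, user names and session id are constructed values, and CryptographicOperations.FixedTimeEquals assumes .NET Core 2.1 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the slides: a per-user, per-session request token.
public static class RequestToken
{
    // Server-side secret. In a real deployment this comes from protected
    // configuration and is rotated; it is hard-coded here only for the demo.
    private static readonly byte[] ServerKey =
        Encoding.UTF8.GetBytes("constructed-demo-key-not-for-production");

    // Token = HMAC-SHA256(serverKey, userName | sessionId).
    // A hostile page can make the victim's browser send its cookies, but it
    // cannot read this value or compute it, so it cannot put it in a request.
    // Emit it into every state-changing form, e.g.
    //   <input type="hidden" name="reqtoken" value="..." />
    public static string Issue(string userName, string sessionId)
    {
        using (var hmac = new HMACSHA256(ServerKey))
        {
            byte[] data = Encoding.UTF8.GetBytes(userName + "\n" + sessionId);
            return Convert.ToBase64String(hmac.ComputeHash(data));
        }
    }

    // On POST: recompute from the server-side identity and session (never
    // from anything in the request) and compare in constant time.
    public static bool Validate(string presented, string userName, string sessionId)
    {
        if (string.IsNullOrEmpty(presented))
            return false;                       // missing token => reject
        byte[] expected = Encoding.UTF8.GetBytes(Issue(userName, sessionId));
        byte[] actual = Encoding.UTF8.GetBytes(presented);
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }

    public static void Main()
    {
        // Constructed identities and session id.
        string token = Issue("alice", "sess-1234");

        // Accepted: same user, same session.
        Console.WriteLine(Validate(token, "alice", "sess-1234"));
        // Rejected: a token captured for one user is useless for another.
        Console.WriteLine(Validate(token, "bob", "sess-1234"));
        // Rejected: a forged request without the hidden field.
        Console.WriteLine(Validate(null, "alice", "sess-1234"));
    }
}
```

Binding the token to the session as well as the user name means a token issued in an earlier session does not carry over, which is the same property the slide asks of ViewStateUserKey ("unique to the current user"). The Referrer check from the previous slide can sit in front of this as a cheap first filter, but, as the slide notes, the header is not always present, so the token is the check that actually decides.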

Page 21:

What is SQL Injection?

SQL injection is: the process of supplying carefully crafted input to alter (or create) SQL statements

Can be used by malicious users to compromise confidentiality, integrity or availability of your application:
  Probe databases
  Bypass authorization
  Execute multiple SQL statements
  Call built-in stored procedures

Page 22:

Defending Against SQL Injection

Abandon Dynamic SQL
  Use stored procedures or SQL parameterized queries to access data
  Can have SQL Injection in stored procedures
Sanitize all input
  Consider all input harmful until proven otherwise -- test for valid data and reject everything else
Run with least privilege
  Never execute as “sa”
  Restrict access to built-in stored procedures
Do not display ODBC errors
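Added example (not from the deck) showing the dynamic-SQL form beside the parameterized SqlCommand form, with the validate-then-reject step and the error suppression the slide calls for. The connection string, the Users table and its columns are placeholders, and System.Data.SqlClient is assumed to be available (part of the .NET Framework; a NuGet package on .NET Core).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example, not from the slides. Table, column and connection-string
// values are placeholders.
public static class UserLookup
{
    private const string ConnectionString = "<connection string from protected configuration>";

    // "Test for valid data and reject everything else": a known-good shape for
    // a user name. The apostrophe is allowed on purpose (O'Brien is a real name),
    // which is exactly why parameters, not quoting, must carry the value.
    private static readonly Regex UserNamePattern = new Regex(@"^[A-Za-z0-9_.'-]{1,64}$");

    // VULNERABLE: the statement's structure is under the caller's control.
    // Even a legitimate name such as O'Brien ends the string literal early,
    // so a crafted value can change what the statement does.
    public static string BuildDynamicSql(string userName)
    {
        return "SELECT Id, Email FROM Users WHERE Name = '" + userName + "'";
    }

    // HARDENED: the statement text is fixed; the value travels as a typed
    // parameter and can never become part of the SQL grammar.
    public static SqlCommand BuildParameterized(SqlConnection conn, string userName)
    {
        var cmd = new SqlCommand("SELECT Id, Email FROM Users WHERE Name = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 64).Value = userName;
        return cmd;
    }

    public static string FindEmail(string userName)
    {
        if (!UserNamePattern.IsMatch(userName))
            throw new ArgumentException("invalid user name");   // reject, don't "clean"

        try
        {
            using (var conn = new SqlConnection(ConnectionString))   // a least-privilege login, never sa
            {
                conn.Open();
                using (SqlCommand cmd = BuildParameterized(conn, userName))
                using (SqlDataReader reader = cmd.ExecuteReader())
                {
                    return reader.Read() ? reader.GetString(1) : null;
                }
            }
        }
        catch (SqlException)
        {
            // Provider errors reveal schema and statement details. Log them
            // server-side and return a generic failure to the caller.
            throw new InvalidOperationException("lookup failed");
        }
    }

    public static void Main()
    {
        // The benign name O'Brien already breaks the dynamic form: the
        // apostrophe closes the literal and the rest becomes SQL text.
        Console.WriteLine(BuildDynamicSql("O'Brien"));
    }
}
```

The regex and the parameter do different jobs: validation rejects values that make no sense for the field (length, character set), while the parameter guarantees that whatever passes validation can only ever be data. Stored procedures give the same guarantee only while they avoid building SQL strings internally, which is the "SQL Injection in stored procedures" caveat on the slide.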

Page 23:

What are Memory Management Issues

Buffer Overrun
  Exists primarily in unmanaged (C/C++) code
  Can lead to host-level exploits -- keep your host patched and up-to-date
Arithmetic Errors

Page 24:

What are Arithmetic Errors

Occur when the limitations of a variable are exceeded
  E.g., assign the value 300 to a byte
Lead to serious runtime issues
Are often overlooked and underestimated
Include:
  Overflow -- value too large for data type
  Underflow -- value too small for data type
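The slide's own case (300 into a byte), plus the size computation that turns an overlooked overflow into a memory bug, as an added C# example that is not from the deck; the method names are illustrative.

```csharp
using System;

// Added example, not from the slides: checked versus unchecked arithmetic.
public static class ArithmeticChecks
{
    // The slide's case: 300 does not fit in a byte (0..255). Unchecked, the
    // high bits are silently discarded and the program continues with a
    // wrong value.
    public static byte TruncateSilently(int value)
    {
        return unchecked((byte)value);
    }

    // Checked conversion turns the same mistake into an OverflowException
    // at the point where it happens, instead of a corrupted value later.
    public static byte ConvertChecked(int value)
    {
        return checked((byte)value);
    }

    // Where an arithmetic error becomes a memory issue: a buffer size
    // computed from two integers that an outside source can influence.
    // If the product wraps, a small (or negative) buffer is allocated and
    // the copy that follows overruns it.
    public static int SafeBufferSize(int count, int elementSize)
    {
        if (count < 0 || elementSize <= 0)
            throw new ArgumentOutOfRangeException(count < 0 ? nameof(count) : nameof(elementSize));
        return checked(count * elementSize);   // throws instead of wrapping
    }

    public static void Main()
    {
        Console.WriteLine(TruncateSilently(300));   // a byte, but not 300

        try { ConvertChecked(300); }
        catch (OverflowException) { Console.WriteLine("300 does not fit in a byte"); }

        try { SafeBufferSize(int.MaxValue, 2); }
        catch (OverflowException) { Console.WriteLine("size computation would overflow"); }

        // The wrapped result the checked version refused to produce.
        Console.WriteLine(unchecked(int.MaxValue * 2));
    }
}
```

C# defaults to unchecked arithmetic for non-constant expressions, so the default is the silent case. A project-wide checked setting (the compiler's /checked option) makes the exception the default and lets the rare hot loop opt out with an explicit unchecked block, which is the safer direction for code that sizes buffers from external input.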

Page 25:

Logging

Application Security is more than setting up perimeter defense

Keep a log trail of authentication attempts
  Both successful and failed
Keep a log trail of all accesses to assets
  Log as close to an asset as possible
  SQL Server Stored Procedure
Sometimes… a log trail is the only mitigation
Identify “who, what, where & when”…

Page 26:

What you Log

“Fire and Forget” -- Asynchronous logging
  MSMQ
Don’t write sensitive information in logs
  Passwords
Identify the “who, what, where & when”:
  Identity
  Action
  Component/Service/Object/Method
  Timestamp
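An added example (not from the deck) of a log entry that carries who, what, where and when, redacts password-like fields before anything is written, and hands the line off asynchronously. A BlockingCollection with a background writer thread stands in for the MSMQ queue the slide names; the field and key names are illustrative and the two sample entries are constructed.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Threading;

// Added example, not from the slides. The in-process queue and Console sink
// stand in for MSMQ and a durable log store.
public sealed class AccessLogEntry
{
    public DateTime TimestampUtc { get; set; }            // when
    public string Identity { get; set; }                  // who
    public string Action { get; set; }                    // what
    public string Component { get; set; }                 // where: service/object/method
    public bool Succeeded { get; set; }
    public IDictionary<string, string> Details { get; set; }
}

public static class AuditLog
{
    // Keys whose values must never reach the log (compared case-insensitively).
    private static readonly HashSet<string> SensitiveKeys =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "password", "pwd", "secret", "token" };

    private static readonly BlockingCollection<string> Queue = new BlockingCollection<string>();
    private static readonly Thread Writer = StartWriter(Queue);

    // Fire and forget: the request thread only formats and enqueues.
    public static void Record(AccessLogEntry e)
    {
        Queue.Add(Format(e));
    }

    // One line per event with the four fields the slides ask for; sensitive
    // details are redacted here, before the line leaves the process.
    public static string Format(AccessLogEntry e)
    {
        string line = $"{e.TimestampUtc:O} who={e.Identity} what={e.Action} "
                    + $"where={e.Component} result={(e.Succeeded ? "ok" : "FAIL")}";
        if (e.Details != null)
        {
            foreach (KeyValuePair<string, string> kv in e.Details)
            {
                string value = SensitiveKeys.Contains(kv.Key) ? "[redacted]" : kv.Value;
                line += $" {kv.Key}={value}";
            }
        }
        return line;
    }

    private static Thread StartWriter(BlockingCollection<string> queue)
    {
        var t = new Thread(() =>
        {
            foreach (string line in queue.GetConsumingEnumerable())
                Console.WriteLine(line);          // stand-in for the durable sink
        });
        t.IsBackground = true;
        t.Start();
        return t;
    }

    // Drain the queue before the process exits so no entries are lost.
    public static void Shutdown()
    {
        Queue.CompleteAdding();
        Writer.Join();
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed events: a failed login (password redacted) followed by a
        // successful asset access logged at the data layer, close to the asset.
        AuditLog.Record(new AccessLogEntry
        {
            TimestampUtc = DateTime.UtcNow, Identity = "alice", Action = "Login",
            Component = "AuthService.Authenticate", Succeeded = false,
            Details = new Dictionary<string, string> { { "password", "hunter2" }, { "clientIp", "203.0.113.7" } }
        });
        AuditLog.Record(new AccessLogEntry
        {
            TimestampUtc = DateTime.UtcNow, Identity = "alice", Action = "Read",
            Component = "dbo.usp_GetCustomer", Succeeded = true,
            Details = new Dictionary<string, string> { { "customerId", "4711" } }
        });
        AuditLog.Shutdown();
    }
}
```

Redacting by key name in the formatter is deliberately simple; the important property is that it happens in the one place every entry passes through, so no caller can bypass it. The background thread absorbs sink latency the way a queue such as MSMQ would, and Shutdown gives the same guarantee a durable queue provides on its own: entries already recorded are not lost when the process ends.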

Page 27:

Audit

Logs identify the “who, what, where & when”
Audit the logs to determine “why”
Setup a process whereby logs are audited
  Monitor & Response Process
  Can be automated to some extent
Log files are an asset!

Page 28:

A (Quick) Summary

Use existing technologies that meet your needs…
  But implement appropriately!
Think cynically -- don’t trust outside sources
  Application users
  External dependencies