
Writing Secure Code By Sam Nasr, MCAD, MCT, MCTS March 18, 2009


Presentation Transcript


  1. Writing Secure Code By Sam Nasr, MCAD, MCT, MCTS March 18, 2009

  2. Agenda
     • Introduction
     • Security overview
     • Security
       • Procedural
       • Coding
     • Q&A

  3. About me…
     • Sam Nasr
     • Independent Software Consultant, Nasr Information Systems
     • Software developer since 1995
     • MCAD, MCT, MCTS (WSS/MOSS)
     • President, Cleveland C#/VB.Net User Group
     • Contact Info
       • E-mail: sam@nasr.info
       • Blog: ClevelandDotNet.blogspot.com/

  4. Setting Expectations
     • What will be covered
       • Overview of security in the .Net Framework
       • Some coding techniques (limited, due to time)
       • Take-home “Laundry List”
       • Discussion of code and organizational policies
     • What will NOT be covered
       • COM, ActiveX
       • DB security
       • Identifying security bugs

  5. Why Security?
     • Protect the data
       • Credit card numbers
       • Corporate data (financial info)
       • Patient information
     • Ensure app integrity
       • Prevent loss of revenue (e.g. $1 plane tickets from a tampered price)
       • Uptime (DoS attacks)
     • Ensure app authenticity
       • Customers run the intended applications

  6. What are the odds?
     • 1 developer vs. many hackers
     • 1 dev hour vs. many hacker hours
     • Salary vs. personal pride
     • Focused vs. continuous attempts

  7. Points of Entry

  8. Holistic Security
     • Physical location of servers
     • ALL servers (app & DB) must be configured for security
     • Train users against social engineering
     • Security code review
     • Security testing
     • Practice “Active Defense”
     • Recovery plan
     • Keep your users aware of the security risk

  9. “Active Defense” Monitoring
     • “Out of bounds” pricing
     • Excessive number of transactions
     • After-hours access
     • Extended login time

  10. .Net 101 (know the basics)
     • Compile code to ?
     • How does the code execute?
     • How is JIT used?
     • How is the CLR used?

  11. Security Namespaces
     • System.Security
     • System.Web.Security
     • System.Security.Cryptography
     • System.Security.Principal
     • System.Security.Policy
     • System.Security.Permissions

  12. Demo ILDASM/ILASM

  13. Security Tools
     • Dotfuscator
     • FxCop
     • Anti-Cross Site Scripting Library
     • Security Assessment Tool

  14. Strong Names
     • Private and public key pair; the public key token identifies the publisher
     • Regular name (“BookInventory”)
     • Version number (“1.0.0.0”)
     • Culture (neutral)
     • Public key token
     • Note: protect the private key
       • Utilize “AssemblyDelaySign”

  15. Demo Strong Names

  16. Anti-Cross Site Scripting Library
     A Cross Site Scripting (XSS) attack: a hacker inserts a link in an e-mail or web forum that appears to be legitimate (e.g. cnn.com, google.com). However, the link actually carries malicious script code embedded in the URL. When the unsuspecting user clicks the link, the script is executed in the user's browser in the security context of the host web site. The script code may be used to transfer cookies from the victim's PC to the hacker's machine. The cookies may contain user IDs, passwords, or possibly credit card information, all of which can be used for illegal purposes. The Anti-Cross Site Scripting Library encodes untrusted output so that such embedded script is rendered as text rather than executed.
     http://www.microsoft.com/downloads/details.aspx?familyid=9A2B9C92-7AD9-496C-9A89-AF08DE2E5982&displaylang=en
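An added example, not from the slides, showing the flaw described above beside its output-encoding fix; the GreetingRenderer class, its method names and the sample input are constructed for illustration, and WebUtility.HtmlEncode stands in for HttpUtility.HtmlEncode or the Anti-XSS library's encoder:

```csharp
using System;
using System.Net; // WebUtility.HtmlEncode (System.Web.HttpUtility.HtmlEncode on .NET 2.0/3.5)

// Hypothetical page fragment renderer: the "name" value comes from the query
// string of a link the visitor clicked, i.e. it is attacker-controlled.
public static class GreetingRenderer
{
    // Vulnerable: untrusted input is concatenated straight into the HTML, so a
    // crafted link whose "name" holds a <script> tag runs in the visitor's
    // browser under the site's origin, where it can read the site's cookies.
    public static string RenderUnsafe(string name)
    {
        return "<p>Hello, " + name + "</p>";
    }

    // Hardened: encode untrusted data for the HTML element context it is
    // written into; '<', '>', '&', '"' and '\'' become entities, so the browser
    // displays them as text. The Anti-XSS library's AntiXss.HtmlEncode
    // (namespace Microsoft.Security.Application in the 3.x releases) is a
    // drop-in replacement that encodes everything outside a safe whitelist.
    public static string RenderSafe(string name)
    {
        return "<p>Hello, " + WebUtility.HtmlEncode(name) + "</p>";
    }

    // A value placed inside a URL or attribute needs the encoder for that
    // context; HTML entity encoding alone is not sufficient there.
    public static string RenderReturnLinkSafe(string returnPath)
    {
        return "<a href=\"/home?return=" + Uri.EscapeDataString(returnPath) + "\">Back</a>";
    }

    public static void Main()
    {
        // Constructed sample input of the kind a malicious link would carry.
        string untrusted = "<script>alert(document.cookie)</script>";

        Console.WriteLine(RenderUnsafe(untrusted));        // script tag reaches the browser intact
        Console.WriteLine(RenderSafe(untrusted));          // tag is rendered as literal text
        Console.WriteLine(RenderReturnLinkSafe("a b&c\"")); // percent-encoded, cannot break out of the attribute
    }
}
```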

  17. Demo FxCop

  18. Demo Security Assessment Tool

  19. Conclusion
     Let’s recap…
     • Procedural
     • Coding

  20. References
     • Understanding MSIL: www.ClevelandDotnet.info - Presentations
     • FxCop: http://www.microsoft.com/downloads/details.aspx?familyid=9AEAA970-F281-4FB0-ABA1-D59D7ED09772&displaylang=en
     • Securing Connection Strings
       • via code: http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx
       • via cmd line: http://msdn.microsoft.com/en-us/library/dx0f3cf2(VS.80).aspx

  21. Questions?

  22. Contact Info
     • Sam Nasr
     • E-mail: sam@nasr.info
     • Blog: ClevelandDotNet.blogspot.com/
     • Cleveland C#/VB.Net User Group
       • Web: www.ClevelandDotNet.info
