Subtle Security Flaws: Why you must follow the basic principles of software security
Varun Sharma, Application Consulting and Engineering (ACE) Team, Microsoft India

Agenda
• Flaw 1: Custom Authentication
• Flaw 2: Lack of Rule-based Authorization
• Flaw 3: Black-list Input Validation
• Flaw 4: Improper use of Crypto
• Flaw 5: App-layer DoS attack
Flaw 1: Custom Authentication
• Site implements custom forms authentication
• Buggy code
• Demo

Flaw 1: Custom Authentication
Principles:
• Use well-known, time-tested, system-provided methods for authentication.
• Avoid writing custom authentication code.
Flaw 2: Authorization
• Authorization implemented by disabling UI elements
• Rule-based authorization not considered
• Demo

Flaw 2: Authorization
Principles:
• Do not rely on the UI for authorization
• Disabled buttons are not authorization
• Consider rule-based authorization in your design
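The "disabled button" flaw is that the only check lives in the UI, so a request that never went through the UI is never checked. Below is an added example, not code from the slides, of the server-side alternative the principles call for: a rule-based check that runs on every call to the action. The expense-approval scenario, the role names ("manager", "director"), the department rule and the 10000 limit are all assumptions chosen to illustrate rules that a pure role check cannot express.

```go
package main

import (
	"errors"
	"fmt"
)

// User as the server sees it after authentication (assumed shape, not from the slides).
type User struct {
	Name       string
	Roles      []string
	Department string
}

// Expense is the resource an "Approve" button would act on (constructed example).
type Expense struct {
	ID         int
	Owner      string
	Department string
	Amount     float64
	Approved   bool
}

var ErrDenied = errors.New("authorization denied")

func hasRole(u User, role string) bool {
	for _, r := range u.Roles {
		if r == role {
			return true
		}
	}
	return false
}

// CanApprove is the rule-based check. The rules are illustrative assumptions:
//   - only managers or directors may approve at all (plain role check);
//   - nobody may approve their own expense;
//   - an approver may only act on expenses from their own department;
//   - amounts above 10000 need the director role.
// None of this depends on whether the UI rendered an enabled button.
func CanApprove(u User, e Expense) error {
	if !hasRole(u, "manager") && !hasRole(u, "director") {
		return fmt.Errorf("%w: %s holds no approving role", ErrDenied, u.Name)
	}
	if e.Owner == u.Name {
		return fmt.Errorf("%w: %s cannot approve their own expense", ErrDenied, u.Name)
	}
	if e.Department != u.Department {
		return fmt.Errorf("%w: expense is in %s, approver is in %s", ErrDenied, e.Department, u.Department)
	}
	if e.Amount > 10000 && !hasRole(u, "director") {
		return fmt.Errorf("%w: amount %.2f exceeds the manager limit", ErrDenied, e.Amount)
	}
	return nil
}

// ApproveExpense is the server-side handler behind the "Approve" action. It re-checks
// authorization on every call, so a request crafted to bypass a disabled button is refused
// exactly like one sent through the UI.
func ApproveExpense(u User, e *Expense) error {
	if err := CanApprove(u, *e); err != nil {
		return err
	}
	e.Approved = true
	return nil
}

func main() {
	mgr := User{Name: "alice", Roles: []string{"manager"}, Department: "sales"}
	e := Expense{ID: 1, Owner: "bob", Department: "eng", Amount: 500}
	fmt.Println(ApproveExpense(mgr, &e)) // denied: cross-department, whatever the UI showed
}
```

The point of keeping `CanApprove` separate from the handler is that the same function can also drive the UI (render the button enabled or disabled), while the handler never trusts that rendering.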
Flaw 3: Black-list Input Validation
• Only a fixed set of bad characters is checked for
• Becomes vulnerable in special situations
• Demo

Flaw 3: Black-list Input Validation
Principles:
• Validate against the set of allowed values (white list)
• If white-list validation is not possible:
  • Encode output to prevent XSS
  • Parameterize queries to prevent SQL injection…
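To make the "special situations" concrete, here is an added example (not code from the slides) that puts a substring black list next to the two defences the principles name for a web field: an allow-list pattern for a structured value, and HTML encoding for free text that cannot be allow-listed. The display-name rule, the `badSubstrings` list and the function names are assumptions for illustration; parameterized SQL is not shown because the block involves no database.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
	"strings"
)

// badSubstrings is the kind of black list the slide warns against (constructed example).
// It rejects only what it was told about: a different spelling of the same tag, or a tag
// it has never heard of, goes through.
var badSubstrings = []string{"<script", "javascript:", "onerror="}

func BlacklistRejects(input string) bool {
	for _, bad := range badSubstrings {
		if strings.Contains(input, bad) {
			return true
		}
	}
	return false
}

// displayNameRe is an allow list for a display-name field: letters, digits, space, dot
// and hyphen, 1 to 40 characters. The rule is an assumption about the field; the point
// is that anything outside the rule is rejected without anyone having to enumerate it.
var displayNameRe = regexp.MustCompile(`^[A-Za-z0-9 .\-]{1,40}$`)

func ValidDisplayName(input string) bool {
	return displayNameRe.MatchString(input)
}

// EncodeForHTML is the fallback for free text (a comment, a review) where no allow list
// fits: the data is encoded at output time so the browser renders it as text, not markup.
func EncodeForHTML(input string) string {
	return html.EscapeString(input)
}

func main() {
	for _, in := range []string{"Varun Sharma", "<script>", "<Script>"} {
		fmt.Printf("%-14q blacklist rejects=%-5v allowlist accepts=%-5v encoded=%s\n",
			in, BlacklistRejects(in), ValidDisplayName(in), EncodeForHTML(in))
	}
}
```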
Flaw 4: Improper use of Crypto
• Not knowing which security services each mechanism provides
• For example, what services do digital signatures provide?
• Demo

Flaw 4: Improper use of Crypto
[Diagram: Product 1's site, Product 2's site and Product 3's site each send a signed XML POST to a central payment site]

Flaw 4: Improper use of Crypto
Principles:
• Know what service each mechanism provides
• Do not implement crypto mechanisms yourself
• Use system-provided methods
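A digital signature gives the payment site integrity and origin authenticity of the POST body, and only that: the body is still readable by anyone who sees it, and a captured signed message verifies just as well the second time it is delivered. The added example below (not the slides' code; the slides do not name a signature scheme, so Ed25519 from Go's standard library is used here) shows a verifier that uses the signature for what it provides and adds the two checks a signature cannot provide: binding to the key registered for the claimed product, and freshness plus one-time acceptance of each order. The `PaymentRequest` fields, the 5-minute window and JSON in place of XML are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// PaymentRequest is one product site's message to the central payment site. The field
// set is an assumption (the slides only say "signed XML POST"); JSON stands in for XML
// so the example needs no XML canonicalisation.
type PaymentRequest struct {
	Product  string `json:"product"`
	OrderID  string `json:"order_id"`
	Amount   int64  `json:"amount_cents"`
	IssuedAt int64  `json:"issued_at"` // unix seconds; gives the verifier a freshness window
}

type SignedRequest struct {
	Payload   []byte // travels in the clear: a signature does not hide the contents
	Signature []byte
}

func NewKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func NewRequest(product, orderID string, amountCents int64) PaymentRequest {
	return PaymentRequest{Product: product, OrderID: orderID, Amount: amountCents, IssuedAt: time.Now().Unix()}
}

// Sign is the product site's side: it proves who made the payload and that it is unchanged.
func Sign(priv ed25519.PrivateKey, req PaymentRequest) (SignedRequest, error) {
	payload, err := json.Marshal(req)
	if err != nil {
		return SignedRequest{}, err
	}
	return SignedRequest{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

var (
	ErrUnknownProduct = errors.New("no key registered for product")
	ErrBadSignature   = errors.New("signature does not verify under that product's key")
	ErrStale          = errors.New("request outside freshness window")
	ErrReplay         = errors.New("order already processed")
)

// Verifier is the central payment site's side. Keys maps each product to the public key
// registered for it; Seen records accepted orders (in memory here, persistent in practice).
type Verifier struct {
	Keys   map[string]ed25519.PublicKey
	Seen   map[string]bool
	MaxAge time.Duration
}

func NewVerifier() *Verifier {
	return &Verifier{Keys: map[string]ed25519.PublicKey{}, Seen: map[string]bool{}, MaxAge: 5 * time.Minute}
}

func (v *Verifier) Accept(sr SignedRequest) (PaymentRequest, error) {
	var req PaymentRequest
	if err := json.Unmarshal(sr.Payload, &req); err != nil {
		return req, err
	}
	// Check 1: verify under the key registered for the product the payload claims. The
	// product field is covered by the signature, so a payload claiming to be product 2's
	// cannot carry a signature made with product 1's key.
	pub, ok := v.Keys[req.Product]
	if !ok {
		return req, ErrUnknownProduct
	}
	if !ed25519.Verify(pub, sr.Payload, sr.Signature) {
		return req, ErrBadSignature
	}
	// Check 2: a valid signature says nothing about when the message was made or how many
	// times it has been delivered. Freshness and uniqueness are the verifier's own job.
	if age := time.Since(time.Unix(req.IssuedAt, 0)); age > v.MaxAge || age < -v.MaxAge {
		return req, ErrStale
	}
	key := req.Product + "/" + req.OrderID
	if v.Seen[key] {
		return req, ErrReplay
	}
	v.Seen[key] = true
	return req, nil
}

func main() {
	pub, priv := NewKeypair()
	v := NewVerifier()
	v.Keys["product1"] = pub
	sr, _ := Sign(priv, NewRequest("product1", "order-1", 4999))
	fmt.Printf("payload on the wire: %s\n", sr.Payload) // readable by anyone who sees the POST
	_, err := v.Accept(sr)
	fmt.Println("first delivery:", err)
	_, err = v.Accept(sr)
	fmt.Println("second delivery:", err)
}
```

If the amount or card details in the body must also be kept from an observer, that is a separate service (encryption, or TLS on the POST) that the signature does not supply; the principle on the slide is exactly that each mechanism must be matched to the service it actually provides.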
Flaw 5: App-layer Denial of Service
[Screen 1 for User 1: Book movie ticket]

Flaw 5: App-layer Denial of Service
[Screen 2 for User 1: Book movie ticket]
You have 7 minutes left
Enter payment details:
• Name:
• Credit Card Number:
• Address:
• …
[Click to Book]

Flaw 5: App-layer Denial of Service
[Screen 1 for User 2: Book movie ticket]

Flaw 5: App-layer Denial of Service
[Screen 1 for User 2 after 7 minutes: Book movie ticket]

Flaw 5: App-layer Denial of Service
Principles:
• Use CAPTCHA to avoid automated attacks
• Design with security in mind
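The screens show the mechanism: reaching screen 2 takes a seat off the map for 7 minutes whether or not payment follows, and user 2 only sees it again once that hold expires. The added example below (not code from the slides) models that hold with an expiry and adds one "design with security in mind" measure the slides leave to the reader: a cap on the number of live holds a single client may own, and no extension of a hold when the client reloads screen 2. The cap value, the `SeatMap` API and the use of a client identifier are assumptions; a CAPTCHA, the slide's other measure, would sit in front of `Hold` and is not modelled.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// HoldDuration is the 7 minutes screen 2 gives the user to enter payment details.
const HoldDuration = 7 * time.Minute

type hold struct {
	client  string
	expires time.Time
}

// SeatMap is the state of one show. maxHoldsPerClient is the assumed defence: a client
// that reaches screen 2 repeatedly without paying can tie up at most that many seats.
type SeatMap struct {
	holds             map[string]hold // seat -> live hold
	booked            map[string]bool
	maxHoldsPerClient int
	now               func() time.Time // injectable clock, so expiry can be tested
}

var (
	ErrSeatUnavailable = errors.New("seat is held by another user or already booked")
	ErrTooManyHolds    = errors.New("client already has the maximum number of live holds")
	ErrNoLiveHold      = errors.New("no live hold on this seat for this client")
)

func NewSeatMap(maxHoldsPerClient int, now func() time.Time) *SeatMap {
	return &SeatMap{holds: map[string]hold{}, booked: map[string]bool{}, maxHoldsPerClient: maxHoldsPerClient, now: now}
}

// expire drops holds whose 7 minutes are up; this is what frees the seat for user 2.
func (m *SeatMap) expire() {
	t := m.now()
	for seat, h := range m.holds {
		if !h.expires.After(t) {
			delete(m.holds, seat)
		}
	}
}

func (m *SeatMap) liveHolds(client string) int {
	n := 0
	for _, h := range m.holds {
		if h.client == client {
			n++
		}
	}
	return n
}

// Hold is the screen 1 -> screen 2 transition. A client's existing hold is kept as is,
// never extended, so reloading screen 2 cannot keep a seat off the map indefinitely.
func (m *SeatMap) Hold(client, seat string) error {
	m.expire()
	if m.booked[seat] {
		return ErrSeatUnavailable
	}
	if h, ok := m.holds[seat]; ok {
		if h.client == client {
			return nil
		}
		return ErrSeatUnavailable
	}
	if m.liveHolds(client) >= m.maxHoldsPerClient {
		return ErrTooManyHolds
	}
	m.holds[seat] = hold{client: client, expires: m.now().Add(HoldDuration)}
	return nil
}

// Book is "Click to Book" after payment: it succeeds only against the client's own live hold.
func (m *SeatMap) Book(client, seat string) error {
	m.expire()
	if h, ok := m.holds[seat]; !ok || h.client != client {
		return ErrNoLiveHold
	}
	delete(m.holds, seat)
	m.booked[seat] = true
	return nil
}

// Available reports whether screen 1 should offer the seat.
func (m *SeatMap) Available(seat string) bool {
	m.expire()
	_, held := m.holds[seat]
	return !held && !m.booked[seat]
}

func main() {
	clock := time.Now()
	m := NewSeatMap(2, func() time.Time { return clock })
	fmt.Println(m.Hold("user1", "A1"), m.Hold("user2", "A1")) // <nil>, then unavailable for user 2
	clock = clock.Add(HoldDuration + time.Second)
	fmt.Println(m.Hold("user2", "A1")) // <nil>: user 2 gets the seat after the 7 minutes
}
```

What counts as a "client" for the cap (session, account, source address) is a design decision the example leaves open; the weaker the identity behind it, the more the CAPTCHA from the slide has to carry.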