Essentials of Application Security. Rames Gantanant Puumsoft, Director of Business Solutions Microsoft, Regional Director Thailand. What We Will Cover. The Importance of Application Security Security Technologies Secure Development Guidelines. Session Prerequisites.
Essentials of Application Security Rames Gantanant Puumsoft, Director of Business Solutions Microsoft, Regional Director Thailand
What We Will Cover • The Importance of Application Security • Security Technologies • Secure Development Guidelines
Session Prerequisites • Development experience with Microsoft Visual Basic®, Microsoft Visual C++®, or C# • Level 200
Agenda • The Importance of Application Security • Security Technologies • Secure Development Guidelines
Common Types of Attacks • Organizational Attacks • Attackers • Automated Attacks • Accidental Breaches in Security • Denial of Service (DoS) • Viruses, Trojan Horses, and Worms (diagram labels: Restricted Data, DoS, Connection Fails)
Consequences of Poor Security • Stolen intellectual property • System downtime • Lost productivity • Damage to business reputation • Lost consumer confidence • Severe financial losses due to lost revenue
Challenges When Implementing Security • Attackers vs. Defenders: attacker needs to understand only one vulnerability; defender needs to secure all entry points; attackers have unlimited time; defender works with time and cost constraints • Security vs. Usability: secure systems are more difficult to use; complex and strong passwords are difficult to remember; users prefer simple passwords • Security As an Afterthought ("Do I need security…"): developers and management think that security does not add any business value; addressing vulnerabilities just before a product is released is very expensive
The Developer Role in Application Security • Developers must: • Work with solution architects and systems administrators to ensure application security • Contribute to security by: • Adopting good application security development practices • Knowing where security vulnerabilities occur and how to avoid them • Using secure programming techniques
Holistic Approach to Security • Security must be considered at: • All stages of a project • Design • Development • Deployment • All layers • Network • Host • Application “Security is only as good as the weakest link”
Security Throughout Project Lifecycle • Milestones: Concept, Designs Complete, Test Plans Complete, Code Complete, Ship, Post-Ship • Activities: Secure questions during interviews • Train team members • Analyze threats • Determine security sign-off criteria • External review • Security team review • Data mutation and least privilege tests • Review old defects, check-ins checked, secure coding guidelines, use tools • Security push • Learn and refine (diagram legend: = ongoing)
Agenda • The Importance of Application Security • Security Technologies • Secure Development Guidelines
Overview of Security Technologies • Developers need to use and apply: • Encryption • Hashing • Digital signatures • Digital certificates • Secure communication • Authentication • Authorization • Firewalls • Auditing • Service packs and updates
Encryption • Encryption is the process of encoding data • To protect a user’s identity or data from being read • To protect data from being altered • To verify that data originates from a particular user • Encryption can be: • Asymmetric • Symmetric
Verifying Data Integrity with Hashes • User A sends data and hash value to User B • If hash values match, data is valid (diagram: User A and User B each pass the data through the hash algorithm to produce a hash value)
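The exchange on this slide as runnable code, added here as an example and not part of the original deck. It goes one step beyond the slide by placing a keyed hash (HMAC) beside the plain hash, because a plain hash only catches a change when the hash value itself cannot also be replaced in transit; the function names and sample values are assumptions.

```python
import hashlib
import hmac

def send_with_hash(data: bytes):
    """User A: return the data and its SHA-256 hash value."""
    return data, hashlib.sha256(data).hexdigest()

def verify_hash(data: bytes, hash_value: str) -> bool:
    """User B: rehash the received data; matching values mean it is unchanged."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), hash_value)

def send_with_hmac(data: bytes, key: bytes):
    """User A: return the data and a keyed hash (HMAC-SHA256) of it."""
    return data, hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_hmac(data: bytes, tag: str, key: bytes) -> bool:
    """User B: recompute the keyed hash with the shared key and compare."""
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)

def run_demo() -> dict:
    # Constructed sample values, for illustration only.
    data = b"ship 10 units to warehouse 4"
    altered = b"ship 90 units to warehouse 7"
    key = b"constructed-demo-key-known-only-to-A-and-B"

    sent_data, hash_value = send_with_hash(data)
    _, tag = send_with_hmac(data, key)
    # Hash value recomputed over the altered data by whoever changed it.
    replaced_hash = hashlib.sha256(altered).hexdigest()

    return {
        "hash_unchanged": verify_hash(sent_data, hash_value),
        "hash_data_altered": verify_hash(altered, hash_value),
        "hash_both_replaced": verify_hash(altered, replaced_hash),
        "hmac_unchanged": verify_hmac(sent_data, tag, key),
        "hmac_data_altered": verify_hmac(altered, tag, key),
        "hmac_both_replaced": verify_hmac(altered, replaced_hash, key),
    }

if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Only the case where both the data and the unkeyed hash value are replaced is wrongly accepted; the keyed hash rejects it because the tag cannot be recomputed without the shared key.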
How Digital Certificates Work (diagram labels: User, Computer, Service, Application; Private/Public Key Pair; Private Key; Public Key; Certification Authority; Certified Administrator)
Secure Communication: Technologies • Technologies include: • IPSec • SSL • TLS • RPC encryption
Secure Communication: How SSL Works • 1. The user browses to a secure Web server by using HTTPS • 2. The browser creates a unique session key and encrypts it by using the Web server’s public key, which is generated from the root certificate • 3. The Web server receives the session key and decrypts it by using the server’s private key • 4. After the connection is established, all communication between the browser and Web server is secure (diagram labels: Secure Browser, Secure Web Server, Web Server Root Certificate, Message, HTTPS)
Demonstration 1: SSL Server Certificates • Viewing a Web Site on a Non-Secure Server • Generating a Certificate Request • Requesting a Trial Certificate • Installing the SSL Certificate • Testing the SSL Certificate
Authentication: Purpose of Authentication • Verifies the identity of a principal by: • Accepting credentials • Validating those credentials • Secures communications by ensuring your application knows who the caller is • Encrypting the data is not enough!
Authentication: Authentication Methods • Basic • Digest • Digital certificates • Integrated • The Kerberos version 5 protocol • NTLM • Microsoft Passport • Biometrics
Authentication: Basic Authentication • Is simple but effective • Is supported by all major browsers and servers • Is easy to program and set up • Manages user credentials • Requires SSL/TLS
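Why Basic authentication requires SSL/TLS, as an added example that is not part of the original deck: the Authorization header carries the user name and password base64-encoded, not encrypted, so anything that can read the request can read the password. The credential store, the `over_tls` flag, and all function names are assumptions for illustration.

```python
import base64
import hashlib
import hmac

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this demo

def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted hash so the store never holds the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

# Constructed credential store: user name -> (salt, derived hash).
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

def parse_basic_header(header: str):
    """Return (user name, password) from an Authorization value, or None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # base64 is an encoding: decoding needs no key.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    username, sep, password = decoded.partition(":")  # password may contain ':'
    return (username, password) if sep else None

def authenticate(header: str, over_tls: bool) -> bool:
    """Accept Basic credentials only when the request arrived over SSL/TLS."""
    if not over_tls:
        return False  # credentials were readable in transit; do not honour them
    creds = parse_basic_header(header)
    if creds is None:
        return False
    username, password = creds
    # Unknown users still cost one hash, so timing does not reveal valid names.
    salt, stored = USERS.get(username, (_SALT, b""))
    return hmac.compare_digest(hash_password(password, salt), stored)

if __name__ == "__main__":
    hdr = "Basic " + base64.b64encode(b"alice:correct horse").decode("ascii")
    print(parse_basic_header(hdr))            # what any observer recovers
    print(authenticate(hdr, over_tls=True))   # accepted
    print(authenticate(hdr, over_tls=False))  # refused on plain HTTP
```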
Authentication: When to Use Integrated Authentication (decision flowchart; diagram labels: Client, Firewall, Server, Windows Integrated) • Intranet? No: cannot use Integrated Authentication; Yes: continue • Windows 2000 or later? No: NTLM (server authentication); Yes: continue • Active Directory domain? Yes: Kerberos (client and server authentication)
Authorization: What is Authorization? • Authorization: • Occurs after your client request is authenticated • Is the process of confirming that an authenticated principal is allowed access to specific resources • Checks rights assigned to files, folders, registry settings, applications, and so on • Can be role-based • Can be code-based
Authorization: Common Authorization Techniques • IIS Web permissions (and IP/DNS restrictions) • .NET role-based security • .NET code access security • NTFS access control lists (ACL) • SQL Server logins • SQL Server permissions
Authorization: Impersonation/Delegation Model • Client identity is used to access downstream resources (diagram: identities A, B, and C shown at both the Web or application server and the database or other resource server)
Demonstration 2: IIS Authentication Techniques • Using Anonymous Authentication • Using Basic Authentication • Using Integrated Windows Authentication
Agenda • The Importance of Application Security • Security Technologies • Secure Development Guidelines
Proactive Security Development • Integrate security improvements throughout the development process • Focus on security and ensure your code can withstand new attacks • Promote the key role of education • Raise awareness within your team • Learn from your mistakes and others’ mistakes
Adopt the SD3 Security Framework • Secure by Design: build threat models; conduct code reviews, penetration tests; run code with minimal privileges • Secure by Default: minimize your attack surface; enable services securely • Secure in Deployment: leverage the security best practices; create security guidance; build tools to assess application security
Session Summary • The Importance of Application Security • Security Technologies • Secure Development Guidelines
For More Information • Microsoft Security Site (all audiences) • http://www.microsoft.com/security • MSDN Security Site (developers) • http://msdn.microsoft.com/security • TechNet Security Site (IT professionals) • http://www.microsoft.com/technet/security