
Essentials of Application Security

Essentials of Application Security. Rames Gantanant Puumsoft, Director of Business Solutions Microsoft, Regional Director Thailand. What We Will Cover. The Importance of Application Security Security Technologies Secure Development Guidelines. Session Prerequisites.


Presentation Transcript


  1. Essentials of Application Security Rames Gantanant Puumsoft, Director of Business Solutions Microsoft, Regional Director Thailand

  2. What We Will Cover • The Importance of Application Security • Security Technologies • Secure Development Guidelines

  3. Session Prerequisites • Development experience with Microsoft Visual Basic®, Microsoft Visual C++®, or C# • Level 200

  4. Agenda • The Importance of Application Security • Security Technologies • Secure Development Guidelines

  5. Common Types of Attacks • Organizational attacks • Automated attacks • Accidental breaches in security • Denial of service (DoS) • Viruses, Trojan horses, and worms (Diagram labels: Attackers, Restricted Data, DoS, Connection Fails)

  6. Consequences of Poor Security • Stolen intellectual property • System downtime • Lost productivity • Damage to business reputation • Lost consumer confidence • Severe financial losses due to lost revenue

  7. Challenges When Implementing Security • Attackers vs. Defenders: Attacker needs to understand only one vulnerability; Defender needs to secure all entry points; Attackers have unlimited time; Defender works with time and cost constraints • Security vs. Usability: Secure systems are more difficult to use; Complex and strong passwords are difficult to remember; Users prefer simple passwords • Security As an Afterthought ("Do I need security…"): Developers and management think that security does not add any business value; Addressing vulnerabilities just before a product is released is very expensive

  8. The Developer Role in Application Security • Developers must: • Work with solution architects and systems administrators to ensure application security • Contribute to security by: • Adopting good application security development practices • Knowing where security vulnerabilities occur and how to avoid them • Using secure programming techniques

  9. Holistic Approach to Security • Security must be considered at: • All stages of a project • Design • Development • Deployment • All layers • Network • Host • Application “Security is only as good as the weakest link”

  10. Security Throughout Project Lifecycle • Milestones: Concept, Designs Complete, Test Plans Complete, Code Complete, Ship, Post-Ship • Activities: Secure questions during interviews; Train team members; Analyze threats; Determine security sign-off criteria; External review; Security team review; Data mutation and least privilege tests; Review old defects, check-ins checked, secure coding guidelines, use tools; Security push; Learn and refine (Diagram legend: = ongoing)

  11. Practices for Improving Security

  12. Agenda • The Importance of Application Security • Security Technologies • Secure Development Guidelines

  13. Overview of Security Technologies • Developers need to use and apply: • Encryption • Hashing • Digital signatures • Digital certificates • Secure communication • Authentication • Authorization • Firewalls • Auditing • Service packs and updates

  14. Encryption • Encryption is the process of encoding data • To protect a user’s identity or data from being read • To protect data from being altered • To verify that data originates from a particular user • Encryption can be: • Asymmetric • Symmetric

  15. Symmetric vs. Asymmetric Encryption

  16. Verifying Data Integrity with Hashes • User A sends data and hash value to User B • If hash values match, data is valid (Diagram: User A: Data, Hash Algorithm, Hash Value; User B: Data, Hash Algorithm, Hash Value, compared with the received Hash Value)

  17. How Digital Certificates Work (Diagram labels: User, Computer, Service, Application; Private/Public Key Pair; Private Key; Public Key; Certification Authority; Certified Administrator)

  18. Secure Communication: Technologies • Technologies include: • IPSec • SSL • TLS • RPC encryption (Diagram labels: IPSec, RPC Encryption, SSL/TLS)

  19. Secure Communication: How SSL Works • Step 1: The user browses to a secure Web server by using HTTPS • Step 2: The browser creates a unique session key and encrypts it by using the Web server's public key, which is generated from the root certificate • Step 3: The Web server receives the session key and decrypts it by using the server's private key • Step 4: After the connection is established, all communication between the browser and Web server is secure (Diagram labels: Secure Browser, Secure Web Server, Web Server Root Certificate, Message, HTTPS)

  20. Demonstration 1: SSL Server Certificates • Viewing a Web Site on a Non-Secure Server • Generating a Certificate Request • Requesting a Trial Certificate • Installing the SSL Certificate • Testing the SSL Certificate

  21. Authentication: Purpose of Authentication • Verifies the identity of a principal by: • Accepting credentials • Validating those credentials • Secures communications by ensuring your application knows who the caller is • Encrypting the data is not enough!

  22. Authentication: Authentication Methods • Basic • Digest • Digital certificates • Integrated • The Kerberos version 5 protocol • NTLM • Microsoft Passport • Biometrics

  23. Authentication: Basic Authentication • Is simple but effective • Is supported by all major browsers and servers • Is easy to program and set up • Manages user credentials • Requires SSL/TLS

  24. Authentication: When to Use Integrated Authentication (Decision flowchart. Questions, in order: Intranet? Windows 2000 or later? Active Directory Domain? Outcomes: Cannot use Integrated Authentication; NTLM; Kerberos. Other labels: Client, Firewall, Windows Integrated, Server Authentication, Client and Server Authentication)

  25. Authorization: What is Authorization? • Authorization: • Occurs after your client request is authenticated • Is the process of confirming that an authenticated principal is allowed access to specific resources • Checks rights assigned to files, folders, registry settings, applications, and so on • Can be role-based • Can be code-based

  26. Authorization: Common Authorization Techniques • IIS Web permissions (and IP/DNS restrictions) • .NET role-based security • .NET code access security • NTFS access control lists (ACL) • SQL Server logins • SQL Server permissions

  27. Authorization: Impersonation/Delegation Model • Client identity is used to access downstream resources (Diagram labels: Web or Application Server; Database or other resource server; identities A, B, C shown at each)

  28. Demonstration 2: IIS Authentication Techniques • Using Anonymous Authentication • Using Basic Authentication • Using Integrated Windows Authentication

  29. Demo 2: IIS Authentication Result

  30. Agenda • The Importance of Application Security • Security Technologies • Secure Development Guidelines

  31. Proactive Security Development • Integrate security improvements throughout the development process • Focus on security and ensure your code can withstand new attacks • Promote the key role of education • Raise awareness within your team • Learn from your mistakes and others' mistakes

  32. Adopt the SD3 Security Framework • Secure by Design: Build threat models; Conduct code reviews, penetration tests; Run code with minimal privileges • Secure by Default: Minimize your attack surface; Enable services securely • Secure in Deployment: Leverage the security best practices; Create security guidance; Build tools to assess application security

  33. Session Summary • The Importance of Application Security • Security Technologies • Secure Development Guidelines

  34. For More Information • Microsoft Security Site (all audiences) • http://www.microsoft.com/security • MSDN Security Site (developers) • http://msdn.microsoft.com/security • TechNet Security Site (IT professionals) • http://www.microsoft.com/technet/security
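
The check on slide 16 (recompute the hash and compare), as an added Python example that is not part of the original presentation. It goes one step beyond the slide by running the same check with a keyed hash (HMAC-SHA256), because an unkeyed hash sent alongside the data only detects accidental changes. The pre-shared key, the sample messages and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def hash_value(data: bytes) -> str:
    """Unkeyed SHA-256 digest, the 'hash value' of slide 16."""
    return hashlib.sha256(data).hexdigest()


def verify_hash(data: bytes, received: str) -> bool:
    """User B: recompute the hash and compare with the value received."""
    return hmac.compare_digest(hash_value(data), received)


def mac_value(key: bytes, data: bytes) -> str:
    """Keyed variant: HMAC-SHA256 under a key only User A and User B hold."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, received: str) -> bool:
    """User B: recompute the HMAC with the shared key and compare."""
    return hmac.compare_digest(mac_value(key, data), received)


def run_checks() -> dict:
    key = secrets.token_bytes(32)   # assumed pre-shared key
    sent = b"order=42;qty=1"        # constructed sample message
    changed = b"order=42;qty=9"     # the same message altered in transit
    return {
        # Slide 16 scheme: the values match when the data arrives intact ...
        "hash_intact": verify_hash(sent, hash_value(sent)),
        # ... and do not match when only the data changed.
        "hash_data_changed": verify_hash(changed, hash_value(sent)),
        # If data and hash were both replaced, the unkeyed check still
        # passes, because anyone can recompute SHA-256 over the new data.
        "hash_both_replaced": verify_hash(changed, hash_value(changed)),
        # Keyed check: intact data verifies ...
        "mac_intact": verify_mac(key, sent, mac_value(key, sent)),
        # ... a changed message with the old tag is rejected ...
        "mac_data_changed": verify_mac(key, changed, mac_value(key, sent)),
        # ... and so is a value recomputed without the key.
        "mac_both_replaced": verify_mac(key, changed, hash_value(changed)),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:20} {'valid' if ok else 'rejected'}")
```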
