Application Security Part 1 Threat Defense In Client Server Applications With .NET

Application Security? Not Physical Security Not Network Security Not Just Protocol Security (i.e. SSL / HTTPS) Not CAS – at least not directly Coding Practices and Techniques

Who are the Attackers? Disgruntled staff or developers “ Drive by” attacks, such as side effects or direct consequences of a virus, worm or Trojan attack Motivated criminal attackers, such as organized crime Criminal attackers without motive against your organization, such as defacers Script kiddies

Application Security – Part 1 Tonight’s Focus – Protecting against common application attacks Threat Modeling Types of Attacks Defenses against Attacks Tools and Resources

Threat Modeling Identifying points of your application that are subject to attack Create overview of the application architecture Document Trust Boundaries Identify the assets that need protecting Document the application entry points Document the application’s trust levels Decompose the application with DFDs Identify and Rank Threats Build an attack tree for each threat

Threat Modeling – Classify Threats STRIDE - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/thcmch03.asp Spoofing identity Tampering with data Repudiation Information disclosure Denial of service Elevation of privilege

Threat Modeling – Ranking Threats DREAD – Threat ranking http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/thcmch03.asp Damage Potential How great is the damage if the vulnerability is exploited? Reproducibility How easy is it to reproduce the attack? Exploitability How easy is it to launch an attack? Affected Users As a rough percentage, how many users are affected? Discoverability How easy is it to find the vulnerability?

Common Application Attacks Authentication Attacks Buffer Overruns Circumvention of expected logic flow Cross-Site Scripting (XSS) Denial of Service HTML Injection Input Manipulation Attacks LDAP Injection Message Replay Repudiation SQL Injection

Authentication Attack Types of applications vulnerable: All requiring authentication

Authentication Attack Brute Force & Dictionary Attacks Mitigate by Require strong passwords Store passwords as salted, non-reversible hashes Use the new SecureString class to hold password values Account lockout with multiple failed login attempts Don’t reveal that the account is locked out. This only assists the attacker by telling them they have guessed an account name correctly. Upon a failed login, do not reveal which part of a login was incorrect. Utilize multi-factor authentication. Keep logs of login attempts, successful and failed. Monitor logs for patterns of hacking attempts.

Authentication Attack Session Hijacking Types of applications vulnerable: Any utilizing Sessions keys over a communication channel Mitigate by Using encrypted communication channel (SSL / HTTPS or encrypted TCP/IP Channel for Remoting) Incorporating session timeouts at the lowest tolerable level Timeout attribute in the web.config <sessionstate>

Authentication Attack Credential Theft Mitigate by Utilizing two-factor / multi-factor authentication However, read Bruce Schneier’s caveats at http://www.schneier.com/blog/archives/2005/04/more_on_twofact.html

Authentication Attack Resources Strong Passwords http://www.microsoft.com/athome/security/privacy/password.mspx https://www.grc.com/passwords Extreme example! How can I store passwords in a custom user database (Hashing and Salting) http://msdn.microsoft.com/msdnmag/issues/03/08/SecurityBriefs/ Secure Password Programming with .NET http://www.developersdex.com/gurus/articles/829.asp ASP.NET Membership API http://msdn.microsoft.com/msdnmag/issues/05/11/Membership/default.aspx Using the New Security Controls in ASP.NET 2.0 http://www.devx.com/codemag/Article/29353?trk=DXRSS_LATEST Wikipedia on Two-Factor Authentication http://en.wikipedia.org/wiki/Two-factor_authentication RSA’s SecureID (not a product endorsement – just an example of an two-factor authentication product) http://www.rsasecurity.com/node.asp?id=1156

Buffer Overflow Attacks Types of applications vulnerable: Unmanaged Mitigate by Use 100% Managed Code Careful use of non-managed code when necessary

Circumvention of Expected Logic Flow Attack Types of applications vulnerable: ASP.NET, WinForms w/ an Application Server, Web Services Mitigate by Careful management of session / state information Don’t trust the client Authorize every action / transaction / message

Cross Site Scripting Attack (XSS) Types of applications vulnerable: ASP.NET Mitigate by: HTML Encoding or URL Encoding all text and parameter output. Demo Resources Microsoft Anti-Cross Site Scripting Library V1.0 http://www.microsoft.com/downloads/details.aspx?familyid=9a2b9c92-7ad9-496c-9a89-af08de2e5982&displaylang=en Allows only known “good” text. Encodes all other text. This contrasts with the corresponding methods in the HttpUtility class which targets known “bad” text. CERT Advisory http://www.cert.org/advisories/CA-2000-02.html

Exception Management Mitigate by: Standardize error handling code ASP.NET custom error page Last-chance exception catching Log detailed data needed for problem diagnosis.

HTML Injection Attack The purpose of HTML Injection is for site defacement. Types of applications vulnerable: ASP.NET Mitigate by: HTML Encoding or URL Encoding all text and parameter output – same as XSS

Input Manipulation Attack & Trusting the Client’s Authorization Types of applications vulnerable: ASP.NET, WinForms w/ an Application Server, Web Services Items subject to Input Manipulation ASP.NET ViewState POST / GET Fields including hidden Fields Cookies ALL input!

Input Manipulation Attack & Trusting the Client’s Authorization Mitigate by Checking Data for Validity Constrain Reject Sanitize Centralized approach

Trust Boundary Chokepoints Use chokepoints between Trust Boundaries Channel all input (and output) through the chokepoints

LDAP Injection Attack Types of applications vulnerable: All using LDAP server for authentication and/or authorization data SPI Dynamics White Paper - http://www.spidynamics.com/whitepapers/LDAPinjection.pdf

Message Replay Types of applications vulnerable: ASP.NET, WinForms w/ an Application Server, Web Services Mitigate by Uniquely identifying messages with a signature. Cache messages for a period of time. Check new messages signatures against the cache and reject duplicates. Resources Implementing Message Replay Detection in WSE 3.0 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/wss_ch5_impmsgreplaydet_wse30.asp

Repudiation Types of applications vulnerable: All Mitigate by Strong authentication Logging transactions with user information. Message digital signatures Bad example – ARS to iSeries SPs Resources Definition: http://en.wikipedia.org/wiki/Non-repudiation

SQL Injection Attack Occurs when your application uses input to construct dynamic SQL statements to access the database. Types of applications vulnerable: All using SQL-based databases

SQL Injection Attack Mitigate by: Employing the principal of least privilege to database server access Using stored procedures SqlDataAdapter myCommand = new SqlDataAdapter("AuthorLogin", conn); myCommand.SelectCommand.CommandType = CommandType.StoredProcedure; SqlParameter parm = myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11); parm.Value = Login.Text;

SQL Injection Attack Using parameterized queries SqlDataAdapter myCommand = new SqlDataAdapter( "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id", conn); SqlParameter parm = myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11); parm.Value = Login.Text; Escape user input used in dynamic queries private string SafeSqlLiteral(string inputSQL) { return inputSQL.Replace("'", "''"); }

SQL Injection Attack Resources SPI Dynamics Whitepaper http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf Stop SQL Injection Attacks Before They Stop You http://msdn.microsoft.com/msdnmag/issues/04/09/sqlinjection/default.aspx How To: Protect From SQL Injection in ASP.NET http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000002.asp Improving Web Application Security: Threats and Countermeasures: Chapter 14 – Building Secure Data Access http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp

Resources Organizations and Web Sites Open Web Application Security Project http://www.owasp.org – Generally focused http://www.owasp.net - .NET focused but light on content SecurityFocus http://www.securityfocus.com Institute for Security and Open Methodologies http://www.isecom.org

Resources Threat Modeling MSDN Patterns and Practices - Improving Web Application Security: Threats and Countermeasures http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp MS Threat Modeling Tool http://www.microsoft.com/downloads/details.aspx?FamilyID=62830f95-0e61-4f87-88a6-e7c663444ac1&displaylang=en MS Threat Modeling Security Home http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx Microsoft Application Threat Modeling Blog http://blogs.msdn.com/threatmodeling/ Larry Osterman’s Blog – Security Category http://blogs.msdn.com/larryosterman/archive/category/5905.aspx Threat Modeling chapter in Writing Secure Code Threat Modeling chapter in The .NET Developer's Guide to Windows Security OWASP Guide chapter on “THREAT RISK MODELING”

Resources Books and Papers Writing Secure Code (Michael Howard, David LeBlanc) http://www.amazon.com/gp/product/0735617228/qid=1141268042/sr=11-1/ref=sr_11_1/102-8030941-6365719?s=books&v=glance&n=283155 The .NET Developer's Guide to Windows Security (Keith Brown) http://www.amazon.com/gp/product/0321228359/qid=1141268134/sr=11-1/ref=sr_11_1/102-8030941-6365719?s=books&v=glance&n=283155 OWASP Guide to Building Secure Web Applications and Web Services 2.0 http://www.owasp.org/documentation/guide.html OWASP Top Ten Project http://www.owasp.org/documentation/topten.html

Resources Mailing Lists Penetration Testing and Web Application Security lists at SecurityFocus.com http://www.securityfocus.com/archive

Resources Testing Tools Web and Web Services Microsoft Fiddler http://www.fiddlertool.com/fiddler/ Paros Proxy http://www.parosproxy.org TamperIE http://www.bayden.com/other/ SPI Dynamics http://www.spidynamics.com (commercial tools)

Resources Web Casts Microsoft Digital Blackbelt Security Series http://www.microsoft.com/events/series/digitalblackbelt.mspx Writing Secure Code – Threat Defense http://msevents.microsoft.com/cui/eventdetail.aspx?eventid=1032253724&culture=en-us

Resources Blogs Anil John http://www.securesoa.com/blog/default.aspx J.D. Meier http://blogs.msdn.com/jmeier/default.aspx Especially enjoyable – Security approaches that don’t work http://blogs.msdn.com/jmeier/archive/2005/10/11/479490.aspx .NET Security Blog http://blogs.msdn.com/shawnfa/default.aspx Michael Howard http://blogs.msdn.com/michael_howard/default.aspx

Resources Practice Applications OWASP WebGoat (http://www.owasp.org/software/webgoat.html) Maven Security WebMaven (http://www.mavensecurity.com/webmaven) FoundStone http://www.foundstone.com/resources/freetools.htm) HacmeBank - The Hacme Books application simulates a ‘real-world’ eCommerce bookstore. HacmeBooks - Hacme Bank™ is designed to teach application developers, programmers, architects and security professionals how to create secure software. Hacme Bank simulates a "real-world" online banking application.

Resources Other Documents and Articles Writing Secure Code on MSDN http://msdn.microsoft.com/security/securecode/default.aspx patterns & practices Security Guidance for Applications Index http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/SecurityGuidanceIndex.asp patterns & practices Security How Tos Index http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/SecurityHowTosIndex.asp Microsoft Developer Security Resource Kit http://msdn.microsoft.com/security/securityreskit/default.aspx Secure Coding Guidelines for the .NET Framework http://msdn.microsoft.com/security/securecode/bestpractices/default.aspx?pull=/library/en-us/dnnetsec/html/seccodeguide.asp Visual Studio 2005 Security Features and Tools http://msdn.microsoft.com/security/vs2005security/default.aspx Security Enhancements in the .NET Framework 2.0 http://msdn.microsoft.com/msdnmag/issues/06/00/SecurityBriefs/default.aspx Using the New Security Controls in ASP.NET 2.0 http://www.devx.com/codemag/Article/29353?trk=DXRSS_LATEST Security Headaches? Take ASP.NET 2.0! (Keith Brown) http://msdn.microsoft.com/msdnmag/issues/04/06/ASPNET20Security/ The Trustworthy Computing Security Development Lifecycle http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp ASP.NET Security: 8 Ways to Avoid Attack http://www.devx.com/security/Article/20898/0/page/1 Web Service Security: Scenarios, Patterns, and Implementation Guidance: Home http://www.gotdotnet.com/codegallery/codegallery.aspx?id=67f659f6-9457-4860-80ff-0535dffed5e6

Resources Code Libraries Microsoft Anti-Cross Site Scripting Library V1.0 http://www.microsoft.com/downloads/details.aspx?familyid=9a2b9c92-7ad9-496c-9a89-af08de2e5982&displaylang=en Training Security Training Modules (beta) http://channel9.msdn.com/wiki/default.aspx/SecurityWiki.SecurityTrainingModules

Principals Least Privilege http://en.wikipedia.org/wiki/Principle_of_least_privilege http://web.mit.edu/Saltzer/www/publications/protection/ Defense in Depth http://en.wikipedia.org/wiki/Defense_in_depth Incorporate security into your entire SDLC Train your developers in secure coding practices and give them patterns to follow Learn to think like an attacker Jack of all trades quiz http://www.isecom.org/projects/jack.shtml

Application Security Part 1 Threat Defense In Client Server Applications With .NET

More Related Content

What's hot (20)

Similar to Application Security Part 1 Threat Defense In Client Server Applications With .NET (20)

More from Greg Sohl (11)

Recently uploaded (20)

Application Security Part 1 Threat Defense In Client Server Applications With .NET