Developing Secure Code on the Microsoft Platform - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Developing Secure Code on the Microsoft Platform
  • Anil Revuru, Microsoft ACE Team
  • Steve Yi, Microsoft ISV Architecture Advisor

2
Introductions
  • Steve Yi
  • Microsoft ISV Architecture Advisor
  • steveyi@microsoft.com
  • http://blogs.msdn.com/steveyi
  • Anil Revuru
  • Microsoft ACE Team
  • Anil.revuru@microsoft.com
  • http://blogs.msdn.com/ace_team

3
Agenda
  • Introduction
  • Microsoft ACE Team
  • SDL: Security Development Lifecycle
  • Threat Modeling
  • Web Applications
  • Application Configuration
  • SQL Server
  • Authentication & Authorization
  • Resources
  • Next Steps
  • Q&A

4
Who is the ACE Team?
  • ACE Team: Application Consulting & Engineering
  • Technologists that provide services in the areas
    of security, privacy & performance
  • Team enforces the ASAP process in Microsoft
  • ASAP - Application Software Assurance Program
  • Process to ensure security & privacy standards
    are met by Line of Business applications.
  • ACE Services - Services arm of ACE Team

5
Security Development Lifecycle
  • Objective
  • Identify and ensure resolution of
    security/privacy vulnerabilities found in
    applications
  • Enable Application Risk Management
  • Strategic
  • Tactical
  • Operational
  • Legal

6
SDL Inputs & Outputs
  • Inputs
  • Application Information
  • Design Documents
  • Source Code
  • Server Information
  • Outputs
  • Bugs logged in security/privacy database
  • Exception Requests

7
SDL & SDLC
  • Designed to be in line with the Software
    Development Lifecycle
  • SDL
  • Risk Assessment
  • Threat Model
  • Internal Review
  • Assess
  • Assess
  • SDLC
  • Envision
  • Design
  • Develop
  • Test
  • Release

8
SDL Risk Assessment
  • SDLC Envision → SDL Risk Assessment
  • Objective
  • System Inventory
  • Determine application risk categorization
  • High Risk Security/Privacy Release:
  • Compulsory threat model/design review, white box
    code review and host level scan
  • Medium Risk Security/Privacy Release:
  • White box code review and host level scan
  • Low Risk Security/Privacy Release:
  • Host level scan

9
SDL Threat Model / Design Review
  • SDLC Design → SDL Threat Model
  • Objective
  • Consistent methodology for objectively evaluating
    threats to applications
  • Review application design to verify compliance
    with security standards and best practices
  • Verify application meets application principles
  • Confidentiality & Integrity
  • Authentication & Authorization
  • Availability
  • Non-repudiation

10
SDL Threat Modeling
  • Review security checklist/policy
  • Team concludes self code review and attack and
    penetration testing
  • DEMONSTRATION
  • Microsoft Threat Analysis & Modeling v2.0 Beta 2

11
SDL Internal Review
  • SDLC Develop SDL Internal Review
  • Review security checklist/policy
  • Team concludes self code review and attack and
    penetration testing

12
SDL Assessment
  • SDLC Testing → SDL Pre-Production Assessment
  • Objective
  • Low Risk Applications
  • Host Level Scan: Windows, IIS, SQL
  • Medium/High Risk Applications
  • Host Level Scan
  • White Box Code Review

13
SDL White Box Code Review
  • Process
  • Application team provides source code
  • Analysts review application code uncovering
    security vulnerabilities
  • Vulnerabilities logged in bug database
  • Application team addresses all Severity 1 bugs
    prior to release

14
Common Attack Patterns
  • White Box Code Review may reveal
  • Cross-Site Scripting vulnerabilities
  • SQL Injection
  • Buffer Overflow
  • Poor Authorization Controls
  • Secrets Stored in Clear Text

15
Securing Web Applications
  • Cross Site Scripting
  • A technique allowing hackers to
  • Appear to re-write the text of your web site
  • Abuse the user's trust in your site to
  • Steal web session info and cookies
  • Hijack client sessions
  • Potentially access the computer
  • Execute ActiveX controls

16
Securing Web Applications
  • Cross Site Scripting Defense
  • Input validation: 1st line of defense
  • Output encoding
  • Platform features
  • Server.HtmlEncode() doesn't always protect
  • Use Anti-XSS (properly implemented)

Context: Non-persistent XSS. The product search
feature of WIDGETCO displays the searchstring
input without sanitizing or encoding.
Bad code:
    someLabel.Text = "Results for " + searchstring;
Mitigation using Anti-XSS:
    someLabel.Text = "Results for " + AntiXSS.EncodeHtml(searchstring);
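The two lines of defense from slide 16 (whitelist validation first, context-specific output encoding second), written out as an added example that is not part of the slides. It assumes the project references the Microsoft AntiXSS library (namespace Microsoft.Security.Application); WIDGETCO's search term rules are a constructed assumption.

```csharp
using System;
using System.Text.RegularExpressions;
using Microsoft.Security.Application;   // AntiXSS library, assumed referenced by the project

public static class SearchResultsRenderer
{
    // 1st line of defense: whitelist the shape of a product search term (constructed rule).
    // The apostrophe is allowed on purpose (names like "O'Neil") so that the encoder,
    // not the validator, has to deal with it.
    private static readonly Regex SearchTermPattern =
        new Regex(@"^[A-Za-z0-9 '\-_.]{1,64}$", RegexOptions.Compiled);

    public static bool IsValidSearchTerm(string term)
    {
        return term != null && SearchTermPattern.IsMatch(term);
    }

    // Label.Text is rendered as raw HTML, so the term must be encoded for element content.
    // AntiXss.HtmlEncode encodes everything outside its safe list, including the
    // apostrophe that Server.HtmlEncode in ASP.NET 2.0 leaves untouched.
    public static string BuildResultsLabel(string searchstring)
    {
        if (!IsValidSearchTerm(searchstring))
            return "Results for (invalid search term)";   // reject, never "clean up"

        return "Results for " + AntiXss.HtmlEncode(searchstring);
    }

    // Echoing the term back into the search box is a different output context:
    // attribute values need attribute encoding, not element encoding.
    public static string BuildSearchBoxValueAttribute(string searchstring)
    {
        string safe = IsValidSearchTerm(searchstring) ? searchstring : string.Empty;
        return "value=\"" + AntiXss.HtmlAttributeEncode(safe) + "\"";
    }
}
```

Validation alone would already stop `<script>` here; the encoder is kept because the whitelist will be relaxed one day and the output context, not the input rule, decides what is dangerous.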
17
Securing Web App Config
  • Secure sensitive configuration information in
    Web.config
  • Configuration Sections
  • <appSettings>: custom application settings.
  • <connectionStrings>: connection strings.
  • <identity>: impersonation credentials.
  • <sessionState>: connection string for the
    out-of-process session state provider.
  • How To: Encrypt Configuration Sections in ASP.NET
    2.0
  • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000006.asp

18
Securing Web App Config
  • aspnet_regiis -pe "SectionName" -app
    "/FolderName" -prov "ProviderName"
  • DPAPI: DataProtectionConfigurationProvider
  • RSA: RSAProtectedConfigurationProvider
  • Accessing config data remains the same
  • WebConfigurationManager.ConnectionStrings["MyLocalSQLServer"].ConnectionString
  • WebConfigurationManager.AppSettings["presenter1"]
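The same protection the aspnet_regiis -pe command applies, done from code with the System.Configuration API, as an added example that is not from the slides. The virtual path "/MyApp" and the section names are assumptions; the provider names are the two listed on the slide.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtector
{
    // Encrypts one Web.config section in place with the named protected-configuration
    // provider. Returns true if this call did the encryption, false if it was already done.
    public static bool ProtectSection(string appVirtualPath, string sectionName, string providerName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("Section not found: " + sectionName);

        if (section.SectionInformation.IsProtected)
            return false;   // idempotent: leave an already-encrypted section alone

        section.SectionInformation.ProtectSection(providerName);
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reading is identical before and after encryption; the runtime decrypts on access,
    // so no plaintext copy of the secret has to live in application code.
    public static string GetConnectionString(string name)
    {
        ConnectionStringSettings settings = WebConfigurationManager.ConnectionStrings[name];
        if (settings == null)
            throw new ArgumentException("No connection string named " + name);
        return settings.ConnectionString;
    }
}

// Constructed usage, e.g. from a deployment tool running on the web server:
// ConfigProtector.ProtectSection("/MyApp", "connectionStrings", "DataProtectionConfigurationProvider");
// ConfigProtector.ProtectSection("/MyApp", "appSettings", "DataProtectionConfigurationProvider");
```

DPAPI keys are bound to the machine (or user) that encrypted the section, so a Web.config encrypted this way cannot be copied to another server; for a web farm use RSAProtectedConfigurationProvider with the same RSA key container imported on every node.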

19
Securing Databases
  • SQL Injection
  • Supplying carefully crafted input to alter (or
    create) SQL statements
  • If ID is read directly from a Web or Windows form,
    the user could enter any of the following
  • ALFKI1001
  • ALFKI1001' OR 1=1--

    sqlString = "SELECT HasShipped FROM" + " OrderDetail WHERE OrderID = '" + ID + "'";
20
Securing Databases
  • SQL Injection Defense
  • Abandon Dynamic SQL
  • Use Stored Procedures or SQL parameterized
    queries
  • Sanitize all input
  • Mitigation using stored procedures

    SqlParameter parameterCategoryID = new SqlParameter("@CategoryID", SqlDbType.Int, 4);
    myCommand.Parameters.Add(parameterCategoryID);
    SqlDataReader result = myCommand.ExecuteReader(CommandBehavior.CloseConnection);

    CREATE PROCEDURE CMRC_ProductsByCategory
    (@CategoryID int)
    AS
    SELECT ProductID, ModelName, UnitCost, ProductImage
    FROM CMRC_Products WHERE CategoryID = @CategoryID
    ORDER BY ModelName, ModelNumber
    GO
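The OrderDetail query from slide 19 and the CMRC_ProductsByCategory call from slide 20, completed into runnable ADO.NET methods as an added example that is not the slides' own code. The vulnerable builder is kept only to show what the parameterized versions replace; column types (OrderID as nvarchar(20), HasShipped as bit) and the connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class OrderRepository
{
    // Slide 19 pattern: the ID becomes part of the statement text, so an ID containing a
    // quote changes which rows the query returns. Kept here for comparison only.
    public static string BuildShippedQueryUnsafe(string id)
    {
        return "SELECT HasShipped FROM OrderDetail WHERE OrderID = '" + id + "'";
    }

    // Parameterized query: the statement text is fixed and the value travels separately.
    public static bool? HasShipped(string connectionString, string orderId)
    {
        // Input is guilty until proven otherwise (slide 21): enforce the expected shape first.
        if (string.IsNullOrEmpty(orderId) || orderId.Length > 20)
            throw new ArgumentException("Invalid order id");

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT HasShipped FROM OrderDetail WHERE OrderID = @OrderID", conn))
        {
            cmd.Parameters.Add("@OrderID", SqlDbType.NVarChar, 20).Value = orderId;
            conn.Open();
            object result = cmd.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? (bool?)null : (bool)result;
        }
    }

    // Stored-procedure form of slide 20: CommandType.StoredProcedure means the command
    // text is only a procedure name, and @CategoryID is a typed int, not text.
    public static SqlDataReader ProductsByCategory(string connectionString, int categoryId)
    {
        SqlConnection conn = new SqlConnection(connectionString);
        SqlCommand cmd = new SqlCommand("CMRC_ProductsByCategory", conn);
        cmd.CommandType = CommandType.StoredProcedure;
        cmd.Parameters.Add("@CategoryID", SqlDbType.Int, 4).Value = categoryId;
        conn.Open();
        // CloseConnection: the caller disposes the reader, which closes the connection.
        return cmd.ExecuteReader(CommandBehavior.CloseConnection);
    }
}
```

Both hardened methods also satisfy the least-privilege bullet that follows: the account in the connection string needs only EXECUTE on the procedure or SELECT on the one table, never sa.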

21
Securing Databases
  • Consider all input guilty until proven
    otherwise
  • Run with least privilege, never as sa
  • Restrict access to built-in stored procedures
  • Do not display ODBC errors

22
Securing Database Info
  • Encrypt sensitive data
  • Social Security Numbers
  • Credit Card info
  • HIPAA Compliance
  • SQL Server 2005
  • Request/Response encrypted by default
  • Native in-database encryption
  • Certificate-based, asymmetric and symmetric
    encryption
  • SQL Server 2005 Books Online

23
Securing Authorization & Authentication
Security Application Block
  • Encapsulate common application security tasks
  • Present a standard, provider model for common
    security tasks
  • Minimize the need for custom security-related
    code
  • Incorporate best practices for application
    security

Diagram: Security Application Block components. Authorization: Client Code, Authorization Factory, IAuthorizationProvider (Authorization Rule Provider, AzMan Authorization Provider); Security Cache Factory, ISecurityCacheProvider (Caching Store Provider, built on the Caching Application Block). ASP.NET: Membership and Membership Provider (ActiveDirectory Membership Provider, Sql Membership Provider); Profile and Profile Provider (Sql Profile Provider).
24
Microsoft ACE Team
  • Services Offered
  • Application Security Code Review
  • Threat Modeling / Design Reviews
  • Training
  • Secure Application Development
  • Threat Modeling (coming soon)
  • Infrastructure Hacking (coming soon)
  • Assistance with developing and deploying SDL
    within your environment & solutions

25
Resources
  • ACE Team Blog
  • http://blogs.msdn.com/ace_team/default.aspx
  • Application Threat Modeling
  • http://msdn.microsoft.com/security/securecode/threatmodeling/acetm/
  • Microsoft Threat Analysis and Modeling v2.0 Beta 2
  • http://www.microsoft.com/downloads/details.aspx?familyid=aa5589bd-fb2c-40cf-aec5-dc4319b491dd&displaylang=en
  • Custom data sources
  • Developer Security Resource Kit
  • http://msdn.microsoft.com/security/securityreskit/default.aspx
  • MSPress: Writing Secure Code
  • http://www.microsoft.com/mspress/books/5957.asp
  • Enterprise Library 2.0
  • http://msdn.microsoft.com/practices/

26
Next Steps & Conclusion
  • Learn More
  • Align your development processes and organization
    to develop secure code
  • Iterate and improve
  • Iterate and improve
  • Iterate and improve

27
Windows Vista Code Master Challenge
  • Developers and ISVs: Build the best new
    application with Windows Vista to win $50,000!
    There are no limits to what you can create, and
    the app is yours to keep or sell. We won't ever
    ask for your coding secrets.
  • Prizes
  • Grand prize: $50,000
  • 1st prize: $30,000
  • 2nd prize: $20,000
  • 3rd prize: $15,000
  • 20 Finalists: $500 each
  • You don't need a completed app to sign up; you
    have until July 31 to finish coding. Register
    today, and we'll give you the tools you need to
    become a Code Master!
  • www.codemasterchallenge.com

28
ISV Developer Training Online, Any Time
  • ISV Touchdown Web Seminars
  • New content monthly
  • Available with live QA or on-demand
  • www.isvwebseminars.com
  • ISV Touchdown Virtual Labs
  • Twenty-five 90 minute labs to choose from
  • No complex set up or installation
  • www.touchdownvirtuallabs.com

29
Additional Resources for ISVs
  • Visit the U.S. ISV Website
  • https://www.microsoft.com/partner/usa/isv
  • ISV Training and Events
  • http://partner.microsoft.com/us/isvtraining
  • MSDN ISV Community Center
  • http://msdn.microsoft.com/isv

30
Microsoft Windows Vista Training! Attend a Vista
Web Seminar and Win a Dream Vacation!! For more
information and to register:
http://www.msreadiness.com/windowsvistaisv.asp