Essentials of Application Security - PowerPoint PPT Presentation

About This Presentation

Title:

Essentials of Application Security

Description:

Title: Slide 1 Subject: MGB 2003 Author: Dafydd Description: Template design: aliciad Formatter: Event Date: Event Location: Speech Length: Audience: Key Topics: – PowerPoint PPT presentation

Number of Views:174

Avg rating:3.0/5.0

Slides: 57

Provided by: Daf58

Category:

more less

Transcript and Presenter's Notes

Title: Essentials of Application Security

1
Essentials of Application Security

Name
Job Title
Company

2
What We Will Cover

The Importance of Application Security
Secure Application Development Practices
Security Technologies
Secure Development Guidelines

3
Session Prerequisites

Development experience with MicrosoftVisual
Basic , Microsoft Visual C , or C

Level 200
4
Agenda

The Importance of Application Security
Secure Application Development Practices
Security Technologies
Secure Development Guidelines

5
Trustworthy Computing

Trustworthy Computing has four pillars
Reliability means a computer system is
dependable, is available when needed, and
performs as expected and at appropriate levels.
Security means a system is resilient to attack,
and the confidentiality, integrity, and
availability of both the system and its data are
protected.
Privacy means that people can control their
personal information and organizations that use
the information faithfully protect it.
Business integrity is about companies in our
industry being responsible to customers and
helping them find appropriate solutions for their
business issues, addressing problems with
products or services, and being open in
interactions with customers.

- Bill Gates July 18, 2002
6
Connection Scenarios and Security Concerns

Connection scenarios
Traditional wired networks
Mobile workforces
Public wireless networks
Security concerns
Application reliance on the Internet
Business reliance on the Internet
Internal security attacks

7
Common Types of Attacks
8
Examples of Security Intrusions

CodeRed
ILoveYou
Nimda

Virus
Attacker
9
Consequences of Poor Security

Stolen intellectual property
System downtime
Lost productivity
Damage to business reputation
Lost consumer confidence
Severe financial losses due to lost revenue

10
Challenges When Implementing Security
11
The Developer Role in Application Security

Developers must
Work with solution architects and systems
administrators to ensure application security
Contribute to security by
Adopting good application security development
practices
Knowing where security vulnerabilities occur and
how to avoid them
Using secure programming techniques

12
Agenda

The Importance of Application Security
Secure Application Development Practices
Security Technologies
Secure Development Guidelines

13
Holistic Approach to Security

Security must be considered at
All stages of a project
Design
Development
Deployment
All layers
Network
Host
Application

Security is only as good as the weakest link
14
Security Throughout Project Lifecycle
Learn and refine
External review
Analyze threats
Secure questionsduring interviews
Determine security sign-off criteria
Security push
Concept
Ship
Post-Ship
Test PlansComplete
Designs Complete
Code Complete
Review old defects, check-ins checked secure
coding guidelines, use tools
Train team members
Data mutation and least privilege tests
Security team review
ongoing
15
The SD3 Security Framework
SD3

Secure architecture and code
Threat analysis
Vulnerability reduction

Secure by Design

Attack surface area reduced
Unused features turned off by default
Minimum privileges used

Secure by Default
Secure in Deployment

Protection Detection, defense, recovery,
management
Process How to guides, architecture guides
People Training

16
Threat Modeling

Threat modeling is
A security-based analysis of an application
A crucial part of the design process
Threat modeling
Reduces the cost of securing an application
Provides a logical, efficient process
Helps the development team
Identify where the application is most vulnerable
Determine which threats require mitigation and
how to address those threats

17
Ongoing Education

Provide training about
How security features work
How to use the security features to build secure
systems
What security vulnerabilities look like in order
to identify flawed code
How to avoid common security vulnerabilities
How to avoid repeating mistakes

18
Input Validation

Buffer overruns
SQL injection
Cross-site scripting

All input is evil until proven otherwise!
19
Demonstration 1 Buffer Overruns Bypassing
Security Checks
20
Practices for Improving Security
Practice Benefit
Adopt Threat Modeling Identifies of security vulnerabilities Increases awareness of application architecture
Train development team Avoids common security defects Correct application of security technologies
Code Review Secures code that Accesses the network Runs by default Uses unauthenticated protocols Runs with elevated privileges
Use tools More consistent testing for vulnerabilities
Use infrastructure solutions More secure with SSL/TLS and IPSec
Use component solutions More robust with CAPICOM and .NET Cryptography namespace
Migrate managed code Avoids common vulnerabilities
21
Agenda

The Importance of Application Security
Secure Application Development Practices
Security Technologies
Secure Development Guidelines

22
Overview of Security Technologies

Developers need to use and apply
Encryption
Hashing
Digital signatures
Digital certificates
Secure communication
Authentication
Authorization
Firewalls
Auditing
Service packs and updates

23
Encryption

Encryption is the process of encoding data
To protect a users identity or data from being
read
To protect data from being altered
To verify that data originates from a particular
user
Encryption can be
Asymmetric
Symmetric

24
Symmetric vs. Asymmetric Encryption
Algorithm Type Description
Symmetric Uses one key to Encrypt the data Decrypt the data Is fast and efficient
Asymmetric Uses two mathematically related keys Public key to encrypt the data Private key to decrypt the data Is more secure than symmetric encryption Is slower than symmetric encryption
25
Verifying Data Integrity with Hashes
26
Digital Signatures
If hash values match, data came from the owner of
the private key and is valid
27
How Digital Certificates Work
Private Key
User
Private/Public Key Pair
Computer
Public Key
Service
Application
Certification Authority
Certified Administrator
28
Secure CommunicationTechnologies

Technologies include
IPSec
SSL
TLS
RPC encryption

IPSec RPC Encryption
SSL/TLS
29
Secure Communication How IPSec Works
30
Secure Communication How SSL Works
Web ServerRoot Certificate
2
Message
Secure Web Server
Secure Browser
3
4
HTTPS
1
The user browses to a secure Web server by using
HTTPS The browser creates a unique session key
and encrypts it by using the Web servers public
key, which is generated from the root
certificate The Web server receives the session
key and decrypts it by using the servers private
key After the connection is established, all
communication between the browser and Web server
is secure
1
2
3
4
31
Demonstration 2 SSL Server Certificates
Viewing a Web Site on a Non-Secure
ServerGenerating a Certificate
RequestRequesting a Trial CertificateInstalling
the SSL Certificate Testing the SSL Certificate
32
AuthenticationPurpose of Authentication

Verifies the identity of a principal by
Accepting credentials
Validating those credentials
Secures communications by ensuring your
application knows who the caller is

Encrypting the data is not enough!
33
Authentication Authentication Methods

Basic
Digest
Digital signatures and digital certificates
Integrated
The Kerberos version 5 protocol
NTLM
Microsoft Passport
Biometrics

34
Authentication Basic Authentication

Is simple but effective
Is supported by all majorbrowsers and servers
Is easy to program andset up
Manages user credentials
Requires SSL/TLS

35
Authentication How Digest Authentication Works
36
Authentication Client Digital Certificates

Used in Web applications
Server secures communications using SSL/TLS with
a X.509 server certificate
Server authenticates clients using data in client
X.509 certificate, if required
Certificate authority issues a certificate for
which the server holds a root certificate
Used in distributed applications
Application uses SSL/TLS communication channel
Client and server applications authenticate using
certificates
Can be deployed on smartcards

37
Authentication When to Use Integrated
Authentication
Firewall
Intranet?
No
Cannot use Integrated Authentication
Yes
Windows 2000 Or later?
No
NTLM Server Authentication
Windows Integrated
Yes
Active Directory Domain?
No
Kerberos Client and Server Authentication
Yes
38
Authentication How to Use Kerberos Version 5
Initial Logon
Ticket-Granting Ticket
TGT
39
Demonstration 3 IIS Authentication Techniques
Using Anonymous AuthenticationUsing Basic
Authentication Using Integrated Windows
Authentication
40
AuthorizationWhat is Authorization?

Authorization
Occurs after your client request is authenticated
Is the process of confirming that an
authenticated principal is allowed access to
specific resources
Checks rights assigned to files, folders,
registry settings, applications, and so on
Can be role-based
Can be code-based

41
AuthorizationCommon Authorization Techniques

IIS Web permissions (and IP/DNS restrictions)
.NET role-based security
.NET code access security
NTFS access control lists (ACL)
SQL Server logins
SQL Server permissions

42
Authorization Impersonation/Delegation Model

Client identity is used to access downstream
resources

43
Authorization Trusted Subsystem Model

Clients are mapped to roles
Dedicated Windows service accounts are used for
each role when accessing downstream resources

44
Demonstration 4 Trusted Subsystem Model
Authorization Techniques Reviewing the
ApplicationSetting Authentication on the Web
ServerCreating Service Accounts on the Web
ServerSetting Authorization on the Database
Server
45
Firewalls

Firewalls can provide
Secure gateway to the Internet for internal
clients
Packet filtering
Circuit-level filtering
Application filtering
Auditing
Firewalls cannot provide
Protection against application-level attacks over
HTTP or HTTPS

46
Auditing

Auditing actions include tracking
Resource access and usage
Successful and unsuccessful logon attempts
Application failures
Auditing benefits include
Help for administrators to detect intrusions and
suspicious activities
Traceability for legal, non-repudiation disputes
Diagnosis of security breaches

47
Service Packs and Updates
Security update Description
Hotfix Address a single issue or a small number of issues Can be combined by using QChain
Security rollup package Multiple hotfixes packaged for easy installation
Service pack Provide major updates Cumulative set of previous updates May contain previously unannounced fixes May contain feature changes
48
Agenda

The Importance of Application Security
Secure Application Development Practices
Security Technologies
Secure Development Guidelines

49
Proactive Security Development

Integrate security improvements throughout the
development process
Focus on security and ensure your code can
withstand new attacks
Promote the key role of education
Raise awareness within your team
Learn from your mistakes and others mistakes

50
Adopt the SD3 Security Framework
Secure by Design
Build threat models Conduct code reviews,
penetration tests Run code with minimal privileges
Secure by Default
Minimize your attack surface Enable services
securely
Secure in Deployment
Leverage the security best practices Create
security guidance Build tools to assess
application security
51
Microsoft Java Virtual Machine End of Support
Alert