Tips and Tricks To Secure .Net Web Application - OWASP · 2020-01-17 · Tips and Tricks To Secure...

Preview:

Click to see full reader

Citation preview

Tips and Tricks To Secure .Net Web

Application

Walter Wong

Gain Secure

MVP – Developer Security

walterwws.wordpress.com

walter_wws@hotmail.com

Security Updates Operation Malaysia http://world.yes.my/?id=511&q=ytlc

Agenda

• Introduction to ASP.Net – Security Perspective

• Securing Layers Architecture

• Secure Deployment Environment

• .Net Obfuscation

Introduction to ASP.Net – Security

Perspective

• Preventing XSS input by default

• Tools ensure security level of the application

• Prevent buffer overrun by default

• Application behavior configured via

web.config

Demo Introduction to ASP.Net (Security Perspective)

Securing Layers Architecture

• Standard practice, deploy into at least 3

layers – Web Application, Business Logic,

Database

• How to ensure attackers do not by pass

second layer?

• Identity should be transfer across different

layers

Secure Web Services

• Most of the web services available internal or externally are accepting and allowing anonymous requests

• Security Token should be used to validate the request

• Recommend to use federation to secure the web services

• Microsoft way of implement Federation – Windows Identity Foundation (WIF)

Demo Secure WCF Services using WIF

Secure Application

• Web Application Configuration Analyzer

(WACA)

• Rules based driven scanner

• 3 main categories

– General Application

– IIS

– SQL

Secure Server

• Microsoft Based Security Analyzer 2.2

• Advice based on best practice for

– Windows

– SQL Server

– Desktop Application

• Explanation of

– What was scanned

– Results

– Recommend correction step

Demo Web Application Configuration Analyzer 2.0 Microsoft Baseline Security Analyzer

Obfuscation

• Microsoft.Net Framework is managed

framework

• Assemblies able to “reverse engineer” by

using tools

• Recommend to obfuscate before deploy

Demo Obfuscation

Conclusion

• Users are EVIL

• Obfuscate every deployment projects

• Developers seldom involve in IT

administrative tasks which is not healthy

• Learn how to secure application today

• Learn how to secure server and IIS

Recommended

St. Louis Days of .NET 2013: Visual Studio Tips and Tricks
Technology
QAD .NET UI – Tips n Tricks
Documents
Tricks to Secure your wordpress Site from Hackers
Technology
PK SOFTWARE TIPS & TRICKS | Secure and Powerful …
Documents
Live Webinar: E2E Transition to Net@Work & Sage 300 ERP (Accpac) Tips & Tricks
Technology
Unlimited Microsoft Azure Certification Training | Azure for .Net Developer Tutorial | Dot Net Tricks
Education
NET Windows Development - Everyday Tips, Tricks & Optimization - Krasis Press
Documents
Unlimited Azure DevOps Online Training and Certification | Azure DevOps Tutorial | Dot Net Tricks
Education
EZ-NET Tips & Tricks - etouches · EZ-NET Tips & Tricks Presented By: Ken Hopper QA Manager Co-Presenter: Bhaskar Reddy Technical Manager, Clinical Care Products
Documents
UNPACK YOUR TROUBLES: .NET PACKER TRICKS AND … · 2015-10-06 · UNPACK YOUR TROUBLES:.NET PACKER TRICKS AND COUNTERMEASURES Marcin Hartung hartung@eset.pl Eset Poland At Eset:
Documents
C# Performance Tips & Tricks .NET
Software
Visual Studio .NET Tips & Tricks
Documents
Build 2016 - B806 - Debugging Tips and Tricks for .NET Developers with Visual Studio
Technology
Smart tricks to secure good marks in board exams
Education
Top 5 .NET Metrics, Tips & Tricks - Amazon Web …...Top 5 .NET Metrics, Tips & Tricks 5 Getting Started with APM cont’dIt probably seems obvious to you that APM is important, but
Documents
Secure Dot Net Programming
Documents
Secure development in .NET with EPiServer Solita
Software
How to keep kayak fishing gear secure tips and tricks
Travel
Tips and Tricks for Building Secure Mobile Apps
Software
A Secure-Net Holiday incident
Documents