Developer Security
Dave Glover, Microsoft
Blog: http://blogs.msdn.com/dglover

The Gartner Group states: "Today over 70% of attacks against a company's Web site or Web application come at the 'Application Layer' not the Network or System layer."

Resources
- Stay informed about security
  - Microsoft Developers Network Security Center: http://msdn.microsoft.com/security/
  - Microsoft Security Guidance: http://www.microsoft.com/security/guidance/
- Get additional security training
  - Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security/
- Read the book: Writing Secure Code, Michael Howard and David LeBlanc, ISBN: 0-7356-1722-8
- "Threats and Counter Measures" and "Securing Web Apps and Web Services": documents available from http://msdn.microsoft.com/practices (Threats_Countermeasures.pdf)

Agenda
- Typical Attacks
- SOA and Web Services Security
- Future Directions with Indigo
- Miscellaneous
Common Application Threats (80:20 Rule)
http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh10.asp?frame=true#c10618429_004

Threat                   Example
SQL injection            Including DROP TABLE command in text typed into an input field
Cross-site scripting     Using malicious client-side script to steal cookies
Hidden-field tampering   Maliciously changing the value of a hidden field
Eavesdropping            Using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections
Session hijacking        Using a stolen session ID cookie to access someone else's session state
Identity spoofing        Using a stolen forms authentication cookie to pose as another user
Information disclosure   Allowing client to see a stack trace when an unhandled exception occurs
SQL Injection Attack
"SELECT * From Users where ID = " + ID + " and Password = " + Password

DEMO
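The slide's concatenated query beside a parameterized version, as an added C# example that is not from the deck; it assumes a Users table with ID and Password columns (as in the slide's query) and the System.Data.SqlClient provider.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the deck. Assumes a Users table with ID and Password
// columns and the System.Data.SqlClient provider; the Password column should
// hold a password hash, per the Security Best Practices slide, not the password.
public static class UserLookup
{
    // The slide's pattern: untrusted input pasted straight into the SQL text.
    // Whatever the user typed is parsed by the server as part of the statement.
    public static string BuildVulnerableQuery(string id, string password)
    {
        return "SELECT * From Users where ID = " + id + " and Password = " + password;
    }

    // Hardened form: the statement text is fixed and the values travel as typed
    // parameters, so the server never interprets user input as SQL keywords.
    // Taking ID as int also rejects non-numeric input before it reaches the database.
    public static bool CredentialsMatch(SqlConnection conn, int id, string password)
    {
        const string sql = "SELECT COUNT(*) FROM Users WHERE ID = @id AND Password = @password";
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = password;
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    public static void Main()
    {
        // Constructed inputs: the second password is the threat table's
        // "DROP TABLE in an input field" case. Printing the two statements side
        // by side shows that the second one is no longer a single SELECT.
        Console.WriteLine(BuildVulnerableQuery("42", "'secret'"));
        Console.WriteLine(BuildVulnerableQuery("42", "'x'; DROP TABLE Users --"));
    }
}
```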
Service Oriented Architectures and Web Service Security Standards

The Tenets of SO
- Boundaries are explicit
- Services are autonomous
- Share schema & contract, not class
- Compatibility based on policy

Web Services Protocols (WS-*)
- Makes SO feasible
- Platform independence
- Loose coupling
- Self description, and discovery

Service Orientation (diagram): People; Existing Applications; Spanning Boundaries

SO – Security Challenges
- Identity
- Federation
- AuthN/AuthZ
- Protocols

WS-* Protocol Architecture
- Transports: HTTP
- XML: XML, XSD, XPath
- Messaging: SOAP, WS-Addressing
- Security: WS-Security, WS-Trust, WS-Federation
- Reliability: WS-ReliableMessaging
- Transactions: WS-Coordination, WS-AtomicTransaction, WS-BusinessActivity
- Metadata (spans the stack): WSDL, WS-Policy
Web Service Security Foundations
- Authentication – who are you?
- Authorization – what are you allowed to do?
- Secure Communication
  - Confidentiality – can anyone else understand what you're saying?
  - Integrity – has the message been tampered with?
Secure Communication: Protocol-level security (SSL)
- Encrypts the entire message
- Sender must trust all intermediaries
- Restricts protocols that can be used

Secure Communication: Message-level security
- End to end message security independent of transport
- Supports multiple protocols and multiple encryption technologies
- Encrypt only parts of the message
- Sender need only trust endpoint

Web Services Security Standards
- WS-Security
- XML Encryption
- WS-SecurityPolicy
- WS-Trust
- WS-SecureConversation
The .NET Framework implements Web services security in Microsoft.Web.Services2.Security

Security Tokens
- Tokens assert claims about identity, capability, privileges
- Signed: X.509, Kerberos, Secret/Shared Key, Security Context, ...
- Proof of possession: Password
- Unsigned: Username, SAML, XrML, ...

Authenticating With Tokens
- Tokens carry claims that are backed by "proof of possession"
  - Shared secret (password, symmetric key)
  - Private key signed by trusted third-party service
- Authenticating involves checking for this knowledge
  - Validating username token passwords
  - Verifying the digital signature

Authentication With Username Tokens
DEMO: ..\..\My Documents\Visual Studio Projects\India\UserNameToken\UserNameToken.sln

WS-Policy: Defining Security Policy
- WS-Policy is an XML syntax to describe the requirements of a service
- Higher level than WSDL
- Policy can be applied on the send side or receive side
- Reduces the amount of code developers need to write

Policy: WS-SecurityPolicy
- Describes the security requirements of a web service
- Provides a way of specifying
  - Supported token types
  - Signing and encryption requirements
  - Role-based authorization decisions
  - Secure Conversation requirements

Configuring Security Policy and setting the Thread.CurrentPrincipal
DEMO: ..\..\My Documents\Visual Studio Projects\India\UserNameToken\UserNameToken.sln

Binary Tokens: X509 Tokens
- Provides a way to encode X509 certificates
- Supplied by Certificate Authority such as Windows Certificate Services
- Contains public key and digital signature from Certificate Authority
- Supports asymmetric encryption and signing

XML Encryption For Privacy
- Parts of a message can be encrypted to ensure confidentiality
- Plain text replaced with cipher text

Encryption With X509 Certificates
DEMO: ..\..\My Documents\Visual Studio Projects\India\XPathSecurity\XPathSecurity.sln

Acquiring Security Tokens: WS-Trust
- Defines a protocol for issuing and obtaining security tokens
- Uses a Security Token Service (STS) to issue tokens
- Manages security across trust boundaries
- Client and server can each trust STS, avoiding having to manage direct trust
- STS can manage exchanging one security token type for another
(diagram: scope of trust)

Acquiring Security Tokens: Exchange Token Types / Map tokens
1. RST: Client to Security Token Service
2. RSTR: Security Token Service to Client
3. Message: Client to Service
Creating Security Contexts
- Asymmetric keys are slow for multiple messages
- WS-SecureConversation defines a SecurityContext token (SCT)
- Based on a symmetric key
- Faster for multiple calls

Secure Conversation (Client and Server)
1. Request for SCT
2. SCT issued to client
3. Series of messages signed with issued SCT

The Future is Indigo...
- A set of .NET technologies for building and managing service-oriented systems
- Broadly interoperable
- WSE 3 will be wire level compatible with Indigo
- A unified programming model and runtime

Indigo Architecture
- Connector: Communications Manager (Port); Transport Channels (IPC, HTTP, TCP…); Channels (Datagram, Reliable, Peer, …); Policy Engine; Message Encoder; Channel Security
- Service Model: Instance Manager; Context Manager; Type Integration; Service Methods; Declarative Behaviors; Transacted Methods
- Hosting Environments: ASP.NET, .container, .exe, NT Service, DllHost
- Messaging Services: Queuing; Routing; Eventing; …
- System Services: Transaction; Federation; …

Next Steps
- Stay informed about security
  - Microsoft Developers Network Security Center: http://msdn.microsoft.com/security/
  - Microsoft Security Guidance: http://www.microsoft.com/security/guidance/
- Get additional security training
  - Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security/
- Read the book: Writing Secure Code, Michael Howard and David LeBlanc, ISBN: 0-7356-1722-8

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Security Best Practices
- All input is evil - guard against
  - Cross-site scripting
  - SQL injection
- Use hashing to store your passwords
- Store secure information in the registry (keys etc)
- Use sessions, but not cookie-less sessions
- Do some housekeeping for production
  - Disable tracing
  - customErrors mode="RemoteOnly"
- Application Guides: http://msdn.microsoft.com/security/
SecureCRT Libraries: Safer C++ Runtime Libraries
Microsoft's implementation of the Standard C++ Libraries (aka STL) now defaults to a more safe mode that detects buffer overruns automatically, and disallows risky usages. As with the C library, the unsafe usages are deprecated, and the user can disable the deprecation as they need to.
In a _DEBUG build, we have integrated much deeper self-consistency checks to detect common programming errors when using STL.
There have been minor changes in other C++ Libraries (ATL, MFC) where specific functions were found to have unsafe design.
The Microsoft C Runtime Library and the ISO C Standard library contain a number of functions that are inherently 'unsafe', and prone to coding patterns vulnerable to buffer overruns. In VS 2005, we are deprecating these functions (by default). So when the user recompiles their existing applications, they will see compiler warnings when they use these inherently unsafe functions.
Submitted to the ISO Standard C library for standardization. Microsoft is taking a leadership role in this effort. It has broad support from the ISO C Committee members and the current plan is to go for 'registration' in March 05.
2004 E-Crime Watch
- Shows significant increase in electronic crimes
- 43% report an increase in e-crimes and intrusions versus the previous year
- 70% report at least one e-crime or intrusion was committed against their organization
- 56% report operational losses, 25% state financial loss, 12% declare other types of losses
- 30% don't know if they were attacked by insiders or outsiders
- Those who DO know say 71% of attacks come from outsiders compared to 29% from insiders
- 40% believe "Hackers" are the biggest security threats
- 31% believe it is former employees or contractors
- 36% experienced unauthorized access to information, systems, or networks by an insider, compared to 27% committed by outsiders
- Both sabotage and extortion are committed equally by insiders and outsiders
http://www.csoonline.com/releases/ecrimewatch04.pdf
/GS and Strongly Named DLLs
/GS switch
- Used to mitigate buffer overrun exploits
- Considerable enhancements in VS 2005: stack reordering, parameter shadowing, etc.
- Used to recompile Windows XP SP2
- On by default in VS 2005
Strongly named redistributable DLLs
- Whidbey C++ libraries are 'fusionized' and 'strongly named'
- DLLs (MFC, CRT etc) are installed in the WinSxS cache
- Allows us to globally service these libraries if necessary

Misc
- Threat Modelling Tool
- Enterprise Library
- SOAP Tracing Tool from Mike Taulty: http://blogs.msdn.com/kaevans/archive/2004/08/20/217707.aspx
- WSE 2 Hands On Lab: search MSDN.Microsoft.com for "WSE - HOLDEVL34"

DEMO

Threat Modelling Tool
http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx
The Road to Services
- Object Orientation (1980s): Class-based; Polymorphism; Encapsulation
- Components (1990s): Interface-based; Dynamic Loading; Runtime Metadata
- Service Orientation (Today): Message-based; Schema+Contract; Binding via Policy
Creating A Digital Signature
1. Message or file: "WSE provides great security for services"
2. Hash function (SHA, MD5) produces a 128-bit message digest: Jrf843kjfgf*£$&Hdif*7oUsd*&@:<CHDFHSD(**
3. Asymmetric encryption of the digest with the sender's private key produces the digital signature: Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd'rkvegMs"

Verifying A Digital Signature
1. Digital signature (sent with the message): Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd'rkvegMs"
2. Asymmetric decryption with the sender's public key recovers the message digest: Jrf843kjfgf*£$&Hdif*7oUsd*&@:<CHDFHSD(**
3. The original message "WSE provides great security for services" run through the same hash function gives a second digest
4. Are they the same? (? == ?)
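The two slides above carried out in code, as an added C# example that is not from the deck or WSE; it assumes .NET 6 or later and uses SHA-256 with RSA-PSS in place of the slide's MD5, because MD5 is no longer collision resistant and must not be used for signatures.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the deck or WSE. Assumes .NET 6 or later.
// Sign hashes the message and signs the digest with the private key; Verify
// redoes the hash and checks it against the signature with the public key only.
public static class Signing
{
    // Sender side: SHA-256 digest of the message, signed with the sender's private key.
    public static byte[] Sign(string message, RSA senderPrivateKey)
    {
        byte[] data = Encoding.UTF8.GetBytes(message);
        return senderPrivateKey.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
    }

    // Receiver side: only the DER-encoded public key (SubjectPublicKeyInfo) is needed.
    // The same hash function is applied to the received message and compared with
    // the digest bound into the signature; any change to either makes this false.
    public static bool Verify(string message, byte[] signature, byte[] senderPublicKeyDer)
    {
        using (RSA sender = RSA.Create())
        {
            sender.ImportSubjectPublicKeyInfo(senderPublicKeyDer, out _);
            byte[] data = Encoding.UTF8.GetBytes(message);
            return sender.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
        }
    }

    public static void Main()
    {
        using (RSA sender = RSA.Create(2048))
        {
            string message = "WSE provides great security for services";   // the slide's message
            byte[] signature = Sign(message, sender);
            byte[] publicKey = sender.ExportSubjectPublicKeyInfo();

            // Unmodified message and signature.
            Console.WriteLine(Verify(message, signature, publicKey));
            // Message altered in transit: the recomputed digest no longer matches.
            Console.WriteLine(Verify(message + "!", signature, publicKey));
            // Signature altered in transit: the recovered digest no longer matches.
            signature[0] ^= 0x01;
            Console.WriteLine(Verify(message, signature, publicKey));
        }
    }
}
```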
Message Encryption: Sender
1. Generate a symmetric key (the "generated key")
2. Encrypt the message "WSE provides great security for services" with the generated key (symmetric encrypt), giving the ciphertext: Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd'rkvegMs"
3. Encrypt the generated key with the receiver's public key, giving the encrypted key
4. Send the ciphertext and the encrypted key

Message Encryption: Receiver
1. Decrypt the encrypted key with the receiver's private key, recovering the generated key
2. Decrypt the ciphertext with the generated key (symmetric decrypt), recovering the message "WSE provides great security for services"
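The sender and receiver sides of the hybrid scheme above in code, as an added C# example that is not from the deck or WSE; it assumes .NET 6 or later, uses AES-GCM for the symmetric step (so tampering with the ciphertext is detected on decryption) and RSA-OAEP to wrap the key, with the receiver's RSA key pair standing in for an X.509 certificate's key.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the deck or WSE. Assumes .NET 6 or later.
// Everything the sender transmits is in Envelope; only the receiver's private key
// can unwrap the symmetric key, and AES-GCM's tag rejects modified ciphertext.
public sealed class Envelope
{
    public byte[] WrappedKey;   // the generated key, encrypted with the receiver's public key
    public byte[] Nonce;        // AES-GCM nonce, fresh for every message
    public byte[] Ciphertext;
    public byte[] Tag;          // AES-GCM authentication tag
}

public static class HybridEncryption
{
    // Sender: one-time symmetric key, encrypt the body with it, then encrypt
    // only the key (not the body) with the receiver's public key.
    public static Envelope Seal(string message, byte[] receiverPublicKeyDer)
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);    // "generated key" on the slide
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] plaintext = Encoding.UTF8.GetBytes(message);
        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[16];

        using (var aes = new AesGcm(key))
            aes.Encrypt(nonce, plaintext, ciphertext, tag);

        using (RSA receiver = RSA.Create())
        {
            receiver.ImportSubjectPublicKeyInfo(receiverPublicKeyDer, out _);
            byte[] wrapped = receiver.Encrypt(key, RSAEncryptionPadding.OaepSHA256);
            CryptographicOperations.ZeroMemory(key);   // key material is no longer needed here
            return new Envelope { WrappedKey = wrapped, Nonce = nonce, Ciphertext = ciphertext, Tag = tag };
        }
    }

    // Receiver: unwrap the key with the private key, then decrypt the body.
    // AesGcm.Decrypt throws CryptographicException if ciphertext, tag or nonce were altered.
    public static string Open(Envelope env, RSA receiverPrivateKey)
    {
        byte[] key = receiverPrivateKey.Decrypt(env.WrappedKey, RSAEncryptionPadding.OaepSHA256);
        byte[] plaintext = new byte[env.Ciphertext.Length];
        try
        {
            using (var aes = new AesGcm(key))
                aes.Decrypt(env.Nonce, env.Ciphertext, env.Tag, plaintext);
        }
        finally
        {
            CryptographicOperations.ZeroMemory(key);
        }
        return Encoding.UTF8.GetString(plaintext);
    }

    public static void Main()
    {
        using (RSA receiver = RSA.Create(2048))
        {
            byte[] publicKey = receiver.ExportSubjectPublicKeyInfo();   // all the sender is given
            Envelope env = Seal("WSE provides great security for services", publicKey);
            Console.WriteLine(Open(env, receiver));
        }
    }
}
```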
Binary Tokens: Kerberos Tokens
- Encodes Kerberos tickets
- Supports signing and encryption using a symmetric key
- Retrieved from Kerberos Distribution Centre
- WSE automatically creates Principal
Custom Tokens
- WSE supports custom Binary and XML tokens