Writing Secure Code
By
Sam Nasr, MCAD, MCT, MCTS
March 18, 2009
Agenda
Introduction
Security overview
Security Procedural
Coding
Q&A
About me…
Sam Nasr
Independent Software Consultant
Nasr Information Systems
Software developer since 1995
MCAD, MCT, MCTS (WSS/MOSS)
President - Cleveland C#/VB.Net User Group
Contact Info
E-mail: [email protected]
Blog: ClevelandDotNet.blogspot.com/
Setting Expectations
What will be covered
Overview of security in .Net FW
Some coding techniques, due to time
Take home “Laundry List”
Discuss code and organizational policies
What will NOT be covered
COM, ActiveX
DB Security
Identifying Security Bugs
Why Security?
Protect the Data
Credit Card #s
Corporate Data (Financial info)
Patient Information
Ensure App Integrity
Prevent loss of revenue (e.g. $1 plane tickets)
Uptime (DoS attacks)
Ensure App Authenticity
Customers run intended applications
What are the odds?
1 Developer vs. Many Hackers
1 Dev Hour vs. Many hacker hours
Salary vs. Personal Pride
Focused vs. Continuous Attempts
Points of Entry
Holistic Security
Physical location of servers
ALL servers (App & DB) must be configured for security
Train users against social engineering
Security code review
Security testing
Practice “Active Defense”
Recovery plan
Keep your users aware of the security risk
“Active Defense” Monitoring
“Out of bounds” pricing
Excessive # of transactions
After hours access
Extended login time
.Net 101 (know the basics)
Compile code to ?
How does the code execute?
How’s JIT used?
How’s CLR used?
Security Namespaces
System.Security
System.Web.Security
System.Security.Cryptography
System.Security.Principal
System.Security.Policy
System.Security.Permissions
Demo
ILDASM/ILASM
Security Tools
DotFuscator
FX Cop
Anti-Cross Site Scripting Library
Security Assessment Tool
Strong Names
Private and public key tokens
Regular name (“BookInventory”)
Version number (“1.0.0.0”)
Culture (neutral)
Public key token
Note: Protect private key
Utilize “AssemblyDelaySign”
Demo
Strong Names
Anti-Cross Site Scripting Library
A Cross Site Scripting (XSS) attack: a hacker inserts a link in an e-mail or web forum that appears to be legitimate (e.g. cnn.com, google.com). However, the link actually carries malicious script code embedded in the URL. When the unsuspecting user clicks the link, the script is executed on the host web site. The script code may be used to transfer cookies from the victim's PC to the hacker's machine. The cookies may contain user IDs, passwords, or possibly credit card information, all of which can be used for illegal purposes.
http://www.microsoft.com/downloads/details.aspx?familyid=9A2B9C92-7AD9-496C-9A89-AF08DE2E5982&displaylang=en
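As an added example (not part of the slides), the defensive side of the attack described above: an ASP.NET HTTP handler that renders the attacker-controlled "name" query parameter, first unencoded (the bug) and then encoded for each output context with the Anti-XSS library's encoders. The handler and parameter names are assumed.

```csharp
// Added example, not from the slides: an ASP.NET HTTP handler that renders the
// attacker-controlled "name" query parameter. RenderUnsafe is the XSS bug the
// slide describes; RenderSafe encodes per output context with the Anti-XSS
// library (Microsoft.Security.Application). Handler name is hypothetical.
using System.Web;
using Microsoft.Security.Application;   // AntiXss static encoder methods

public class GreetingHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    // VULNERABLE: untrusted input is concatenated straight into markup.
    // A link such as /greet.ashx?name=<script>...</script> makes the victim's
    // browser run the attacker's script with this site's cookies in scope.
    public static string RenderUnsafe(string name)
    {
        return "<p>Hello, " + name + "</p>"
             + "<a href=\"/profile?user=" + name + "\" title=\"" + name + "\">profile</a>";
    }

    // HARDENED: every untrusted value is encoded for the context it lands in.
    // AntiXss encoders use a white list of safe characters and encode the rest,
    // so '<', '"', '&' and anything unusual can no longer break out of the text,
    // attribute or URL component they are placed in.
    public static string RenderSafe(string name)
    {
        return "<p>Hello, " + AntiXss.HtmlEncode(name) + "</p>"            // HTML text
             + "<a href=\"/profile?user=" + AntiXss.UrlEncode(name)         // URL query value
             + "\" title=\"" + AntiXss.HtmlAttributeEncode(name) + "\">"    // attribute value
             + "profile</a>";
    }

    public void ProcessRequest(HttpContext context)
    {
        // Attacker-controlled: comes straight from the URL the victim clicked.
        string name = context.Request.QueryString["name"] ?? "guest";
        context.Response.ContentType = "text/html";
        context.Response.Write(RenderSafe(name));
    }
}
```

The handler is registered in web.config (or exposed as an .ashx) and references Microsoft.Security.Application.dll from the library download above.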
Demo
FXCop
Demo
Security Assessment Tool
Conclusion
Let’s recap…
Procedural
Coding
References
Understanding MSIL: www.ClevelandDotnet.info - Presentations
FXCop: http://www.microsoft.com/downloads/details.aspx?familyid=9AEAA970-F281-4FB0-ABA1-D59D7ED09772&displaylang=en
Securing Connection Strings
via code: http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx
via cmd line: http://msdn.microsoft.com/en-us/library/dx0f3cf2(VS.80).aspx
Questions?
Contact Info
Sam Nasr
E-mail: [email protected]
Blog: ClevelandDotNet.blogspot.com/
Cleveland C#/VB.Net User Group
Web: www.ClevelandDotNet.info