Writing Secure Code

By

Sam Nasr, MCAD, MCT, MCTS

March 18, 2009

AgendaIntroductionSecurity overviewSecurity

ProceduralCoding

Q&A

About me…Sam Nasr

Independent Software ConsultantNasr Information SystemsSoftware developer since 1995MCAD, MCT, MCTS(WSS/MOSS)President - Cleveland C#/VB.Net User Group

Contact InfoE-mail: sam@nasr.infoBlog: ClevelandDotNet.blogspot.com/

Setting ExpectationsWhat will be covered

Overview of security in .Net FWSome coding techniques, due to timeTake home “Laundry List”Discuss code and organizational policies

What will NOT be coveredCOM, ActivexDB SecurityIdentifying Security Bugs

Why Security?Protect the Data

Credit Card #sCorporate Data (Financial info)Patient Information

Ensure App IntegrityPrevent loss of revenue (i.e. $1 plane tickets)Uptime (DOS Attacks)

Ensure App AuthenticityCustomers run intended applications

What are the odds?

1 Developer vs. Many Hackers

1 Dev Hour vs. Many hacker hours

Salary vs. Personal Pride

Focused vs. Continuous Attempts

Points of Entry

Holistic SecurityPhysical Location of serversALL servers (App & DB) must be configured

for securityTrain users against social engineeringSecurity code reviewSecurity TestingPractice “Active Defense”Recovery PlanKeep your users aware of the security risk

“Active Defense” Monitoring

“Out of bounds” pricing

Excessive # of transactions

After hours access

Extended login time

.Net 101 (know the basics)

Compile code to ?

How does the code execute?

How’s JIT used?

How’s CLR used?

Security NamespacesSystem.SecuritySystem.Web.SecuritySystem.Security.CryptographySystem.Security.PrincipalSystem.Security.PolicySystem.Security.Permissions

DemoILDASM/ILASM

Security Tools

DotFuscator

FX Cop

Anti-Cross Site Scripting Library

Security Assessment Tool

Strong Names

Private and Public keys tokensRegular Name (“BookInventory”)Version Number (“1.0.0.0”)Culture (neutral)Public key Token

Note: Protect Private KeyUtilize “AssemblyDelaySign”

DemoStrong Names

Anti-Cross Site Scripting LibraryA Cross Site Scripting attack (XSS): when a hacker inserts a link in an e-mail or web forum that appears to be legitimate (i.e. cnn.com, google.com). However, the link actually a malicious script code embedded in the URL. When the unsuspecting user clicks the link, the script is executed on the host web site. The script code maybe used to transfer cookies from the victim's PC to the hacker's machine. The cookies may contain user ID's, passwords, or possibly credit card information, all which can be used for illegal purposes.

http://www.microsoft.com/downloads/details.aspx?familyid=9A2B9C92-7AD9-496C-9A89-AF08DE2E5982&displaylang=en

DemoFXCop

DemoSecurity Assessment Tool

Conclusion

Let’s recap…ProceduralCoding

ReferencesUnderstanding MSIL

www.ClevelandDotnet.info - Presentations

FXCophttp://www.microsoft.com/downloads/details.aspx?familyid=9AEAA970-F281-4FB0-ABA1-

D59D7ED09772&displaylang=en

Securing Connection Stringsvia code: http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx

via cmd line: http://msdn.microsoft.com/en-us/library/dx0f3cf2(VS.80).aspx

Questions?

Contact InfoSam Nasr

E-mail: sam@nasr.infoBlog: ClevelandDotNet.blogspot.com/

Cleveland C#/VB.Net User GroupWeb: www.ClevelandDotNet.info