Essentials of Application Security

What We Will Cover

The Importance of Application Security
Secure Application Development Practices
Security Technologies
Secure Development Guidelines
Session Prerequisites

Development experience with Microsoft Visual Basic®, Microsoft Visual C++®, or C#

Level 200
Agenda

The Importance of Application Security
Secure Application Development Practices
Security Technologies
Secure Development Guidelines
Trustworthy Computing

“Trustworthy Computing has four pillars:

Reliability means a computer system is dependable, is available when needed, and performs as expected and at appropriate levels.

Security means a system is resilient to attack, and the confidentiality, integrity, and availability of both the system and its data are protected.

Privacy means that people can control their personal information and organizations that use the information faithfully protect it.

Business integrity is about companies in our industry being responsible to customers and helping them find appropriate solutions for their business issues, addressing problems with products or services, and being open in interactions with customers.” - Bill Gates, July 18
Connection Scenarios and Security Concerns

Connection scenarios:
Traditional wired networks
Mobile workforces
Public wireless networks

Security concerns:
Application reliance on the Internet
Business reliance on the Internet
Internal security attacks
Common Types of Attacks

Organizational attacks
Automated attacks
Attacks on restricted data
Denial of service (DoS), in which connections fail
Accidental breaches in security
Viruses and Trojan horses
Examples of Security Intrusions

CodeRed
ILoveYou
Nimda
Consequences of Poor Security

Stolen intellectual property
System downtime
Lost productivity
Damage to business reputation
Lost consumer confidence
Severe financial losses due to lost revenue
Challenges When Implementing Security

Attackers vs. Defenders
Attacker needs to understand only one vulnerability
Defender needs to secure all entry points
Attackers have unlimited time
Defender works with time and cost constraints

Security vs. Usability
Secure systems are more difficult to use
Complex and strong passwords are difficult to remember
Users prefer simple passwords

“Do I need security…”
Developers and management think that security does not add any business value

Security As an Afterthought
Addressing vulnerabilities just before a product is released is very expensive
The Developer Role in Application Security

Developers must:
Work with solution architects and systems administrators to ensure application security
Contribute to security by:
Adopting good application security development practices
Knowing where security vulnerabilities occur and how to avoid them
Using secure programming techniques
Holistic Approach to Security

Security must be considered at:
All stages of a project: design, development, deployment
All layers: network, host, application

“Security is only as good as the weakest link”
Security Throughout Project Lifecycle

Milestones: Concept, Designs Complete, Test Plans Complete, Code Complete, Ship, Post-Ship

Security activities along the way (from the timeline figure):
Security questions during interviews
Determine security sign-off criteria
Analyze threats
Train team members
Review old defects; check-ins checked against secure coding guidelines; use tools
Data mutation and least privilege testing
Security push
External review
Learn and refine

Security team review = ongoing
The SD3 Security Framework

Secure by Design
Secure architecture and code
Threat analysis
Vulnerability reduction

Secure by Default
Attack surface area reduced
Unused features turned off by default
Minimum privileges used

Secure in Deployment
Protection: detection, defense, recovery, management
Process: how-to guides, architecture guides
People: training
Threat Modeling

Threat modeling is:
A security-based analysis of an application
A crucial part of the design process

Threat modeling:
Reduces the cost of securing an application
Provides a logical, efficient process
Helps the development team:
Identify where the application is most vulnerable
Determine which threats require mitigation and how to address those threats
Ongoing Education

Provide training about:
How security features work
How to use the security features to build secure systems
What security vulnerabilities look like in order to identify flawed code
How to avoid common security vulnerabilities
How to avoid repeating mistakes
Input Validation

Buffer overruns
SQL injection
Cross-site scripting

“All input is evil until proven otherwise!”

Demonstration 1
Buffer Overruns
Bypassing Security Checks
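Two of the three input-validation failures named on this slide, shown as an added example that is not part of the original deck: a login check that concatenates user input into SQL next to its parameterized form, and a page that reflects input into HTML next to its encoded form. The users table, account names and payload strings are constructed for the demonstration. The buffer-overrun demonstration is native-code material and is not reproduced here.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, password: str) -> bool:
    """Builds the query by concatenation, so the input is parsed as SQL."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return con.execute(sql).fetchone()[0] > 0


def login_safe(con: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterized query: the input travels as a bound value, never as SQL.
    (A real system compares a password hash, not the password itself.)"""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return con.execute(sql, (name, password)).fetchone()[0] > 0


def greet_vulnerable(name: str) -> str:
    """Reflects the input into HTML unchanged, so markup in it is rendered."""
    return "<p>Hello, " + name + "</p>"


def greet_safe(name: str) -> str:
    """Encodes the input for an HTML text context before reflecting it."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo() -> dict:
    """Runs both payloads against both versions and reports what happened."""
    con = make_db()
    sqli_payload = "' OR '1'='1"                 # tautology: WHERE ... OR '1'='1'
    xss_payload = "<script>alert(1)</script>"    # classic reflected XSS probe
    return {
        # No valid password, yet the concatenated query matches every row
        "sqli_bypasses_vulnerable": login_vulnerable(con, "alice", sqli_payload),
        # Bound as a parameter, the same string is just a wrong password
        "sqli_bypasses_safe": login_safe(con, "alice", sqli_payload),
        "legit_login_safe": login_safe(con, "alice", "s3cret"),
        "script_reflected_vulnerable": "<script>" in greet_vulnerable(xss_payload),
        "script_reflected_safe": "<script>" in greet_safe(xss_payload),
        "escaped_output": greet_safe(xss_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix in both cases is the same idea the slide states: treat the input as data for the context it lands in (a bound SQL parameter, an HTML-encoded text node), never as part of the code being built.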
Practices for Improving Security

Practice: Adopt threat modeling
Benefit: Identifies security vulnerabilities; increases awareness of application architecture

Practice: Train development team
Benefit: Avoids common security defects; correct application of security technologies

Practice: Code review
Benefit: Secures code that accesses the network, runs by default, uses unauthenticated protocols, or runs with elevated privileges

Practice: Use tools
Benefit: More consistent testing for vulnerabilities

Practice: Use infrastructure solutions
Benefit: More secure with SSL/TLS and IPSec

Practice: Use component solutions
Benefit: More robust with CAPICOM and the .NET cryptography namespace

Practice: Migrate to managed code
Benefit: Avoids common vulnerabilities
Overview of Security Technologies

Developers need to use and apply:
Encryption
Hashing
Digital signatures
Digital certificates
Secure communication
Authentication
Authorization
Firewalls
Auditing
Service packs and updates
Encryption

Encryption is the process of encoding data so that only holders of the right key can read it. On this slide “encryption” stands for the family of cryptographic technologies used:
To protect a user’s identity or data from being read (confidentiality, which encryption itself provides)
To protect data from being altered (integrity, which comes from hashes and message authentication codes, not from encryption alone)
To verify that data originates from a particular user (authenticity, which comes from digital signatures)

Encryption can be:
Asymmetric
Symmetric

Symmetric vs. Asymmetric Encryption

Symmetric
Uses one shared secret key to both encrypt and decrypt the data
Is fast and efficient
Requires that key to be delivered securely to every party

Asymmetric
Uses two mathematically related keys: a public key to encrypt the data and a private key to decrypt it
Solves key distribution: the public key can be published, and only the private key must be kept secret
Is much slower than symmetric encryption, so in practice it is used to exchange or wrap a symmetric session key (as SSL/TLS does) rather than to encrypt bulk data
Verifying Data Integrity with Hashes

User A runs the data through a hash algorithm to produce a hash value, then sends the data and the hash value to User B.
User B runs the received data through the same hash algorithm and compares the result with the received hash value.
If the hash values match, the data has not been altered in transit.

A bare hash only detects accidental or unsophisticated corruption: an attacker who can modify the data can also recompute and replace the hash value. Binding the hash to a sender needs a key, which is what digital signatures add.

Digital Signatures

User A hashes the data and encrypts the hash value with User A’s private key; the result is the signature, sent along with the data.
User B hashes the received data, decrypts the signature with User A’s public key, and compares the two hash values.
If the hash values match, the data came from the owner of the private key and is valid.
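The two figures above, worked as an added example that is not from the original deck: User B’s hash comparison, the reason it does not stop an attacker who can rewrite both the data and the hash, and the signature check that does. The RSA key pair is a constructed, insecure textbook key (published Mersenne primes, no padding) chosen only so that the block runs with the standard library; production code uses a vetted library and a padded scheme such as RSA-PSS or Ed25519.

```python
import hashlib

# Constructed toy RSA key (insecure): two Mersenne primes so that key
# generation needs no primality test, and textbook RSA without padding.
# It illustrates the slide only; never use published primes or raw RSA.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # E * D = 1 mod phi(N); needs Python 3.8+
PUBLIC_KEY = (N, E)                  # published by User A
PRIVATE_KEY = (N, D)                 # held only by User A


def hash_value(data: bytes) -> str:
    """The hash value User A sends along with the data."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, received_hash: str) -> bool:
    """User B's check from the integrity figure: recompute and compare."""
    return hash_value(data) == received_hash


def _hash_as_int(data: bytes) -> int:
    # SHA-256 is 256 bits and N is about 150, so the digest is reduced here;
    # a real scheme pads the digest into the modulus (PKCS#1 v1.5 or PSS).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes, key: tuple = PRIVATE_KEY) -> int:
    """Signature = hash of the data transformed with the private exponent."""
    n, d = key
    return pow(_hash_as_int(data), d, n)


def verify(data: bytes, signature: int, key: tuple = PUBLIC_KEY) -> bool:
    """User B recovers the hash with the public key and compares it."""
    n, e = key
    return pow(signature, e, n) == _hash_as_int(data)


def demo() -> dict:
    """Constructed message from User A and the attacker's edit of it."""
    message = b"transfer 100 to bob"
    tampered = b"transfer 100 to eve"
    sent_hash = hash_value(message)
    signature = sign(message)
    return {
        # A bare hash catches the edit only while the hash is left alone ...
        "tampered_passes_hash_check": integrity_ok(tampered, sent_hash),
        # ... but an attacker who rewrote the data can recompute the hash too
        "tampered_with_recomputed_hash_passes": integrity_ok(tampered, hash_value(tampered)),
        # The signature survives on the original and fails on the edit ...
        "signature_valid_on_original": verify(message, signature),
        "signature_valid_on_tampered": verify(tampered, signature),
        # ... and cannot be recreated without D: "signing" with the public
        # exponent produces a value the public key does not verify
        "forgery_with_public_key_verifies": verify(tampered, sign(tampered, PUBLIC_KEY)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the contrast is the middle row of the result: the hash check passes on tampered data as soon as the attacker recomputes the hash, while the signature cannot be recomputed without the private key.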
How Digital Certificates Work

A user, computer, service, or application generates a private/public key pair and keeps the private key secret.
It presents the public key to a Certification Authority (CA), whose certified administrator verifies the identity of the requester.
The CA issues a certificate that binds the public key to that identity. Relying parties that trust the CA’s root certificate can then trust the public key in any certificate the CA has issued.
Secure Communication Technologies

Technologies include:
IPSec
SSL
TLS
RPC encryption
Secure Communication: How IPSec Works

Both hosts have an IPSec policy.
The two IPSec drivers negotiate a security association (the keys and algorithms to use).
Traffic from the TCP layer passes through the IPSec driver on each side and crosses the network as encrypted IP packets.
Secure Communication: How SSL Works

1 The user browses to a secure Web server by using HTTPS.
2 The browser receives the Web server’s certificate and checks that it chains to a root certificate the browser trusts, that the name matches the server, and that it is still valid. It then creates a unique session key and encrypts it by using the Web server’s public key taken from that certificate. (The public key is not derived from the root certificate; the root only vouches for the server’s certificate.)
3 The Web server receives the encrypted session key and decrypts it by using the server’s private key, which never leaves the server.
4 After the connection is established, all communication between the browser and

This describes RSA key transport, the scheme of the period. Current TLS versions derive the session key from an ephemeral Diffie-Hellman exchange instead, so that a later compromise of the server’s private key does not expose recorded traffic.
Demonstration 2
SSL Server Certificates
Viewing a Web Site on a Non-Secure Server
Generating a Certificate Request
Requesting a Trial Certificate
Installing the SSL Certificate
Testing the SSL Certificate
Authentication: Purpose of Authentication

Verifies the identity of a principal by:
Accepting credentials
Validating those credentials
Secures communications by ensuring your application knows who the caller is

Encrypting the data is not enough!
Authentication: Authentication Methods

Basic
Digest
Digital signatures and digital certificates
Integrated
The Kerberos version 5 protocol
NTLM
Microsoft Passport
Biometrics
Authentication: Basic Authentication

Is simple but effective
Is supported by all major browsers and servers
Is easy to program and set up
Manages user credentials
Sends the user name and password base64-encoded, not encrypted, in every request
Requires SSL/TLS, because anyone who can read the traffic can read the credentials
Authentication: How Digest Authentication Works

1 The client requests a resource.
2 The server replies with a challenge (a nonce, such as X$!87ghy5).
3 The client runs its password and the challenge through the digest algorithm.
4 The client sends the resulting digest, not the password, to the server.
5 The server retrieves the user’s password material from Active Directory.
6 The server computes the same digest; if the values match, the client is authenticated.
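The Basic and Digest slides above, as an added example that is not from the original deck: decoding a Basic header exactly as an eavesdropper would, then the RFC 2617 digest computation (qop=auth) on the client and the server side, with a single-use nonce so that a captured response cannot be replayed. The realm, account, URI and nonces are constructed; the server keeps the per-user HA1 value rather than the password, which is what Digest needs and also why that store is password-equivalent.

```python
import base64
import hashlib
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(user: str, password: str) -> str:
    """What a browser sends for Basic authentication on every request."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def credentials_from_basic_header(header: str) -> tuple:
    """What anyone who can read the traffic does with it: decode, not decrypt."""
    encoded = header.split(" ", 1)[1]
    user, _, password = base64.b64decode(encoded).decode("utf-8").partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth") -> str:
    """RFC 2617 client-side computation for qop=auth."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Server side: issues nonces and verifies responses without seeing the password."""

    def __init__(self, realm: str, accounts: dict):
        self.realm = realm
        # Only HA1 is stored. It is still an unsalted MD5 over the password,
        # so this store is password-equivalent and must be protected as such.
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in accounts.items()}
        self.outstanding = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response) -> bool:
        # Single-use nonce (a simplification of RFC 2617's nc counter): a
        # replayed or never-issued nonce is rejected before any hashing.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        ha1 = self.ha1.get(user)
        if ha1 is None:
            return False
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        return secrets.compare_digest(expected, response)


def demo() -> dict:
    realm, user, password = "example.corp", "alice", "s3cret"   # constructed
    server = DigestServer(realm, {user: password})
    cnonce, nc, method, uri = "0a4f113b", "00000001", "GET", "/payroll"

    nonce = server.challenge()
    response = digest_response(user, realm, password, method, uri, nonce, nc, cnonce)
    accepted = server.verify(user, method, uri, nonce, nc, cnonce, response)
    replayed = server.verify(user, method, uri, nonce, nc, cnonce, response)

    nonce2 = server.challenge()
    guess = digest_response(user, realm, "wrong", method, uri, nonce2, nc, cnonce)
    wrong_accepted = server.verify(user, method, uri, nonce2, nc, cnonce, guess)

    return {
        "basic_password_on_the_wire": credentials_from_basic_header(basic_header(user, password))[1],
        "password_in_digest_response": password in response,
        "digest_accepted": accepted,
        "replay_accepted": replayed,
        "wrong_password_accepted": wrong_accepted,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Digest keeps the password off the wire and, with fresh nonces, defeats replay, but it still relies on MD5 and leaves the realm-bound hash exposed to offline guessing by anyone who records the exchange; that is why the slide’s “requires SSL/TLS” advice for Basic is the sound default for Digest as well.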
Authentication: Client Digital Certificates

Used in Web applications:
Server secures communications using SSL/TLS with an X.509 server certificate
Server authenticates clients using data in the client’s X.509 certificate, if required
A certificate authority issues the client certificate; the server must hold (trust) that authority’s root certificate

Used in distributed applications:
Application uses an SSL/TLS communication channel
Client and server applications authenticate using certificates

Can be deployed on smartcards
Authentication: When to Use Integrated Authentication

Is the client on the intranet, with no firewall between client and server? If not, Integrated Authentication cannot be used.
If so, are client and server running Windows 2000 or later? If not, NTLM authentication is used.
If so, are client and server in an Active Directory domain? If not, NTLM authentication is used; if so, Kerberos authentication is used.
Authentication: How to Use Kerberos Version 5

Initial logon:
1 The client authenticates to the Key Distribution Center (KDC).
2 The KDC returns a Ticket-Granting Ticket (TGT).
3 The client caches the TGT locally.

Service request:
1 The client presents its TGT to the KDC and asks for a ticket to the target server.
2 The KDC returns a Service Ticket (ST) for that server.
3 The client presents the ST to the target server.
4 The session is established.

TGT = Ticket-Granting Ticket; ST = Service Ticket
Demonstration 3
IIS Authentication Techniques

Using Anonymous Authentication
Using Basic Authentication
Using Integrated Windows Authentication
Authorization: What is Authorization?

Authorization:
Occurs after your client request is authenticated
Is the process of confirming that an authenticated principal is allowed access to specific resources
Checks rights assigned to files, folders, registry settings, applications, and so on
Can be role-based
Can be code-based
Authorization: Common Authorization Techniques

IIS Web permissions (and IP/DNS restrictions)
.NET role-based security
.NET code access security
NTFS access control lists (ACL)
SQL Server logins
SQL Server permissions
Authorization: Impersonation/Delegation Model

The client identity is used to access downstream resources: users A, B, and C reach the Web or application server as A, B, and C, and the database or other resource server also sees them as A, B, and C.

Authorization: Trusted Subsystem Model

Clients are mapped to roles.
Dedicated Windows service accounts are used for each role when accessing downstream resources: in the figure, users A and B map to Role 1 and user C maps to Role 2 on the Web or application server, and the database or other resource server sees only the Role 1 and Role 2 service accounts.
Demonstration 4
Trusted Subsystem Model
Authorization Techniques
Reviewing the Application
Setting Authentication on the Web Server
Creating Service Accounts on the Web Server
Setting Authorization on the Database Server
Firewalls

Firewalls can provide:
Secure gateway to the Internet for internal clients
Packet filtering
Circuit-level filtering
Application filtering
Auditing

Firewalls cannot provide:
Protection against application-level attacks over HTTP or HTTPS, which arrive on the ports the firewall must leave open and look like legitimate Web traffic
Auditing

Auditing actions include tracking:
Resource access and usage
Successful and unsuccessful logon attempts
Application failures

Auditing benefits include:
Help for administrators to detect intrusions and suspicious activities
Traceability for legal, non-repudiation disputes
Diagnosis of security breaches
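Turning the “successful and unsuccessful logon attempts” point into detection logic, as an added example that is not from the original deck: a small parser over constructed audit lines (the line format is invented for this example, not a real event log format) that flags an account whose logon succeeds right after a run of failures from the same source, and shows how the detection window decides whether a slow guessing campaign is caught.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit lines in a format invented for this example (not a real
# event log format): timestamp, event, user, source address.
SAMPLE_LOG = """\
2004-07-18T09:00:01 LOGON_FAILURE user=alice src=10.0.0.5
2004-07-18T09:00:02 LOGON_FAILURE user=alice src=10.0.0.5
2004-07-18T09:00:03 LOGON_FAILURE user=alice src=10.0.0.5
2004-07-18T09:00:04 LOGON_FAILURE user=alice src=10.0.0.5
2004-07-18T09:00:05 LOGON_FAILURE user=alice src=10.0.0.5
2004-07-18T09:00:06 LOGON_SUCCESS user=alice src=10.0.0.5
2004-07-18T09:05:00 LOGON_FAILURE user=bob src=10.0.0.7
2004-07-18T09:05:30 LOGON_SUCCESS user=bob src=10.0.0.7
2004-07-18T10:00:00 LOGON_FAILURE user=carol src=10.0.0.9
2004-07-18T10:20:00 LOGON_FAILURE user=carol src=10.0.0.9
2004-07-18T10:40:00 LOGON_FAILURE user=carol src=10.0.0.9
2004-07-18T11:00:00 LOGON_FAILURE user=carol src=10.0.0.9
2004-07-18T11:20:00 LOGON_FAILURE user=carol src=10.0.0.9
2004-07-18T11:30:00 LOGON_SUCCESS user=carol src=10.0.0.9
2004-07-18T12:00:00 APP_FAILURE app=payroll.exe code=0xC0000005
"""

LOGON_RE = re.compile(r"^(\S+) (LOGON_FAILURE|LOGON_SUCCESS) user=(\S+) src=(\S+)$")


def parse_logons(log: str):
    """Yields (timestamp, event, user, src) for logon events; other lines are skipped."""
    for line in log.splitlines():
        match = LOGON_RE.match(line)
        if match:
            yield (datetime.fromisoformat(match.group(1)), match.group(2),
                   match.group(3), match.group(4))


def detect_guessing(log: str, threshold: int = 5, window_minutes: int = 2) -> list:
    """Alerts on a (user, src) pair whose logon succeeds after at least
    `threshold` failures within the last `window_minutes`: the guessing-then-
    success pattern that the audit trail exists to expose."""
    window = window_minutes * 60
    recent_failures = defaultdict(list)
    alerts = []
    for ts, event, user, src in parse_logons(log):
        key = (user, src)
        # Drop failures that have aged out of the window
        recent_failures[key] = [t for t in recent_failures[key]
                                if (ts - t).total_seconds() <= window]
        if event == "LOGON_FAILURE":
            recent_failures[key].append(ts)
            continue
        if len(recent_failures[key]) >= threshold:
            alerts.append({"user": user, "src": src,
                           "failures": len(recent_failures[key]), "at": ts.isoformat()})
        recent_failures[key].clear()   # a success ends the run either way
    return alerts


if __name__ == "__main__":
    print("2-minute window:", detect_guessing(SAMPLE_LOG))
    print("2-hour window:  ", detect_guessing(SAMPLE_LOG, window_minutes=120))
```

With the default two-minute window only alice’s burst is flagged; carol’s one-attempt-every-twenty-minutes run slips through until the window is widened to two hours. Tuning that window against the lockout policy and the expected rate of honest typos is the real work of this detection.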
Service Packs and Updates

Security update / Hotfix: addresses a single issue or a small number of issues; can be combined by using QChain
Security rollup package: multiple hotfixes packaged for easy installation
Service pack: provides major updates; cumulative set of previous updates; may contain previously unannounced fixes; may contain feature changes
Proactive Security Development

Integrate security improvements throughout the development process
Focus on security and ensure your code can withstand new attacks
Promote the key role of education
Raise awareness within your team
Learn from your mistakes and others’ mistakes
Adopt the SD3 Security Framework

Secure by Design
Build threat models
Conduct code reviews, penetration tests
Run code with minimal privileges

Secure by Default
Minimize your attack surface
Enable services securely

Secure in Deployment
Leverage the security best practices
Create security guidance
Build tools to assess application
Microsoft Java Virtual Machine End of Support Alert

Java Support Alert!
MSJVM no longer ships with Windows XP SP1a or Windows Server 2003
Microsoft will discontinue support Sept 30, 2004
No security fixes will be made after that date
Security issues after that date may require removal of MSJVM

Developers should:
Update MSJVM dependent applications
Offer upgrades to customers

For more information:
http://www.microsoft.com/java
Session Summary

The Importance of Application Security
Secure Application Development Practices
Security Technologies
Secure Development Guidelines
Next Steps

Stay informed about security
Sign up for security bulletins:
http://www.microsoft.com/security/security_bulletins/alerts2.a
Get the latest Microsoft security guidance:
http://www.microsoft.com/security/guidance/

Get additional security training
Find online and in-person training seminars:
http://www.microsoft.com/seminar/events/security.mspx
Find a local CTEC for hands-on training:
http://www.microsoft.com/learning/
For More Information

Microsoft Security Site (all audiences)
http://www.microsoft.com/security
MSDN Security Site (developers)
http://msdn.microsoft.com/security
TechNet Security Site (IT professionals)
http://www.microsoft.com/technet/security
Questions and Answers
