Cert-In Training Program for Government, PSUs and Critical Sector Organizations
In Collaboration With: Data Security Council of India
9/23/2010 4
SDL-IT Tasks: Envisioning Phase
Phases: Envisioning, Design, Build, Stabilizing, Deploying, Production, Retire
SDL-IT Tasks: Design Phase
• Security
  • Complete a Threat Model
  • Review Security Mandatory Items Checklist
Threat Model
SDL-IT Tasks: Stabilizing Phase
• Security
  • Conduct Pre-Production Limited Assessment, as a “Best Practice”
    • Microsoft Baseline Security Analyzer (MBSA) + partial manual checks
    • Full manual server checks
  • Security Team conducts Security Comprehensive Assessment
    • Candidates are applications where:
      • Security Impact = Medium / High
      • Security Release = Yes
SDL-IT Tasks: Deploying Phase
• Security
  • Conduct Production Limited Assessment, as a “Best Practice”
  • Update inventory application:
    • Actual release date
    • Version status to “In Production”
SDL-IT Tasks: Production Phase
SDL-IT Tasks: Retire Phase
Fundamentals
Authentication
Fiddler Lab
Secure Sockets Layer
Authentication Best Practices
• Network eavesdropping
  • Use authentication mechanisms that do not transmit the password over the network, such as the Kerberos protocol
  • Make sure passwords are encrypted if you must transmit them over the network, for example with SSL
Authentication Best Practices
Authentication Best Practices
Authorization
Authorization Issues
• Direct Object Reference (Normal execution)
Authorization Issues
• Direct Object Reference (What attacker does)
Authorization Issues
• Direct Object Reference
  • A unique identifier is used to retrieve and update data for an object. This identifier is an incrementing integer (or is otherwise easily available).
  • No explicit authorization check is performed to ensure the current user has access to the object.
Authorization Lab
Authorization Issues
• Disabling Controls in the Web site to enforce authorization (Normal execution)
Authorization Issues
• Disabling Controls in the Web site to enforce authorization (What attacker does)
Authorization Issues
• Disabling HTML text boxes and buttons is only a visual indication, not a security control
• Need to perform explicit authorization checks on the server side
Authorization Issues
• Forceful browsing
  • No authorization checks implemented on pages
  • Security based on the fact that the user does not know the URL
Authorization Issues
• Missing authorization in web services in multi-tier applications
  • Principle of Exclusions
  • Principle of Inclusions
Consequences of Inappropriate Input Handling
• Lead to a realization of various attack patterns
  • Cross-Site Scripting (XSS)
  • One-Click Attacks
  • SQL Injection
  • LDAP Injection
  • Response Splitting
  • Unsafe Filename Handling
Consequences of Inappropriate Input Handling cont.
  • Canonicalization issues
  • Buffer overflow or arithmetic errors (Memory Management issues)
  • Format String
  • Integer Overflow
  • Application Layer Denial of Service
Protection
What is Cross-Site Scripting?
What is SQL Injection?
• SQL injection is:
  • The process of supplying carefully crafted input to alter (or create) SQL statements
  • Can be used by malicious users to compromise the confidentiality, integrity or availability of your application:
    • Probe databases
    • Bypass authorization
    • Execute multiple SQL statements
    • Call built-in stored procedures
Defending Against SQL Injection
• Abandon Dynamic SQL
  • Use stored procedures or SQL parameterized queries to access data
  • Can have SQL Injection in stored procedures
• Sanitize all input
  • Consider all input harmful until proven otherwise – test for valid data and reject everything else
• Run with least privilege
  • Never execute as “sa”
  • Restrict access to built-in stored procedures
• Do not display errors directly from database.
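The Direct Object Reference issue from the Authorization section and the dynamic-SQL versus parameterized-query advice above, shown together in one added Python/sqlite3 example written for this note; it is not code from the CERT-In or DSCI material, and the invoices table, its rows and the function names are constructed for the example.

```python
import sqlite3

def setup_db():
    # Constructed sample data: an invoices table whose id is a guessable
    # incrementing integer, as in the deck's Direct Object Reference scenario.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                     [(1, "alice", 120), (2, "bob", 999), (3, "alice", 45)])
    return conn

def fetch_invoice_dynamic(conn, invoice_id):
    # Vulnerable pattern: the id is concatenated into the statement
    # (dynamic SQL) and nothing checks that the caller owns the invoice.
    sql = "SELECT id, owner, amount FROM invoices WHERE id = " + str(invoice_id)
    return conn.execute(sql).fetchall()

def fetch_invoice_safe(conn, current_user, invoice_id):
    # Hardened pattern following the deck's advice:
    #  - test for valid data (an integer id) and reject everything else;
    #  - pass the value as a query parameter so it can never alter the SQL;
    #  - make ownership part of the query so the server enforces
    #    authorization even when the id is easily guessed;
    #  - never return the raw database error text to the caller.
    try:
        invoice_id = int(invoice_id)
    except (TypeError, ValueError):
        return None
    sql = "SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?"
    try:
        rows = conn.execute(sql, (invoice_id, current_user)).fetchall()
    except sqlite3.Error:
        return None  # log the detail internally; the user sees a generic failure
    return rows[0] if rows else None

if __name__ == "__main__":
    db = setup_db()
    print(fetch_invoice_dynamic(db, "1 OR 1=1"))        # every row comes back
    print(fetch_invoice_safe(db, "alice", "1 OR 1=1"))  # None: input rejected
    print(fetch_invoice_safe(db, "alice", 2))           # None: not alice's invoice
    print(fetch_invoice_safe(db, "alice", 1))           # (1, 'alice', 120)
```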
SQL Injection Lab
What is One-Click Attack?
CAT.NET Demo
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.