Presentation Transcript
Developing Secure Code on the Microsoft Platform
Anil Revuru, Microsoft ACE Team
Steve Yi, Microsoft ISV Architecture Advisor
Introductions
Steve Yi
Microsoft ISV Architecture Advisor
steveyi@microsoft.com
http://blogs.msdn.com/steveyi
Anil Revuru
Microsoft ACE Team
Anil.revuru@microsoft.com
http://blogs.msdn.com/ace_team
Agenda
Introduction
Microsoft ACE Team
SDL – Security Development Lifecycle
Threat Modeling
Web Applications
Application Configuration
SQL Server
Authentication & Authorization
Resources
Next Steps
Q&A
Who is the ACE Team?
ACE Team – Application Consulting & Engineering
Technologists that provide services in the areas of security, privacy & performance
Team enforces the ASAP process in Microsoft
ASAP – Application Software Assurance Program
Process to ensure security & privacy standards are met by Line of Business applications
ACE Services – services arm of the ACE Team
Security Development Lifecycle
Objective:
Identify and ensure resolution of security/privacy vulnerabilities found in applications
Enable Application Risk Management
Strategic
Tactical
Operational
Legal
SDL – Inputs & Outputs
Inputs
Application Information
Design Documents
Source Code
Server Information
Outputs
Bugs logged in security/privacy database
Exception Requests
SDL & SDLC
Designed to be in line with the Software Development Lifecycle (SDLC); each SDLC phase has a matching SDL activity:

SDLC phase   SDL activity
Envision     Risk Assessment
Design       Threat Model
Develop      Internal Review
Test         Assess
Release      Assess
SDL: Risk Assessment
SDLC Envision : SDL Risk Assessment
Objective
System Inventory
Determine application risk categorization
High Risk Security/Privacy Release
Compulsory threat model/design review; white box code review and host level scan
Medium Risk Security/Privacy Release
White box code review and host level scan
Low Risk Security/Privacy Release
Host level scan
SDL: Threat Model / Design Review
SDLC Design : SDL Threat Model
Objective
Consistent methodology for objectively evaluating threats to applications
Review application design to verify compliance with security standards and best practices
Verify application meets application principles
Confidentiality & Integrity
Authentication & Authorization
Availability
Non-repudiation
SDL: Threat Modeling
Review security checklist/policy
Team concludes ‘self’ code review and attack and penetration testing
DEMONSTRATION:
Microsoft Threat Analysis & Modeling v2.0 Beta 2
SDL: Internal Review
SDLC Develop : SDL Internal Review
Review security checklist/policy
Team concludes ‘self’ code review and attack and penetration testing
SDL: Assessment
SDLC Testing : SDL Pre-Production Assessment
Objective
Low Risk Applications
Host Level Scan: Windows, IIS, SQL
Medium/High Risk Applications
Host Level Scan
White Box Code Review
SDL: White Box Code Review
Process
Application team provides source code
Analysts review application code uncovering security vulnerabilities
Vulnerabilities logged in bug database
Application team addresses all Severity 1 bugs prior to release
Common Attack Patterns
White Box Code Review may reveal:
Cross-Site Script vulnerabilities
SQL Injection
Buffer Overflow
Poor Authorization Controls
Secrets Stored in Clear Text
Securing Web Applications
Cross Site Scripting
A technique that allows attackers to:
Appear to re-write the text of your web site
Abuse the user’s trust in your site to:
Steal web session info and cookies
Hijack client sessions
Potentially access the computer
Execute ActiveX controls
Securing Web Applications
Cross Site Scripting Defense
Input validation – 1st line of defense
Output encoding
Platform features
Server.HtmlEncode() doesn’t always protect
Use Anti-XSS (properly implemented)

Context: Non-persistent XSS. The product search feature of WIDGETCO displays the ‘searchstring’ input without sanitizing or encoding:
Bad code:
someLabel.Text = "Results for " + searchstring + ":";
Mitigation using Anti-XSS:
someLabel.Text = "Results for " + AntiXSS.EncodeHtml(searchstring) + ":";
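The WIDGETCO search label rendered three ways, as an added example that is not part of the presentation or of the Anti-XSS library. It uses the framework encoders in System.Web (HttpUtility.HtmlEncode, and HttpUtility.JavaScriptStringEncode, which exists from .NET 4 on) to make the slide's point concrete: the encoder has to match the output context, so the HTML encoder that fixes the label is the wrong tool when the same value is written into a script block. The class, method and input strings are constructed for this example.

```csharp
// Added example (not the presentation's or the Anti-XSS library's code).
// Shows the untrusted search string written into the page with no encoding,
// with HTML encoding, and into a script block with JavaScript-string encoding.
using System;
using System.Web;

public static class SearchResultsRenderer
{
    // The slide's "bad code": untrusted input concatenated straight into markup.
    public static string RenderUnsafe(string searchString)
    {
        return "Results for " + searchString + ":";
    }

    // HTML body context: HtmlEncode turns <, >, &, " (and ' on .NET 4 and later)
    // into entities, so the browser shows the search string as text instead of
    // parsing it as markup. This is the mitigation the slide describes.
    public static string RenderEncoded(string searchString)
    {
        return "Results for " + HttpUtility.HtmlEncode(searchString) + ":";
    }

    // Script context: HtmlEncode is not sufficient here because it does not
    // escape the characters that close a JavaScript string literal. The
    // JavaScript-string encoder escapes quotes, backslashes and angle brackets,
    // so the value stays inside the literal.
    public static string RenderIntoScript(string searchString)
    {
        return "<script>var lastSearch = '"
            + HttpUtility.JavaScriptStringEncode(searchString)
            + "';</script>";
    }

    // Developer self-check: after HTML encoding, no raw angle bracket from the
    // input may survive in the rendered label.
    public static bool EncodedOutputHasNoRawTags(string searchString)
    {
        string html = RenderEncoded(searchString);
        return html.IndexOf('<') < 0 && html.IndexOf('>') < 0;
    }

    public static void Main()
    {
        // Constructed test input carrying markup and a quote character.
        string input = "<b>widgets</b> 'n gadgets";
        Console.WriteLine(RenderUnsafe(input));
        Console.WriteLine(RenderEncoded(input));
        Console.WriteLine(RenderIntoScript(input));
        Console.WriteLine(EncodedOutputHasNoRawTags(input));
    }
}
```

Reference System.Web when compiling. The same approach applies to the Anti-XSS library: pick the encoder that matches where the output lands (HTML body, HTML attribute, JavaScript, URL), rather than one encoder for every context.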
Securing Web App Config
Secure sensitive configuration information in Web.config
Configuration Sections
<appSettings>: custom application settings.
<connectionStrings>: connection strings.
<identity>: impersonation credentials.
<sessionState>: connection string for the out-of-process session state provider.
How To: Encrypt Configuration Sections in ASP.NET 2.0
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000006.asp
Securing Web App Config
aspnet_regiis -pe "SectionName" -app "/FolderName" -prov "ProviderName"
DPAPI: DataProtectionConfigurationProvider
RSA: RsaProtectedConfigurationProvider
Accessing config data remains the same:
WebConfigurationManager.ConnectionStrings["MyLocalSQLServer"].ConnectionString;
WebConfigurationManager.AppSettings["presenter1"];
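The in-code equivalent of the aspnet_regiis -pe command, as an added example that is not part of the presentation: a helper that opens an application's Web.config through WebConfigurationManager, protects a named section with one of the two providers listed above, and shows that reading the section afterwards needs no code change. The class name, the "/MyApp" virtual path and the connection string name are assumptions for this example.

```csharp
// Added example (not from the presentation): programmatic equivalent of
// aspnet_regiis -pe, using the .NET 2.0 configuration API.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtector
{
    // Provider names registered in machine.config for ASP.NET 2.0.
    public const string RsaProvider = "RsaProtectedConfigurationProvider";
    public const string DpapiProvider = "DataProtectionConfigurationProvider";

    // Encrypts the named section (e.g. "connectionStrings") of the web
    // application at appPath (a virtual path such as "/MyApp", assumed here).
    // Returns false if the section was already protected, true if it was
    // encrypted by this call.
    public static bool ProtectSection(string appPath, string sectionName, string providerName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
        {
            throw new ArgumentException("Section not found: " + sectionName);
        }
        if (section.SectionInformation.IsProtected)
        {
            return false;
        }
        section.SectionInformation.ProtectSection(providerName);
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reverse operation, for maintenance on a trusted admin workstation.
    public static void UnprotectSection(string appPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section != null && section.SectionInformation.IsProtected)
        {
            section.SectionInformation.UnprotectSection();
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // Reading a protected section is unchanged: the runtime decrypts it for the
    // application, exactly as the slide's WebConfigurationManager lines do.
    public static string ReadConnectionString(string name)
    {
        ConnectionStringSettings settings = WebConfigurationManager.ConnectionStrings[name];
        return settings == null ? null : settings.ConnectionString;
    }

    public static void Main()
    {
        // Assumed application path and section; run from a process with write
        // access to the Web.config and (for RSA) to the key container.
        bool changed = ProtectSection("/MyApp", "connectionStrings", RsaProvider);
        Console.WriteLine(changed ? "connectionStrings encrypted" : "already protected");
        Console.WriteLine(ReadConnectionString("MyLocalSQLServer") != null
            ? "connection string readable"
            : "connection string not found");
    }
}
```

Reference System.Configuration and System.Web. Two operational points follow from the provider choice: DPAPI keys are bound to the machine, so a DPAPI-protected Web.config cannot be copied to another server, while the RSA provider's key container can be exported and imported but must be granted to the application pool identity (aspnet_regiis -pa) or the decryption fails at runtime.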
Securing Databases
SQL Injection
Supplying carefully crafted input to alter (or create) SQL statements
If ID is read directly from a Web or Windows form, the user could enter either of the following:
ALFKI1001
ALFKI1001' OR 1=1--

sqlString = "SELECT HasShipped FROM"
    + " OrderDetail WHERE OrderID = '"
    + ID + "'";
Securing Databases
SQL Injection Defense
Abandon Dynamic SQL
Use Stored Procedures or SQL parameterized queries
Sanitize all input

Mitigation using stored procedures:
…
SqlParameter parameterCategoryID = new SqlParameter("@CategoryID", SqlDbType.Int, 4);
myCommand.Parameters.Add(parameterCategoryID);
SqlDataReader result = myCommand.ExecuteReader(CommandBehavior.CloseConnection);
CREATE Procedure CMRC_ProductsByCategory
(@CategoryID int)
AS
SELECT ProductID, ModelName, UnitCost, ProductImage
FROM CMRC_Products WHERE CategoryID = @CategoryID ORDER BY ModelName, ModelNumber
GO
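The two preceding slides side by side, as an added example that is not part of the presentation: the concatenated OrderDetail query from the "SQL Injection" slide, the same query rewritten with a SqlParameter, and the CMRC_ProductsByCategory stored-procedure call completed around the fragment shown above. The class name, the OrderID column type and the placeholder connection string are assumptions; the command objects are built without opening the connection, so the demonstration of how the crafted input changes the statement text runs without a database.

```csharp
// Added example (not from the presentation): dynamic SQL beside the
// parameterized and stored-procedure forms, using System.Data.SqlClient.
using System;
using System.Data;
using System.Data.SqlClient;

public static class OrderQueries
{
    // Vulnerable form from the slide: the ID is spliced into the statement text,
    // so a value such as ALFKI1001' OR 1=1-- rewrites the WHERE clause instead
    // of being compared as data.
    public static string BuildUnsafeQuery(string id)
    {
        return "SELECT HasShipped FROM OrderDetail WHERE OrderID = '" + id + "'";
    }

    // Parameterized form: the statement text is fixed and the ID travels to the
    // server as a typed value. OrderID is assumed to be nvarchar(20).
    public static SqlCommand CreateShippedQuery(SqlConnection conn, string id)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT HasShipped FROM OrderDetail WHERE OrderID = @OrderID", conn);
        cmd.Parameters.Add("@OrderID", SqlDbType.NVarChar, 20).Value = id;
        return cmd;
    }

    // Stored-procedure form: the slide's CMRC_ProductsByCategory with its typed
    // @CategoryID parameter; CommandType.StoredProcedure prevents the name from
    // being interpreted as a batch of SQL text.
    public static SqlCommand CreateProductsByCategory(SqlConnection conn, int categoryId)
    {
        SqlCommand cmd = new SqlCommand("CMRC_ProductsByCategory", conn);
        cmd.CommandType = CommandType.StoredProcedure;
        SqlParameter parameterCategoryID = new SqlParameter("@CategoryID", SqlDbType.Int, 4);
        parameterCategoryID.Value = categoryId;
        cmd.Parameters.Add(parameterCategoryID);
        return cmd;
    }

    public static void Main()
    {
        // Constructed input taken from the slide.
        string hostile = "ALFKI1001' OR 1=1--";
        Console.WriteLine("Dynamic SQL sent to the server:");
        Console.WriteLine(BuildUnsafeQuery(hostile));

        // Placeholder connection string; nothing is opened or executed here.
        string connStr = "Server=(local);Database=Northwind;Integrated Security=true";
        using (SqlConnection conn = new SqlConnection(connStr))
        {
            SqlCommand shipped = CreateShippedQuery(conn, hostile);
            Console.WriteLine("Parameterized statement text:");
            Console.WriteLine(shipped.CommandText);
            Console.WriteLine("@OrderID value: " + shipped.Parameters["@OrderID"].Value);

            SqlCommand products = CreateProductsByCategory(conn, 7);
            Console.WriteLine(products.CommandText + " (" + products.CommandType + ")");
        }
    }
}
```

To execute either command, open the connection and call ExecuteReader as the slide does; the statement text printed for the parameterized version stays the same whatever the input, which is the property that removes the injection.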
Securing Databases
Consider all input ‘guilty until proven otherwise’
Run with least privilege – never as ‘sa’
Restrict access to built-in stored procedures
Do not display ODBC errors
Securing Database Info
Encrypt sensitive data
Social Security Numbers
Credit Card info
HIPAA Compliance
SQL Server 2005
Request/Response encrypted by default
Native in-database encryption
Certificate-based, asymmetric and symmetric encryption
SQL Server 2005 Books Online
Securing Authorization & Authentication
Encapsulate common application security tasks
Present a standard, provider model for common security tasks
Minimize the need for custom security-related code
Incorporate best practices for application security

[Diagram: Enterprise Library Security Application Block. An ASP.NET client calls the Membership Provider and Profile Provider; an Authorization Factory and a Security Cache Factory create the IAuthorization Provider and ISecurity Cache Provider; concrete providers shown are Authorization Rule Provider, AzMan Authorization Provider, Caching Store Provider (backed by the Caching Application Block), ActiveDirectory Membership Provider, Sql Membership Provider and Sql Profile Provider.]
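How page code uses the provider model the diagram describes, as an added example that is not part of the presentation or of Enterprise Library: an authorization check that goes through the Security Application Block's AuthorizationFactory instead of inspecting roles inline, so the rule can later be moved to AzMan or another provider by configuration alone. The provider name "RuleProvider" and the rule name "ApproveOrder" are assumed to be defined in the application's securityConfiguration section; the principal is constructed for the demonstration.

```csharp
// Added example (not from the presentation or Enterprise Library): authorizing
// a principal through the Security Application Block's provider model.
using System;
using System.Security.Principal;
using Microsoft.Practices.EnterpriseLibrary.Security;

public static class OrderAuthorization
{
    // Assumed names from the application's securityConfiguration section:
    // an authorization rule provider and one rule (e.g. expression "R:Managers").
    private const string ProviderName = "RuleProvider";
    private const string RuleName = "ApproveOrder";

    // The only place that knows how the decision is made; the caller passes
    // the current principal and receives a yes/no answer.
    public static bool CanApproveOrder(IPrincipal principal)
    {
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            return false;   // never authorize an anonymous caller
        }
        IAuthorizationProvider provider =
            AuthorizationFactory.GetAuthorizationProvider(ProviderName);
        return provider.Authorize(principal, RuleName);
    }

    public static void Main()
    {
        // Constructed principal; in an ASP.NET page pass HttpContext.Current.User.
        IIdentity identity = new GenericIdentity("alice");
        IPrincipal principal = new GenericPrincipal(identity, new string[] { "Managers" });
        Console.WriteLine(CanApproveOrder(principal) ? "approved" : "denied");
    }
}
```

Reference Microsoft.Practices.EnterpriseLibrary.Security and its Common assembly; the rule expression lives in configuration, so a change from role-based to AzMan-based decisions is a configuration edit rather than a code change.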
Microsoft ACE Team
Services Offered:
Application Security Code Review
Threat Modeling / Design Reviews
Training
Secure Application Development
Threat Modeling (coming soon)
Infrastructure Hacking (coming soon)
Assistance with developing and deploying SDL within your environment & solutions
Resources
ACE Team Blog:
http://blogs.msdn.com/ace_team/default.aspx
Application Threat Modeling
http://msdn.microsoft.com/security/securecode/threatmodeling/acetm/
Microsoft Threat Analysis and Modeling v2.0 Beta 2
http://www.microsoft.com/downloads/details.aspx?familyid=aa5589bd-fb2c-40cf-aec5-dc4319b491dd&displaylang=en
Custom data sources
Developer Security Resource Kit
http://msdn.microsoft.com/security/securityreskit/default.aspx
MSPress: Writing Secure Code
http://www.microsoft.com/mspress/books/5957.asp
Enterprise Library 2.0
http://msdn.microsoft.com/practices/
Next Steps & Conclusion
Learn More
Align your development processes and organization to develop secure code
Iterate and improve
Iterate and improve
Iterate and improve
Windows Vista Code Master Challenge
Developers and ISVs: Build the best new application with Windows Vista to win $50,000! There are no limits to what you can create, and the app is yours to keep or sell. We won’t ever ask for your coding secrets.
Prizes:
Grand prize: $50,000
1st prize: $30,000
2nd prize: $20,000
3rd prize: $15,000
20 Finalists $500 each
You don’t need a completed app to sign up—you have until July 31 to finish coding. Register today, and we’ll give you the tools you need to become a Code Master!
www.codemasterchallenge.com
ISV Developer Training Online, Any Time
ISV Touchdown Web Seminars
New content monthly
Available with live Q&A or on-demand
www.isvwebseminars.com
ISV Touchdown Virtual Labs
Twenty-five 90 minute labs to choose from
No complex set up or installation
www.touchdownvirtuallabs.com
Additional Resources for ISVs
Visit the U.S. ISV Website
https://www.microsoft.com/partner/usa/isv
ISV Training and Events
http://partner.microsoft.com/us/isvtraining
MSDN ISV Community Center
http://msdn.microsoft.com/isv
Microsoft Windows Vista Training!
Attend a Vista Web Seminar and Win a Dream Vacation!!
For more information and to register: http://www.msreadiness.com/windowsvistaisv.asp