Presentation is loading. Please wait.

Presentation is loading. Please wait.

More Secure Online Services Powered by the Microsoft SDL Bryan Sullivan Security Program Manager, SDL Microsoft.

Similar presentations


Presentation on theme: "More Secure Online Services Powered by the Microsoft SDL Bryan Sullivan Security Program Manager, SDL Microsoft."— Presentation transcript:

1 More Secure Online Services Powered by the Microsoft SDL Bryan Sullivan Security Program Manager, SDL Microsoft

2 What We Will Cover Brief background on the Microsoft Security Development Lifecycle (SDL) SDL processes and tools currently used to protect online services Preview future SDL online initiatives

3 Session Prerequisites Knowledge of basic web application vulnerabilities Familiarity with web programming concepts ASP.NET is a plus Level 300

4 SDL Background What is the SDL? EducationToolsProcess

5 SDL Background SQL Server Before the SDL

6 SDL Background SQL Server After the SDL

7 Online Service Requirements OWASP Top Ten Cross-Site Scripting Injection Flaws Malicious File Execution Insecure Direct Object References Cross-Site Request Forgery Information Leakage Broken Authentication Insecure Cryptography Insecure Communications Failure to Restrict URL Access

8 Cross-Site Scripting (XSS) Input Validation Ensure the data is what the application expects FormatLength Regular expressions (can) work great here System.Text.RegularExpressions.RegexSystem.Web.UI.WebControls.RegularExpressionValidator

9 Cross-Site Scripting (XSS) Use of Regular Expressions Incorrect use of Regex: if (Regex.IsMatch(userInput, "[<>]")) // reject input Correct use of Regex: if (Regex.IsMatch(userInput, “^[a-zA-Z]{1,9}$")) // accept input

10 Cross-Site Scripting (XSS) ValidateRequest Page directive Web.config setting More of a defense-in-depth measure

11 Cross-Site Scripting (XSS) Encode Output Harder than it sounds! 7 different cases Plain HTML HTML attribute URLJavaScriptVBScriptXML XML attribute Use Microsoft AntiXSS Library

12 Demonstration 1 Microsoft AntiXSS Library

13 Cross-Site Scripting (XSS) Static Analysis XSSDetect Code Analysis Tool Analyzes source-to-sink dataflow Standalone or integrated into Visual Studio

14 SQL Injection Use Stored Procedures Bad code: SqlCommand command = new SqlCommand( "SELECT * FROM Customers WHERE CustomerId = '" + customerId + "'"); "SELECT * FROM Customers WHERE CustomerId = '" + customerId + "'"); Good code: SqlCommand command = new SqlCommand("GetCustomer"); command.CommandType = CommandType.StoredProcedure; command.Parameters.Add(new

15 SQL Injection Avoid Moving the string concatenation to the stored proc code still leaves you vulnerable… EXEC ('SELECT * FROM Customers WHERE CustomerId = ''' + ''') The only approved use of EXEC is to call other stored procedures

16 SQL Injection Remove Database Privileges Allow only EXECUTE privileges on the necessary stored procedures All other privileges on all objects must be removed This is defense in depth

17 Cross-Domain Scripting Same Origin Policy Two frames/windows can only communicate with each other if they have the same origin Origin is defined as having the same: DomainPortProtocol Also applies to XMLHttpRequest

18 Cross-Domain Scripting Same Origin Policy Example If my page is PageAllowed?Why? domain https://www.mysite.com/page.aspxNoDifferent protocol port domain ok Take a guess…

19 Cross-Domain Scripting Document.Domain Two cooperating pages can lower their domain so they can talk to each other Do not lower document.domain to the “two- dots” level or lower foo.site.com is allowed site.com is prohibited.com is right out (prohibited by browsers too)

20 Cross-Domain Scripting Cross-Domain Access Policies Used by Flash, Silverlight crossdomain.xmlclientaccesspolicy.xml

21 Cross-Site Request Forgery ViewStateUserKey Built-in canary defense for ASP.NET pages protected void Page_Init(object sender, EventArgs e) { this.ViewStateUserKey = Session.SessionID; this.ViewStateUserKey = Session.SessionID;}

22 Demonstration 2 ViewStateUserKey

23 Future SDL Initiatives SDL for Agile Development SDL originally designed for long projects Difficult to implement 100+ SDL requirements in two-week-long release cycles

24 Future SDL Initiatives SDL for Agile Development cont’d Break SDL into two “classes” Non-negotiable “every-sprint” requirements “Bucket” requirements Complete at least one from each bucket Complete all requirements every six months

25 Session Summary SDL can dramatically lower the number and severity of vulnerabilities in online services Validate user input Encode output Use stored procedures Avoid Limit cross-domain access Use ViewStateUserKey

26 For More Information SDL Web Site SDL Blog MSDN Magazine September 2008, “Security Briefs: SDL Embraces the Web” November 2008, “Agile SDL: Streamline Security Practices for Agile Development”

27 Questions and Answers Submit text questions using the “Ask” button. Don’t forget to fill out the survey. For upcoming and previously live webcasts: Got webcast content ideas? Contact us at:

28


Download ppt "More Secure Online Services Powered by the Microsoft SDL Bryan Sullivan Security Program Manager, SDL Microsoft."

Similar presentations


Ads by Google