Presentation is loading. Please wait.

Presentation is loading. Please wait.

Writing Secure Code By Sam Nasr, MCAD, MCT, MCTS March 18, 2009.

Similar presentations

Presentation on theme: "Writing Secure Code By Sam Nasr, MCAD, MCT, MCTS March 18, 2009."— Presentation transcript:

1 Writing Secure Code By Sam Nasr, MCAD, MCT, MCTS March 18, 2009

2 Agenda Introduction Security overview Security Procedural Coding Q&A

3 About me… Sam Nasr Independent Software Consultant Nasr Information Systems Software developer since 1995 MCAD, MCT, MCTS(WSS/MOSS) President - Cleveland C#/VB.Net User Group Contact Info Blog:

4 Setting Expectations What will be covered Overview of security in.Net FW Some coding techniques, due to time Take home Laundry List Discuss code and organizational policies What will NOT be covered COM, Activex DB Security Identifying Security Bugs

5 Why Security? Protect the Data Credit Card #s Corporate Data (Financial info) Patient Information Ensure App Integrity Prevent loss of revenue (i.e. $1 plane tickets) Uptime (DOS Attacks) Ensure App Authenticity Customers run intended applications

6 What are the odds? 1 Developer vs. Many Hackers 1 Dev Hour vs. Many hacker hours Salary vs. Personal Pride Focused vs. Continuous Attempts

7 Points of Entry

8 Holistic Security Physical Location of servers ALL servers (App & DB) must be configured for security Train users against social engineering Security code review Security Testing Practice Active Defense Recovery Plan Keep your users aware of the security risk



11 Active Defense Monitoring Out of bounds pricing Excessive # of transactions After hours access Extended login time

12 .Net 101 (know the basics) Compile code to ? How does the code execute? Hows JIT used? Hows CLR used?

13 Security Namespaces System.Security System.Web.Security System.Security.Cryptography System.Security.Principal System.Security.Policy System.Security.Permissions


15 Security Tools DotFuscator FX Cop Anti-Cross Site Scripting Library Security Assessment Tool

16 Strong Names Private and Public keys tokens Regular Name (BookInventory) Version Number ( ) Culture (neutral) Public key Token Note: Protect Private Key Utilize AssemblyDelaySign

17 Demo Strong Names

18 Anti-Cross Site Scripting Library A Cross Site Scripting attack (XSS): when a hacker inserts a link in an or web forum that appears to be legitimate (i.e., However, the link actually a malicious script code embedded in the URL. When the unsuspecting user clicks the link, the script is executed on the host web site. The script code maybe used to transfer cookies from the victim's PC to the hacker's machine. The cookies may contain user ID's, passwords, or possibly credit card information, all which can be used for illegal purposes. 7AD9-496C-9A89-AF08DE2E5982&displaylang=en

19 Demo FXCop

20 Demo Security Assessment Tool

21 Conclusion Lets recap… Procedural Coding

22 References Understanding MSIL - Presentations FXCop D59D7ED09772&displaylang=en Securing Connection Strings via code: via cmd line:

23 Questions?

24 Contact Info Sam Nasr Blog: Cleveland C#/VB.Net User Group Web:

Download ppt "Writing Secure Code By Sam Nasr, MCAD, MCT, MCTS March 18, 2009."

Similar presentations

Ads by Google