Application Security Best Practices At Microsoft Ensuring the lowest possible exposure and vulnerability to attacks Published: January 2003.


Solution Overview
Situation: Faced with the daunting task of inventorying, cataloging, assessing, and securing each LOB application, the Microsoft IT group needed to create an organizational framework for handling the job
Solution: Microsoft IT developed the Application Security Assurance Program (ASAP) to inventory, assess and – when necessary – ensure the resolution of security vulnerabilities found in LOB applications
Benefits:
- Lower cost of recovery and lost productivity
- Minimize loss of data
- Improve customer confidence
- Decrease legal risks

Motivation For Application Security
- Cost of recovery and lost productivity
- Loss of data
- Impact on consumer confidence
- Legal risks

Security Principles
- Confidentiality
- Integrity
- Authentication
- Authorization
- Availability
- Non-repudiation

Managing Risk
- Strategic
- Tactical
- Operational
- Legal

Overview Of ASAP
- Wide variety of LOB applications designed by Microsoft IT or individual business unit IT teams
- Securing applications and data has grown in significance and complexity
- LOB applications function in a complex operational and legal environment with an equally complex underlying infrastructure
- Every organization should develop its own plan for securing applications

ASAP Deployment
- Risk assessment
- Design review
- Pre-production assessments
- Post-production followup

Assessment Criteria
- Definition of an application
- Scope of assessments
- High-risk
- Medium-risk
- Low-risk

Assessment Criteria
- Types of Assessments
  - Limited assessments
  - Comprehensive assessments

Participants
- Security Policy
- Threat Modeling
- Corporate Security
- Application Review Team
- Operations IT
- Business Unit IT Groups
- Risk Assessment
- Audits
- Action on Audit Findings

Application Security Process Framework
- Verify In Production Applications
- Design, Develop, Test, and Verify Secure Apps
- Educate IT Professionals
- Maintain and Publish Policies and Guidelines
- Respond to Security Exposure Incidents
- Apply Lessons Learned

Application Management – Secure Infrastructure
Categories: Network, Host, Application, Account, Trust
- Architecture
- Transport
- Network device
- Access control list (ACL) permission settings
- Operating system
- Services
- Internet Information Services (IIS)
- Simple Mail Transfer Protocol (SMTP)
- File Transfer Protocol (FTP)
- NetBIOS/Remote procedure call (RPC)
- Terminal Services
- Microsoft SQL Server
- Input validation
- Clear text protocol
- Authentication
- Authorization
- Cryptography
- Auditing and logging
- Unused accounts
- Weak or blank passwords
- Shared accounts
- Access privileges
- Rogue trusts

Building Secure Networks – Configuration
- Network segmentation
- Firewalls
- Routers and switches

Building Secure Networks – Intrusion Detection Systems And Network Encryption
- Detection systems should monitor for
  - Reconnaissance attacks
  - Exploit attacks
  - Denial of service attacks
- Network encryption
  - Key tool in preventing sensitive data from being read
  - Sensitive communication should be encrypted
  - Industry-standard encryption methods: Secure Sockets Layer (SSL), secure shell program such as SSH, Internet Protocol Security (IPSec)

Building Secure Hosts For Applications
- Patch management
- Configuration
- Permissions
- Simple Network Management Protocol community strings
- Antivirus software
- Server auditing and logging
- Server backup and restore

Application Layer Requirements
- Input validation
- Session management
- Authentication and authorization
- Design and code review
- Application and server error handling
- Application auditing and logging
- Application backup and restore
- Private data encryption

Common Application Development Issues
- User input validation
- Cookies, authentication, and access
- Passwords
- Access control lists
- COM+ application configuration
- Auditing and logging

Threat Modeling
- Provides a consistent methodology for objectively evaluating threats to applications
- Microsoft IT uses STRIDE to identify threats
  - Spoofing identity
  - Tampering with data
  - Repudiation
  - Information disclosure
  - Denial of service
  - Elevation of privilege

Architecture Modeling
- Component selection
- Component location
  - Untrusted
  - Semitrusted
  - Trusted
- Connection identification
  - Untrusted
  - Semitrusted
  - Trusted
- Environment component identification

Lessons Learned
- If you wait until an application is already in production to make it secure, you are too late
- Good security practices take into account both the host and the application client
- Create clearly written and easily accessible security guideline documentation
- Create security checklists that include step-by-step instructions
- Develop a thoroughly considered policy exception tracking process
- Education is crucial to the success of a security program
- Processes and reporting are required to ensure that inventory information is maintained
- Security is an ongoing, always changing, concern

Policies
- Applications should comply with application security policies and guidelines
- Applications should go through a security design review process
- Third-party application vendors should provide assurances that the software does not contain anything that could be used to compromise security controls
- Internet-facing applications should use existing methods of authentication
- Applications that reside on the corporate network should rely on Windows integrated authentication
- Applications that cannot use Windows integrated authentication should either encrypt or hash the password stores
- Credentials should never be stored or sent unencrypted
- User input should be filtered and examined at the Web server
- Web applications should use strong, nonpredictable session IDs
- Web applications should use an inactivity timeout
- Cookies that contain sensitive data should be marked as secure and nonpersistent
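
The three session policies above (nonpredictable session IDs, an inactivity timeout, and secure nonpersistent cookies), shown as an added Python example that is not part of the original presentation or Microsoft's own code. The 15-minute timeout, the cookie name sid, and the HttpOnly and SameSite attributes are assumptions the slides do not specify.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # assumed value; the slides set no specific timeout


class SessionStore:
    """In-memory sessions with unpredictable IDs and an inactivity timeout."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.monotonic):
        self._last_seen = {}          # session ID -> time of last request
        self._idle_timeout = idle_timeout
        self._clock = clock           # injectable so the timeout can be tested

    def create(self):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._last_seen[sid] = self._clock()
        return sid

    def touch(self, sid):
        """Return True and refresh the session if it is still active."""
        seen = self._last_seen.get(sid)
        if seen is None or self._clock() - seen > self._idle_timeout:
            self._last_seen.pop(sid, None)    # expired or unknown: drop it
            return False
        self._last_seen[sid] = self._clock()
        return True


def session_cookie(sid):
    """Set-Cookie value: Secure, and no Expires/Max-Age so it is nonpersistent.

    HttpOnly and SameSite go beyond the slide's policy (assumed hardening).
    """
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def cookie_policy_violations(set_cookie):
    """List the ways a Set-Cookie value breaks the secure/nonpersistent policy."""
    attrs = [p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]]
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure")
    if "expires" in attrs or "max-age" in attrs:
        problems.append("persistent (Expires/Max-Age set)")
    return problems
```

cookie_policy_violations can be run over Set-Cookie headers captured from an application during a pre-production assessment to flag cookies that break the policy.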

Future Security Considerations
- Authorization Manager
- Constrained Delegation

Summary
- Business relies more and more on information technology to operate
- Securing access to critical resources ensures that they continue to function as expected
- Microsoft IT put policies and guidelines in place to help Microsoft development teams secure their existing applications
- Documenting and sharing the lessons that are learned by organizations are central to maintaining security both within and among businesses

For More Information
- Additional content on Microsoft IT deployments and best practices can be found on
  - Microsoft TechNet
  - Microsoft Case Study Resources
  - IT Showcase

This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Microsoft Press, Visual Studio, Visual SourceSafe, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.