Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security.

Published byDayna Walters Modified over 5 years ago

Similar presentations

Presentation on theme: "Security."— Presentation transcript:

1 Security

2 All Input is Evil (Part 1)

3 Introduction Will not cover everything Healthy level of paranoia
Use my DVD Swap Shop application (week 2)

4

5 Security Considerations
Authentication  Authorisation Secure communication Software + Hardware

6 The Login Provides authentication asterisks *********
SQL injection attack

7 Human Problems A simple conversation
People use words they can remember Same passwords for many sites Doctor who fan guess the password T****S

8 Dictionary Attacks If you know a user name throw the dictionary at it

9 Brute Force Attack If the password is CC but all we know is that it is two characters long ** AA AB BA BB BC CB CC The longer the password the more time we need to crack it.

10 Countermeasures Education Enforce rules in code
Don’t use same password for all sites Avoid passwords that could be guessed Don’t use dictionary words Enforce rules in code Minimum password length Non alpha numeric characters Expiration date Limit login attempts

11 Use a Security Framework
Authentication options in .NET Windows Passport Forms DIY

12 Securing Stored Passwords
Unsecured Access database Stored in App_Data folder (Could store on another drive/machine) Plain text password stored in the table

13 Password Hashing .NET Cryptography Encryption is ok Hashing better
IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY= Do not store the password in plain text

14 Adding Salt If the passwords for John and Fred without salt look like this... John IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY= Fred IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY= Adding salt would change the hash values like so... John 354rlrk8Jv7729qVOrOp0lXUv7RAsdV Fred 9Wo0irC6+ylay0CJsLVtWBfbJBSn03j4gzhG Concatenate password + address

15 Validation Who do you trust?
Do you trust me not to make use of that data in some way?  Do you trust me to write a web application that will not be compromised in any way? Not just a matter of what people you trust but what systems do you trust? Exclude list = characters we don’t allow Include list = characters we do allow

16 Code Injection Script could run when page is rendered elsewhere in application IIS automatically disallows this

17 Turn Off Debug Mode By entering bad data a hacker could crash your program

18 We now Know The language of the application (VB.NET)
The names of several parameters SwapTitle Description etc.. In the light of the above probably the names of some fields in the database (this way the hacker may refine the SQL injection attacks.) The remote path on the server C:\MyFiles\IMAT1604\content\Widget Swap\Widget Swap\aswap.aspx.vb

19 Securing the Communication Channel

20 Public and Private Keys

21 Public and Private Keys

22 Secure Socket Layer (SSL)
The browser makes a secure HTTP request HTTPS on port 443 The server sends back a digital certificate verifying its credentials The client verifies the certificate with the issuing agency Using the public key the data is encrypted between client and server

23 Open Ports Port scanners Firewalls IP Filtering
Turn off unused services Grant Minimum Permissions to Resources

Download ppt "Security."

Similar presentations

iRequestManager for MediMizer X3

iRequestManager for MediMizer X3
ASP.NET Web Application Security Hannes Preishuber ppedv AG

ASP.NET Web Application Security Hannes Preishuber ppedv AG
Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.

Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Security in SQL Jon Holmes CIS 407 Fall 2007. Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.

Security in SQL Jon Holmes CIS 407 Fall Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.
Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.

Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.

CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.
1 CSE 403 Web Security Testing Reading: Andrews/Whitaker, How to Break Web Software, Ch. 2-5 These lecture slides are copyright (C) Marty Stepp, 2007.

1 CSE 403 Web Security Testing Reading: Andrews/Whitaker, How to Break Web Software, Ch. 2-5 These lecture slides are copyright (C) Marty Stepp, 2007.
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software
Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.

Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.
Chapter 13 – Network Security

Chapter 13 – Network Security
© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.

© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.

Similar presentations

Ads by Google