More Secure Online Services Powered by the Microsoft SDL
Bryan Sullivan, Security Program Manager, SDL, Microsoft

What We Will Cover
- Brief background on the Microsoft Security Development Lifecycle (SDL)
- SDL processes and tools currently used to protect online services
- Preview of future SDL online initiatives

Session Prerequisites
- Knowledge of basic web application vulnerabilities
- Familiarity with web programming concepts
  - ASP.NET is a plus
- Level 300

SDL Background: What is the SDL?
- Education
- Tools
- Process

SDL Background: SQL Server Before the SDL
[Chart: reported SQL Server vulnerabilities per year, 1999 to 2002; y-axis 0 to 25]

SDL Background: SQL Server After the SDL
[Chart: reported SQL Server vulnerabilities per year, 1999 to 2008; y-axis 0 to 25]

Online Service Requirements: OWASP Top Ten
- Cross-Site Scripting
- Injection Flaws
- Malicious File Execution
- Insecure Direct Object References
- Cross-Site Request Forgery
- Information Leakage
- Broken Authentication
- Insecure Cryptography
- Insecure Communications
- Failure to Restrict URL Access

Cross-Site Scripting (XSS): Input Validation
- Ensure the data is what the application expects
  - Format
  - Length
- Regular expressions (can) work great here
  - System.Text.RegularExpressions.Regex
  - System.Web.UI.WebControls.RegularExpressionValidator

Cross-Site Scripting (XSS): Use of Regular Expressions
Incorrect use of Regex:
    if (Regex.IsMatch(userInput, "[<>]"))
        // reject input
Correct use of Regex:
    if (Regex.IsMatch(userInput, "^[a-zA-Z]{1,9}$"))
        // accept input
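The two slides above contrast a deny-list check (reject inputs containing `<` or `>`) with an allow-list check (accept only the expected format and length). The following Python model is an added example, not code from the presentation or from Microsoft; the C# on the slides is the real ASP.NET form. It reproduces both checks, shows that the deny list lets through characters that matter in attribute and script contexts, and adds one caveat the slide does not mention: in both .NET and Python, `$` also matches just before a trailing newline, so `\z` (.NET) or `re.fullmatch` / `\Z` (Python) is the strict anchor. The sample inputs are constructed.

```python
import re

# Deny-list check modelled on the slide's "incorrect" example: it only rejects
# inputs that contain '<' or '>' and lets everything else through.
DENY_LIST = re.compile(r"[<>]")

# Allow-list check modelled on the slide's "correct" example: 1 to 9 ASCII letters.
# fullmatch() is used instead of ^...$ because '$' also matches before a final
# newline; the .NET equivalent of a strict end anchor is \z.
ALLOW_LIST = re.compile(r"[a-zA-Z]{1,9}")


def deny_list_accepts(user_input: str) -> bool:
    """True if the deny-list check lets the input through."""
    return DENY_LIST.search(user_input) is None


def allow_list_accepts(user_input: str) -> bool:
    """True only if the whole input matches the expected format and length."""
    return ALLOW_LIST.fullmatch(user_input) is not None


def dollar_anchor_accepts(user_input: str) -> bool:
    """The literal ^...$ form from the slide, kept to show its trailing-newline gap."""
    return re.match(r"^[a-zA-Z]{1,9}$", user_input) is not None


# Constructed sample inputs (not from the slides): a valid name, an over-long
# name, an empty string, a string of quotes and an ampersand that contains no
# angle brackets, and a valid name with a trailing newline.
SAMPLES = ["Bryan", "Bartholomew", "", "O'Brien & \"Co\"", "Bryan\n"]


def compare_checks(samples=SAMPLES) -> dict:
    """Map each sample to (deny_list_accepts, allow_list_accepts)."""
    return {s: (deny_list_accepts(s), allow_list_accepts(s)) for s in samples}


if __name__ == "__main__":
    for sample, verdict in compare_checks().items():
        print(repr(sample), "deny-list:", verdict[0], "allow-list:", verdict[1])
```

The quote-and-ampersand sample is the point of the slide: it passes the deny list because it has no angle brackets, yet it would need encoding in an attribute or script context, which is why the allow list on format and length is the check to write.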

Cross-Site Scripting (XSS): ValidateRequest
Page directive:
    <%@ Page ValidateRequest="true" %>
Web.config setting:
    <configuration>
      <system.web>
        <pages validateRequest="true" />
      </system.web>
    </configuration>
More of a defense-in-depth measure

Cross-Site Scripting (XSS): Encode Output
- Harder than it sounds! 7 different cases:
  - Plain HTML
  - HTML attribute
  - URL
  - JavaScript
  - VBScript
  - XML
  - XML attribute
- Use the Microsoft AntiXSS Library
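The slide's point is that there is no single "encode output" function: each of the seven output contexts has its own escaping rules. The following Python module is an added example, not the AntiXSS Library and not code from the presentation; it models the library's allow-list approach (everything that is not a letter or digit gets encoded) with one encoder per context and a dispatcher that refuses unknown contexts rather than falling through to the wrong encoder. Function names, the context keys and the sample value are assumptions made here.

```python
import re

_ALNUM = re.compile(r"[A-Za-z0-9]")
# The only entity names XML predefines; HTML-only names such as &nbsp; are not XML.
_XML_NAMED = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&apos;"}


def _numeric(ch: str) -> str:
    return f"&#{ord(ch)};"


def html_encode(text: str) -> str:
    """Plain HTML body: letters, digits and spaces pass; everything else becomes
    a numeric character reference (allow-list encoding)."""
    return "".join(ch if _ALNUM.match(ch) or ch == " " else _numeric(ch) for ch in text)


def html_attribute_encode(text: str) -> str:
    """HTML attribute value: spaces are encoded too, so a value cannot end an
    unquoted attribute and start a new one."""
    return "".join(ch if _ALNUM.match(ch) else _numeric(ch) for ch in text)


def url_encode(text: str) -> str:
    """URL component: percent-encode the UTF-8 bytes of every non-alphanumeric."""
    return "".join(ch if _ALNUM.match(ch) else "".join(f"%{b:02X}" for b in ch.encode("utf-8"))
                   for ch in text)


def _js_escape(cp: int) -> str:
    if cp < 0x100:
        return f"\\x{cp:02X}"
    if cp <= 0xFFFF:
        return f"\\u{cp:04X}"
    cp -= 0x10000                       # astral code point: emit a surrogate pair
    return f"\\u{0xD800 + (cp >> 10):04X}\\u{0xDC00 + (cp & 0x3FF):04X}"


def javascript_encode(text: str) -> str:
    """JavaScript string literal, returned with its own single quotes, so even
    '</script>' inside the data cannot close the enclosing script block."""
    return "'" + "".join(ch if _ALNUM.match(ch) else _js_escape(ord(ch)) for ch in text) + "'"


def vbscript_encode(text: str) -> str:
    """VBScript string expression: safe runs stay quoted, every other character
    becomes a chrw(n) call, all joined with '&'."""
    parts, run = [], []
    for ch in text:
        if _ALNUM.match(ch):
            run.append(ch)
            continue
        if run:
            parts.append('"' + "".join(run) + '"')
            run = []
        parts.append(f"chrw({ord(ch)})")
    if run:
        parts.append('"' + "".join(run) + '"')
    return "&".join(parts) if parts else '""'


def xml_encode(text: str) -> str:
    """XML text: the five predefined entities by name, everything else numeric."""
    return "".join(ch if _ALNUM.match(ch) or ch == " " else _XML_NAMED.get(ch, _numeric(ch))
                   for ch in text)


def xml_attribute_encode(text: str) -> str:
    """XML attribute value: as xml_encode, with spaces encoded as well."""
    return "".join(ch if _ALNUM.match(ch) else _XML_NAMED.get(ch, _numeric(ch)) for ch in text)


ENCODERS = {
    "html": html_encode, "html_attribute": html_attribute_encode, "url": url_encode,
    "javascript": javascript_encode, "vbscript": vbscript_encode,
    "xml": xml_encode, "xml_attribute": xml_attribute_encode,
}


def encode(context: str, text: str) -> str:
    """Choose the encoder by output context; an unknown context is an error."""
    try:
        return ENCODERS[context](text)
    except KeyError:
        raise ValueError(f"no encoder for output context {context!r}") from None


# Constructed untrusted value (not from the slides) carrying the characters that
# matter across contexts: quotes, ampersand, slash, angle brackets and a space.
UNTRUSTED = "O'Brien & \"Co\" </b>"


def encode_all(text: str = UNTRUSTED) -> dict:
    """The same value rendered for every context, one encoder each."""
    return {ctx: encode(ctx, text) for ctx in ENCODERS}


if __name__ == "__main__":
    for ctx, rendered in encode_all().items():
        print(f"{ctx:15} {rendered}")
```

The design choice worth copying is the dispatcher: the caller names the context the data is about to land in, and a context with no encoder raises instead of silently reusing the HTML encoder, which is exactly the mistake the "7 different cases" slide is warning about.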

Demonstration 1: Microsoft AntiXSS Library

Cross-Site Scripting (XSS): Static Analysis
- XSSDetect Code Analysis Tool
  - Analyzes source-to-sink dataflow
  - Standalone or integrated into Visual Studio

SQL Injection: Use Stored Procedures
Bad code:
    SqlCommand command = new SqlCommand(
        "SELECT * FROM Customers WHERE CustomerId = '" + customerId + "'");
Good code:
    SqlCommand command = new SqlCommand("GetCustomer");
    command.CommandType = CommandType.StoredProcedure;
    command.Parameters.Add(new SqlParameter("@customerId", customerId));

SQL Injection: Avoid EXEC @sql
Moving the string concatenation into the stored procedure code still leaves you vulnerable:
    EXEC ('SELECT * FROM Customers WHERE CustomerId = ''' + @CustomerId + '''')
The only approved use of EXEC is to call other stored procedures
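The two SQL injection slides above make one point from two angles: pasting the value into the statement text is the defect, whether the concatenation happens in C# or inside an `EXEC (@sql)` call in the stored procedure, and binding the value as a parameter is the fix. The following Python script is an added example, not code from the presentation; it uses an in-memory SQLite database, which has no stored procedures or `EXEC`, so a parameterized query stands in for the `SqlParameter` call to `GetCustomer`. The table contents are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the Customers table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Customers (CustomerId TEXT PRIMARY KEY, Name TEXT)")
    db.executemany("INSERT INTO Customers VALUES (?, ?)",
                   [("C001", "Alice Example"), ("O'Brien", "Pat O'Brien")])
    return db


def get_customer_concatenated(db: sqlite3.Connection, customer_id: str) -> list:
    """The slide's 'bad code' and the EXEC(@sql) anti-pattern share this shape:
    the value becomes part of the statement text, so a quote inside the value
    changes the statement instead of being treated as data."""
    sql = "SELECT CustomerId, Name FROM Customers WHERE CustomerId = '" + customer_id + "'"
    return db.execute(sql).fetchall()


def get_customer_parameterized(db: sqlite3.Connection, customer_id: str) -> list:
    """What the stored-procedure call with SqlParameter gives you: the value is
    bound separately from the statement and is never parsed as SQL."""
    return db.execute(
        "SELECT CustomerId, Name FROM Customers WHERE CustomerId = ?", (customer_id,)
    ).fetchall()


def compare_queries(customer_id: str) -> tuple:
    """Run both forms on the same input; the concatenated form's failure is
    returned as an 'error: ...' string instead of raising."""
    db = make_db()
    try:
        concatenated = get_customer_concatenated(db, customer_id)
    except sqlite3.Error as exc:
        concatenated = f"error: {exc}"
    return concatenated, get_customer_parameterized(db, customer_id)


if __name__ == "__main__":
    for cid in ("C001", "O'Brien"):
        concat, params = compare_queries(cid)
        print(repr(cid), "concatenated:", concat, "| parameterized:", params)
```

A legitimate customer id containing an apostrophe is enough to show the difference: the concatenated statement fails to parse, while the parameterized one returns the row. The same mechanism that breaks on an apostrophe is what lets a hostile value rewrite the query, which is why the slide allows `EXEC` only for calling other stored procedures.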

SQL Injection: Remove Database Privileges
- Allow only EXECUTE privileges on the necessary stored procedures
- All other privileges on all objects must be removed
- This is defense in depth

Cross-Domain Scripting: Same Origin Policy
- Two frames/windows can only communicate with each other if they have the same origin
- Origin is defined as having the same:
  - Domain
  - Port
  - Protocol
- Also applies to XMLHttpRequest

Cross-Domain Scripting: Same Origin Policy Example
If my page is http://www.mysite.com/foo/bar.aspx

| Page | Allowed? | Why? |
| --- | --- | --- |
| http://blogs.mysite.com/page.aspx | No | Different domain |
| https://www.mysite.com/page.aspx | No | Different protocol |
| http://www.mysite.com:81/page.aspx | No | Different port |
| http://mysite.com/page.aspx | No | Different domain |
| http://www.mysite.com/bar/page.aspx | Yes | Everything ok |

Cross-Domain Scripting: Document.Domain
- Two cooperating pages can lower their domain so they can talk to each other
- Do not lower document.domain to the "two-dots" level or lower
  - foo.site.com is allowed
  - site.com is prohibited
  - .com is right out (prohibited by browsers too)
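The three cross-domain slides above define an origin as protocol plus domain plus port, walk through a table of URLs against http://www.mysite.com/foo/bar.aspx, and then give a rule for how far a page may lower `document.domain`. The following Python code is an added example, not code from the presentation; it implements an origin comparison that reproduces the slide's table and a `document.domain` policy check that encodes the slide's examples (foo.site.com allowed, site.com prohibited, .com prohibited) as a label-count rule. Two generalizations beyond the slide are noted in comments: an explicit default port (`:80` on http) is treated as equal to no port, which is how URL parsers normalize it, and the policy check counts labels only, so a real deployment would consult the public suffix list for domains such as co.uk.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """(scheme, host, port) of a URL; an omitted port means the scheme default,
    so http://host and http://host:80 compare equal (generalization, see lead-in)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def same_origin(url_a: str, url_b: str) -> bool:
    """Same origin means identical protocol, domain and port; the path is ignored."""
    return origin(url_a) == origin(url_b)


# The slide's table, as test data: (other page, allowed?).
ORIGIN_TABLE = [
    ("http://blogs.mysite.com/page.aspx", False),   # different domain
    ("https://www.mysite.com/page.aspx", False),    # different protocol
    ("http://www.mysite.com:81/page.aspx", False),  # different port
    ("http://mysite.com/page.aspx", False),         # different domain
    ("http://www.mysite.com/bar/page.aspx", True),  # everything ok
]


def check_table(page: str = "http://www.mysite.com/foo/bar.aspx") -> bool:
    """True if same_origin() agrees with every row of the slide's table."""
    return all(same_origin(page, other) == allowed for other, allowed in ORIGIN_TABLE)


def may_lower_document_domain(current_host: str, proposed: str) -> bool:
    """Policy from the slide: document.domain may only be set to the page's own
    host or a parent of it at a label boundary, and never down to the two-label
    domain (site.com) or the TLD (.com). This counts labels only; production
    code should also consult the public suffix list (assumption noted in lead-in)."""
    current = current_host.lower().rstrip(".")
    target = proposed.lower().strip(".")        # tolerate a leading dot, as in ".com"
    if not target:
        return False
    if target == current:
        return True
    if not current.endswith("." + target):
        return False                             # not a parent of the current host
    return target.count(".") >= 2                # keep at least three labels


if __name__ == "__main__":
    print("slide table reproduced:", check_table())
    for host, proposed in [("foo.site.com", "foo.site.com"), ("a.foo.site.com", "foo.site.com"),
                           ("foo.site.com", "site.com"), ("foo.site.com", ".com")]:
        print(f"{host} -> {proposed}: {'allowed' if may_lower_document_domain(host, proposed) else 'prohibited'}")
```

Both checks are deliberately exact-match comparisons: a prefix or substring test on the host (which would make mysite.com.example look like mysite.com) is the classic way origin checks go wrong.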

Cross-Domain Scripting: Cross-Domain Access Policies
- Used by Flash and Silverlight
  - crossdomain.xml
  - clientaccesspolicy.xml
    <cross-domain-policy>
      <allow-access-from domain="www.good.com"/>
      <allow-access-from domain="*.net"/>
      <allow-access-from domain="*"/>
    </cross-domain-policy>
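The policy on the slide mixes a single trusted host with two entries that grant far more than intended: `*.net` trusts every host under an entire top-level domain, and `*` trusts every site on the internet. The following Python script is an added example, not code from the presentation or from Adobe or Microsoft; it parses a crossdomain.xml document, classifies each `allow-access-from` entry by how broad it is, and answers whether a given requesting host would be granted access. The wildcard matching rule (a `*.suffix` pattern matches the bare suffix as well as its subdomains) is an assumption made here for the model; the slide's policy is embedded so the audit runs offline.

```python
import xml.etree.ElementTree as ET

# The policy from the slide, embedded as the audit's input.
SLIDE_POLICY = """<cross-domain-policy>
  <allow-access-from domain="www.good.com"/>
  <allow-access-from domain="*.net"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""


def classify(pattern: str) -> str:
    """Describe how much one allow-access-from domain pattern opens up."""
    if pattern == "*":
        return "any site: every domain on the internet may read this service's responses"
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if "." not in suffix:
            return f"entire top-level domain: any host under .{suffix} is trusted"
        return f"wildcard subdomains of {suffix}: acceptable only if you control all of them"
    if "*" in pattern:
        return "partial wildcard: review by hand"
    return "single host: least privilege"


def _entries(policy_xml: str) -> list:
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    return [el.get("domain", "") for el in root.iter("allow-access-from")]


def audit_policy(policy_xml: str) -> list:
    """(domain pattern, classification) for every allow-access-from entry."""
    return [(d, classify(d)) for d in _entries(policy_xml)]


def overly_broad(policy_xml: str) -> list:
    """Entries a reviewer should push back on: '*' and TLD-wide wildcards."""
    return [d for d, reason in audit_policy(policy_xml)
            if d == "*" or reason.startswith("entire top-level domain")]


def domain_matches(pattern: str, host: str) -> bool:
    """Model of the policy file's matching: '*' matches everything, '*.suffix'
    matches the suffix and its subdomains (assumption), anything else is exact."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host == suffix or host.endswith("." + suffix)
    return host == pattern


def grants_access(policy_xml: str, requesting_host: str) -> bool:
    """Would a client served from requesting_host be allowed by this policy?"""
    return any(domain_matches(d, requesting_host) for d in _entries(policy_xml))


if __name__ == "__main__":
    for domain, reason in audit_policy(SLIDE_POLICY):
        print(f"{domain:15} {reason}")
    print("needs pushback:", overly_broad(SLIDE_POLICY))
```

Run against the slide's policy, the audit flags `*.net` and `*`; with those two lines removed, only www.good.com is granted access and a request from an unrelated host is refused.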

Cross-Site Request Forgery: ViewStateUserKey
- Built-in canary defense for ASP.NET pages
    protected void Page_Init(object sender, EventArgs e)
    {
        this.ViewStateUserKey = Session.SessionID;
    }
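Setting `ViewStateUserKey` to the session id makes ASP.NET fold a per-user value into the ViewState MAC, so a form captured in one session fails validation when posted from another. The following Python code is an added example, not ASP.NET code and not from the presentation; it models that mechanism with an HMAC over the serialized page state keyed by a server secret (standing in for the machineKey validation key, which in ASP.NET comes from configuration) and bound to the user key. One caveat the model makes visible: the canary only protects postbacks that carry MAC-validated ViewState, so pages or handlers that accept requests without it need another CSRF defense. Session ids and state values are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed server-side secret standing in for the ASP.NET machineKey
# validation key; real deployments load it from configuration, never from code.
MACHINE_KEY = secrets.token_bytes(32)
TAG_LEN = hashlib.sha256().digest_size


def _tag(payload: bytes, user_key: str) -> bytes:
    # Bind the MAC to the per-user key (ViewStateUserKey = Session.SessionID).
    # Hashing the key to a fixed length keeps key and payload unambiguous.
    bound = hashlib.sha256(user_key.encode()).digest() + payload
    return hmac.new(MACHINE_KEY, bound, hashlib.sha256).digest()


def protect_viewstate(state: dict, user_key: str) -> str:
    """Serialize page state and append a MAC keyed with the machine key and
    bound to this user's key; returned base64 like the __VIEWSTATE field."""
    payload = json.dumps(state, sort_keys=True).encode()
    return base64.b64encode(payload + _tag(payload, user_key)).decode()


def unprotect_viewstate(blob: str, user_key: str):
    """Return the state if the MAC verifies for this user's key, else None."""
    raw = base64.b64decode(blob)
    if len(raw) < TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(payload, user_key)):
        return None
    return json.loads(payload)


def csrf_scenario() -> tuple:
    """Constructed scenario: state minted for session B (the attacker's own
    session) verifies there but is rejected when replayed under session A."""
    session_a, session_b = "session-A", "session-B"
    blob = protect_viewstate({"action": "transfer", "amount": 100}, session_b)
    legit_ok = unprotect_viewstate(blob, session_b) is not None
    replay_rejected = unprotect_viewstate(blob, session_a) is None
    return legit_ok, replay_rejected


def tampered_is_rejected() -> bool:
    """Flipping one bit of the serialized state must also fail the MAC."""
    blob = protect_viewstate({"amount": 100}, "session-B")
    raw = bytearray(base64.b64decode(blob))
    raw[0] ^= 0x01
    return unprotect_viewstate(base64.b64encode(bytes(raw)).decode(), "session-B") is None


if __name__ == "__main__":
    print("legitimate postback verifies, cross-session replay rejected:", csrf_scenario())
    print("tampered state rejected:", tampered_is_rejected())
```

The second check matters as much as the first: the same MAC that ties ViewState to a user is what ASP.NET relies on to reject edited ViewState, so the key must be a secret the client never sees.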

Demonstration 2: ViewStateUserKey

Future SDL Initiatives: SDL for Agile Development
- SDL originally designed for long projects
- Difficult to implement 100+ SDL requirements in two-week-long release cycles

Future SDL Initiatives: SDL for Agile Development (cont'd)
- Break SDL into two "classes"
  - Non-negotiable "every-sprint" requirements
  - "Bucket" requirements
    - Complete at least one from each bucket
    - Complete all requirements every six months

Session Summary
- SDL can dramatically lower the number and severity of vulnerabilities in online services
- Validate user input
- Encode output
- Use stored procedures
- Avoid EXEC @sql
- Limit cross-domain access
- Use ViewStateUserKey

For More Information
- SDL Web Site: http://www.microsoft.com/sdl
- SDL Blog: http://blogs.microsoft.com/sdl
- MSDN Magazine
  - September 2008, "Security Briefs: SDL Embraces the Web"
  - November 2008, "Agile SDL: Streamline Security Practices for Agile Development"

Questions and Answers
Submit text questions using the "Ask" button. Don't forget to fill out the survey.
For upcoming and previously live webcasts: www.microsoft.com/events/developer.mspx
Got webcast content ideas? Contact us at: http://go.microsoft.com/fwlink/?LinkId=41781