Subtle Security flaws: Why you must follow the basic principles of software security
Description: Subtle Security flaws: Why you must follow the basic principles of software security. Varun Sharma, Application Consulting and Engineering (ACE) Team, Microsoft India. Agenda: Flaw 1, Custom Authentication; Flaw 2, Lack of Rule based Authorization; Flaw 3, Black list input validation. (PowerPoint presentation; transcript follows.)
Slide 1
Varun Sharma
Application Consulting and Engineering (ACE) Team,
Microsoft India
Slide 2
Agenda:
- Flaw 1: Custom Authentication
- Flaw 2: Lack of Rule based Authorization
- Flaw 3: Black list input validation
- Flaw 4: Improper use of Crypto
- Flaw 5: App layer DOS attack
Slide 3
Flaw 1: Custom Authentication
- Site implements custom forms authentication
- Buggy code
- Demo
Slide 4
Principles:
- Use well known and time tested, system provided methods for authentication.
- Avoid writing custom authentication code.
Slide 5
Flaw 2: Lack of Rule based Authorization
- Authorization implemented by disabling UI
- Rule based authorization not considered
- Demo
Slide 6
Principles:
- Do not rely on UI for authorization
- Disabled buttons are not authorization
- Consider rule based authorization in your design
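The principle above in working code, as an added example that is not part of the presentation: a simulated server-side handler that decides on its own rules (role limits and separation of duties) and ignores anything the client says about the state of its buttons. Roles, limits and the purchase-order model are constructed for illustration.

```python
# Added example (not from the slides): server-side, rule-based authorization.
# The client may send hints such as "button_enabled", but the server evaluates
# its own rules and never trusts UI state. Roles, rules and data are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    role: str            # "clerk" or "manager" (constructed roles)

@dataclass
class PurchaseOrder:
    id: int
    owner: str
    amount: float
    approved: bool = False

# Constructed business rule: how much each role may approve.
APPROVAL_LIMIT = {"clerk": 1_000.0, "manager": 50_000.0}

def can_approve(user: User, order: PurchaseOrder) -> tuple[bool, str]:
    """Rule-based check: evaluated on every request, independent of the UI."""
    if order.approved:
        return False, "already approved"
    if user.name == order.owner:
        return False, "cannot approve own order"      # separation of duties
    limit = APPROVAL_LIMIT.get(user.role)
    if limit is None:
        return False, "unknown role"
    if order.amount > limit:
        return False, f"amount exceeds {user.role} limit"
    return True, "ok"

def handle_approve(user: User, order: PurchaseOrder, request: dict) -> dict:
    """Simulated POST handler. 'request' is whatever the client sent; a claim
    that the Approve button was enabled changes nothing here."""
    allowed, reason = can_approve(user, order)
    if not allowed:
        return {"status": 403, "reason": reason}      # deny regardless of body
    order.approved = True
    return {"status": 200, "order": order.id}
```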
Slide 7
Flaw 3: Black list input validation
- Only a set of bad characters is checked for
- Becomes vulnerable in special situations
- Demo
Slide 8
Principles:
- Validate for valid allowed values (white list)
- If white list validation is not possible:
  - Encode to prevent XSS
  - Parameterize to prevent SQL Injection
  - …
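The two slides above side by side, as an added example that is not from the presentation: a black-list check that misses a case variant and an encoded form of the same input, beside a white-list check for a username, HTML encoding for free text, and a parameterized query. The bad-fragment list, the username rule and the SQLite table are constructed for illustration.

```python
# Added example (not from the slides): black list versus white list validation,
# with output encoding and a parameterized query for values that cannot be
# white-listed. Fragments, regex and table are constructed for illustration.
import html
import re
import sqlite3
from urllib.parse import unquote

BAD_FRAGMENTS = ("<script", "'", "--")       # constructed black list

def blacklist_ok(value: str) -> bool:
    """Rejects a fixed set of fragments; anything not on the list passes,
    including other spellings and encodings of the same thing."""
    return not any(bad in value for bad in BAD_FRAGMENTS)

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")   # constructed white list

def whitelist_ok(value: str) -> bool:
    """Accepts only the characters and length a username is allowed to have;
    everything else is rejected without having to enumerate it."""
    return USERNAME_RE.fullmatch(value) is not None

def render_greeting(display_name: str) -> str:
    """Free text cannot be white-listed, so encode it for the HTML context."""
    return f"<p>Hello, {html.escape(display_name, quote=True)}</p>"

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn

def find_user(conn: sqlite3.Connection, username: str):
    """Parameterized query: the value is bound, never spliced into the SQL text."""
    cur = conn.execute("SELECT id, name FROM users WHERE name = ?", (username,))
    return cur.fetchone()
```

Note that `blacklist_ok` is run on the raw request value; if the application URL-decodes later (`unquote`), the check saw a different string than the one that reaches the sink.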
Slide 9
Flaw 4: Improper use of Crypto
- Not knowing what services are provided by what mechanisms
- For example, what services do Digital Signatures provide?
- Demo
Slide 10
Diagram: Product 1's Site, Product 2's Site and Product 3's Site each send a Signed XML POST to the Central Payment Site.
Slide 11
Principles:
- Know what service each mechanism provides
- Do not implement crypto mechanisms yourself
- Use system provided methods
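For the question on slide 9 and the design on slide 10, an added example that is not part of the presentation: the Central Payment Site verifies a tag over the posted XML with the key of the product site the message claims to come from. A valid tag proves integrity and origin, and nothing more: every field, card number included, is still readable by anyone who sees the message. Python's standard library has no asymmetric signing, so an HMAC with a per-product shared key stands in for the digital signature; the keys, payload and product names are constructed placeholders.

```python
# Added example (not from the slides): what a signature-style integrity check
# does and does not give the payment site. HMAC (a MAC with a shared key) is
# used in place of a digital signature because the standard library has no
# asymmetric signing; the services demonstrated are the same. Keys, payload
# and product names are constructed placeholders.
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Per-product keys the payment site shares with each product site (constructed).
PRODUCT_KEYS = {"product1": b"constructed-key-1", "product2": b"constructed-key-2"}

def sign(product: str, xml_payload: bytes) -> bytes:
    """Sender side: tag computed over the exact bytes that will be POSTed."""
    return hmac.new(PRODUCT_KEYS[product], xml_payload, hashlib.sha256).digest()

def verify(claimed_product: str, xml_payload: bytes, tag: bytes) -> bool:
    """Receiver side: verify with the key of the sender the message claims to be
    from. Success proves the bytes are unaltered and came from a key holder;
    it proves nothing about secrecy."""
    key = PRODUCT_KEYS.get(claimed_product)
    if key is None:
        return False
    expected = hmac.new(key, xml_payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def fields(xml_payload: bytes) -> dict:
    """Everything in the signed payload is plaintext: integrity protection adds
    no confidentiality, so card data needs encryption in transit (e.g. TLS)
    or should not travel in this message at all."""
    return {child.tag: child.text for child in ET.fromstring(xml_payload)}

def accept_payment(claimed_product: str, xml_payload: bytes, tag: bytes) -> dict:
    """Payment-site handler: reject unverifiable messages before parsing them."""
    if not verify(claimed_product, xml_payload, tag):
        return {"status": 400, "reason": "bad signature"}
    data = fields(xml_payload)
    return {"status": 200, "product": claimed_product, "amount": data["amount"]}
```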
Slide 12
Flaw 5: App layer DOS attack
Book movie ticket: Screen 1 for User 1
Slide 13
Book movie ticket: Screen 2 for User 1
You have 7 minutes left
Enter Payment details:
- Name:
- Credit Card Number:
- Address:
- …
Click to Book
Slide 14
Book movie ticket: Screen 1 for User 2
Slide 15
Book movie ticket: Screen 1 for User 2 after 7 minutes
Slide 16
Principles:
- Use CAPTCHA to avoid automated attacks
- Design with security in mind
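The booking flow on slides 12 to 16 with the "design with security in mind" principle applied, as an added example that is not from the presentation: seats are held for the 7-minute payment window, but each account may hold only a few seats at a time, so one client cannot keep every seat in the show unavailable for other users. The per-account limit, seat names and injected clock are constructed for illustration; a CAPTCHA on screen 1 complements this and is not modelled here.

```python
# Added example (not from the slides): seat holds with the 7-minute expiry from
# screen 2 plus a per-account cap, so the hold mechanism itself cannot be used
# to lock out every other user. Limits, seats and the clock are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

HOLD_SECONDS = 7 * 60            # the "7 minutes left" window shown on screen 2
MAX_HOLDS_PER_ACCOUNT = 4        # constructed design limit

@dataclass
class Hold:
    account: str
    expires_at: float

@dataclass
class ShowInventory:
    seats: List[str]
    now: Callable[[], float]                          # injected clock, seconds
    holds: Dict[str, Hold] = field(default_factory=dict)
    booked: Set[str] = field(default_factory=set)

    def _expire(self) -> None:
        t = self.now()
        for seat in [s for s, h in self.holds.items() if h.expires_at <= t]:
            del self.holds[seat]

    def hold(self, account: str, seat: str) -> bool:
        """Screen 1: start the hold, but only up to the per-account cap."""
        self._expire()
        if seat not in self.seats or seat in self.booked or seat in self.holds:
            return False
        active = sum(1 for h in self.holds.values() if h.account == account)
        if active >= MAX_HOLDS_PER_ACCOUNT:
            return False                 # cap reached: cannot tie up more seats
        self.holds[seat] = Hold(account, self.now() + HOLD_SECONDS)
        return True

    def book(self, account: str, seat: str) -> bool:
        """Screen 2 'Click to Book': only the holder, within the window, may book."""
        self._expire()
        h = self.holds.get(seat)
        if h is None or h.account != account:
            return False
        del self.holds[seat]
        self.booked.add(seat)
        return True

    def available(self) -> List[str]:
        self._expire()
        return [s for s in self.seats if s not in self.holds and s not in self.booked]
```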