writing secure code – best practices - ufies
TRANSCRIPT
DN-040218-JSemeniuk-REV1

Slide outline:

1. Writing Secure Code – Best Practices
2. What We Will Cover
3. Session Prerequisites
4. Agenda
5. The "J" Scale
   Measures the Synaptic Activity in Your Brain
   10 - WAY too much energy
   9
   8
   7
   6
   5
   4 - Getting Tired
   3 - Able to say "yes" to every question - everything makes sense
   2
   1 - Dead asleep
   J Scale
6. Ever Fix Vulnerable Code
7. Improving the Application Development Process
8. The SD3 Security Framework
9. Secure Product Development Timeline
10. Secure by Design
11. J Scale
12. Agenda
13. What is threat modeling?
14. Benefits of Threat Modeling
15. The Threat Modeling Process
16. Threat Modeling Process Step 1: Identify Assets
17. Threat Modeling Process Step 2: Create An Architecture Overview
18. Threat Modeling Process Step 3: Decompose the Application
19. Threat Modeling Process Step 4: Identify the Threats
20. Threat Modeling Process Identify the Threats by Using STRIDE
21. Threat Modeling Process Identify the Threats by Using Attack Trees
22. Threat Modeling Process Step 5: Document the Threats
23. Threat Modeling Process Step 6: Rate the Threats
24. Threat Modeling Process Example: Rate the Threats
25. Coding to a Threat Model
26. POLL - FUTURE THREAT ANALYSIS
27. Agenda
28. Risk Mitigation Options
29. Risk Mitigation Process
30. Sample Mitigation Techniques
31. J Scale
32. Agenda
33. Run with Least Privilege
34. POLL - DEVELOP AS ADMIN
35. Demonstration 1 ASP.NET Applications Security Investigating ASP.NET Application Privileges Restr...
36. A Sharing Slide [ Share H ]
37. Reduce the Attack Surface
38. Do Not Trust User Input
39. Demonstration 2 Windows Forms Validation Viewing a Non-Validating Application Adding Input Valid...
40. A Sharing Slide [ Share I ]
41. Defense in Depth (1 of 3) Use Multiple Gatekeepers
42. Defense in Depth (2 of 3) Apply Appropriate Measures for Each Layer
43. Defense in Depth (3 of 3) Use Strong ACLs on Resources
44. Do Not Rely on Security by Obscurity
45. Use Data Protection API (DPAPI) to Protect Secrets
46. Demonstration 3 DPAPI Storing Connection Strings in Web.config Encrypting Connection Strings wit...
47. A Sharing Slide [ Share J ]
48. Fail Intelligently (1 of 2)
49. Fail Intelligently (2 of 2)
50. Test Security
51. Learn from Mistakes
52. Session Summary
53. Next Steps
54. For More Information
55. Questions?
56. Upcoming Security Webcasts
57. Where Can I Get MSDN?
58. Questions and Answers
59. https://msevents.microsoft.com/emcui/WelcomePage.aspx?EventID=1032243209&Culture=en-US