Securing Microsoft .Net Hosted Services
INFORMATION SECURITY PRACTICUM
CAPSTONE PROJECT
LEWIS UNIVERSITY
BRETT NEMEC
Introduction
Myself
◦ Education
◦ Professional experience
Project
◦ .Net Hosted Services
◦ WCF
◦ Web API
◦ Data Services
◦ OWASP
◦ Top Ten
◦ How it applies to hosted services
Windows Communication Foundation
Part of the .Net framework
◦ System.ServiceModel namespace
◦ Introduced in version 3.0
The Service Model
◦ Service oriented
◦ Interoperable
◦ Automatic configuration
◦ Follows security standards
◦ Supports multiple transports and encodings
◦ Extensible
Security
◦ SOAP
◦ Message integrity
◦ Authentication on service and client
◦ Integration with existing technology
[Diagram: WCF architecture. Host layer: WAS, ASP.NET, Windows Service. Service Model layer: Services, Endpoints, Contracts, Operations. Messaging layer: HTTP, TCP, Queues; Transport Security; Message Security; XML or Binary Serialization.]
MVC Web API
Formerly part of WCF
ASP.NET MVC 4
◦ Model-View-Controller pattern
◦ RESTful architecture
◦ CRUD
Security
◦ Integration with existing technology
◦ Authentication
◦ Attributes
◦ HttpGet
◦ HttpPost
◦ Authorize
Using the Authorize attribute
Data Services
Model driven architecture
◦ Object Relational Mapping
◦ Entity Framework
Odata
◦ Open Data Protocol
Data owner has more control over data
Cloud
◦ Introduces added risk due to foreign environments
◦ Data owner can have less control
OWASP
Stands for Open Web Application Security Project
Not for profit organization
Dedicated to web security
◦ Helps raise awareness of trends in security threats
Support for most popular web technologies
◦ Java
◦ C/C++
◦ .Net
◦ PHP
Top ten security risks of 2013
OWASP Top Ten Security Risks of 2013 RC
A1 – Injection
A2 – Broken authentication and session management
A3 – Cross-site scripting (XSS)
A4 – Insecure direct object references
A5 – Security misconfigurations
A6 – Sensitive data exposure
A7 – Missing functional level access control
A8 – Cross-site request forgery (CSRF)
A9 – Using known vulnerable components
A10 – Unvalidated redirects and forwards
A1 - Injection
SQL Injection
◦ Example
◦ WCF method: GetPersonByName(string name), where name = "' or '1' = '1"
◦ Executes SQL
◦ var query = "select * from Person where name = '" + p1 + "'";
◦ Resolves to "select * from Person where name = '' or '1' = '1'"
◦ One of the most prominent classes of input validation errors
◦ Don’t use command interpreters
◦ Use a parameterized interface
◦ var query = "select * from Person where name = @name";
◦ Entity Framework v5
◦ ORM
◦ SQL is generated behind the scenes
◦ Model driven
◦ Linq to SQL
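The slide's vulnerable concatenation and its parameterized replacement, written out as an added C# example (not code from the presentation). It assumes a Person table with a Name column, the System.Data.SqlClient provider, and the EntityFramework package for the LINQ variant; the class and method names are my own.

```csharp
using System.Collections.Generic;
using System.Data;
using System.Data.Entity;
using System.Data.SqlClient;
using System.Linq;

// Entity used by both the ADO.NET and the Entity Framework paths (constructed).
public class Person
{
    public int Id { get; set; }
    public string Name { get; set; }
}

// Minimal EF code-first context (assumes the EntityFramework package, v5 or later).
public class PersonContext : DbContext
{
    public DbSet<Person> People { get; set; }
}

public static class PersonRepository
{
    // Vulnerable form from the slide: the caller's string becomes part of the SQL text.
    // With name = "' or '1' = '1" the WHERE clause is always true and every row comes back.
    public static string BuildVulnerableQuery(string name)
    {
        return "select * from Person where name = '" + name + "'";
    }

    // Hardened ADO.NET form: the value is bound to @name as a typed parameter,
    // so whatever the caller sends is compared as data and never parsed as SQL.
    public static List<string> GetPersonByName(string connectionString, string name)
    {
        var names = new List<string>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("select Name from Person where Name = @name", conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    names.Add(reader.GetString(0));
                }
            }
        }
        return names;
    }

    // Entity Framework / LINQ form: the provider generates the SQL and parameterizes
    // `name` itself, which is why the slide points at the ORM route.
    public static List<Person> GetPersonByNameEf(string name)
    {
        using (var ctx = new PersonContext())
        {
            return ctx.People.Where(p => p.Name == name).ToList();
        }
    }
}
```

Calling BuildVulnerableQuery("' or '1' = '1") yields exactly the resolved string on the slide; the two hardened methods return only rows whose Name equals that literal, which is none.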
A2 – Broken authentication and session management
WCF is stateless by default
◦ Stateful session can be enabled in configuration
Message Authentication
◦ Certificate authentication over transport security
◦ Satisfies Level 1 requirements of the OWASP Application Security Verification Standard (ASVS)
◦ Section V2, all pages and resources must be authenticated except those that are public
◦ Certificate authentication pre-authenticates the client
◦ Authorize attribute is used for business authentication, while client is authenticated to the service
A3 – Cross-site scripting (XSS)
WCF is not directly vulnerable to XSS
◦ Messages are XML based, not URLs
Implement custom input/output parameter inspectors
◦ IParameterInspector interface
A4 – Insecure direct object references
Authorize attribute
◦ Using role-based authentication
◦ When a message is sent to an endpoint, service calls custom role provider for the requested operation
◦ Example:
[Authorize("Administrators")]
public void GetAllUsers();
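An added example, not from the presentation, of the Authorize attribute the "Using the Authorize attribute" and A4 slides refer to, in the form ASP.NET Web API 2 actually exposes: [Authorize(Roles = "...")] rather than a positional string. It assumes attribute routing is enabled (config.MapHttpAttributeRoutes()) and a role provider or claims principal that populates User; the controller, routes and in-memory user list are constructed for the example. The third action shows the A4 point: a role check alone does not stop an authenticated user from requesting someone else's record, so the object-level check is made explicitly.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Web.Http;

// Every action in this controller requires an authenticated caller;
// the per-action attribute narrows one of them further to a role.
[Authorize]
public class UsersController : ApiController
{
    // Constructed stand-in for the user store.
    private static readonly List<string> Users = new List<string> { "alice", "bob" };

    // GET api/users/me : any authenticated caller may see their own identity.
    [HttpGet]
    [Route("api/users/me")]
    public string Me()
    {
        return User.Identity.Name;
    }

    // GET api/users : only members of the Administrators role reach this body.
    // Web API evaluates the attribute before the action runs and answers 401/403 otherwise.
    [HttpGet]
    [Route("api/users")]
    [Authorize(Roles = "Administrators")]
    public IEnumerable<string> GetAllUsers()
    {
        return Users;
    }

    // GET api/users/{name} : the attribute proves the caller is authenticated,
    // but whether *this* record belongs to them is an explicit check (A4).
    [HttpGet]
    [Route("api/users/{name}")]
    public IHttpActionResult GetUser(string name)
    {
        bool isAdmin = User.IsInRole("Administrators");
        bool isSelf = string.Equals(name, User.Identity.Name, StringComparison.OrdinalIgnoreCase);
        if (!isAdmin && !isSelf)
        {
            return StatusCode(HttpStatusCode.Forbidden);
        }
        return Users.Contains(name) ? (IHttpActionResult)Ok(name) : NotFound();
    }
}
```

Note that [Authorize] at class level and a role-restricted [Authorize] at action level are both applied; the action-level one adds a requirement rather than replacing the class-level one.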
A5 – Security misconfigurations
Don’t expose metadata
◦ Can be turned on for debugging in configuration
◦ App.config or web.config, using the system.serviceModel element
◦ Must be disabled for production
◦ Custom web page
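The metadata switch on this slide, as an added example that is not from the presentation. It configures the same two behaviors in code that the system.serviceModel element controls in App.config or web.config (the equivalent XML is shown in comments), driven by a single isProduction flag so the debug-only settings cannot be left on by accident. The contract, service class, address and helper name are constructed for the example.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

[ServiceContract]
public interface IPersonService
{
    [OperationContract]
    string GetPersonByName(string name);
}

public class PersonService : IPersonService
{
    public string GetPersonByName(string name) { return "person:" + name; }
}

public static class HostingExample
{
    // Hypothetical helper: build a self-hosted ServiceHost whose metadata and
    // fault-detail exposure follow the environment.
    //
    // web.config equivalent under <system.serviceModel><behaviors><serviceBehaviors>:
    //   debug:      <serviceMetadata httpGetEnabled="true"/>
    //               <serviceDebug includeExceptionDetailInFaults="true"/>
    //   production: <serviceMetadata httpGetEnabled="false"/>
    //               <serviceDebug includeExceptionDetailInFaults="false" httpHelpPageEnabled="false"/>
    public static ServiceHost CreateHost(bool isProduction)
    {
        var host = new ServiceHost(typeof(PersonService), new Uri("http://localhost:8080/person"));
        host.AddServiceEndpoint(typeof(IPersonService), new BasicHttpBinding(), "");

        // WSDL over HTTP GET (?wsdl) is a debugging convenience; off in production.
        var metadata = host.Description.Behaviors.Find<ServiceMetadataBehavior>();
        if (metadata == null)
        {
            metadata = new ServiceMetadataBehavior();
            host.Description.Behaviors.Add(metadata);
        }
        metadata.HttpGetEnabled = !isProduction;

        // Exception details in SOAP faults reveal stack traces and internal types,
        // and the default help page advertises the service; both off in production.
        var debug = host.Description.Behaviors.Find<ServiceDebugBehavior>();
        if (debug == null)
        {
            debug = new ServiceDebugBehavior();
            host.Description.Behaviors.Add(debug);
        }
        debug.IncludeExceptionDetailInFaults = !isProduction;
        debug.HttpHelpPageEnabled = !isProduction;

        return host;
    }
}
```

A quick production check after deployment is to request the endpoint address with ?wsdl appended and confirm the service does not return a WSDL document.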
A6 – Sensitive data exposure
Store sensitive data in its encrypted form
Passwords
◦ Don’t actually store the password, store a hash
◦ Random salt (256 bytes)
◦ RSA Pseudo random number generator
◦ SHA-256(Salt + Password) = Salted Password Hash
◦ Every time user changes the password, a new salt is used
◦ Database table has two columns, allows for one way validation
◦ PasswordSalt, non-sensitive
◦ PasswordHash
◦ Timeout after specified number of failed attempts
◦ Stops brute force attacks
A7 – Missing functional level access control
Related to A4, Insecure Direct Object References
WCF by default is stateless
◦ If using default, sessions are not of concern
◦ If using sessions, control with OperationContract
◦ IsInitiating property
◦ IsTerminating property
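An added example (not from the presentation) of the two OperationContract properties just listed on a session-required WCF contract. WCF's dispatcher enforces the flags: an operation with IsInitiating = false is rejected with a fault if it is the first call on a new session, and after an IsTerminating = true operation the channel cannot be used for further calls. The checkout contract, its per-session implementation and the pricing stub are constructed; a session-capable binding such as NetTcpBinding or WSHttpBinding is assumed.

```csharp
using System.ServiceModel;

// SessionMode.Required makes the host refuse bindings that cannot carry a session.
[ServiceContract(SessionMode = SessionMode.Required)]
public interface ICheckoutService
{
    // The only operation allowed to open a session; everything else needs one already.
    [OperationContract(IsInitiating = true, IsTerminating = false)]
    void Begin(string customerId);

    // Calling this first on a fresh session is refused by WCF before the method runs.
    [OperationContract(IsInitiating = false, IsTerminating = false)]
    void AddItem(string sku, int quantity);

    // Ends the session: the client channel is unusable for further calls afterwards.
    [OperationContract(IsInitiating = false, IsTerminating = true)]
    decimal Commit();
}

// One service instance per session, so state lives only as long as the session.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerSession)]
public class CheckoutService : ICheckoutService
{
    private string _customerId;
    private decimal _total;

    public void Begin(string customerId)
    {
        _customerId = customerId;
        _total = 0m;
    }

    public void AddItem(string sku, int quantity)
    {
        _total += quantity * PriceOf(sku);
    }

    public decimal Commit()
    {
        return _total;   // persisting the order for _customerId would happen here
    }

    // Constructed pricing stub standing in for a catalogue lookup.
    private static decimal PriceOf(string sku)
    {
        return sku.Length;
    }
}
```

The practical effect is that the sequence of calls becomes part of the contract: a caller cannot skip Begin, and cannot keep issuing AddItem calls on a session that has already been committed.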
Windows Identity Foundation
◦ Supports federated claims based security
◦ Authorized claim sets
◦ Used similarly as role-based authorization
A8 – Cross-site request forgery (CSRF)
WCF is message based, not as much of a risk
It is possible to implement controls for this risk
Windows Identity Foundation
◦ If implemented, service is already using a Security Token Service (STS)
◦ STS processes user validation request
◦ Provides a claim-set for the user
◦ When the user sends a message request to the service, the claim-set is provided as a token, STS evaluates the token
A9 – Using known vulnerable components
Don’t use components that are untested or whose source is unknown
Most controls and tools are already part of the .Net framework
◦ Entity Framework v5
◦ Tight integration with existing Microsoft .Net technologies
◦ Beta versions are not a good idea
OWASP ESAPI for .Net
◦ Website states it’s not suitable for production use
◦ Good reason not to use it
A10 – Unvalidated redirects and forwards
Redirects and forwards should be avoided
WCF not at risk like web applications are
◦ Sometimes parameters can contain the target page
◦ IParameterInspector custom inspector
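The custom IParameterInspector that both the A3 (XSS) and A10 (redirects) slides point to, written out as one added example that is not from the presentation. The attribute implements WCF's IOperationBehavior so that placing it on an operation registers the inspector with that operation's dispatcher; BeforeCall then sees every deserialized string parameter. Two checks are shown: strings carrying markup characters are rejected, and a string that parses as an absolute http(s) URL must point at an allow-listed host. The attribute name, the allow-list contents and the portal contract are constructed assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Hypothetical attribute; the three WCF interfaces it implements are the framework's own.
[AttributeUsage(AttributeTargets.Method)]
public sealed class ValidateInputsAttribute : Attribute, IOperationBehavior, IParameterInspector
{
    // Constructed allow-list: the only hosts a redirect-style parameter may name.
    private static readonly HashSet<string> AllowedRedirectHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "portal.example.com" };

    // Returns null when the value is acceptable, otherwise a short reason for rejecting it.
    public static string Check(string value)
    {
        if (value == null) return null;

        // A3: markup in a value that a web client may later render.
        if (value.IndexOf('<') >= 0 || value.IndexOf('>') >= 0)
            return "markup characters are not allowed";

        // A10: an absolute http(s) URL is treated as a redirect target and must be a known host.
        Uri uri;
        if (Uri.TryCreate(value, UriKind.Absolute, out uri)
            && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps)
            && !AllowedRedirectHosts.Contains(uri.Host))
            return "redirect target host is not on the allow-list";

        return null;
    }

    // Runs on the service side before the operation body, over the deserialized parameters.
    public object BeforeCall(string operationName, object[] inputs)
    {
        for (int i = 0; i < inputs.Length; i++)
        {
            string reason = Check(inputs[i] as string);
            if (reason != null)
            {
                // A plain FaultException reaches the caller; nothing internal is included.
                throw new FaultException("Parameter " + i + " of " + operationName + " rejected: " + reason);
            }
        }
        return null;   // correlation state handed to AfterCall; unused here
    }

    public void AfterCall(string operationName, object[] outputs, object returnValue, object correlationState) { }

    // IOperationBehavior: attach this inspector to the operation on the dispatch side.
    public void ApplyDispatchBehavior(OperationDescription operationDescription, DispatchOperation dispatchOperation)
    {
        dispatchOperation.ParameterInspectors.Add(this);
    }

    public void ApplyClientBehavior(OperationDescription operationDescription, ClientOperation clientOperation) { }
    public void AddBindingParameters(OperationDescription operationDescription, BindingParameterCollection bindingParameters) { }
    public void Validate(OperationDescription operationDescription) { }
}

[ServiceContract]
public interface IPortalService
{
    [OperationContract]
    string ResolveReturnUrl(string returnUrl);
}

public class PortalService : IPortalService
{
    [ValidateInputs]
    public string ResolveReturnUrl(string returnUrl)
    {
        return returnUrl;   // reached only for values the inspector let through
    }
}
```

Check("alice") and Check("https://portal.example.com/home") return null, while Check("<script>") and Check("https://evil.example.net/") return a reason, so the operation body never runs for those inputs. Because the inspector is an attribute on the operation, the same validation can be applied to any operation without repeating it in each method body.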
Review
Windows Communication Foundation
ASP.NET MVC Web API
OWASP
Top Ten project
