Threat Modeling - Writing Secure Code
Threat Modeling: an introduction to Security Principles and Patterns in Application Architectural Design
Caleb Jenkins, Software Ninja | Architect, http://DevelopingUX.com
Threat
+ Threat Attack
or is your world more like this?
Agenda
- Threat Analysis
- Basic Security Concepts
- Security Code Review
- Summary / Q&A
T.J. Maxx theft believed largest hack ever. TJX cos. put number to loss Wednesday, acknowledges it could still go up. By Mark Jewell, Associated Press, March 30, 2007.
BOSTON - A hacker or hackers stole data from at least 45.7 million credit and debit cards of shoppers at off-price retailers including T.J. Maxx and Marshalls in a case believed to be the largest such breach of consumer information. Experts say TJX’s disclosures in a regulatory filing late Wednesday revealed security holes that persist at many firms entrusted with consumer data: failure to promptly delete data on customer transactions, and to guard secrets about how such data is protected through encryption.
Police charged six people in Florida last week with using credit card numbers that investigators believe were stolen from a TJX database to buy about $1 million in merchandise with gift cards.
Definitions
- Assets are the things an attacker wants to take from you.
- Threats are the ways in which the attacker will try to get at your assets.
- Mitigations are the ways you block the attacker from getting the assets.
- Vulnerabilities are unmitigated threats.
- Threat Models are an assessment of the Assets, Threats, Mitigations and Vulnerabilities of the system you are building or have built.
Assets are more than money…
- Reputation & Customer Confidence
- Confidential Data
- Processor, Storage, Bandwidth
- Availability
- Performance
Threat Analysis
Secure software starts with understanding the threats. Threats are not vulnerabilities. Threats live forever. How will attackers attempt to compromise the system?
(Diagram: Asset, Threat, Mitigation, Vulnerability)
Security User Stories
Describes something the bad guy wants to do (a threat). Written by the user in non-technical language:
As an attacker I want to <attack>
So that <crime>
By <method>
Example:
As an attacker I want to obtain credentials
So that I can plunder bank accounts
By tricking users into logging into my bogus site with a phishing mail
Security Objectives
What do you not want to happen?
- “I do not want unauthorized users to gain access to confidential information”
- “I do not want unauthorized users to tamper with data”
- “I do not want the system to be unavailable because of an attack”
Agree on security objectives up front.
Basic Security Concepts
- Reduce Attack Surface
- Defense In Depth
- Least Privilege
- Fail to Secure Mode
Attack Surface
The “Attack Surface” is the sum of the ways in which an attacker can get at you.
Hint: No way to know… what’s on the other side?
Understand Your Attack Surface
- Networking protocols that are enabled by default
- Network endpoints
- Code that auto-starts or will execute when accessed. Examples: services, daemons, ISAPI filters and applications, SOAP services, and Web roots
- Reusable components: ActiveX controls, COM objects, and .NET Framework assemblies (especially those marked with the AllowPartiallyTrustedCallersAttribute)
- Process identities for all the code you run
- User accounts installed
Reducing Attack Surface (diagram sequence)
Starting point: three TCP/UDP endpoints, Service: Autostart, running as SYSTEM.
1. Turn off less-used ports.
2. Turn off UDP connections (TCP only).
3. Restrict requests to a subnet/IP range.
4. Authenticate connections.
5. Lower privilege and turn the feature off: Service: Manual, running as NetService.
6. Harden ACLs on the data store: from Everyone (Full Control) and Admin (Full Control) to Everyone (Read) and Service (RW).
Basic Security Concepts
- Reduce Attack Surface
- Defense In Depth
- Least Privilege
- Fail to Secure Mode
Defense In Depth
Don’t count on one line of defense for everything. What if the attacker penetrates that defense? Contain the damage.
Example: nuclear plants.
“Multiple redundant safety systems. Nuclear plants are designed according to a "defense in depth" philosophy that requires redundant, diverse, reliable safety systems. Two or more safety systems perform key functions independently, such that, if one fails, there is always another to back it up, providing continuous protection.” - Nuclear Energy Institute
System Failures can be Bad
Defense in Depth (MS03-007): Windows Server 2003 Unaffected
Microsoft Security Bulletin MS03-007, Unchecked Buffer In Windows Component Could Cause Server Compromise (815021). Originally posted: March 17, 2003. Impact of vulnerability: run code of attacker's choice. Maximum Severity Rating: Critical. Affected Software: Microsoft Windows NT 4.0, Microsoft Windows 2000, Microsoft Windows XP. Not Affected Software: Microsoft Windows Server 2003.
Why Windows Server 2003 was unaffected, layer by layer:
1. The underlying DLL (NTDLL.DLL) was not vulnerable: the code was made more conservative during the Security Push.
2. Even if it was vulnerable: IIS 6.0 is not running by default on Windows Server 2003.
3. Even if it was running: IIS 6.0 doesn’t have WebDAV enabled by default.
4. Even if it did have WebDAV enabled: the maximum URL length in IIS 6.0 is 16kb by default (>64kb needed).
5. Even if the buffer was large enough: the process halts rather than executes malicious code, due to buffer-overrun detection code (-GS).
6. Even if there was an exploitable buffer overrun: it would have occurred in w3wp.exe, which is now running as ‘network service’.
Basic Security Concepts
- Reduce Attack Surface
- Defense In Depth
- Least Privilege
- Fail to Secure Mode
Least Privilege
A defense in depth measure. Code should run with only the permissions it requires. Attackers can only do whatever the code was already allowed to do.
Recommendations:
- Use code access security
- Write apps that non-admins can actually use
Fail To Secure Mode

```vbnet
Function Authenticate(UserID As String, Password As String) As Boolean
    Dim Authenticated As Boolean = True   ' Danger!! Assumes success
    Try
        Dim conn As New SqlConnection(connString)
        conn.Open()
        Dim cmd As New SqlCommand("SELECT Count(*) FROM Users …", conn)
        Dim count As Integer
        count = cmd.ExecuteScalar()
        Authenticated = (count = 1)
    Catch ex As Exception
        ' Authenticated flag may still be True here
        MessageBox.Show("Error logging in " + ex.Message)
    End Try
    Return Authenticated
End Function
```

Danger!! `Authenticated As Boolean = True` assumes success: if anything throws before `Authenticated = (count = 1)` runs, the Catch block shows the error and the function still returns True.
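The same flaw and its fix, as an added example in Python rather than the deck's VB.NET (this is not the presenter's code). `FakeUserStore` is a constructed stand-in for the Users table whose `available=False` switch makes every lookup raise, which is exactly the situation in which the slide's Catch block is reached. The fail-open version keeps the slide's shape; the fail-closed version starts from "denied" and only grants on a positive match.

```python
import logging

log = logging.getLogger("auth")


class FakeUserStore:
    """Constructed stand-in for the slide's Users table.

    available=False makes every lookup raise, which is the situation the
    slide's Catch block is reached in (connection refused, timeout, ...).
    """

    def __init__(self, users, available=True):
        self.users = users            # {user_id: password}, sample data only
        self.available = available

    def count_matching(self, user_id, password):
        if not self.available:
            raise ConnectionError("database unavailable")
        return 1 if self.users.get(user_id) == password else 0


def authenticate_fail_open(store, user_id, password):
    """Same shape as the slide's Authenticate(): the flag starts True."""
    authenticated = True
    try:
        authenticated = store.count_matching(user_id, password) == 1
    except Exception as ex:
        # The slide shows the error and falls through; the flag is still True here.
        print("Error logging in " + str(ex))
    return authenticated


def authenticate_fail_closed(store, user_id, password):
    """Fail to secure mode: deny by default, grant only on a positive match."""
    authenticated = False
    try:
        authenticated = store.count_matching(user_id, password) == 1
    except Exception:
        # Keep the detail in the server log; the caller only learns "denied".
        log.exception("authentication backend error for user %r", user_id)
        authenticated = False
    return authenticated
```

With the backend down, `authenticate_fail_open` returns True for any user id and password, while `authenticate_fail_closed` returns False; with the backend up, both return the correct answer. The explicit `authenticated = False` in the except branch is redundant today but stops a later edit of the try body from silently widening the grant.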
Agenda
- Threat Analysis
- Basic Security Concepts
- Security Code Review
- Summary / Q&A
Security Code Review

```vbnet
Dim sqlString As String
Dim cmd As SqlCommand
Try
    Dim conn As SqlConnection = Nothing
    Dim results As New DataSet()
    conn = New SqlConnection("data source=localhost;" _
        + "user id=sa;password=password;" _
        + "Initial Catalog=SqlInjectionDemo")
    conn.Open()
    sqlString = "SELECT HasShipped" _
        + " FROM Shipment WHERE ID='" + ID + "'"
    cmd = New SqlCommand(sqlString, conn)
    Dim adapter As New SqlDataAdapter(cmd)
    adapter.Fill(results)
Catch se As SqlException
    Dim status As String
    status = sqlString + " failed"
    For Each err As SqlError In se.Errors
        status = status + err.Message
    Next
    MessageBox.Show(status)
End Try
```

Review findings:
- Never connect as SA (`user id=sa`).
- Don’t embed secrets (`password=password`): an unencrypted and weak password in the connection string.
- Don’t concatenate arguments (`WHERE ID='" + ID + "'`).
- Don’t reveal everything to an attacker (`For Each err As SqlError In se.Errors` followed by `MessageBox.Show(status)` echoes the SQL text and every error message).
Why not connect as SA?
Violates the principle of least privilege.
Threat: Code is subject to attacker elevating privilege.
Mitigation Recommendation:
- Defense in depth. Action: Run SQL as Network Service rather than Local System.
- Reduce surface area: eliminate privileges on everything except for the required stored procedures. Action: Create stored procedures.
- Least privilege: run as a lesser privileged user when connecting to the database. Action: Fix the connection string.
Why not embed secrets?
Violates the principle of avoiding security by obscurity.
Threat: Secrets are easily discovered.
Mitigation Recommendation:
- Don’t store secrets. Tip: Use Windows Authentication.
- Encrypt secrets. For .NET 1.1 consider Enterprise Library; for .NET 2.0 use Enterprise Library or System.Security.Cryptography.ProtectedData; for SQL Server 2005 use EncryptByKey / DecryptByKey.
Storing Secrets
Hackers use search engines to locate secrets. Search engines will find anything you have hidden.
Examples shown: MySQL data dumps; config files on *nix systems.
Fix Connection String (slide compares a “Not good” and a “Much Better” connection string)
Never create your own encryption
Why not use easy passwords?
Because they are easily broken by brute force attacks.
Threat: Attacker guesses or brute forces the password to access secrets.
Mitigation:
- Enable password policy enforcement on SQL Server
- Uses Windows Server 2003 policy
(Screenshot: Password Policy in the SQL Server 2005 Management Studio tool)
Why not concatenate arguments?
Violates the principle of All Input Is Evil (Until Proven Otherwise).
Threat: Code is subject to luring attacks via SQL Injection.
Mitigation Recommendation:
- Use parameters with SQL
- Create stored procedures and grant access only to the stored procedure
- Consider Table-Valued Functions in SQL 2005
- Disable unneeded SQL Server features
Reduce SQL Surface Area
If you don’t connect in a sysadmin role, the account used by xp_cmdshell will be the one defined by xp_cmdshell_proxy_account, which may have reduced privilege.
Evil Input Attack - Hotmail
In October 2001 an XSS vulnerability allowed an attacker to steal a user's Microsoft .NET Passport session cookies. The exploit for this vulnerability consisted of sending a malicious email to a Hotmail user, which contained malformed HTML. The script filtering code in Hotmail's site failed to remove the broken HTML, and Internet Explorer's parsing algorithm happily interpreted the malicious code.
Security Fix: Validate Input
Constrain:
- Set Max Length to 5
- Use Regular Expressions to permit only what you want. Integer expression: “^[0-9]{0,5}$”
Reject
Sanitize:
- HTMLEncode output
discussion: White Listing vs Black Listing Input
“Look for valid data and reject everything else”
SQL example of black listing: string.Replace(“delete”, “”) applied to “deldeleteete” yields “delete”.
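The constrain / reject / sanitize steps and the white-list-versus-black-list point, as one added Python example (not code from the deck, which is .NET-oriented). It uses the slide's max length of 5 and its integer expression `[0-9]{0,5}`, reproduces the `string.Replace("delete", "")` failure on `"deldeleteete"`, and HTML-encodes output with the standard library's `html.escape`. Function names are mine.

```python
import html
import re

MAX_LENGTH = 5
# The slide's integer expression "^[0-9]{0,5}$". fullmatch() is used instead
# of the "^...$" anchors because "$" also matches just before a trailing
# newline, which would let "123\n" through.
INTEGER_RE = re.compile(r"[0-9]{0,5}")


def validate_integer_field(value):
    """Constrain, then reject: enforce the length limit first, then the
    whitelist pattern. Returns the accepted value, or None when the input
    must be rejected (white listing: valid data only, everything else refused).
    Note that the slide's expression permits the empty string."""
    if not isinstance(value, str) or len(value) > MAX_LENGTH:
        return None
    if INTEGER_RE.fullmatch(value) is None:
        return None
    return value


def blacklist_strip(value):
    """The black-listing approach from the discussion slide: remove the
    keyword "delete". One pass over "deldeleteete" leaves "delete" behind,
    which is why stripping known-bad substrings is not a defence."""
    return value.replace("delete", "")


def sanitize_for_html(text):
    """Sanitize on the way out: HTML-encode untrusted text before it is
    written into a page, so markup in the input is rendered as text."""
    return html.escape(text, quote=True)
```

`validate_integer_field("deldeleteete")` returns None: a whitelist never has to recognise the attack, it only has to recognise valid data. `blacklist_strip("deldeleteete")` returns `"delete"`, the slide's result.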
demo: SQL Injection - Sanitizing User Input
Select Count(*) From Users Where User Name = ‘’ OR 1+1=2; -- ‘ and password = ‘’
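The "Why not concatenate arguments?" recommendation and this demo, as one added example (mine, not the presenter's, and in Python with SQLite instead of VB.NET and SQL Server so it runs offline). `make_db` builds a constructed two-row Users table; the concatenating function builds the statement the way the reviewed code builds `WHERE ID='" + ID + "'`, the parameterized one passes the values separately. The demo input is the slide's, with the `;` dropped because `sqlite3`'s `execute()` accepts only one statement per call.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite table standing in for
    the slide's Users table. Clear-text passwords only because it is a demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT NOT NULL, Password TEXT NOT NULL)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def count_users_concatenated(conn, user_name, password):
    """Vulnerable: the caller's text becomes part of the SQL statement, so a
    quote in the input ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT Count(*) FROM Users WHERE UserName = '" + user_name
           + "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchone()[0]


def count_users_parameterized(conn, user_name, password):
    """Hardened: the values travel separately from the SQL text, so a quote
    in the input is just a character in the comparison."""
    sql = "SELECT Count(*) FROM Users WHERE UserName = ? AND Password = ?"
    return conn.execute(sql, (user_name, password)).fetchone()[0]


# The demo slide's input, adapted: the ";" is dropped because sqlite3's
# execute() refuses more than one statement per call.
DEMO_INPUT = "' OR 1+1=2 -- "
```

With `DEMO_INPUT` as the user name and an empty password, the concatenated query becomes `... WHERE UserName = '' OR 1+1=2 -- ' AND Password = ''`: the password check is commented out and the count is 2 (every row). The parameterized query compares the user name against the literal string and returns 0.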
Discussion: XSS Sanitizing User Input
Why not reveal all exceptions?
Most users won’t understand the details anyway.
Threat: Code is subject to information disclosure threats.
Mitigation Recommendation:
- Never disclose secrets in error messages
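The difference between the reviewed Catch block and a non-disclosing one, as an added Python example (not the deck's code). `run_query` is a constructed stand-in that always fails with a message naming the login and the table, the kind of detail a SqlException carries; the verbose version echoes the SQL text and the message to the user as the slide's code does, the safe version logs the detail server-side under a reference id and returns only the id.

```python
import logging
import uuid

log = logging.getLogger("orders")


def run_query(sql, params):
    """Constructed stand-in for the data access call: always fails the way a
    SqlException would, with a message that names the login and the table."""
    raise RuntimeError("Login failed for user 'sa'. Invalid object name 'Shipment'.")


def lookup_shipment_verbose(shipment_id):
    """Mirrors the reviewed Catch block: the SQL text and every error message
    go straight to the user."""
    sql = "SELECT HasShipped FROM Shipment WHERE ID = ?"
    try:
        return run_query(sql, (shipment_id,))
    except Exception as ex:
        return sql + " failed " + str(ex)


def lookup_shipment_safe(shipment_id):
    """Log the full detail server-side under a reference id; the user sees
    only a generic message and the id to quote to support."""
    sql = "SELECT HasShipped FROM Shipment WHERE ID = ?"
    try:
        return run_query(sql, (shipment_id,))
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.exception("shipment lookup failed, ref=%s", ref)
        return "The request could not be completed (reference " + ref + ")."
```

The reference id is what makes the generic message workable: support can find the full stack trace in the server log without any of it ever reaching the browser.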

Más contenido relacionado

La actualidad más candente

Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learned
amiable_indian
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
madunix
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)
Norm Barber
 

La actualidad más candente (20)

NASA OIG Report
NASA OIG ReportNASA OIG Report
NASA OIG Report
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learned
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security Intelligence
 
System of security controls
System of security controlsSystem of security controls
System of security controls
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012  building a security operations center (soc)Rothke rsa 2012  building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)
 
Threat modeling demystified
Threat modeling demystifiedThreat modeling demystified
Threat modeling demystified
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
 
VAPT Infomagnum
VAPT InfomagnumVAPT Infomagnum
VAPT Infomagnum
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
 
Vulnerability Assesment
Vulnerability AssesmentVulnerability Assesment
Vulnerability Assesment
 
Item46763
Item46763Item46763
Item46763
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
 
Network Security Risk
Network Security RiskNetwork Security Risk
Network Security Risk
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat Modeling
 
Red Team vs. Blue Team
Red Team vs. Blue TeamRed Team vs. Blue Team
Red Team vs. Blue Team
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security Initiatives
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)
 
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
 

Similar a Threat Modeling - Writing Secure Code

Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Abdul Wahid
 
Ph d proposal_20070809
Ph d proposal_20070809Ph d proposal_20070809
Ph d proposal_20070809
Todd Deshane
 
Ece seminar 20070927
Ece seminar 20070927Ece seminar 20070927
Ece seminar 20070927
Todd Deshane
 
Module 8 System Hacking
Module 8   System HackingModule 8   System Hacking
Module 8 System Hacking
leminhvuong
 
302 Content Server Security Challenges And Best Practices
302   Content Server Security   Challenges And Best Practices302   Content Server Security   Challenges And Best Practices
302 Content Server Security Challenges And Best Practices
phanleson
 

Similar a Threat Modeling - Writing Secure Code (20)

Understanding Application Threat Modelling & Architecture
 Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Web Server Technologies Part III: Security & Future Musings
Web Server Technologies Part III: Security & Future MusingsWeb Server Technologies Part III: Security & Future Musings
Web Server Technologies Part III: Security & Future Musings
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
 
Securing Applications
Securing ApplicationsSecuring Applications
Securing Applications
 
Protecting Your Key Asset – Data Protection Best Practices V2.0 Final
Protecting Your Key Asset – Data Protection Best Practices V2.0   FinalProtecting Your Key Asset – Data Protection Best Practices V2.0   Final
Protecting Your Key Asset – Data Protection Best Practices V2.0 Final
 
Ph d proposal_20070809
Ph d proposal_20070809Ph d proposal_20070809
Ph d proposal_20070809
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Security
 
Windows network security
Windows network securityWindows network security
Windows network security
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015   sebaSolvay secure application layer v2015   seba
Solvay secure application layer v2015 seba
 
Oracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best PracticesOracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best Practices
 
Ece seminar 20070927
Ece seminar 20070927Ece seminar 20070927
Ece seminar 20070927
 
Event - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security PerimetersEvent - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security Perimeters
 
Jan 2008 Allup
Jan 2008 AllupJan 2008 Allup
Jan 2008 Allup
 
Layer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdfLayer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdf
 
Module 8 System Hacking
Module 8   System HackingModule 8   System Hacking
Module 8 System Hacking
 
302 Content Server Security Challenges And Best Practices
302   Content Server Security   Challenges And Best Practices302   Content Server Security   Challenges And Best Practices
302 Content Server Security Challenges And Best Practices
 
Security in the cloud protecting your cloud apps
Security in the cloud   protecting your cloud appsSecurity in the cloud   protecting your cloud apps
Security in the cloud protecting your cloud apps
 
Secrity project keyvan
Secrity project   keyvanSecrity project   keyvan
Secrity project keyvan
 

Más de Caleb Jenkins

10 Reasons Your Software Sucks - Election 2012 Edition
10 Reasons Your Software Sucks - Election 2012 Edition10 Reasons Your Software Sucks - Election 2012 Edition
10 Reasons Your Software Sucks - Election 2012 Edition
Caleb Jenkins
 

Más de Caleb Jenkins (20)

Coding Naked 2023
Coding Naked 2023Coding Naked 2023
Coding Naked 2023
 
Development Matters
Development MattersDevelopment Matters
Development Matters
 
Code to DI For - Dependency Injection for Modern Applications
Code to DI For - Dependency Injection for Modern ApplicationsCode to DI For - Dependency Injection for Modern Applications
Code to DI For - Dependency Injection for Modern Applications
 
Get your Hero Groove On - Heroes Reborn
Get your Hero Groove On - Heroes RebornGet your Hero Groove On - Heroes Reborn
Get your Hero Groove On - Heroes Reborn
 
Scaling Scrum with UX in the Enterprise
Scaling Scrum with UX in the EnterpriseScaling Scrum with UX in the Enterprise
Scaling Scrum with UX in the Enterprise
 
Modern Web - MVP Testable WebForms
Modern Web - MVP Testable WebFormsModern Web - MVP Testable WebForms
Modern Web - MVP Testable WebForms
 
10 Reasons Your Software Sucks 2014 - Tax Day Edition!
10 Reasons Your Software Sucks 2014 - Tax Day Edition!10 Reasons Your Software Sucks 2014 - Tax Day Edition!
10 Reasons Your Software Sucks 2014 - Tax Day Edition!
 
Modern ASP.NET Webskills
Modern ASP.NET WebskillsModern ASP.NET Webskills
Modern ASP.NET Webskills
 
Prototype Collaborate Innovate
Prototype Collaborate InnovatePrototype Collaborate Innovate
Prototype Collaborate Innovate
 
10 Reasons Your Software Sucks - Election 2012 Edition
10 Reasons Your Software Sucks - Election 2012 Edition10 Reasons Your Software Sucks - Election 2012 Edition
10 Reasons Your Software Sucks - Election 2012 Edition
 
Windows 8 & Phone 8 - an Architectural Battle Plan
Windows 8 & Phone 8 - an Architectural Battle PlanWindows 8 & Phone 8 - an Architectural Battle Plan
Windows 8 & Phone 8 - an Architectural Battle Plan
 
Scaling Scrum with UX
Scaling Scrum with UXScaling Scrum with UX
Scaling Scrum with UX
 
Coding Naked
Coding NakedCoding Naked
Coding Naked
 
Scaling Scrum with UX
Scaling Scrum with UXScaling Scrum with UX
Scaling Scrum with UX
 
Taming the Monster Legacy Code Beast
Taming the Monster Legacy Code BeastTaming the Monster Legacy Code Beast
Taming the Monster Legacy Code Beast
 
Silverlight for Mobile World Dominations
Silverlight for Mobile World DominationsSilverlight for Mobile World Dominations
Silverlight for Mobile World Dominations
 
.NET on the Cheap - Microsoft + OSS
.NET on the Cheap - Microsoft + OSS.NET on the Cheap - Microsoft + OSS
.NET on the Cheap - Microsoft + OSS
 
10 practices that every developer needs to start right now
10 practices that every developer needs to start right now10 practices that every developer needs to start right now
10 practices that every developer needs to start right now
 
Dependency Injection in Silverlight
Dependency Injection in SilverlightDependency Injection in Silverlight
Dependency Injection in Silverlight
 
Becoming A Presenter in the .NET World
Becoming A Presenter in the .NET WorldBecoming A Presenter in the .NET World
Becoming A Presenter in the .NET World
 

Último

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Último (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Call to Action for Generative AI in 2024
Threat Modeling - Writing Secure Code

  • 16. Security user stories are written by the user in non-technical language, following the template: As an attacker I want to <attack> so that <crime> by <method>.
  • 17. Security User Stories. Example: As an attacker I want to obtain credentials, so that I can plunder bank accounts, by tricking users into logging into my bogus site with a phishing mail.
  • 22. Understand Your Attack Surface
      - Networking protocols that are enabled by default
      - Network endpoints
      - Code that auto-starts or will execute when accessed. Examples: services, daemons, ISAPI filters and applications, SOAP services, and web roots
      - Reusable components: ActiveX controls, COM objects, and .NET Framework assemblies, especially those marked with AllowPartiallyTrustedCallersAttribute
      - Process identities for all the code you run
      - User accounts installed
  • 23. Reducing Attack Surface. Starting point: three TCP/UDP endpoints, Service: Autostart, running as SYSTEM.
  • 24. Reducing Attack Surface: turn off less-used ports.
  • 25. Reducing Attack Surface: turn off UDP connections (TCP only).
  • 26. Reducing Attack Surface: restrict requests to a subnet/IP range.
  • 27. Reducing Attack Surface: authenticate connections.
  • 28. Reducing Attack Surface: turn the feature off (Service: Manual) and lower its privilege (run as NetService rather than SYSTEM).
  • 29. Reducing Attack Surface: harden ACLs on the data store, replacing Everyone (Full Control) with Admin (Full Control), Everyone (Read), Service (RW).
  • 31. Defense In Depth. Don't count on one line of defense for everything: what if the attacker penetrates that defense? Contain the damage. Example: nuclear plants.
  • 33. "Multiple redundant safety systems. Nuclear plants are designed according to a 'defense in depth' philosophy that requires redundant, diverse, reliable safety systems. Two or more safety systems perform key functions independently, such that, if one fails, there is always another to back it up, providing continuous protection." - Nuclear Energy Institute
  • 35. Defense in Depth (MS03-007): Windows Server 2003 Unaffected
      Microsoft Security Bulletin MS03-007, "Unchecked Buffer In Windows Component Could Cause Server Compromise" (815021). Originally posted: March 17, 2003. Impact of vulnerability: run code of attacker's choice. Maximum severity rating: Critical. Affected software: Microsoft Windows NT 4.0, Microsoft Windows 2000, Microsoft Windows XP. Not affected software: Microsoft Windows Server 2003.
  • 36-41. Why Windows Server 2003 was unaffected, layer by layer (slides 36 through 41 build up this list one layer at a time):
      - The underlying DLL (NTDLL.DLL) was not vulnerable: the code was made more conservative during the Security Push.
      - Even if it was vulnerable: IIS 6.0 is not running by default on Windows Server 2003.
      - Even if it was running: IIS 6.0 does not have WebDAV enabled by default.
      - Even if it did have WebDAV enabled: the maximum URL length in IIS 6.0 is 16 KB by default, and the attack needs more than 64 KB.
      - Even if the buffer was large enough: the process halts rather than executing malicious code, because of the buffer-overrun detection code (compiled with /GS).
      - Even if there was an exploitable buffer overrun: it would have occurred in w3wp.exe, which now runs as Network Service.
  • 44. Use code access security
  • 46-47. Fail To Secure Mode (slides 46 and 47 annotate the same function)

      Function Authenticate(UserID As String, Password As String)
          Dim Authenticated As Boolean = True
          Try
              Dim conn As New SqlConnection(connString)
              conn.Open()
              Dim cmd As New SqlCommand("SELECT Count(*) FROM Users …")
              Dim count As Integer
              count = cmd.ExecuteScalar()
              Authenticated = (count = 1)
          Catch ex As Exception
              MessageBox.Show("Error logging in " + ex.Message)
          End Try
          Return Authenticated
      End Function

      Danger: "Dim Authenticated As Boolean = True" assumes success. If anything in the Try block throws before the comparison (connection failure, bad query, timeout), control lands in "Catch ex As Exception" with the Authenticated flag still True, and the function returns True for a user it never checked. Failing to secure mode means initialising the flag to False so that every error path denies access.
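The fail-open bug on slides 46-47, rewritten as an added example that is not part of the original deck. The slide's code is VB.NET against SQL Server; this version uses Python with the standard-library sqlite3 module so it runs offline, and the Users table, the account in it and the "closed connection" used to simulate a database outage are constructed fixtures. It places the slide's function beside its fail-closed counterpart and shows that, when the database is unreachable, the slide's version grants access to an unknown user while the corrected one does not.

```python
"""Fail-open vs fail-closed authentication (added example, not from the slides)."""
import logging
import sqlite3

log = logging.getLogger(__name__)


def make_fixture() -> sqlite3.Connection:
    """In-memory database with one valid account (constructed test data).
    Passwords are stored in plain text only to keep the slide's COUNT(*) query
    shape; real systems store salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def broken_connection() -> sqlite3.Connection:
    """A closed connection: every query on it raises, which simulates the
    database being down at the moment the login code runs."""
    conn = make_fixture()
    conn.close()
    return conn


def authenticate_fail_open(conn, user_id, password):
    """The slide's bug: the flag starts True and the catch block swallows every
    error without resetting it, so any failure before the comparison returns
    True for a user that was never checked."""
    authenticated = True                          # Danger: assumes success
    try:
        row = conn.execute(
            "SELECT COUNT(*) FROM Users WHERE UserName = ? AND Password = ?",
            (user_id, password)).fetchone()
        authenticated = (row[0] == 1)
    except Exception as exc:                      # mirrors "Catch ex As Exception"
        log.error("Error logging in: %s", exc)    # flag may still be True here
    return authenticated


def authenticate_fail_closed(conn, user_id, password):
    """Fail-secure version: the flag starts False and is only set True by a
    successful check, so every error path denies access."""
    authenticated = False                         # default deny
    try:
        row = conn.execute(
            "SELECT COUNT(*) FROM Users WHERE UserName = ? AND Password = ?",
            (user_id, password)).fetchone()
        authenticated = (row[0] == 1)
    except sqlite3.Error as exc:                  # catch only what we expect
        log.error("Error logging in: %s", exc)    # record it, never grant access
    return authenticated


if __name__ == "__main__":
    good, bad = make_fixture(), broken_connection()
    print(authenticate_fail_open(good, "alice", "correct horse"))   # True
    print(authenticate_fail_open(good, "alice", "wrong"))           # False
    print(authenticate_fail_open(bad, "mallory", "anything"))       # True (!)
    print(authenticate_fail_closed(bad, "mallory", "anything"))     # False
```

The third call is the slide's danger case: sqlite3 raises because the connection is closed, the handler logs the message, and the stale True flag is returned. The fail-closed version also narrows the except clause to sqlite3.Error, so a programming mistake that is not a database error is not silently turned into a login decision at all.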
  • 49-52. Security Code Review (slides 49 through 52 annotate the same snippet)

      Try
          Dim conn As SqlConnection = Nothing
          Dim results As New DataSet()
          conn = New SqlConnection("data source=localhost;" _
              + "user id=sa;password=password;" + _
              "Initial Catalog=SqlInjectionDemo")
          conn.Open()
          sqlString = "SELECT HasShipped" + _
              " FROM Shipment WHERE ID='" + ID + "'"
          cmd = New SqlCommand(sqlString, conn)
          Dim adapter As New SqlDataAdapter(cmd)
          adapter.Fill(results)
      Catch se As SqlException
          Dim status As String
          status = sqlString + " failed"
          For Each err As SqlError In se.Errors
              status = status + err.Message
          Next
          MessageBox.Show(status)
      End Try

      Findings:
      - "user id=sa": never connect as SA.
      - "password=password": don't embed secrets in code; this one is unencrypted and weak.
      - "WHERE ID='" + ID + "'": don't concatenate arguments into SQL; this is the SQL injection point.
      - "For Each err As SqlError In se.Errors ... MessageBox.Show(status)": don't reveal everything to an attacker; the raw query text and the server's error messages are shown to the user.
  • 53. Why not connect as SA? It violates the principle of least privilege. Threat: the code is subject to an attacker elevating privilege. Mitigation recommendations:
      - Defense in depth. Action: run SQL Server as Network Service rather than Local System.
      - Reduce surface area: eliminate privileges on everything except the required stored procedures. Action: create stored procedures.
      - Least privilege: run as a lesser-privileged user when connecting to the database. Action: fix the connection string.
  • 54. Why not embed secrets? Relying on an embedded secret is security by obscurity. Threat: secrets are easily discovered. Mitigation recommendations:
      - Don't store secrets. Tip: use Windows Authentication.
      - Encrypt secrets. For .NET 1.1 consider Enterprise Library; for .NET 2.0 use Enterprise Library or System.Security.Cryptography.ProtectedData; for SQL Server 2005 use EncryptByKey / DecryptByKey.
  • 55. Storing Secrets. Hackers use search engines to locate secrets. Search engines will find anything you have hidden.
  • 56. Storing Secrets. Examples of what turns up in search results: MySQL data dumps, config files on *nix systems.
  • 57. Fix Connection String (image: a "not good" connection string shown beside a "much better" one)
  • 58. Never create your own encryption
  • 62. Enable password policy enforcement on SQL Server
  • 64. Password Policy (SQL Server 2005 Management Studio tool shown)
  • 67. Create stored procedures and grant access only to the stored procedure
  • 71. Reduce SQL Surface Area. If you don't connect in a sysadmin role, the account used by xp_cmdshell will be the one defined by xp_cmdshell_proxy_account, which may have reduced privilege.
  • 72. Evil Input Attack: Hotmail. In October 2001 an XSS vulnerability allowed an attacker to steal a user's Microsoft .NET Passport session cookies. The exploit consisted of sending a malicious email containing malformed HTML to a Hotmail user. Hotmail's script-filtering code failed to remove the broken HTML, and Internet Explorer's parsing algorithm happily interpreted the malicious code.
  • 75. Use Regular Expressions to permit only what you want
  • 78-80. discussion: White Listing vs Black Listing Input. "Look for valid data and reject everything else." SQL example of why black listing fails: string.Replace("delete", "") applied to the input "deldeleteete" strips the inner "delete" and leaves "delete" behind, so the forbidden keyword survives a single pass of the filter.
  • 81-82. demo: SQL Injection, Sanitizing User Input. The injected login query: Select Count(*) From Users Where User Name = '' OR 1+1=2; -- ' and password = ''  (the attacker's user name closes the string literal, adds an always-true condition, and comments out the password check).
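The black-list bypass of slides 78-80, the allow-list regular expressions of slide 75 and the injection demo of slides 81-82, as one added example that is not part of the original deck. The slides' code is VB.NET against SQL Server; this uses Python with the standard-library sqlite3 module so it runs offline. The Users table and its rows are a constructed fixture, and the allow-list patterns for a user name and a shipment ID are assumptions chosen for the demo, not rules from the slides. The payload is the slide's, without the trailing semicolon so that sqlite3 sees a single statement.

```python
"""Black-list filtering, allow-list validation and parameterised queries
(added example, not from the slides)."""
import re
import sqlite3


def blacklist_filter(value: str) -> str:
    """The slide's string.Replace("delete", "") black list, one pass.
    On "deldeleteete" it removes the inner keyword and hands back "delete"."""
    return value.replace("delete", "")


# Allow lists (assumed for the demo): a user name is 1-32 characters from a
# small alphabet, a shipment ID is digits only. Anything else is rejected
# outright instead of being "cleaned".
_USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
_SHIPMENT_ID_RE = re.compile(r"^[0-9]{1,10}$")


def is_valid_username(value: str) -> bool:
    return _USERNAME_RE.fullmatch(value) is not None


def is_valid_shipment_id(value: str) -> bool:
    return _SHIPMENT_ID_RE.fullmatch(value) is not None


def make_fixture() -> sqlite3.Connection:
    """In-memory Users table (constructed test data, plain-text passwords
    only to keep the slide's query shape)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 'correct horse')")
    conn.execute("INSERT INTO Users VALUES ('bob', 'hunter2')")
    conn.commit()
    return conn


def login_concatenated(conn, user: str, password: str) -> bool:
    """Slide 81's query built by string concatenation: injectable."""
    sql = ("SELECT COUNT(*) FROM Users WHERE UserName = '" + user +
           "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterised(conn, user: str, password: str) -> bool:
    """Same query with bound parameters: the input is data, never SQL.
    Allow-list validation runs first so junk never reaches the database."""
    if not is_valid_username(user):
        return False
    sql = "SELECT COUNT(*) FROM Users WHERE UserName = ? AND Password = ?"
    return conn.execute(sql, (user, password)).fetchone()[0] > 0


# The slide's payload: closes the string, adds an always-true OR, and the
# "--" comments out the rest of the line, including the password check.
INJECTED_USER = "' OR 1+1=2 --"

if __name__ == "__main__":
    print(blacklist_filter("deldeleteete"))                       # delete
    print(is_valid_username(INJECTED_USER))                       # False
    conn = make_fixture()
    print(login_concatenated(conn, INJECTED_USER, "whatever"))    # True (!)
    print(login_parameterised(conn, INJECTED_USER, "whatever"))   # False
    print(login_parameterised(conn, "alice", "correct horse"))    # True
```

With concatenation the executed statement is SELECT COUNT(*) FROM Users WHERE UserName = '' OR 1+1=2 --' AND Password = 'whatever', which counts every row and logs the attacker in. The parameterised version never builds SQL from the input, so the same string is simply a user name that matches nobody, and the allow list rejects it before the query is even attempted.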
  • 89. Capture your work in a threat model document
  • 91. Track and prioritize vulnerabilities through to mitigation and testing
  • 92. Take advantage of security guidance: http://msdn.microsoft.com/securityguidance (diagram: vulnerability, threat, asset)
  • 94. exercise: Use the Threat Analysis & Modeling Tool

Editor's notes

  1. "Search engines will find anything you have hidden." We could say "could, or might find", but we need to think of this as WILL find anything that we have hidden.