Sandboxing in .NET CLR

Jul 8, 2015Download as PPTX, PDF2 likes1,309 views

This document discusses sandboxing in the .NET CLR. It covers security architecture and application domains, as well as code access security, permissions, and the transparency model. The document also discusses sandbox implementation and partial trust applications in ASP.NET. It provides references for further exploring the .NET security model and testing for vulnerabilities.

Sandboxing in .NET CLR
Mikhail Shcherbakov
July 05, 2015

Coordinator of SPB .NET Community
Product Manager at Cezurity
One of the core developers of the source code
analyzer PT Application Inspector
Former Team Lead at Acronis, Luxoft, Boeing
About me
2

Sandboxing is the base of security
Development of extensible and security-sensitive
applications
Troubleshooting and knowledge about the
internals
Knowledge in Practice
 ASP.NET / IIS  Silverlight
 SQL CLR  XBAP
 ClickOnce  Sharepoint
3

deprecated
in .NET
Framework
4
Policy
11

Fully Trusted code in
Partially Trusted AppDomain
15

Level 2 Security Transparency
Critical
Full Trust code that can do anything
Safe Critical
Full Trust code Provides access to Critical code
Transparent
Only verifiable code Cannot p/invoke Cannot elevate/assert
17

Security Transparency Attributes
Assembly
Level
Type
Level
Member
Level
SecurityTransparent   
SecuritySafeCritical   
SecurityCritical   
AllowPartiallyTrustedCallers   
SecAnnotate.exe – .NET Security Annotator Tool
http://bit.ly/1A3vMw3
18

ASP.NET Partial Trust applications
2005 2005 2006 2007 2008 2009 2010 2011 2012
Use Medium trust
in shared hosting
environments
bit.ly/1yABGqf
August 2005
For Web servers that
are Internet-facing,
Medium trust is
recommended
bit.ly/1z83LVV
July 2008
21

ASP.NET Partial Trust applications
20152008 2009 2010 2011 2012 2013
ASP.NET Partial Trust does not
guarantee application isolation
bit.ly/1CRv3Ux
June 2012
ASP.NET Security and the
Importance of KB2698981 in
Cloud Environments bit.ly/1vXJ50J
April 2013
“The official position of the ASP.NET team is
that Medium Trust is obsolete”
-Levi Broderick, security developer at
Microsoft bit.ly/1If14Gv
June 2013
ASP.NET MVC 5 no longer
supports partial trust
bit.ly/1w0xxuX
October 2013
22

DynamicMethod class
MS13-015 vulnerability
Could Allow Elevation of
Privilege (KB2800277)
Trusted Chain
Attack
23

Luring Attack
MS02-061 “Elevation of Privilege in SQL Server Web Tasks”
25

Sandboxing:
Exploring the .NET Framework 4 Security Model
bit.ly/1zBHDl7
New Security Model: Moving to a Better Sandbox
bit.ly/1qdLTYf
How to Test for Luring Vulnerabilities
bit.ly/1G5asdG
Using SecAnnotate to Analyze Your Assemblies for
Transparency Violations bit.ly/12AtGZF
Summary
30

.NET Security:
OWASP Top 10 for .NET developers bit.ly/1mpvG9R
OWASP .NET Project bit.ly/1vCfknm
Troy Hunt blog www.troyhunt.com
The WASC Threat Classification v2.0
bit.ly/1G5d8rM
Summary
31

Thank you for your attention!
Mikhail Shcherbakov
spbdotnet.org
ms@cezurity.com
linkedin.com/in/mikhailshcherbakov
github.com/yuske
@yu5k3
Product Manager at Cezurity

This document provides an overview of application security features in the Microsoft .NET Framework. It covers code access security, role-based security using identities and principals, cryptography services for encryption and signing, securing ASP.NET web applications using forms authentication and validation controls, and securing ASP.NET web services using message-level security standards. The document also includes demonstrations of implementing these various security techniques in .NET applications and web services.

Practice of AppSec .NETMikhail Shcherbakov

This document summarizes a presentation on application security practices for .NET applications. It discusses common vulnerabilities like cross-site scripting, SQL injection, and cross-site request forgery. It provides examples of these vulnerabilities using code snippets and HTTP requests. It also covers mitigation techniques, like input validation, output encoding, and anti-forgery tokens. The presentation recommends resources on the OWASP Top 10, secure coding best practices, and classification of security risks.

Spring Security 5.5 From Taxi to TakeoffVMware Tanzu

Security Patterns for Microservice Architectures - SpringOne 2020Matt Raible

Are you securing your microservice architectures by hiding them behind a firewall? That works, but there are better ways to do it. This presentation recommends 11 patterns to secure microservice architectures. 1. Be Secure by Design 2. Scan Dependencies 3. Use HTTPS Everywhere 4. Use Access and Identity Tokens 5. Encrypt and Protect Secrets 6. Verify Security with Delivery Pipelines 7. Slow Down Attackers 8. Use Docker Rootless Mode 9. Use Time-Based Security 10. Scan Docker and Kubernetes Configuration for Vulnerabilities 11. Know Your Cloud and Cluster Security Blog post: https://developer.okta.com/blog/2020/03/23/microservice-security-patterns

Fortify dev ops (002)Madhavan Marimuthu

The document discusses Fortify and DevOps for MBFS. It provides an overview of the DevOps lifecycle including planning, development, testing, release decision making, and deploying applications. It then summarizes Hewlett Packard Enterprise's end-to-end application security solution using Fortify on Demand, App Defender, and other tools to integrate security across the development lifecycle and provide protection for applications in production. Charts show the top vulnerability categories and application logging categories detected by Application Defender in February 2016. The document concludes by thanking the readers and providing contact information for Mike Coleman and Thomas Ryan from HPE to answer any questions.

Security Patterns for Microservice Architectures - London Java Community 2020Matt Raible

APIDays Paris Security Workshop42Crunch

Browser Exploit Frameworkn|u - The Open Security Community

BeEF (Browser Exploitation Framework) is a penetration testing tool that focuses on exploiting vulnerabilities within a web browser. It works by hooking one or more browsers and using them as entry points to launch attacks against the system from within the browser context. This allows penetration testers to assess the actual security of a target environment by exploiting client-side attack vectors beyond the hardened network perimeter.

OWASP AppSecEu 2016 Rome - Building secure cloud native appsAndreas Falk

The document discusses building secure cloud-native applications with Spring Boot and Spring Security. It introduces Spring Security which provides "secure by default" configurations and password encoding. It also discusses secure microservice architectures using OAuth2 for authentication and authorization between services. Runtime application self-protection with AppSensor is presented as another method for securing cloud applications.

BOMs Away - Why everyone needs a BOM (AppSec Cali 2019)Steve Springett

The document discusses the importance of software Bills of Materials (BOMs) for managing software supply chain risks. It provides background on the creator's work developing standards like CycloneDX and tools like Dependency Track. BOMs allow organizations to understand component dependencies, track vulnerabilities, and ensure compliance. The document outlines common use cases like vulnerability analysis and outlines standard BOM formats like CycloneDX and Package URL. It demonstrates how BOMs can integrate with DevOps pipelines and provide continuous monitoring of supply chain risks.

Spring SecurityKnoldus Inc.

Compute Security - Host SecurityEng Teong Cheah

This document discusses various compute security topics for hardening endpoints and hosts, including using Azure Security Center to protect endpoints from attacks, implementing privileged access workstations, creating virtual machine templates to improve consistency and security, and how Security Center provides recommendations for security settings, updates, and threat detection. It also mentions demonstrating Azure Firewall and provides a reference link for further information.

SecDevOps for API Security42Crunch

How Secure is Your API?Mary Joy Sabal

This document summarizes a presentation on API and data security. The agenda includes introductions of the speaker and organizers, an overview of API security threats and vulnerabilities, and demonstrations of OAuth, JWT, cryptography techniques for data encryption, and API security policies. The presentation covers best practices for API security such as enabling HTTPS, using OAuth and JWT for authentication, restricting payload sizes to prevent DDoS attacks, and applying API policies for rate limiting and threat protection. It also demonstrates client management and identity management use cases using OpenID Connect and SAML with Okta.

SQL Server Security and Intrusion PreventionGabriel Villa

Is your data secured? Are you a victim of a SQL injection hack? In this session, you'll discover some commonly overlooked practices in securing your SQL Server databases. Presenter Gabriel Villa will explain aspects on physical security, passwords, privileges and roles, and preventative best practices. He will also demonstrate auditing and look at some .Net code samples to use on your applications. He will also show the new security features in SQL Server 2012.

[OWASP Poland Day] A study of Electron securityOWASP

Electron is an open-source framework for building desktop applications using HTML, CSS and JavaScript. It has a large attack surface including outdated dependencies, insecure default configurations, and deviations from browser security models. The document outlines security issues in Electron's core framework, such as nodeIntegration bypasses allowing remote code execution, and weaknesses in "glorified" APIs. It provides a checklist for developing secure Electron apps and introduces Electronegativity, a tool to help with security testing.

Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesAnant Shrivastava

Better API Security with Automation 42Crunch

ESAPIn|u - The Open Security Community

This document discusses the OWASP ESAPI project, a security API that aims to simplify application security for developers. It provides an overview of ESAPI, including that it contains over 120 security methods and interfaces and was first released in 2010. The document also notes that developers should customize ESAPI to match their own organization and that canonicalization and encoding features are mature, while data validation could be improved.

[OWASP Poland Day] Security knowledge frameworkOWASP

This document outlines an agenda for a presentation on the OWASP Security Knowledge Framework (SKF). The presentation introduces SKF and its goals of integrating security into the software development life cycle. It discusses how SKF provides guidance to developers on secure coding practices. The presentation demonstrates SKF and shows how it can be used with continuous integration tools. It encourages developers to get involved in making SKF widely adopted to help strengthen security across development teams.

The Twelve Factor Appstomi vanek

Reduce Third-Party Tool Dependencies in Your Test FrameworkTechWell

Have you found yourself forced to use outdated test tools because the cost to migrate was prohibitive? Have you abandoned or rewritten existing tests because it was easier (and cheaper) than migrating? With technology ever changing, most businesses struggle to keep up with producing high-quality products for the lowest price possible. And it is usually testers who suffer the most, as they are forced to use tools that are outdated, or no longer supported, because the company cannot afford the migration cost. Chris Mauck offers a new way to design your automation tests to reduce the third-party tool dependencies in your current test framework and significantly shorten the time required to migrate those tests in the future. Using real coding examples Chris explains the approach, design, and implementation. Learn a different way to structure your tests and how you can implement better coding practices across your team.

Top Keys to create a secure websiteClick Ripple Solutions

Evaluating container security with ATT&CK FrameworkSandeep Jayashankar

Containers have been crucial in helping organizations orchestrate their infrastructure requirements. The scalability and reproducibility aspects of containerized environments have enabled applications and web components to be deployed seamlessly in the cloud. While containers have multiple benefits, they also come with distinct security issues, resulting in attackers gaining access to the container, the host, and eventually the data. The first step towards implementing Container Runtime Security is to understand the current threat scenarios and adversary trends affecting the cloud containers. To aptly evaluate the container threat landscape in any environment, an attack matrix should be formulated to ensure that relevant techniques and tactic are identified for every attack stage. The ATT&CK framework from MITRE has been a go-to framework to formulate a threat matrix, identify an adversary’s tactics and methods/techniques used to attain their end game of privilege escalation or data exfiltration. This presentation is targeted towards: Today’s container runtime security landscape Apply ATT&CK methodology on the container runtime environment Provide a practical approach towards attack surface, scenarios, and attack trends Validations and Security Best Practices

42crunch-API-security-workshop42Crunch

If you ask about API security, you will be most likely be told about OAuth2, may be OpenID Connect and of course TLS. But in order to properly secure APIs, you will have to address many other aspects. This presentation cover key concepts related to API Security, as well as practical tools/solutions to address the overall issue, such as: - Transport and message encryption. - Digital Signatures - Auditing and non-repudiation - SecDevOps and security as code - Coding best practices and how to enforce them - Infrastructure Best Practices

Linux Security for DevelopersMichael Boelen

This document discusses securing Linux systems and applications as a developer. It begins by outlining common security risks like weak passwords, lack of input validation, and unintended data exposure. It then provides strategies to improve security in three levels: basics like validation and encryption; taking ownership of code and systems; and performing security audits. Specific techniques are covered like hardening operating systems, software, and network configuration. The document recommends using the Lynis security auditing tool for its flexibility and simplicity. It concludes by discussing the importance of continuous auditing and leveraging security to save time instead of crisis management.

OWASP API Security Top 10 Examples42Crunch

Web Application Firewall - Web Application & Web Services Security integrated...Thomas Malmberg

Secure and Simple Sandboxing in SELinuxJames Morris

Hack In Paris 2011 - Practical SandboxingTom Keetch

More Related Content

What's hot (20)

OWASP AppSecEu 2016 Rome - Building secure cloud native appsAndreas Falk

BOMs Away - Why everyone needs a BOM (AppSec Cali 2019)Steve Springett

Spring SecurityKnoldus Inc.

Compute Security - Host SecurityEng Teong Cheah

SecDevOps for API Security42Crunch

How Secure is Your API?Mary Joy Sabal

SQL Server Security and Intrusion PreventionGabriel Villa

[OWASP Poland Day] A study of Electron securityOWASP

Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesAnant Shrivastava

Better API Security with Automation 42Crunch

ESAPIn|u - The Open Security Community

[OWASP Poland Day] Security knowledge frameworkOWASP

The Twelve Factor Appstomi vanek

Reduce Third-Party Tool Dependencies in Your Test FrameworkTechWell

Top Keys to create a secure websiteClick Ripple Solutions

Evaluating container security with ATT&CK FrameworkSandeep Jayashankar

42crunch-API-security-workshop42Crunch

Linux Security for DevelopersMichael Boelen

OWASP API Security Top 10 Examples42Crunch

Web Application Firewall - Web Application & Web Services Security integrated...Thomas Malmberg

OWASP AppSecEu 2016 Rome - Building secure cloud native appsAndreas Falk

BOMs Away - Why everyone needs a BOM (AppSec Cali 2019)Steve Springett

Spring SecurityKnoldus Inc.

Compute Security - Host SecurityEng Teong Cheah

SecDevOps for API Security42Crunch

How Secure is Your API?Mary Joy Sabal

SQL Server Security and Intrusion PreventionGabriel Villa

[OWASP Poland Day] A study of Electron securityOWASP

Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesAnant Shrivastava

Better API Security with Automation 42Crunch

ESAPIn|u - The Open Security Community

[OWASP Poland Day] Security knowledge frameworkOWASP

The Twelve Factor Appstomi vanek

Reduce Third-Party Tool Dependencies in Your Test FrameworkTechWell

Top Keys to create a secure websiteClick Ripple Solutions

Evaluating container security with ATT&CK FrameworkSandeep Jayashankar

42crunch-API-security-workshop42Crunch

Linux Security for DevelopersMichael Boelen

OWASP API Security Top 10 Examples42Crunch

Web Application Firewall - Web Application & Web Services Security integrated...Thomas Malmberg

Viewers also liked (20)

Secure and Simple Sandboxing in SELinuxJames Morris

Hack In Paris 2011 - Practical SandboxingTom Keetch

File Transfer protocolsAayushi Pareek

Ceh v5 module 07 sniffersVi Tính Hoàng Nam

The document discusses sniffing and packet capture techniques used for ethical hacking. It defines sniffing as intercepting network traffic to steal passwords, emails, files and other sensitive data. It describes protocols vulnerable to sniffing like HTTP, SMTP, FTP etc. It covers tools for sniffing like Wireshark, tcpdump. It discusses active sniffing techniques like ARP spoofing using tools like Arpspoof, Ettercap and MAC flooding using Macof, Etherflood. It also covers DNS poisoning and tools in the dsniff package for sniffing passwords and files.

Nmap(network mapping)SSASIT

This document discusses various port scanning techniques used by hackers to discover services, operating systems, and open ports on target hosts. It explains common TCP scans like SYN scans which identify open and closed ports, and UDP scans. Timing options and techniques for hiding scans are also covered. The document provides examples of using the Nmap tool to perform scans and identify operating systems.

Content Analysis System and Advanced Threat ProtectionBlue Coat

The document discusses Blue Coat's Content Analysis System (CAS) and advanced threat protection solutions. It describes a 3-stage lifecycle defense approach to blocking known threats, analyzing unknown threats, and reducing the time to resolve latent threats. The CAS uses a multi-layered approach including application whitelisting, signature databases, and sandboxing to inspect both encrypted and unencrypted traffic. It also leverages the global intelligence of 75 million users. The complete solution integrates the CAS, Malware Analysis Appliance for sandboxing, and Solera security analytics platform to provide comprehensive advanced threat protection.

Advanced Threat Protection - Sandboxing 101Blue Coat

The document discusses Blue Coat's Advanced Threat Protection solution, which uses a three-stage approach to block known threats, analyze unknown threats, and reduce the dwell time of latent threats. It focuses on the use of sandboxing to detect and analyze unknown threats through dynamic analysis in a virtual machine or emulation sandbox. Blue Coat's Malware Analysis Appliance utilizes a hybrid analysis approach with sandbox emulation and virtualization, behavioral detection patterns, and an extensible plugin architecture to analyze files and expose targeted attacks. The appliance is designed for enterprise scalability and integration with Blue Coat's ProxySG and Content Analysis System to enable blocking, detection, and analysis of threats across the security infrastructure.

File transfer protocolMilind Swane

FTP (File Transfer Protocol) allows users to transfer files between hosts over a TCP network like the Internet. It works by downloading files from remote computers to a local computer, or uploading files from a local computer to a remote computer. Anonymous FTP sites allow public access without logging in, using a username of "anonymous". FTP has security weaknesses that more secure variants like FTPS address through additions like TLS/SSL encryption. To use FTP for a website, one would get server space from a provider, buy storage, register a domain, and access the FTP settings in the administrator control panel to manage files.

Sandbox vs manual malware analysis v1.1Michael Gough

The document discusses the differences between sandbox analysis and manual analysis of malware. Sandbox analysis uses virtual machines and cloud-based solutions to analyze malware, but may miss artifacts since malware can detect virtual environments. The author argues that manual analysis on bare-metal systems provides more complete artifacts and indicators. Manual analysis allows evaluating malware as it was intended by detonating it directly on hardware.

Remote network monitoringyousef emami

The document discusses Remote Network Monitoring (RMON) and its capabilities. It describes RMON1 and RMON2, which allow network managers to monitor remote network segments. RMON1 provides traffic statistics, alarms, and packet capture capabilities. RMON2 adds support for monitoring network and application layers. The document outlines various RMON components like probes, and how RMON can be supported in Ethernet switches. It provides examples of RMON usage like with Cisco's Network Analysis Module.

Nmap not only a port scanner by ravi rajput comexpo security awareness meet Ravi Rajput

As every coin has two side as a same way we know only the single side of Nmap which is port scanning. While researching I found that a lot more other than port scanning and banner grabbing can be done with the use of Nmap. We can use Nmap for web application pen-testing and exploitation too. Yeah it won't work as efficiently as of MSF. This can replace the use of acunetix and other paid version scanner.

Course on Ehtical Hacking - IntroductionBharat Thakkar

The document provides a history of hacking from the 1960s to the late 1990s. It describes how the original meaning of "hack" referred to clever programming at MIT. It discusses early phone phreaks and the discovery that a toy whistle could be used to hack phone systems. Over time, hacking groups formed, magazines were published, and laws were passed to criminalize hacking activities. Famous hackers like Kevin Mitnick were arrested. By the late 1990s, hacking became more serious and targeted major websites and banks. The document then defines terms like hackers, crackers, and ethical hackers who perform authorized security assessments.

Introduction to SNMPMohammed Farrah

SNMP is a set of protocols for managing network devices. It uses a manager-agent model where a manager controls and monitors agents, usually routers. SNMP relies on SMI to define object naming and types and MIB to create a collection of named objects and their relationships. Objects are given OIDs starting with 1.3.6.1.2. SNMP versions 1 and 2c provide limited security while version 3 adds authentication and encryption. SNMP uses community strings for authentication in versions 1 and 2c and username/password in version 3. Common packet types include get, set, and trap requests.

Network scanningoceanofwebs

A network consists of 3 parts: IP addresses, services, and ports. An IP address has a network and host address determined by the subnet mask. Services are network protocols that link server and client applications, typically running on specific ports, though any service can run on any port. Ports allow different services to be available from one location, with common services using well-known ports. Network scanning includes host scanning to locate hosts, port scanning to determine services, and vulnerability scanning to find known flaws using signature-based tools like Nmap, Nessus, GFI LANguard, and SuperScan.

Understanding NMAPPhannarith Ou, G-CISO

Port Scanningamiable_indian

Port scanning involves sending packets to ports on a target system to discover which ports are open and may be exploited. There are several common port scanning techniques like TCP connect scanning, SYN scanning, FIN scanning, and UDP scanning. Port scanners try to avoid detection by scanning slowly, spoofing packets, or fragmenting packets. Systems can detect port scans through signatures like many connections to different ports from the same source in a short time.

Nmap Basicsamiable_indian

Nmap is an open source tool that can scan networks to discover available hosts, services on hosts, operating systems and versions running on hosts, types of firewalls and filters in place, and other network details. It works across Linux, Windows, and other platforms. Nmap uses raw IP packets to gather this information, which can help identify security issues but also be used by attackers for reconnaissance. The tool supports various types of scans with different tradeoffs between stealthiness and information discovered. While Nmap has both command line and GUI interfaces, advanced usage requires command line expertise.

Hacking With Nmap - Scanning Techniquesamiable_indian

The document discusses different nmap scanning techniques including SYN scans, FIN scans, ACK scans, and window scans. It provides pros and cons of each technique. It then details a mission to penetrate SCO's firewall and discern open ports on a target system using different scan types. Another mission works to locate webservers on the Playboy network offering free images, optimizing the scan by getting timing information and scanning faster without DNS lookups. Several IP addresses with port 80 open are identified.

Computer Hacking - An IntroductionJayaseelan Vejayon

Hacking involves modifying systems outside of their intended purpose. It is commonly done by teenagers and young adults using computers. Reasons for hacking include profit, protest, and challenge. Hacking can damage information, enable theft, compromise systems, and cost businesses millions per year. Hackers can be black hats who intend harm, white hats who perform security work, or gray hats who do both. Common attack types include DoS, password guessing, and man-in-the-middle. Hacking tools are widely available online, and passwords can be cracked using dictionary, brute force, and other attacks.

ETHICAL HACKING PPTSweta Leena Panda

Secure and Simple Sandboxing in SELinuxJames Morris

Hack In Paris 2011 - Practical SandboxingTom Keetch

File Transfer protocolsAayushi Pareek

Ceh v5 module 07 sniffersVi Tính Hoàng Nam

Nmap(network mapping)SSASIT

Content Analysis System and Advanced Threat ProtectionBlue Coat

Advanced Threat Protection - Sandboxing 101Blue Coat

File transfer protocolMilind Swane

Sandbox vs manual malware analysis v1.1Michael Gough

Remote network monitoringyousef emami

Nmap not only a port scanner by ravi rajput comexpo security awareness meet Ravi Rajput

Course on Ehtical Hacking - IntroductionBharat Thakkar

Introduction to SNMPMohammed Farrah

Network scanningoceanofwebs

Understanding NMAPPhannarith Ou, G-CISO

Port Scanningamiable_indian

Nmap Basicsamiable_indian

Hacking With Nmap - Scanning Techniquesamiable_indian

Computer Hacking - An IntroductionJayaseelan Vejayon

ETHICAL HACKING PPTSweta Leena Panda

Similar to Sandboxing in .NET CLR (20)

Security Model in .NET FrameworkMikhail Shcherbakov

Mikhail Shcherbakov, a senior software developer at Positive Technologies, discusses the security model in the .NET Framework. He outlines how the .NET Framework uses application domains, code access security, and a transparency model to provide sandboxing of code through verification, permissions, and security attributes. The security architecture has evolved over time from .NET Framework 4 to address issues like partial trust applications and trusted chain attacks.

Sandboxing in .NET CLRMikhail Shcherbakov

Mikhail Shcherbakov gave a presentation on sandboxing in the .NET CLR. He discussed the .NET security architecture including application domains, code access security, permissions, and the transparency model. He explained how sandboxing is the base of security and developing extensible yet secure applications. He also covered sandbox implementation in ASP.NET partial trust applications and vulnerabilities like the luring attack and exception filter attack that bypass security.

Penetration Test ReportDOTCOMIT PRO SRL

The document is a vulnerability assessment report for the Whistleblow application generated by Beagle Security. It includes an executive summary with charts and tables highlighting the vulnerabilities found, including one low severity issue related to security misconfiguration. The technical summary provides details on 4 issues identified, including the X-XSS-Protection header not being implemented, a Google API key being hardcoded, a potential BREACH attack, and disclosure of an email address. The report concludes that the application overall has very low vulnerabilities.

Spring Boot - Microservice Metrics MonitoringDonghuKIM2

Spring boot microservice metrics monitoringOracle Korea

This document summarizes a presentation on monitoring microservices with Spring Boot. It discusses evolving architectures from monolithic to microservices and challenges in microservices. It then covers different monitoring techniques like metrics, tracing and logging. It provides an overview of tools like Prometheus, Grafana, Spring Boot Admin, Eureka and Consul for monitoring microservices. Finally, it outlines hands-on labs to set up monitoring of a sample application with different tool combinations.

Full Download Programming NET Security 1st Edition Adam Freeman PDF DOCXcalessidey19

Security Patterns for Microservice Architectures - ADTMag Microservices & API...Matt Raible

Security Patterns for Microservice ArchitecturesVMware Tanzu

Creating Secure Applications guest879f38

The document summarizes security enhancements in Visual Studio 2005 and SQL Server 2005, including managed code security improvements like running under less privileged accounts, code access security, and debugging/IntelliSense in restricted permission zones. It also describes SQL Server 2005 features like secure defaults, strengthened authentication, granular permissions, encryption and execution context.

September Patch Tuesday Analysis 2018Ivanti

.NET Intro & Dependency Injection WorkshopSerhii Kokhan

Secure Software Development Lifecycle1&1

Daniel Kefer from 1&1 Internet AG presented on 1&1's secure software development lifecycle (SDLC). He began by introducing himself and 1&1. He then discussed the motivation for a secure SDLC, noting the higher costs of fixing bugs later in development. Kefer outlined the common approaches to application security as intuitive, reactive, or proactive. 1&1 aims to take the proactive approach through their SDLC methodology. He described their methodology, including classifying systems based on risk level and assigning different security requirements at each level across both the development lifecycle and technical categories. Kefer finished by discussing 1&1's plans to expand usage and continuous improvement of their SDLC methodology.

Application security meetup k8_s security with zero trust_29072021lior mazor

.net FrameworkRishu Mehra

The .NET Framework allows developers to easily develop applications across various platforms and devices. Some key aspects of the .NET Framework 4.0 include improved support for parallel and asynchronous programming using technologies like the Task Parallel Library and improvements to the garbage collector to better optimize application performance. The Dynamic Language Runtime also allows dynamic languages to better interact with the .NET Framework and CLR.

Security Patterns for Microservice Architectures - Oktane20Matt Raible

Matt Raible presented 11 security patterns for microservice architectures: 1) be secure by design, 2) scan dependencies, 3) use HTTPS everywhere, 4) use access and identity tokens, 5) encrypt and protect secrets, 6) verify security with delivery pipelines, 7) slow down attackers, 8) use Docker rootless mode, 9) use time-based security, 10) scan Docker and Kubernetes configurations for vulnerabilities, and 11) know your cloud and cluster security. He discussed each pattern in detail and provided examples and recommendations for implementation.

Developing microservices with Java and applying Spring security framework and...IRJET Journal

This document discusses developing microservices with Java using the Spring framework and applying Spring Security and OAuth2 for authentication and authorization. It begins with an introduction to microservice architecture and advantages over monolithic architecture. It then discusses various Java libraries that can be used to build microservices, focusing on the Spring Boot framework. The document creates a proof-of-concept inventory management application to demonstrate building microservices with Spring Boot and securing APIs with Spring Security and OAuth2. It describes authentication needs for both web and non-web backend services.

Active Directory 2019 v2.pptxPradeep Kapkoti

This document discusses recommendations for securing an Active Directory environment. It recommends a single forest single domain architecture by default, but acknowledges exceptions may exist. It introduces a tier model for access control and recommends restricting privilege escalation through measures like privileged access workstations and assessing AD security. It also recommends restricting lateral movement, implementing attack detection solutions, and preparing the organization through strategic planning and technical education.

In-kernel Analytics and Tracing with eBPF for OpenStack CloudsPLUMgrid

As the movement of applications from bare metal to the cloud continues, considerations around analytics and tracing are becoming more prevalent for security, monitoring, and accounting. As an open source project under the Linux Foundation, the IO Visor Project is working with the kernel community on extending BPF (eBPF) and is being used by many companies for security, tracing, and analytics. This talk will describe how an OpenStack micro-segmentation framework using eBPF can be utilized for analytics and tracing to secure application workloads. Use cases around application security, intrusion detection using service insertion, identity will be described. While networking is one piece of the solution, sandboxing applications to avoid attacks is also important. We will also touch upon how eBPF technology and a unified policy framework can secure application workloads in areas beyond networking.

2011 NASA Open Source Summit - Forge.milNASA Open Government Initiative

Forge.mil is a collaborative software development platform that aims to overcome siloed development, reduce duplication of effort, and enable cross-program sharing of software and services. It provides application lifecycle management services and tools for collaborative development within a shared, multi-tenant environment for Department of Defense programs and partners. Forge.mil has grown to support over 2700 software releases from various DoD projects across different services since its initial launch in 2009.

microsoft visual studio .net introduction from ids teamroyaljaiitsolutions

Security Model in .NET FrameworkMikhail Shcherbakov

Sandboxing in .NET CLRMikhail Shcherbakov

Penetration Test ReportDOTCOMIT PRO SRL

Spring Boot - Microservice Metrics MonitoringDonghuKIM2

Spring boot microservice metrics monitoringOracle Korea

Full Download Programming NET Security 1st Edition Adam Freeman PDF DOCXcalessidey19

Security Patterns for Microservice Architectures - ADTMag Microservices & API...Matt Raible

Security Patterns for Microservice ArchitecturesVMware Tanzu

Creating Secure Applications guest879f38

September Patch Tuesday Analysis 2018Ivanti

.NET Intro & Dependency Injection WorkshopSerhii Kokhan

Secure Software Development Lifecycle1&1

Application security meetup k8_s security with zero trust_29072021lior mazor

.net FrameworkRishu Mehra

Security Patterns for Microservice Architectures - Oktane20Matt Raible

Developing microservices with Java and applying Spring security framework and...IRJET Journal

Active Directory 2019 v2.pptxPradeep Kapkoti

In-kernel Analytics and Tracing with eBPF for OpenStack CloudsPLUMgrid

2011 NASA Open Source Summit - Forge.milNASA Open Government Initiative

microsoft visual studio .net introduction from ids teamroyaljaiitsolutions

More from Mikhail Shcherbakov (20)

Delegates and events in C#Mikhail Shcherbakov

Mythbusters - Web Application SecurityMikhail Shcherbakov

Михаил Щербаков "WinDbg сотоварищи"Mikhail Shcherbakov

Доклад с митапа MSK .NET Community (http://mskdotnet.org). Поговорим о самом мощном отладчике для Windows – WinDbg. Разберем как начать использовать этот отладчик, чем он может быть полезен для .NET разработчиков. Подробней остановимся на практических моментах его применения, зачем он прикладным программистам, web-разработчикам. Посмотрим и на другие инструменты отладки, которые занимают нишу между интуитивно управляемым комбайном Visual Studio и легким, но крайне аскетичным WinDbg.

Apache Ignite.NET в действииMikhail Shcherbakov

Архитектура Apache Ignite .NETMikhail Shcherbakov

Знакомство с In-Memory Data GridMikhail Shcherbakov

сценарии использования статического анализатораMikhail Shcherbakov

WCF. Легко или проблемноMikhail Shcherbakov

Поиск ошибок в программах на языке C#Mikhail Shcherbakov

Когда в C# не хватает C++. Часть 3. Mikhail Shcherbakov

Project RiderMikhail Shcherbakov

Rider is a cross-platform .NET IDE developed by JetBrains as an alternative to Visual Studio. It supports .NET Framework, .NET Core, and Mono development. The demo discussed Rider's key features like its IDE components, language understanding, and support for MVVM and reactive programming patterns. Development follows principles like DRY and uses reactive techniques. Challenges include integrating with IntelliJ languages and keeping the ReSharper process separate while fully supporting MVVM in a pure way.

WinDbg в руках .NET разработчикаMikhail Shcherbakov

Structured loggingMikhail Shcherbakov

RESTful API: Best practices, versioning, design documentationMikhail Shcherbakov

Простой и кросс-платформенный WEB-сервер на .NETMikhail Shcherbakov

Использование Visual Studio Tools for Apache Cordova в реальных проектахMikhail Shcherbakov

Когда в C# не хватает C++. Часть 2.Mikhail Shcherbakov

Распространённые ошибки оценки производительности .NET-приложенийMikhail Shcherbakov

Когда в C# не хватает C++Mikhail Shcherbakov

Как это работает: DLRMikhail Shcherbakov

Delegates and events in C#Mikhail Shcherbakov

Mythbusters - Web Application SecurityMikhail Shcherbakov

Михаил Щербаков "WinDbg сотоварищи"Mikhail Shcherbakov

Apache Ignite.NET в действииMikhail Shcherbakov

Архитектура Apache Ignite .NETMikhail Shcherbakov

Знакомство с In-Memory Data GridMikhail Shcherbakov

сценарии использования статического анализатораMikhail Shcherbakov

WCF. Легко или проблемноMikhail Shcherbakov

Поиск ошибок в программах на языке C#Mikhail Shcherbakov

Когда в C# не хватает C++. Часть 3. Mikhail Shcherbakov

Project RiderMikhail Shcherbakov

WinDbg в руках .NET разработчикаMikhail Shcherbakov

Structured loggingMikhail Shcherbakov

RESTful API: Best practices, versioning, design documentationMikhail Shcherbakov

Простой и кросс-платформенный WEB-сервер на .NETMikhail Shcherbakov

Использование Visual Studio Tools for Apache Cordova в реальных проектахMikhail Shcherbakov

Когда в C# не хватает C++. Часть 2.Mikhail Shcherbakov

Распространённые ошибки оценки производительности .NET-приложенийMikhail Shcherbakov

Когда в C# не хватает C++Mikhail Shcherbakov

Как это работает: DLRMikhail Shcherbakov

Recently uploaded (20)

Dev Dives: Automate and orchestrate your processes with UiPath MaestroUiPathCommunity

This session is designed to equip developers with the skills needed to build mission-critical, end-to-end processes that seamlessly orchestrate agents, people, and robots. 📕 Here's what you can expect: - Modeling: Build end-to-end processes using BPMN. - Implementing: Integrate agentic tasks, RPA, APIs, and advanced decisioning into processes. - Operating: Control process instances with rewind, replay, pause, and stop functions. - Monitoring: Use dashboards and embedded analytics for real-time insights into process instances. This webinar is a must-attend for developers looking to enhance their agentic automation skills and orchestrate robust, mission-critical processes. 👨‍🏫 Speaker: Andrei Vintila, Principal Product Manager @UiPath This session streamed live on April 29, 2025, 16:00 CET. Check out all our upcoming Dev Dives sessions at https://community.uipath.com/dev-dives-automation-developer-2025/.

Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell

#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025BookNet Canada

Book industry standards are evolving rapidly. In the first part of this session, we’ll share an overview of key developments from 2024 and the early months of 2025. Then, BookNet’s resident standards expert, Tom Richardson, and CEO, Lauren Stewart, have a forward-looking conversation about what’s next. Link to recording, transcript, and accompanying resource: https://bnctechforum.ca/sessions/standardsgoals-for-2025-standards-certification-roundup/ Presented by BookNet Canada on May 6, 2025 with support from the Department of Canadian Heritage.

DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxJustin Reock

Building 10x Organizations with Modern Productivity Metrics 10x developers may be a myth, but 10x organizations are very real, as proven by the influential study performed in the 1980s, ‘The Coding War Games.’ Right now, here in early 2025, we seem to be experiencing YAPP (Yet Another Productivity Philosophy), and that philosophy is converging on developer experience. It seems that with every new method we invent for the delivery of products, whether physical or virtual, we reinvent productivity philosophies to go alongside them. But which of these approaches actually work? DORA? SPACE? DevEx? What should we invest in and create urgency behind today, so that we don’t find ourselves having the same discussion again in a decade?

Rusty Waters: Elevating Lakehouses Beyond Sparkcarlyakerly1

Spark is a powerhouse for large datasets, but when it comes to smaller data workloads, its overhead can sometimes slow things down. What if you could achieve high performance and efficiency without the need for Spark? At S&P Global Commodity Insights, having a complete view of global energy and commodities markets enables customers to make data-driven decisions with confidence and create long-term, sustainable value. 🌍 Explore delta-rs + CDC and how these open-source innovations power lightweight, high-performance data applications beyond Spark! 🚀

Role of Data Annotation Services in AI-Powered ManufacturingAndrew Leo

Procurement Insights Cost To Value Guide.pptxJon Hansen

What is Model Context Protocol(MCP) - The new technology for communication bw...Vishnu Singh Chundawat

The MCP (Model Context Protocol) is a framework designed to manage context and interaction within complex systems. This SlideShare presentation will provide a detailed overview of the MCP Model, its applications, and how it plays a crucial role in improving communication and decision-making in distributed systems. We will explore the key concepts behind the protocol, including the importance of context, data management, and how this model enhances system adaptability and responsiveness. Ideal for software developers, system architects, and IT professionals, this presentation will offer valuable insights into how the MCP Model can streamline workflows, improve efficiency, and create more intuitive systems for a wide range of use cases.

Heap, Types of Heap, Insertion and DeletionJaydeep Kale

HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungenpanagenda

Webinar Recording: https://www.panagenda.com/webinars/hcl-nomad-web-best-practices-und-verwaltung-von-multiuser-umgebungen/ HCL Nomad Web wird als die nächste Generation des HCL Notes-Clients gefeiert und bietet zahlreiche Vorteile, wie die Beseitigung des Bedarfs an Paketierung, Verteilung und Installation. Nomad Web-Client-Updates werden “automatisch” im Hintergrund installiert, was den administrativen Aufwand im Vergleich zu traditionellen HCL Notes-Clients erheblich reduziert. Allerdings stellt die Fehlerbehebung in Nomad Web im Vergleich zum Notes-Client einzigartige Herausforderungen dar. Begleiten Sie Christoph und Marc, während sie demonstrieren, wie der Fehlerbehebungsprozess in HCL Nomad Web vereinfacht werden kann, um eine reibungslose und effiziente Benutzererfahrung zu gewährleisten. In diesem Webinar werden wir effektive Strategien zur Diagnose und Lösung häufiger Probleme in HCL Nomad Web untersuchen, einschließlich - Zugriff auf die Konsole - Auffinden und Interpretieren von Protokolldateien - Zugriff auf den Datenordner im Cache des Browsers (unter Verwendung von OPFS) - Verständnis der Unterschiede zwischen Einzel- und Mehrbenutzerszenarien - Nutzung der Client Clocking-Funktion

Generative Artificial Intelligence (GenAI) in BusinessDr. Tathagat Varma

Technology Trends in 2025: AI and Big Data AnalyticsInData Labs

At InData Labs, we have been keeping an ear to the ground, looking out for AI-enabled digital transformation trends coming our way in 2025. Our report will provide a look into the technology landscape of the future, including: -Artificial Intelligence Market Overview -Strategies for AI Adoption in 2025 -Anticipated drivers of AI adoption and transformative technologies -Benefits of AI and Big data for your business -Tips on how to prepare your business for innovation -AI and data privacy: Strategies for securing data privacy in AI models, etc. Download your free copy nowand implement the key findings to improve your business.

Linux Professional Institute LPIC-1 Exam.pdfRHCSA Guru

tecnologias de las primeras civilizaciones.pdffjgm517

Complete Guide to Advanced Logistics Management Software in Riyadh.pdfSoftware Company

Explore the benefits and features of advanced logistics management software for businesses in Riyadh. This guide delves into the latest technologies, from real-time tracking and route optimization to warehouse management and inventory control, helping businesses streamline their logistics operations and reduce costs. Learn how implementing the right software solution can enhance efficiency, improve customer satisfaction, and provide a competitive edge in the growing logistics sector of Riyadh.

Greenhouse_Monitoring_Presentation.pptx.hpbmnnxrvb

Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxAnoop Ashok

Quantum Computing Quick Research Guide by Arthur MorganArthur Morgan

This is a Quick Research Guide (QRG). QRGs include the following: - A brief, high-level overview of the QRG topic. - A milestone timeline for the QRG topic. - Links to various free online resource materials to provide a deeper dive into the QRG topic. - Conclusion and a recommendation for at least two books available in the SJPL system on the QRG topic. QRGs planned for the series: - Artificial Intelligence QRG - Quantum Computing QRG - Big Data Analytics QRG - Spacecraft Guidance, Navigation & Control QRG (coming 2026) - UK Home Computing & The Birth of ARM QRG (coming 2027) Any questions or comments? - Please contact Arthur Morgan at [email protected]. 100% human made.

Linux Support for SMARC: How Toradex Empowers Embedded DevelopersToradex

Toradex brings robust Linux support to SMARC (Smart Mobility Architecture), ensuring high performance and long-term reliability for embedded applications. Here’s how: • Optimized Torizon OS & Yocto Support – Toradex provides Torizon OS, a Debian-based easy-to-use platform, and Yocto BSPs for customized Linux images on SMARC modules. • Seamless Integration with i.MX 8M Plus and i.MX 95 – Toradex SMARC solutions leverage NXP’s i.MX 8 M Plus and i.MX 95 SoCs, delivering power efficiency and AI-ready performance. • Secure and Reliable – With Secure Boot, over-the-air (OTA) updates, and LTS kernel support, Toradex ensures industrial-grade security and longevity. • Containerized Workflows for AI & IoT – Support for Docker, ROS, and real-time Linux enables scalable AI, ML, and IoT applications. • Strong Ecosystem & Developer Support – Toradex offers comprehensive documentation, developer tools, and dedicated support, accelerating time-to-market. With Toradex’s Linux support for SMARC, developers get a scalable, secure, and high-performance solution for industrial, medical, and AI-driven applications. Do you have a specific project or application in mind where you're considering SMARC? We can help with Free Compatibility Check and help you with quick time-to-market For more information: https://www.toradex.com/computer-on-modules/smarc-arm-family

Special Meetup Edition - TDX Bengaluru Meetup #52.pptxshyamraj55

Dev Dives: Automate and orchestrate your processes with UiPath MaestroUiPathCommunity

Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell

#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025BookNet Canada

DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxJustin Reock

Rusty Waters: Elevating Lakehouses Beyond Sparkcarlyakerly1

Role of Data Annotation Services in AI-Powered ManufacturingAndrew Leo

Procurement Insights Cost To Value Guide.pptxJon Hansen

What is Model Context Protocol(MCP) - The new technology for communication bw...Vishnu Singh Chundawat

Heap, Types of Heap, Insertion and DeletionJaydeep Kale

HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungenpanagenda

Generative Artificial Intelligence (GenAI) in BusinessDr. Tathagat Varma

Technology Trends in 2025: AI and Big Data AnalyticsInData Labs

Linux Professional Institute LPIC-1 Exam.pdfRHCSA Guru

tecnologias de las primeras civilizaciones.pdffjgm517

Complete Guide to Advanced Logistics Management Software in Riyadh.pdfSoftware Company

Greenhouse_Monitoring_Presentation.pptx.hpbmnnxrvb

Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxAnoop Ashok

Quantum Computing Quick Research Guide by Arthur MorganArthur Morgan

Linux Support for SMARC: How Toradex Empowers Embedded DevelopersToradex

Special Meetup Edition - TDX Bengaluru Meetup #52.pptxshyamraj55

Sandboxing in .NET CLR

1. Sandboxing in .NET CLR Mikhail Shcherbakov July 05, 2015

2. Coordinator of SPB .NET Community Product Manager at Cezurity One of the core developers of the source code analyzer PT Application Inspector Former Team Lead at Acronis, Luxoft, Boeing About me 2

3. Sandboxing is the base of security Development of extensible and security-sensitive applications Troubleshooting and knowledge about the internals Knowledge in Practice  ASP.NET / IIS  Silverlight  SQL CLR  XBAP  ClickOnce  Sharepoint 3

4. Security Architecture 4

5. Security Architecture 5

6. Application Domains 6

7. The verification process 7

8. Just-in-time verification

9. Code Access Security 9

10. Policy 10

11. deprecated in .NET Framework 4 Policy 11

12. Permissions 12

13. Permissions 13

14. Enforcement 14

15. Fully Trusted code in Partially Trusted AppDomain 15

16. Transparency Model 16

17. Level 2 Security Transparency Critical Full Trust code that can do anything Safe Critical Full Trust code Provides access to Critical code Transparent Only verifiable code Cannot p/invoke Cannot elevate/assert 17

18. Security Transparency Attributes Assembly Level Type Level Member Level SecurityTransparent    SecuritySafeCritical    SecurityCritical    AllowPartiallyTrustedCallers    SecAnnotate.exe – .NET Security Annotator Tool http://bit.ly/1A3vMw3 18

19. Stack walking 19

20. Sandbox implementation

21. ASP.NET Partial Trust applications 2005 2005 2006 2007 2008 2009 2010 2011 2012 Use Medium trust in shared hosting environments bit.ly/1yABGqf August 2005 For Web servers that are Internet-facing, Medium trust is recommended bit.ly/1z83LVV July 2008 21

22. ASP.NET Partial Trust applications 20152008 2009 2010 2011 2012 2013 ASP.NET Partial Trust does not guarantee application isolation bit.ly/1CRv3Ux June 2012 ASP.NET Security and the Importance of KB2698981 in Cloud Environments bit.ly/1vXJ50J April 2013 “The official position of the ASP.NET team is that Medium Trust is obsolete” -Levi Broderick, security developer at Microsoft bit.ly/1If14Gv June 2013 ASP.NET MVC 5 no longer supports partial trust bit.ly/1w0xxuX October 2013 22

23. DynamicMethod class MS13-015 vulnerability Could Allow Elevation of Privilege (KB2800277) Trusted Chain Attack 23

24. Luring Attack 24

25. Luring Attack MS02-061 “Elevation of Privilege in SQL Server Web Tasks” 25

26. Exception Filter Attack

27. Exception Filter Attack 27

28. Exception Filter Attack 28

29. Summary 29

30. Sandboxing: Exploring the .NET Framework 4 Security Model bit.ly/1zBHDl7 New Security Model: Moving to a Better Sandbox bit.ly/1qdLTYf How to Test for Luring Vulnerabilities bit.ly/1G5asdG Using SecAnnotate to Analyze Your Assemblies for Transparency Violations bit.ly/12AtGZF Summary 30

31. .NET Security: OWASP Top 10 for .NET developers bit.ly/1mpvG9R OWASP .NET Project bit.ly/1vCfknm Troy Hunt blog www.troyhunt.com The WASC Threat Classification v2.0 bit.ly/1G5d8rM Summary 31

32. Thank you for your attention! Mikhail Shcherbakov spbdotnet.org [email protected] linkedin.com/in/mikhailshcherbakov github.com/yuske @yu5k3 Product Manager at Cezurity

Sandboxing in .NET CLR

Recommended

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Sandboxing in .NET CLR (20)

More from Mikhail Shcherbakov (20)

Recently uploaded (20)

Sandboxing in .NET CLR