Best Practices for Building Secure Solutions Peter Willmot


Transcript of Best Practices for Building Secure Solutions Peter Willmot

Best Practices for Building Secure Solutions
Peter Willmot

Attackers vs. Defenders
- Attacker needs to understand only one security issue; defender needs to secure all entry points
- Attacker has unlimited time; defender works with time and cost constraints

Security As an Afterthought
- Developers and management think that security does not add any business value
- Cost of addressing security issues only increases as the software design lifecycle proceeds

Do I need security?

Security vs. Usability
- Secure systems are more difficult to use
- Complex and strong passwords are difficult to remember
- Users prefer simple passwords

A quick refresh on security challenges

Security requires a holistic approach
- Network: defend the network (port blocking, filtering, encryption) against spoofed packets, etc.
- Host: defend the host (updates, IIS hardening, ACLs, CAS, logging, least privilege, account mgmt.) against buffer overflows, illicit paths, etc.
- Application: defend the application (validation, hashing, encryption, secrets mgmt., cookie mgmt., session mgmt., error handling) against SQL injection, XSS, input tampering, etc.

Critical Security Principles
- Minimise the attack surface
- Defend in depth
- Design for sustainability
- Test rigorously, in a meaningfully representative environment, and use the OS / tools if you can

Don't Advertise / Disclose too much
- Well-known product / service signatures
- Server and service identity
- Data in URLs /s
- Over-friendly error messages
- Unhandled exception messages

Protect your Servers
- Stay current with service packs and updates
- Monitor event logs and resources
- Use Windows Firewall or a reverse proxy
- Apply the principle of least privilege
- Lock down IP, file system and registry
- Lock down services and configurations
- Manage / monitor the configuration

Authenticate Rigorously
- Apply sound service layering practices
- Leverage Active Directory / Kerberos if you can
- Browser / client cannot be protected by SSL
- Strong authentication is key to non-repudiation
- Take identity management as close to the source as you can in federated environments

Validate all Inputs / Parameters
- Never trust user input (always validate!)
- Store secrets securely (don't use hidden fields)
- Don't echo input directly back to the browser
- Secure ASP.NET session state
- Anticipate errors and handle them appropriately

Validation tools (Tool: Description)
- Regex: Class in the System.Text.RegularExpressions namespace that wraps the .NET Framework's regular expression engine
- Validation controls: Set of six controls that validate input on both client and server: RequiredFieldValidator, RegularExpressionValidator, RangeValidator, etc.
- HttpUtility.HtmlEncode: HTML-encodes input, converting potentially dangerous characters such as "
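The "validate all inputs" and "don't echo input directly back to the browser" advice above, as an added C# example that is not from the slides: it pairs an allow-list Regex check with HttpUtility.HtmlEncode on output, and assumes the System.Web.HttpUtility type is available (System.Web.dll on .NET Framework) and a constructed display-name parameter.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

public static class GreetingPage
{
    // Allow-list for a hypothetical display-name parameter: 1-32 letters, digits,
    // spaces, hyphens or apostrophes. \A and \z anchor the whole string ($ alone
    // would still match before a trailing newline). Bad input is rejected, not "cleaned".
    private static readonly Regex DisplayNamePattern =
        new Regex(@"\A[A-Za-z0-9 '\-]{1,32}\z", RegexOptions.Compiled);

    // 'Before': the parameter is echoed straight back into the page, so any
    // markup it contains is interpreted by the browser (XSS).
    public static string RenderUnsafe(string name)
    {
        return "<p>Hello, " + name + "</p>";
    }

    // 'After': validate first (never trust input), then HTML-encode on output.
    // HtmlEncode turns <, >, & and quotes into entities, so even a value that
    // passes the allow-list (e.g. the apostrophe in O'Brien) renders as text.
    public static string RenderSafe(string name)
    {
        if (name == null || !DisplayNamePattern.IsMatch(name))
            throw new ArgumentException("Invalid display name");
        return "<p>Hello, " + HttpUtility.HtmlEncode(name) + "</p>";
    }

    public static void Main()
    {
        // Constructed sample inputs: one benign, one containing markup.
        string[] samples = { "O'Brien", "<script>alert(1)</script>" };
        foreach (string s in samples)
        {
            Console.WriteLine("unsafe: " + RenderUnsafe(s));
            try
            {
                Console.WriteLine("safe:   " + RenderSafe(s));
            }
            catch (ArgumentException ex)
            {
                // Rejected input: log it and return a generic error, not an
                // over-friendly message that discloses the validation rule.
                Console.WriteLine("safe:   rejected (" + ex.Message + ")");
            }
        }
    }
}
```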