Top Security Threats for .NET developers

Mikhail ShcherbakovProduct Manager at Cezurity

10-я конференция .NET разработчиков19 апреля 2015dotnetconf.ru

About me

Product Manager at Cezurity One of the core developers of the source

code analyzer PT Application Inspector Former Team Lead at Acronis, Luxoft,

Boeing, SPC KRUG

Security DevelopmentWhere to Begin?

Security Development

Security Development

How to write code?

Glossary

Glossary

Threat - a potential violation of security (ISO 7498-2).

Impact - consequences for an organization or environment when an attack is realized, or weakness is present.

Attack - a well-defined set of actions that, if successful, would result in either damage to an asset, or undesirable operation.

Glossary

Weakness - a type of mistake in software that, in proper conditions, could contribute to the introduction of vulnerabilities within that software.

Vulnerability - an occurrence of a weakness (or multiple weaknesses) within software, in which the weakness can be used by a party to cause the software to modify or access unintended data, interrupt proper execution, or perform incorrect actions that were not specifically granted to the party who uses the weakness.

Glossary

Need to Deal with Weaknesses!

Classifications

Classifications

https://www.owasp.org/index.php/Category:Attack

Classifications

https://www.owasp.org/index.php/Category:Vulnerability

Classifications

http://projects.webappsec.org/w/page/13246978/Threat%20Classification

Classifications

Create a classification for developers!

Improper Input/Output Handling Implementation

Improper Input/Output Handling SQL Injection OS Commanding XML Injection XPath Injection XQuery Injection LDAP Injection Cross-site scripting

(XSS)

Unrestricted File Upload

Path Traversal HTTP Response

Splitting Content Spoofing Buffer Overflow

Injection Anatomy

Input Data

’ OR 1=1 --‘ union all select password FROM CustomerLogin WHERE email = ‘x@exapmle.com'--

Injection Anatomy

SQL Injection with EF

Show me code!

Cross-site scripting (XSS)

Reflected Stored DOM-based

Stored XSS

Show me code!

DOM-based XSS

Show me code!

Insufficient Control Flow ManagementDesign/Implementation

Insufficient Control Flow Management Cross-Site Request Forgery (CSRF) Mass Assignment Business Logic Errors Abuse of Functionality

CSRF

CSRF

ASP.NET MVC <%= Html.AntiForgeryToken() %>

<input name="__RequestVerificationToken" type="hidden“ …

ASP.NET Web Forms __VIEWSTATE, __EVENTVALIDATION

http://www.jardinesoftware.com/Documents/ASP_Net_Web_Forms_CSRF_Workflow.pdf

Business Logic Error

Samples

Sensitive Data ExposureDesign/Implementation/Deployment

Sensitive Data Exposure

Insufficient Transport Layer Protection Insecure Cryptographic Storage Insufficient Client-side Data Protection

Improper Access ControlDesign/Implementation/Deployment

Improper Access Control

Insufficient Authentication Insufficient Authorization Insufficient Password Recovery Insufficient Session Expiration Credential/Session Prediction Improper File System Permissions Brute Force Insufficient Anti-automation

Secure MisconfigurationDeployment

Secure Misconfiguration

Application Misconfiguration Server Misconfiguration Information Exposure Through an Error

Message Information Leakage Directory Indexing Insecure Indexing Using Components with Known

Vulnerabilities

Summary

OWASP Top Ten Project (2010/2013) http://bit.ly/1OffewO

OWASP .NET Project http://bit.ly/1cz62Sv Vladimir Kochetkov Blog

http://bit.ly/1DecXWI Troy Hunt Blog www.troyhunt.com OWASP Developer Guide

http://bit.ly/1JcQLoh CWE/SANS Top 25 Most Dangerous

Software Errors (2011) http://bit.ly/1bjDTOH

Thank you for your attention!

Mikhail Shcherbakov

ms@cezurity.com

linkedin.com/in/mikhailshcherbakov

github.com/yuske

@yu5k3

Product Manager at Cezurity