TRANSCRIPT
More Secure Online Services Powered by the Microsoft SDL
Bryan Sullivan
Security Program Manager, SDL
Microsoft
What We Will Cover
Brief background on the Microsoft Security Development Lifecycle (SDL)
SDL processes and tools currently used to protect online services
Preview future SDL online initiatives
Session Prerequisites
Knowledge of basic web application vulnerabilities
Familiarity with web programming concepts
ASP.NET is a plus
Level 300
SDL Background: What is the SDL?
Education, Tools, Process
SDL Background: SQL Server Before the SDL
[Chart: reported SQL Server vulnerabilities per year, 1999 to 2002; y-axis 0 to 25]
SDL Background: SQL Server After the SDL
[Chart: reported SQL Server vulnerabilities per year, 1999 to 2008; y-axis 0 to 25]
Online Service Requirements: OWASP Top Ten
Cross-Site Scripting
Injection Flaws
Malicious File Execution
Insecure Direct Object References
Cross-Site Request Forgery
Information Leakage
Broken Authentication
Insecure Cryptography
Insecure Communications
Failure to Restrict URL Access
Cross-Site Scripting (XSS): Input Validation
Ensure the data is what the application expects:
Format
Length
Regular expressions (can) work great here:
System.Text.RegularExpressions.Regex
System.Web.UI.WebControls.RegularExpressionValidator
Cross-Site Scripting (XSS): Use of Regular Expressions
Incorrect use of Regex (blacklist: rejects only what you thought to list):
    if (Regex.IsMatch(userInput, "[<>]"))
        // reject input
Correct use of Regex (whitelist: accepts only what the application expects):
    if (Regex.IsMatch(userInput, "^[a-zA-Z]{1,9}$"))
        // accept input
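An added example, not from the slides, that runs the blacklist and whitelist patterns above over a few constructed inputs. It also closes a .NET-specific gap: without RegexOptions.Multiline, `$` matches before a trailing "\n" as well as at the end of the string, so `^[a-zA-Z]{1,9}$` accepts "alice\n"; `\z` anchors at the true end of the string.

```csharp
using System;
using System.Text.RegularExpressions;

static class InputValidation
{
    // Blacklist from the slide: it only looks for angle brackets, so any
    // hostile value that does not use them passes unchanged.
    static readonly Regex Blacklist = new Regex("[<>]");

    // Whitelist from the slide, with \z instead of $. In .NET, $ also matches
    // just before a final "\n", so "alice\n" would otherwise be accepted;
    // \z matches only at the very end of the string.
    static readonly Regex Whitelist = new Regex(@"^[a-zA-Z]{1,9}\z");

    public static bool BlacklistAccepts(string input)
    {
        return !Blacklist.IsMatch(input);
    }

    public static bool WhitelistAccepts(string input)
    {
        return Whitelist.IsMatch(input);
    }

    static void Main()
    {
        // Constructed sample inputs: one legitimate name, then values a
        // name field should never accept.
        string[] samples =
        {
            "alice",
            "alice\n",
            "'; DROP TABLE Customers--",
            "\" style=\"color:red",
            "<b>bold</b>",
        };

        foreach (string s in samples)
        {
            Console.WriteLine("{0,-28} blacklist={1,-5} whitelist={2}",
                s.Replace("\n", "\\n"), BlacklistAccepts(s), WhitelistAccepts(s));
        }
        // Only "alice" passes the whitelist; the blacklist rejects only the
        // one sample that happens to contain angle brackets.
    }
}
```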
Cross-Site Scripting (XSS): ValidateRequest
Page directive:
    <%@ Page ValidateRequest="true" %>
Web.config setting:
    <configuration>
      <system.web>
        <pages validateRequest="true" />
      </system.web>
    </configuration>
More of a defense-in-depth measure
Cross-Site Scripting (XSS): Encode Output
Harder than it sounds! 7 different cases:
Plain HTML
HTML attribute
URL
JavaScript
VBScript
XML
XML attribute
Use Microsoft AntiXSS Library
Demonstration 1: Microsoft AntiXSS Library
Cross-Site Scripting (XSS): Static Analysis
XSSDetect Code Analysis Tool
Analyzes source-to-sink dataflow
Standalone or integrated into Visual Studio
SQL Injection: Use Stored Procedures
Bad code (user input is concatenated into the statement text):
    SqlCommand command = new SqlCommand(
        "SELECT * FROM Customers WHERE CustomerId = '" + customerId + "'");
Good code (user input travels as a parameter value):
    SqlCommand command = new SqlCommand("GetCustomer");
    command.CommandType = CommandType.StoredProcedure;
    command.Parameters.Add(new SqlParameter("@customerId", customerId));
SQL Injection: Avoid EXEC @sql
Moving the string concatenation into the stored procedure code still leaves you vulnerable:
    EXEC ('SELECT * FROM Customers WHERE CustomerId = ''' + @CustomerId + ''')
The only approved use of EXEC is to call other stored procedures
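An added example, not slide code, that puts the two SQL injection slides together as one complete call: the command is bound to the GetCustomer stored procedure, the customer id is passed as a typed, length-limited parameter, and the connection string is a placeholder for a least-privilege account. The stored procedure body in the comment and the "Name" column are assumptions made for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class CustomerData
{
    // Placeholder: use an account that holds only EXECUTE on GetCustomer,
    // as the "Remove Database Privileges" slide requires.
    const string ConnectionString = "<connection string for least-privilege account>";

    // Assumed stored procedure: a static query with no EXEC of built-up text.
    //   CREATE PROCEDURE GetCustomer @customerId NVARCHAR(20) AS
    //     SELECT Name FROM Customers WHERE CustomerId = @customerId

    public static string GetCustomerName(string customerId)
    {
        using (SqlConnection connection = new SqlConnection(ConnectionString))
        using (SqlCommand command = new SqlCommand("GetCustomer", connection))
        {
            command.CommandType = CommandType.StoredProcedure;

            // Typed, length-limited parameter: the value reaches SQL Server as
            // data, never as statement text, so an id such as "' OR 1=1--"
            // is simply looked up (and not found) rather than executed.
            SqlParameter id = command.Parameters.Add("@customerId", SqlDbType.NVarChar, 20);
            id.Value = customerId;

            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                if (!reader.Read())
                    return null;
                return reader.GetString(reader.GetOrdinal("Name"));
            }
        }
    }
}
```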
SQL Injection: Remove Database Privileges
Allow only EXECUTE privileges on the necessary stored procedures
All other privileges on all objects must be removed
This is defense in depth
Cross-Domain Scripting: Same Origin Policy
Two frames/windows can only communicate with each other if they have the same origin
Origin is defined as having the same:
Domain
Port
Protocol
Also applies to XMLHttpRequest
Cross-Domain Scripting: Same Origin Policy Example
If my page is http://www.mysite.com/foo/bar.aspx

    Page                                   Allowed?  Why?
    http://blogs.mysite.com/page.aspx      No        Different domain
    https://www.mysite.com/page.aspx       No        Different protocol
    http://www.mysite.com:81/page.aspx     No        Different port
    http://mysite.com/page.aspx            No        Different domain
    http://www.mysite.com/bar/page.aspx    Yes       Everything ok
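An added example, not from the slides, that encodes the same-origin rule as a function and runs it over the table above plus one extra URL (mixed-case host with an explicit default port) to show how normalisation affects the comparison. It relies on System.Uri lower-casing scheme and host and filling in the default port (80 for http, 443 for https) when none is given.

```csharp
using System;

static class SameOrigin
{
    // Two URLs share an origin when scheme, host and port all match.
    public static bool IsSameOrigin(string first, string second)
    {
        Uri a = new Uri(first);
        Uri b = new Uri(second);
        return a.Scheme == b.Scheme && a.Host == b.Host && a.Port == b.Port;
    }

    // Reports the first component that differs, in the order the table uses.
    public static string Explain(string page, string other)
    {
        Uri a = new Uri(page);
        Uri b = new Uri(other);
        if (a.Scheme != b.Scheme) return "Different protocol";
        if (a.Host != b.Host) return "Different domain";
        if (a.Port != b.Port) return "Different port";
        return "Everything ok";
    }

    static void Main()
    {
        string myPage = "http://www.mysite.com/foo/bar.aspx";
        string[] candidates =
        {
            "http://blogs.mysite.com/page.aspx",
            "https://www.mysite.com/page.aspx",
            "http://www.mysite.com:81/page.aspx",
            "http://mysite.com/page.aspx",
            "http://www.mysite.com/bar/page.aspx",
            // Extra case: same origin once host case and default port are normalised.
            "http://WWW.MySite.com:80/other.aspx",
        };

        foreach (string url in candidates)
        {
            Console.WriteLine("{0,-42} {1,-4} {2}", url,
                IsSameOrigin(myPage, url) ? "Yes" : "No", Explain(myPage, url));
        }
    }
}
```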
Cross-Domain Scripting: document.domain
Two cooperating pages can lower their domain so they can talk to each other
Do not lower document.domain to the "two-dots" level or lower:
foo.site.com is allowed
site.com is prohibited
.com is right out (prohibited by browsers too)
Cross-Domain Scripting: Cross-Domain Access Policies
Used by Flash, Silverlight:
crossdomain.xml
clientaccesspolicy.xml
    <cross-domain-policy>
      <allow-access-from domain="www.good.com"/>
      <allow-access-from domain="*.net"/>
      <allow-access-from domain="*"/>
    </cross-domain-policy>
Cross-Site Request Forgery: ViewStateUserKey
Built-in canary defense for ASP.NET pages
    protected void Page_Init(object sender, EventArgs e)
    {
        this.ViewStateUserKey = Session.SessionID;
    }
Demonstration 2: ViewStateUserKey
Future SDL Initiatives: SDL for Agile Development
SDL originally designed for long projects
Difficult to implement 100+ SDL requirements in two-week-long release cycles
Future SDL Initiatives: SDL for Agile Development (cont'd)
Break SDL into two "classes":
Non-negotiable "every-sprint" requirements
"Bucket" requirements
Complete at least one from each bucket
Complete all requirements every six months
Session Summary
SDL can dramatically lower the number and severity of vulnerabilities in online services
Validate user input
Encode output
Use stored procedures
Avoid EXEC @sql
Limit cross-domain access
Use ViewStateUserKey
For More Information
SDL Web Site: http://www.microsoft.com/sdl
SDL Blog: http://blogs.microsoft.com/sdl
MSDN Magazine:
September 2008, "Security Briefs: SDL Embraces the Web"
November 2008, "Agile SDL: Streamline Security Practices for Agile Development"
Questions and Answers
Submit text questions using the "Ask" button. Don't forget to fill out the survey.
For upcoming and previously live webcasts: www.microsoft.com/events/developer.mspx
Got webcast content ideas? Contact us at: http://go.microsoft.com/fwlink/?LinkId=41781