More Secure Online Services Powered by the Microsoft SDL Bryan Sullivan Security Program Manager, SDL Microsoft

Upload: tracy-rushforth

Post on 01-Apr-2015


Page 1: More Secure Online Services Powered by the Microsoft SDL Bryan Sullivan Security Program Manager, SDL Microsoft

More Secure Online Services Powered by the Microsoft SDL

Bryan Sullivan
Security Program Manager, SDL
Microsoft

Page 2:

What We Will Cover

Brief background on the Microsoft Security Development Lifecycle (SDL)
SDL processes and tools currently used to protect online services
Preview of future SDL online initiatives

Page 3:

Session Prerequisites

Knowledge of basic web application vulnerabilities
Familiarity with web programming concepts (ASP.NET is a plus)

Level 300

Page 4:

SDL Background: What is the SDL?

Education, Tools, Process

Page 5:

SDL Background: SQL Server Before the SDL

[Chart: reported SQL Server vulnerabilities per year, 1999 to 2002; y-axis 0 to 25]

Page 6:

SDL Background: SQL Server After the SDL

[Chart: reported SQL Server vulnerabilities per year, 1999 to 2008; y-axis 0 to 25]

Page 7:

Online Service Requirements: OWASP Top Ten (2007)

 1. Cross-Site Scripting
 2. Injection Flaws
 3. Malicious File Execution
 4. Insecure Direct Object References
 5. Cross-Site Request Forgery
 6. Information Leakage
 7. Broken Authentication
 8. Insecure Cryptography
 9. Insecure Communications
10. Failure to Restrict URL Access

Page 8:

Cross-Site Scripting (XSS): Input Validation

Ensure the data is what the application expects:
  Format
  Length

Regular expressions (can) work great here:
  System.Text.RegularExpressions.Regex
  System.Web.UI.WebControls.RegularExpressionValidator

Page 9:

Cross-Site Scripting (XSS): Use of Regular Expressions

Incorrect use of Regex (a blocklist: it rejects only the characters you thought of, and a payload for an attribute, URL or script context needs no angle brackets at all):

  if (Regex.IsMatch(userInput, "[<>]"))
      // reject input

Correct use of Regex (an allowlist: anchored with ^ and $, it accepts only the expected format and length):

  if (Regex.IsMatch(userInput, "^[a-zA-Z]{1,9}$"))
      // accept input

Note that in .NET, as in most engines, $ also matches just before a trailing newline; use \z when a trailing newline must be rejected too.
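An added illustration of the two patterns above, written in Python rather than the slide's C# and not part of the original deck. The sample strings are constructed for this example; the two regular expressions are the slide's own. It shows that the blocklist passes attribute- and URL-context payloads and over-long input, that the anchored allowlist passes only a short name, and why an unanchored end-of-string check leaks a trailing newline.

```python
import re

# Constructed sample inputs for this example (not from the original slides).
SAMPLES = [
    "Alice",                        # a plain name: both checks should accept it
    "<script>alert(1)</script>",    # tag injection: both checks reject it
    '" onmouseover="alert(1)',      # attribute-context payload: no < or > at all
    "javascript:alert(1)",          # URL-context payload: no < or > at all
    "AliceAliceAlice",              # 15 letters: over the allowed length
]

BLOCKLIST = re.compile(r"[<>]")             # the slide's "incorrect" pattern
ALLOWLIST = re.compile(r"^[a-zA-Z]{1,9}$")  # the slide's "correct" pattern


def blocklist_accepts(user_input: str) -> bool:
    """Rejects only inputs containing an angle bracket; everything else passes,
    including payloads aimed at attribute, URL or script contexts."""
    return BLOCKLIST.search(user_input) is None


def allowlist_accepts(user_input: str) -> bool:
    """Accepts only 1 to 9 ASCII letters and nothing else.

    fullmatch is used because '$' in Python (like .NET) also matches just
    before a trailing newline, so 'Alice' followed by a newline would
    otherwise be accepted.
    """
    return ALLOWLIST.fullmatch(user_input) is not None


def match_accepts(user_input: str) -> bool:
    """The same pattern via re.match: demonstrates the trailing-newline gap
    that fullmatch closes."""
    return ALLOWLIST.match(user_input) is not None


def compare(samples=SAMPLES) -> dict:
    """Map each sample to (blocklist_accepts, allowlist_accepts)."""
    return {s: (blocklist_accepts(s), allowlist_accepts(s)) for s in samples}


if __name__ == "__main__":
    for sample, (block_ok, allow_ok) in compare().items():
        print(f"{sample!r:32} blocklist accepts={block_ok!s:5} allowlist accepts={allow_ok}")
```

The blocklist accepts three of the four hostile samples; the allowlist accepts only "Alice".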

Page 10:

Cross-Site Scripting (XSS): ValidateRequest

Page directive:
  <%@ Page ValidateRequest="true" %>

Web.config setting:
  <configuration>
    <system.web>
      <pages validateRequest="true" />
    </system.web>
  </configuration>

More of a defense-in-depth measure: request validation is a blocklist filter on incoming request data, not a substitute for validating input and encoding output.

Page 11:

Cross-Site Scripting (XSS): Encode Output

Harder than it sounds! There are 7 different cases, each needing its own encoding:
  Plain HTML
  HTML attribute
  URL
  JavaScript
  VBScript
  XML
  XML attribute

Use the Microsoft AntiXSS Library
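An added example, not from the original deck and not the AntiXSS library itself, showing four of the seven contexts in Python: the same attacker-controlled value (constructed here) is rendered into HTML text, an HTML attribute, a URL query parameter and a JavaScript string literal, each through its own encoder. The attribute encoder follows the AntiXSS approach of allowing only alphanumerics and encoding everything else.

```python
import html
import json
from urllib.parse import quote

# Constructed attacker-controlled value for this example (not from the slides).
PAYLOAD = '"><script>alert(1)</script>'


def encode_html(value: str) -> str:
    """Plain HTML text context: & < > " ' become entities."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Quoted HTML attribute context, done the AntiXSS way: allow only ASCII
    letters and digits, encode everything else as a numeric reference.
    The caller must still wrap the result in double quotes."""
    return "".join(
        c if (c.isascii() and c.isalnum()) else f"&#{ord(c)};" for c in value
    )


def encode_url(value: str) -> str:
    """URL query-parameter context: percent-encode all but unreserved characters.
    This encodes a value; it does not make an attacker-supplied scheme safe."""
    return quote(value, safe="")


def encode_js(value: str) -> str:
    """JavaScript string-literal context: emit a quoted JSON literal and also
    escape '</' so the value can never close an enclosing <script> element."""
    return json.dumps(value).replace("</", "<\\/")


def render(name: str) -> str:
    """Put one value into four contexts, each with the matching encoder."""
    return (
        f"<p>Hello {encode_html(name)}</p>\n"
        f'<input type="text" value="{encode_html_attr(name)}">\n'
        f'<a href="/search?q={encode_url(name)}">search again</a>\n'
        f"<script>var userName = {encode_js(name)};</script>"
    )


if __name__ == "__main__":
    print(render(PAYLOAD))
```

Using the HTML encoder for every context is the usual mistake: it leaves a value such as javascript:alert(1) untouched in an href, and it corrupts rather than protects a value placed inside a script block.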

Page 12:

Demonstration 1

Microsoft AntiXSS Library

Page 13:

Cross-Site Scripting (XSS): Static Analysis

XSSDetect Code Analysis Tool
  Analyzes source-to-sink dataflow
  Standalone or integrated into Visual Studio

Page 14:

SQL Injection: Use Stored Procedures

Bad code (the id is concatenated into the SQL text, so quotes in it become SQL):

  SqlCommand command = new SqlCommand(
      "SELECT * FROM Customers WHERE CustomerId = '" + customerId + "'");

Good code (the id travels as a typed parameter, never as statement text):

  SqlCommand command = new SqlCommand("GetCustomer");
  command.CommandType = CommandType.StoredProcedure;
  command.Parameters.Add(new SqlParameter("@customerId", customerId));

Page 15:

SQL Injection: Avoid EXEC @sql

Moving the string concatenation into the stored procedure still leaves you vulnerable:

  EXEC ('SELECT * FROM Customers WHERE CustomerId = ''' + @CustomerId + '''')

The only approved use of EXEC is to call other stored procedures. If dynamic SQL is genuinely unavoidable, sp_executesql with a parameter list keeps the value out of the statement text.
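An added example covering the previous two slides, not from the original deck: Python with an in-memory SQLite table (constructed here) instead of the slides' C# and SQL Server. The concatenating function behaves like the slide's bad SqlCommand and like EXEC over a concatenated string inside a procedure; the parameterised function behaves like SqlParameter. The classic ' OR '1'='1 value returns every row from the first and nothing from the second.

```python
import sqlite3

# Input that turns the concatenated WHERE clause into  CustomerId = '' OR '1'='1'
INJECTION = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory Customers table for this example (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (CustomerId TEXT PRIMARY KEY, Name TEXT)")
    conn.executemany(
        "INSERT INTO Customers VALUES (?, ?)",
        [("C001", "Alice"), ("C002", "Bob"), ("C003", "Carol")],
    )
    return conn


def get_customer_concat(conn: sqlite3.Connection, customer_id: str) -> list:
    """Vulnerable: the slide's 'bad code', and equally what
    EXEC ('... CustomerId = ''' + @CustomerId + '''') does inside a procedure.
    The caller's text becomes part of the SQL statement."""
    sql = "SELECT * FROM Customers WHERE CustomerId = '" + customer_id + "'"
    return conn.execute(sql).fetchall()


def get_customer_param(conn: sqlite3.Connection, customer_id: str) -> list:
    """Safe: the value is bound as a parameter, as SqlParameter does for a
    parameterised command or stored procedure. Quotes in the value stay data."""
    sql = "SELECT * FROM Customers WHERE CustomerId = ?"
    return conn.execute(sql, (customer_id,)).fetchall()


def run_demo() -> dict:
    """Run both lookups with an honest id and with the injection string."""
    db = make_db()
    return {
        "concat_honest": get_customer_concat(db, "C002"),
        "concat_injected": get_customer_concat(db, INJECTION),
        "param_honest": get_customer_param(db, "C002"),
        "param_injected": get_customer_param(db, INJECTION),
    }


if __name__ == "__main__":
    for case, rows in run_demo().items():
        print(f"{case:16} -> {rows}")
```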

Page 16:

SQL Injection: Remove Database Privileges

Allow only EXECUTE privileges on the necessary stored procedures
All other privileges on all objects must be removed
This is defense in depth: an injection that does get through then has no tables it can read or write directly.

Page 17:

Cross-Domain Scripting: Same Origin Policy

Two frames/windows can only communicate with each other if they have the same origin. Origin is defined as having the same:
  Domain
  Port
  Protocol

Also applies to XMLHttpRequest

Page 18:

Cross-Domain Scripting: Same Origin Policy Example

If my page is http://www.mysite.com/foo/bar.aspx

  Page                                 Allowed?  Why?
  http://blogs.mysite.com/page.aspx    No        Different domain
  https://www.mysite.com/page.aspx     No        Different protocol
  http://www.mysite.com:81/page.aspx   No        Different port
  http://mysite.com/page.aspx          No        Different domain
  http://www.mysite.com/bar/page.aspx  Yes       Everything ok (the path is not part of the origin)

Page 19:

Cross-Domain Scripting: document.domain

Two cooperating pages can lower their document.domain to a common parent so they can talk to each other

Do not lower document.domain to the "two-dots" level or lower:
  foo.site.com is allowed
  site.com is prohibited
  .com is right out (prohibited by browsers too)

Page 20:

Cross-Domain Scripting: Cross-Domain Access Policies

Used by Flash and Silverlight: crossdomain.xml (Flash; Silverlight honors it as well) and clientaccesspolicy.xml (Silverlight)

  <cross-domain-policy>
    <allow-access-from domain="www.good.com"/>  <!-- one named host: fine -->
    <allow-access-from domain="*.net"/>         <!-- every .net host: far too broad -->
    <allow-access-from domain="*"/>             <!-- any site at all: your users' data is readable from the whole web -->
  </cross-domain-policy>
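An added check, in Python and not part of the original deck, that audits a crossdomain.xml file for the problem the slide's three entries illustrate. The sample policy is constructed here to mirror those entries. It rates each allow-access-from domain as a named host, a subdomain wildcard, a top-level-domain wildcard, or fully open, and also reports entries with secure="false", which let a non-HTTPS requester read HTTPS responses.

```python
import xml.etree.ElementTree as ET

# Constructed policy mirroring the slide's three entries (not a real site's file).
SAMPLE_POLICY = """<cross-domain-policy>
  <allow-access-from domain="www.good.com"/>
  <allow-access-from domain="*.net"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""


def rate_domain(pattern: str) -> str:
    """Rate one allow-access-from domain value:
    'open'               "*": every site on the web may read this origin's responses
    'tld-wildcard'       "*.net": every host under a top-level domain
    'subdomain-wildcard' "*.example.com": acceptable only for domains you control
    'ok'                 a single named host"""
    p = pattern.strip().lower()
    if p == "*":
        return "open"
    if p.startswith("*."):
        return "tld-wildcard" if "." not in p[2:] else "subdomain-wildcard"
    return "ok"


def audit_policy(xml_text: str) -> list:
    """Return (domain, rating) for each allow-access-from element, plus a
    'secure=false' finding where an entry lets http requesters read https data."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    findings = []
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        findings.append((domain, rate_domain(domain)))
        if el.get("secure", "true").lower() == "false":
            findings.append((domain, "secure=false"))
    return findings


def is_acceptable(xml_text: str) -> bool:
    """True only if every entry names a host or a wildcard under your own domain."""
    return all(rating in ("ok", "subdomain-wildcard")
               for _, rating in audit_policy(xml_text))


if __name__ == "__main__":
    for domain, rating in audit_policy(SAMPLE_POLICY):
        print(f"{domain:16} {rating}")
    print("acceptable:", is_acceptable(SAMPLE_POLICY))
```

Whether a subdomain wildcard is acceptable depends on who can host content under that domain; if any subdomain serves user-controlled content, treat it like "open".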

Page 21:

Cross-Site Request Forgery: ViewStateUserKey

Built-in canary defense for ASP.NET pages: it ties the ViewState MAC to the current user, so ViewState captured in one session does not validate when posted from another

  protected void Page_Init(object sender, EventArgs e)
  {
      this.ViewStateUserKey = Session.SessionID;
  }

Note that ASP.NET issues a new SessionID on every request until something is stored in session state, so store a value in the session (or use another stable per-user secret) before relying on SessionID here.
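An added model of the mechanism, in Python and not the ASP.NET implementation or part of the original deck: page state is MACed together with the posting user's session id, so a form captured in the attacker's session fails verification when the victim's browser submits it. The server key, session ids and form state are constructed for this example; without the user key the same captured form verifies for anyone, which is the CSRF case.

```python
import hashlib
import hmac
import secrets

# Assumption: one server-side secret, standing in for the ASP.NET machineKey
# that signs ViewState. Generated fresh for this demo.
SERVER_KEY = secrets.token_bytes(32)


def sign_state(session_id: str, state: str, key: bytes = SERVER_KEY) -> str:
    """MAC the page state together with the posting user's session id, the way
    setting ViewStateUserKey folds a per-user value into the ViewState MAC."""
    msg = session_id.encode() + b"\x00" + state.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_state_no_user_key(state: str, key: bytes = SERVER_KEY) -> str:
    """What the MAC covers when ViewStateUserKey is left unset: the state only,
    so the MAC is valid for whichever user posts it."""
    return hmac.new(key, state.encode(), hashlib.sha256).hexdigest()


def verify_state(session_id: str, state: str, mac: str, key: bytes = SERVER_KEY) -> bool:
    """Recompute for the session that is actually posting; constant-time compare."""
    return hmac.compare_digest(sign_state(session_id, state, key), mac)


def verify_state_no_user_key(state: str, mac: str, key: bytes = SERVER_KEY) -> bool:
    return hmac.compare_digest(sign_state_no_user_key(state, key), mac)


def csrf_scenario() -> dict:
    """Constructed scenario: the attacker loads the form in their own session,
    captures the signed state, and tricks the victim's browser into posting it."""
    attacker_session = "sess-attacker-0001"
    victim_session = "sess-victim-0002"
    form_state = "action=transfer&to=attacker&amount=1000"
    return {
        # Without a user key the captured form verifies for the victim too: CSRF succeeds.
        "forged_post_without_user_key": verify_state_no_user_key(
            form_state, sign_state_no_user_key(form_state)),
        # With the user key the same form verifies only in the attacker's own session.
        "attacker_replays_in_own_session": verify_state(
            attacker_session, form_state, sign_state(attacker_session, form_state)),
        "forged_post_with_user_key": verify_state(
            victim_session, form_state, sign_state(attacker_session, form_state)),
        # Tampering with the state inside the victim's own session fails as well.
        "tampered_state_in_victim_session": verify_state(
            victim_session, form_state + "0", sign_state(victim_session, form_state)),
    }


if __name__ == "__main__":
    for case, accepted in csrf_scenario().items():
        print(f"{case:36} accepted={accepted}")
```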

Page 22:

Demonstration 2

ViewStateUserKey

Page 23:

Future SDL Initiatives: SDL for Agile Development

SDL originally designed for long projects
Difficult to implement 100+ SDL requirements in two-week-long release cycles

Page 24:

Future SDL Initiatives: SDL for Agile Development, continued

Break SDL into two "classes":
  Non-negotiable "every-sprint" requirements
  "Bucket" requirements
    Complete at least one from each bucket every sprint
    Complete all requirements every six months

Page 25:

Session Summary

SDL can dramatically lower the number and severity of vulnerabilities in online services

Validate user input
Encode output
Use stored procedures
Avoid EXEC @sql
Limit cross-domain access
Use ViewStateUserKey

Page 26:

For More Information

SDL Web Site: http://www.microsoft.com/sdl

SDL Blog: http://blogs.microsoft.com/sdl

MSDN Magazine:
  September 2008, "Security Briefs: SDL Embraces the Web"
  November 2008, "Agile SDL: Streamline Security Practices for Agile Development"

Page 27:

Questions and Answers

Submit text questions using the "Ask" button. Don't forget to fill out the survey.
For upcoming and previously live webcasts: www.microsoft.com/events/developer.mspx
Got webcast content ideas? Contact us at: http://go.microsoft.com/fwlink/?LinkId=41781
