Secure development in .NET with Episerver (Solita)
TRANSCRIPT
SECURE DEVELOPMENT IN .NET
Joona Immonen
Software architect
DEVELOPERS AS SECURITY TESTERS
› Pros:
• Enables continuous security testing.
• Developers will automate.
• Minimal hand-over costs.
• Will find important non-security related bugs.
› Cons:
• Not security specialists. Will miss some things.
• May need investment (training, some tools).
BASIC SECURITY MODEL
Confidentiality
• Privacy
• Password policies
• Encryption
Integrity
• Trustworthiness of data
• Checksums
Availability
• Bandwidths
• Bottlenecks
• Disaster recovery planning
OWASP TESTING GUIDE 4.0
› The picture shows how OWASP links the different security controls to the secure development life cycle
SECURITY TESTING ASPECTS IN ONION MODEL
Network scanning
Vulnerability scanning
Web application security testing
Static code analysis
Web application configuration analysis
Operating system configuration analysis
Application server vulnerability scanning
HOW ONION MODEL IS LINKED TO OUR PROJECTS
Public internet
Private networks between servers
Customer network
Hosting is most commonly a shared responsibility
The application is our responsibility
Part of the data is our responsibility
Part of the data comes from integrations
Updates come from other parties, configuration from us
Part of the applications are products (inriver, IIS)
TOOLS IN SECURE DEVELOPMENT LIFECYCLE
Columns (lifecycle phases): Before development | Definition and design | Development | Deployment | Maintenance
X = the tool is used in that phase (the transcript does not preserve which phase each mark falls under, only how many phases each tool covers)
FxCop X
VisualCodeGrepper X
SonarQube X
Code Metrics X
OWASP ZAP X X X
Nessus X X
jMeter X X X
TOOLS IN DEFENCE IN DEPTH
Columns (layers): Network | Host | App server | Application | Web.config | Source code
X = the tool covers that layer (the transcript does not preserve which layer each mark falls under, only how many layers each tool covers)
FxCop X X
VisualCodeGrepper X X
SonarQube X X
Code Metrics X
OWASP ZAP X X
Nessus X X X X
jMeter X X
HOW TOOLS MITIGATE THE "OWASP TOP 10"
Columns (OWASP Top 10 2013 categories): Injection | Broken auth | XSS | Direct obj ref | Misconf | Data exposure | Function level auth | CSRF | Known vuln | Unvalidated redirects
(the transcript does not preserve which category each score falls under)
FxCop 1 1 1 1
VisualCodeGrepper (VCG) 1 1 1
SonarQube 1 1 1 1
Code Metrics
OWASP ZAP 2 2 2 2 2 1 2 1 2
Nessus 1 1 1 1 2 1 1 2 1
jMeter
empty=no, 1=maybe, 2=meant for that
HOW TOOLS MITIGATE THE CSA "NOTORIOUS NINE"
Columns (CSA Notorious Nine cloud threats): Data Breaches | Data Loss | Account or Service Traffic Hijacking | Insecure Interfaces and APIs | Denial of Service | Malicious Insiders | Abuse of Cloud Services | Insufficient Due Diligence | Shared Technology Vulnerabilities
(the transcript does not preserve which threat each score falls under)
FxCop 1 1
VisualCodeGrepper 1 1
SonarQube 1 1
Code Metrics 1
OWASP ZAP 1 1 1
Nessus 1 1 1
jMeter 1 1
empty=no, 1=maybe, 2=meant for that
EPISERVER DEVELOPMENT
› Know your HTTP headers
› Understand the security responsibilities of each party (dev, hosting)
› AntiForgeryTokens!
› Do not EVER leave SQL injections in your application
› Think about security beforehand
› All the frontend includes………
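The three Episerver tips above (know your HTTP headers, use anti-forgery tokens, never leave SQL injections) as an added example in plain ASP.NET MVC 5 and ADO.NET. This is not code from the slides or from Episerver itself; `ProductRepository`, the `Products` table, `CartController` and `SecurityHeadersAttribute` are made-up names for illustration. The first repository method is deliberately vulnerable and sits beside its parameterised replacement.

```csharp
// Added example, not from the original slides. Assumed names: ProductRepository,
// Products table, CartController, SecurityHeadersAttribute.
using System.Data;
using System.Data.SqlClient;
using System.Web.Mvc;

public class ProductRepository
{
    private readonly string _connectionString;

    public ProductRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // VULNERABLE (do not ship): user input is concatenated into the SQL text.
    // name = "' OR 1=1 --" returns every row; a "'; DROP TABLE Products --"
    // style payload can do anything the connection's login is allowed to do.
    public DataTable FindByNameUnsafe(string name)
    {
        var sql = "SELECT Id, Name, Price FROM Products WHERE Name = '" + name + "'";
        using (var conn = new SqlConnection(_connectionString))
        using (var adapter = new SqlDataAdapter(sql, conn))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // SAFE: a parameterised query. The value travels as typed data and is never
    // parsed as SQL, so quotes and comment markers in it are harmless.
    public DataTable FindByName(string name)
    {
        const string sql = "SELECT Id, Name, Price FROM Products WHERE Name = @name";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            using (var adapter = new SqlDataAdapter(cmd))
            {
                var table = new DataTable();
                adapter.Fill(table);
                return table;
            }
        }
    }
}

// CSRF: every state-changing POST validates the token pair that
// @Html.AntiForgeryToken() renders into the form (hidden field + cookie).
// A cross-site form post cannot supply a matching pair and is rejected
// with an HttpAntiForgeryException before the action body runs.
public class CartController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult AddToCart(int productId, int quantity)
    {
        // ... add the item to the current user's cart ...
        return RedirectToAction("Index");
    }
}

// HTTP headers: a global action filter so every MVC response carries the same
// hardening headers instead of relying on each view or controller to set them.
public class SecurityHeadersAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        var response = filterContext.HttpContext.Response;
        response.AddHeader("X-Content-Type-Options", "nosniff");   // no MIME sniffing
        response.AddHeader("X-Frame-Options", "DENY");             // no clickjacking frames
        response.AddHeader("Content-Security-Policy", "default-src 'self'");
        base.OnResultExecuting(filterContext);
    }
}

// Registration (FilterConfig.RegisterGlobalFilters):
//     filters.Add(new SecurityHeadersAttribute());
// And in Application_Start, to stop advertising the MVC version:
//     MvcHandler.DisableMvcResponseHeader = true;
```

The `Server` and `X-Powered-By` headers are added by IIS rather than by MVC code, so they have to be removed in web.config or the IIS configuration; that is exactly the kind of split between developer and hosting responsibility the previous bullet points at.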
DEVELOPER -> HACKER
› Traits
• Curiosity and creativity. What will happen if...?
• Perseverance
› Skills
• Technical knowledge, deep/wide
• Common vulnerabilities
• Security testing
› Some developers are hobbyist hackers. (Apply at [email protected])