
Application Security Best Practices At Microsoft
Ensuring the lowest possible exposure and vulnerability to attacks
Published: January 2003
Solution Overview
Situation
Faced with the daunting task of inventorying, cataloging, assessing, and securing each LOB application, the Microsoft IT group needed to create an organizational framework for handling the job.

Solution
Microsoft IT developed the Application Security Assurance Program (ASAP) to inventory, assess and – when necessary – ensure the resolution of security vulnerabilities found in LOB applications.
Benefits
 Lower cost of recovery and lost productivity
 Minimize loss of data
 Improve customer confidence
 Decrease legal risks
Motivation For Application Security
 Cost of recovery and lost productivity
 Loss of data
 Impact on consumer confidence
 Legal risks
Security Principles
 Confidentiality
 Integrity
 Authentication
 Authorization
 Availability
 Non-repudiation
Managing Risk
 Strategic
 Tactical
 Operational
 Legal
Overview Of ASAP
 Wide variety of LOB applications designed by
Microsoft IT or individual business unit IT teams
 Securing applications and data has grown in
significance and complexity
 LOB applications function in a complex
operational and legal environment with an
equally complex underlying infrastructure
 Every organization should develop its own plan
for securing applications
ASAP Deployment
 Risk assessment
 Design review
 Pre-production assessments
 Post-production followup
Assessment Criteria
 Definition of an application
 Scope of assessments
  High-risk
  Medium-risk
  Low-risk
 Types of Assessments
  Limited assessments
  Comprehensive assessments
Participants
 Corporate Security
  Security Policy
  Risk Assessment
  Threat Modeling
  Audits
 Application Review Team
 Operations IT
  Action on Audit Findings
 Business Unit IT Groups
  Action on Audit Findings
Application Security Process Framework
 Maintain and Publish Policies and Guidelines
 Educate IT Professionals
 Design, Develop, Test, and Verify Secure Apps
 Verify In Production Applications
 Respond to Security Exposure Incidents
 Apply Lessons Learned
Application Management – Secure Infrastructure
NETWORK
 Architecture
 Transport
 Network device
 Access control list (ACL) permission settings
HOST
 Operating system
 Services
  Internet Information Services (IIS)
  Simple Mail Transfer Protocol (SMTP)
  File Transfer Protocol (FTP)
  NetBIOS/Remote procedure call (RPC)
  Terminal Services
APPLICATION
 Input validation
 Clear text protocol
 Authentication
 Authorization
 Cryptography
 Auditing and logging
ACCOUNT
 Unused accounts
 Weak or blank passwords
 Shared accounts
 Access privileges
TRUST
 Rogue trusts

Building Secure Networks – Configuration
 Network segmentation
 Firewalls
 Routers and switches
Building Secure Networks – Intrusion Detection Systems And Network Encryption
 Detection systems should monitor for
  Reconnaissance attacks
  Exploit attacks
  Denial of service attacks
 Network encryption
  Key tool in preventing sensitive data from being read in transit
  Sensitive communication should be encrypted
  Industry-standard encryption methods: Secure Sockets Layer (SSL; since superseded by TLS), Secure Shell (SSH), Internet Protocol Security (IPSec)
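The reconnaissance bullet above is the one most easily turned into detection logic: a port scan shows up as one source touching many distinct ports on one host in a short window. The following is an added example, not part of the original presentation and not Microsoft IT tooling. The firewall deny-log format, the sample lines, the 60-second window and the eight-port threshold are all constructed assumptions for illustration.

```python
"""Reconnaissance (port-scan) detection over firewall deny logs.
Added example; the log format below is an assumed one, and the lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed format: "<ISO time> DENY <src_ip> -> <dst_ip>:<dst_port>".
# 10.1.1.50 sweeps ten ports on 10.2.0.7 in four seconds; 10.1.1.51 touches two ports
# fifteen minutes apart, which is ordinary noise.
SAMPLE_LOG = """\
2003-01-15T10:00:01 DENY 10.1.1.50 -> 10.2.0.7:21
2003-01-15T10:00:01 DENY 10.1.1.50 -> 10.2.0.7:22
2003-01-15T10:00:02 DENY 10.1.1.50 -> 10.2.0.7:23
2003-01-15T10:00:02 DENY 10.1.1.50 -> 10.2.0.7:25
2003-01-15T10:00:03 DENY 10.1.1.50 -> 10.2.0.7:80
2003-01-15T10:00:03 DENY 10.1.1.50 -> 10.2.0.7:135
2003-01-15T10:00:04 DENY 10.1.1.50 -> 10.2.0.7:139
2003-01-15T10:00:04 DENY 10.1.1.50 -> 10.2.0.7:445
2003-01-15T10:00:05 DENY 10.1.1.50 -> 10.2.0.7:1433
2003-01-15T10:00:05 DENY 10.1.1.50 -> 10.2.0.7:3389
2003-01-15T10:00:09 DENY 10.1.1.51 -> 10.2.0.7:445
2003-01-15T10:15:00 DENY 10.1.1.51 -> 10.2.0.7:139
"""

WINDOW = timedelta(seconds=60)      # assumption: sliding window length
DISTINCT_PORT_THRESHOLD = 8         # assumption: distinct ports per (src, dst) that count as a scan


def parse(line: str):
    """Split one assumed-format log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, _action, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)


def detect_port_scans(log_text: str, window=WINDOW, threshold=DISTINCT_PORT_THRESHOLD):
    """Return {(src_ip, dst_ip): max_distinct_ports} for every source that hit at least
    `threshold` distinct ports on one destination within any `window`-long span."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse(line)
        events[(src, dst)].append((ts, port))

    alerts = {}
    for key, evs in events.items():
        evs.sort()                      # by timestamp, then port
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until every event in evs[start:end+1] fits.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {port for _, port in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst} ({n} distinct ports)")
```

The sliding window is what separates a scan from a slow trickle of unrelated denies; lowering the threshold or widening the window trades more alerts for more false positives, and the right values depend on how noisy the segment behind the firewall is.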
Building Secure Hosts For Applications
 Patch management
 Configuration
 Permissions
 Simple Network Management
Protocol community strings
 Antivirus software
 Server auditing and logging
 Server backup and restore
Application Layer Requirements
 Input validation
 Session management
 Authentication and authorization
 Design and code review
 Application and server error handling
 Application auditing and logging
 Application backup and restore
 Private data encryption
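Input validation and error handling are the two requirements in this list that are most often done wrong: validation written as a block-list of known-bad strings, and error messages that echo the rejected input back to the user. The following is an added example of the allow-list approach, not code from the original presentation or from Microsoft IT. The field names, the patterns and the length limit are assumptions for a hypothetical order-reporting application.

```python
"""Server-side input validation the allow-list way: every parameter is checked against a
description of what a legitimate value looks like, and anything else is rejected before it
reaches application logic. Added example; field rules are assumptions for illustration."""
import re
import unicodedata

# Allow-list per parameter: describe the legitimate value, not the attacks.
# (Assumed fields for a hypothetical order-reporting application.)
FIELD_RULES = {
    "username": re.compile(r"[a-z][a-z0-9_]{2,31}"),
    "order_id": re.compile(r"[1-9][0-9]{0,9}"),
    "report":   re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:pdf|csv)"),
}
MAX_RAW_LENGTH = 256   # cheap upper bound applied before any pattern work


class ValidationError(ValueError):
    """Raised for rejected input. The message names the field but never echoes the raw
    value, so error pages and logs do not reflect attacker-controlled text."""


def validate(params: dict) -> dict:
    """Return a new dict of validated values; raise ValidationError on the first problem."""
    clean = {}
    for name, raw in params.items():
        rule = FIELD_RULES.get(name)
        if rule is None:
            # Unknown parameters are rejected, not ignored: they are a common way to reach
            # debug switches or to assign fields the form never exposed.
            raise ValidationError(f"unexpected parameter {name!r}")
        if not isinstance(raw, str) or len(raw) > MAX_RAW_LENGTH:
            raise ValidationError(f"{name}: wrong type or too long")
        # Canonicalise first so the pattern sees a single representation of the text
        # (full-width digits become ASCII digits, for example) and nothing slips past
        # the check in an alternate encoding.
        value = unicodedata.normalize("NFKC", raw).strip()
        if "\x00" in value or rule.fullmatch(value) is None:
            raise ValidationError(f"{name}: does not match the allowed format")
        clean[name] = value
    return clean


def is_valid(params: dict) -> bool:
    """Boolean convenience wrapper around validate()."""
    try:
        validate(params)
    except ValidationError:
        return False
    return True


if __name__ == "__main__":
    print(validate({"username": "alice_01", "order_id": "42"}))
    for bad in ({"report": "../../etc/passwd"}, {"order_id": "42 OR 1=1"}, {"debug": "1"}):
        try:
            validate(bad)
        except ValidationError as err:
            print("rejected:", err)
```

Because `fullmatch` is used, a pattern has to account for the whole value; a `search` or an unanchored `match` would let a path-traversal string pass as long as it contained one legitimate-looking fragment.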
Common Application Development Issues
 User input validation
 Cookies, authentication, and access
 Passwords
 Access control lists
 COM+ application configuration
 Auditing and logging
Threat Modeling
 Provides a consistent methodology for
objectively evaluating threats to applications
 Microsoft IT uses STRIDE to identify threats
 Spoofing identity
 Tampering with data
 Repudiation
 Information disclosure
 Denial of service
 Elevation of privilege
Architecture Modeling
 Component selection
 Component location
 Untrusted
 Semitrusted
 Trusted
 Connection identification
 Untrusted
 Semitrusted
 Trusted
 Environment component identification
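The two slides above describe one procedure: place each component in a trust zone, identify which connections cross a zone boundary, and enumerate STRIDE threats against the resulting model. The following is an added example of that procedure, not Microsoft IT's own tooling or the original presentation's material. The STRIDE-per-element mapping is the commonly used one; the sample system (browser, web server, application server, orders database, audit log) and its zones are assumptions.

```python
"""Architecture model with trust zones plus STRIDE-per-element threat enumeration.
Added example; the sample system and its zone assignments are assumptions."""
from dataclasses import dataclass

TRUST_RANK = {"untrusted": 0, "semitrusted": 1, "trusted": 2}

# STRIDE-per-element: which categories are worth asking about for each element kind.
# S spoofing, T tampering, R repudiation, I information disclosure,
# D denial of service, E elevation of privilege.
STRIDE_BY_KIND = {
    "external": "SR",      # an outside actor can be impersonated and can deny having acted
    "process": "STRIDE",   # running code is exposed to every category
    "datastore": "TID",    # plus R when the store is an audit log (handled below)
    "dataflow": "TID",
}


@dataclass(frozen=True)
class Component:
    name: str
    kind: str            # external | process | datastore
    zone: str            # untrusted | semitrusted | trusted
    audit_log: bool = False


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    protocol: str


def boundary_crossings(components, connections):
    """Connections whose endpoints sit in different trust zones. These are the flows a
    design review looks at first, because data on them arrives from a less trusted zone."""
    zone = {c.name: c.zone for c in components}
    return [conn for conn in connections if zone[conn.src] != zone[conn.dst]]


def enumerate_threats(components, connections):
    """Return (element, stride_letter, priority) triples, priority 1 first.
    Priority 1: boundary-crossing flows and the components that receive data from a less
    trusted zone over them. Priority 2: everything else."""
    zone = {c.name: c.zone for c in components}
    crossing = boundary_crossings(components, connections)
    receives_untrusted = {
        conn.dst for conn in crossing
        if TRUST_RANK[zone[conn.src]] < TRUST_RANK[zone[conn.dst]]
    }
    threats = []
    for c in components:
        letters = STRIDE_BY_KIND[c.kind] + ("R" if c.audit_log else "")
        prio = 1 if c.name in receives_untrusted else 2
        threats.extend((c.name, letter, prio) for letter in letters)
    for conn in connections:
        prio = 1 if conn in crossing else 2
        label = f"{conn.src} -> {conn.dst} ({conn.protocol})"
        threats.extend((label, letter, prio) for letter in STRIDE_BY_KIND["dataflow"])
    return sorted(threats, key=lambda t: (t[2], t[0], t[1]))


# Constructed sample system for illustration (an assumption, not a Microsoft application).
SAMPLE_COMPONENTS = [
    Component("Browser", "external", "untrusted"),
    Component("Web server", "process", "semitrusted"),
    Component("App server", "process", "trusted"),
    Component("Orders DB", "datastore", "trusted"),
    Component("Audit log", "datastore", "trusted", audit_log=True),
]
SAMPLE_CONNECTIONS = [
    Connection("Browser", "Web server", "HTTPS"),
    Connection("Web server", "App server", "DCOM"),
    Connection("App server", "Orders DB", "TDS"),
    Connection("App server", "Audit log", "file"),
]

if __name__ == "__main__":
    for element, letter, prio in enumerate_threats(SAMPLE_COMPONENTS, SAMPLE_CONNECTIONS):
        print(f"P{prio}  {letter}  {element}")
```

The output is a worklist, not a finding: each triple is a question the design review has to answer ("how is tampering on the DCOM hop between the web and application servers prevented?"), and the priority ordering puts the boundary-crossing questions first.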
Lessons Learned
 If you wait until an application is already in production to make
it secure, you are too late
 Good security practices take into account both the host and
the application client
 Create clearly written and easily accessible security guideline
documentation
 Create security checklists that include
step-by-step instructions
 Develop a thoroughly considered policy exception tracking
process
 Education is crucial to the success of a security program
 Processes and reporting are required to ensure that inventory
information is maintained
 Security is an ongoing, always changing, concern
Policies
 Applications should comply with application security policies and guidelines
 Applications should go through a security design review process
 Third-party application vendors should provide assurances that the software does not
contain anything that could be used to compromise security controls
 Internet-facing applications should use existing methods of authentication
 Applications that reside on the corporate network should rely on Windows integrated
authentication
 Applications that cannot use Windows integrated authentication should either encrypt
or hash the password stores
 Credentials should never be stored or sent unencrypted
 User input should be filtered and examined at the Web server
 Web applications should use strong, nonpredictable session IDs
 Web applications should use an inactivity timeout
 Cookies that contain sensitive data should be marked as secure and nonpersistent
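Four of the policies above are concrete enough to show in code: hashed password stores, credentials never held in the clear, strong nonpredictable session IDs with an inactivity timeout, and session cookies marked secure and nonpersistent. The following is an added example written against those policies, not code from the original presentation or from Microsoft IT. The PBKDF2 iteration count and the 15-minute idle limit are assumptions to tune per environment, and the `HttpOnly` and `SameSite` cookie attributes go beyond what the policy list asks for.

```python
"""Credential storage and session handling that satisfy the policy list above.
Added example; uses only the Python standard library. The iteration count and the idle
timeout are assumptions."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional

PBKDF2_ITERATIONS = 200_000           # assumption: raise until one hash costs ~100 ms on the server
INACTIVITY_TIMEOUT_SECONDS = 15 * 60  # assumption: 15-minute idle limit


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' for the password store.
    The store holds only a per-user salted, deliberately slow hash, never the clear text."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time
    so response timing does not reveal how much of the hash matched."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


class SessionStore:
    """Server-side sessions keyed by a strong, unpredictable ID, with an inactivity timeout.
    The clock is injectable so the timeout can be exercised without sleeping."""

    def __init__(self, timeout: int = INACTIVITY_TIMEOUT_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self.timeout = timeout
        self.clock = clock
        self._sessions: Dict[str, dict] = {}

    def create(self, user: str) -> str:
        # 32 bytes from the OS CSPRNG (about 256 bits): not a counter, a timestamp,
        # or a hash of the user name, none of which an attacker would have to guess.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"user": user, "last_seen": self.clock()}
        return session_id

    def lookup(self, session_id: str) -> Optional[str]:
        """Return the user for a live session, or None if the ID is unknown or has idled out.
        An idled-out session is deleted so the ID can never be revived."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > self.timeout:
            del self._sessions[session_id]
            return None
        entry["last_seen"] = now      # sliding window: activity extends the session
        return entry["user"]


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the session ID: Secure (sent over HTTPS only), HttpOnly (not
    readable by script) and no Expires/Max-Age, so the browser keeps it in memory only
    and discards it when closed, which is what 'nonpersistent' means in practice."""
    return f"Set-Cookie: SESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
    store = SessionStore()
    sid = store.create("alice")
    print(session_cookie_header(sid), store.lookup(sid))
```

Note what the store record contains: algorithm, iteration count and salt travel with the hash, so the iteration count can be raised later for new records without invalidating old ones, and two users with the same password still get different records.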
Future Security Considerations
 Authorization Manager
 Constrained Delegation
Summary
 Business relies more and more on information
technology to operate
 Securing access to critical resources ensures that
they continue to function as expected
 Microsoft IT put policies and guidelines in place to
help Microsoft development teams secure their
existing applications
 Documenting and sharing the lessons that are
learned by organizations are central to maintaining
security both within and among businesses
For More Information
 Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com
 Microsoft TechNet: http://www.microsoft.com/technet/itshowcase
 Microsoft Case Study Resources: http://www.microsoft.com/resources/casestudies
 E-mail IT Showcase: showcase@microsoft.com
This document is provided for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

© 2003 Microsoft Corporation. All rights reserved.


Microsoft, Microsoft Press, Visual Studio, Visual SourceSafe, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.