Essentials of Application Security

Name Job Title Company

What We Will Cover
The Importance of Application Security Secure Application Development Practices Security Technologies Secure Development Guidelines

Session Prerequisites
Development experience with Microsoft Visual Basic® , Microsoft Visual C++® , or C#

Level 200

The Importance of Application Security Secure Application Development Practices Security Technologies Secure Development Guidelines

Trustworthy Computing
“Trustworthy Computing has four pillars:
Reliability means a computer system is dependable, is available when needed, and performs as expected and at appropriate levels. Security means a system is resilient to attack, and the confidentiality, integrity, and availability of both the system and its data are protected. Privacy means that people can control their personal information and organizations that use the information faithfully protect it. Business integrity is about companies in our industry being responsible to customers and helping them find appropriate solutions for their business issues, addressing problems with products or services, and being open in interactions with - Bill Gates customers.” July 18,

Connection Scenarios and Security Concerns
Connection scenarios:
Traditional wired networks Mobile workforces Public wireless networks

Security concerns:
Application reliance on the Internet Business reliance on the Internet Internal security attacks

Common Types of Attacks
Organizational Attacks Attackers

Restricted Data

Automated Attacks
DoS Connection Fails

Accidental Breaches In Security Viruses, Trojan Horses, and

Denial of Service (DoS)

Examples of Security Intrusions
CodeRed ILoveYou Nimda



Consequences of Poor Security
Stolen intellectual property System downtime Lost productivity Damage to business reputation Lost consumer confidence Severe financial losses due to lost revenue

Challenges When Implementing Security
Attacker needs to understand only one vulnerability Attackers have unlimited time Defender works with time and cost constraints Secure systems are more difficult to use Complex and strong passwords are difficult to remember Users prefer simple passwords Defender needs to secure all entry points

Attackers vs. Defenders

Security vs. Usability

Addressing vulnerabilities just before a product is released is very expensive ecurity As an Afterthought

Do I need securi ty…

Developers and management think that security does not add any business value

The Developer Role in Application Security
Developers must:
Work with solution architects and systems administrators to ensure application security Contribute to security by:
Adopting good application security development practices Knowing where security vulnerabilities occur and how to avoid them Using secure programming techniques

The Importance of Application Security Secure Application Development Practices Security Technologies Secure Development Guidelines

Holistic Approach to Security
Security must be considered at:
All stages of a project
Design Development Deployment

All layers
Network Host Application “Security is only as good as the weakest link”

Security Throughout Project Lifecycle
Analyze threats External review Learn and refine

Secure questions Determine security sign-off during interviews criteria

Security push


Designs Complete

Test Plans Complete

Code Complete



Train team members Security team review

mutation and least privilege

Review old defects, checkins checked secure coding guidelines, use tools Data =ongoing

The SD Security Framework

Secure by Design

Secure architecture and code Threat analysis Vulnerability reduction Attack surface area reduced Unused features turned off by default Minimum privileges used Protection: Detection, defense, recovery, management Process: How to guides, architecture guides People: Training

Secure by Default

Secure in Deployment

Threat Modeling
Threat modeling is:
A security-based analysis of an application A crucial part of the design process

Threat modeling:
Reduces the cost of securing an application Provides a logical, efficient process Helps the development team:
Identify where the application is most vulnerable Determine which threats require mitigation and how to address those threats

Ongoing Education
Provide training about:
How security features work How to use the security features to build secure systems What security vulnerabilities look like in order to identify flawed code How to avoid common security vulnerabilities How to avoid repeating mistakes

Input Validation
Buffer overruns SQL injection Cross-site scripting

“All input is evil until proven otherwise!”

Demonstration 1
Buffer Overruns
Bypassing Security Checks

Practices for Improving Security
Adopt Threat Modeling Train development team

Identifies of security vulnerabilities Increases awareness of application architecture Avoids common security defects Correct application of security technologies Secures code that
Accesses the network Runs by default Uses unauthenticated protocols Runs with elevated privileges

Code Review

Use tools Use infrastructure solutions Use component solutions Migrate managed code

More consistent testing for vulnerabilities More secure with SSL/TLS and IPSec More robust with CAPICOM and .NET Cryptography namespace Avoids common vulnerabilities

The Importance of Application Security Secure Application Development Practices Security Technologies Secure Development Guidelines

Overview of Security Technologies
Developers need to use and apply:
Encryption Hashing Digital signatures Digital certificates Secure communication Authentication Authorization Firewalls Auditing Service packs and updates

Encryption is the process of encoding data
To protect a user’s identity or data from being read To protect data from being altered To verify that data originates from a particular user

Encryption can be:
Asymmetric Symmetric

Symmetric vs. Asymmetric Encryption
Algorithm Type
Uses one key to: Symmetric
Encrypt the data Decrypt the data


Is fast and efficient Uses two mathematically related keys: Asymmetric
Public key to encrypt the data Private key to decrypt the data

Is more secure than symmetric encryption Is slower than symmetric encryption

Verifying Data Integrity with Hashes
User A User B


Hash Algorith m

Hash Value If hash values Hash Algorithm match, data is valid

Data Hash Value User A sends data and hash value to User B

Data Hash Value

Digital Signatures
User A User B
Hash Algorithm

Hash Algorithm


Hash Value

User A Publ ic Key

Hash Value

User A Priv ate key

Hash Value

If hash values match, data came from the owner of the private key and is valid

How Digital Certificates Work
User Computer
Privat e Key rivate/Public P

Key Pair
Publi c Key


Service Certificati on Authority

Certified Administr ator

Secure Communication
Technologies include:
IPSec SSL TLS RPC encryption
SSL/TLS IPSec RPC Encryption

Secure Communication
How IPSec Works
IPSec Policy Security Association Negotiation IPSec Policy

TCP Layer IPSec Driver

TCP Layer IPSec Driver

Encrypted IP Packets

Secure Communication
How SSL Works
Secure Brows er Web Server Root Certificate Message Secure Web Server


4 1

1 2 3 4

The user browses to a secure Web server by using HTTPS The browser creates a unique session key and encrypts it by using the Web server’s public key, which is generated from the root certificate The Web server receives the session key and decrypts it by using the server’s private key After the connection is established, all communication between the browser and

Demonstration 2
SSL Server Certificates
Viewing a Web Site on a Non-Secure Server Generating a Certificate Request Requesting a Trial Certificate Installing the SSL Certificate Testing the SSL Certificate


Purpose of Authentication
Verifies the identity of a principal by:
Accepting credentials Validating those credentials

Secures communications by ensuring your application knows who the caller is

Encrypting the data is not enough!


Authentication Methods
Basic Digest Digital signatures and digital certificates Integrated
The Kerberos version 5 protocol NTLM

Microsoft Passport Biometrics


Basic Authentication
Is simple but effective Is supported by all major browsers and servers Is easy to program and set up Manages user credentials Requires SSL/TLS


How Digest Authentication Works


Active Directory

1 Request


2 4

Client Password



Digest Algorithm


Client Digital Certificates
Used in Web applications
Server secures communications using SSL/TLS with a X.509 server certificate Server authenticates clients using data in client X.509 certificate, if required Certificate authority issues a certificate for which the server holds a root certificate

Used in distributed applications
Application uses SSL/TLS communication channel Client and server applications authenticate using certificates

Can be deployed on smartcards


When to Use Integrated Authentication

Client Yes


Windows 2000 No Or later?
Windows Integrated

Cannot use Integrate d Authentic ation NTLM
Server Authentica tion


Active Directory Domain?

No Kerberos
Client and Server

Initial Logon

How to Use Kerberos Version 5
Service Request KDC

2 1


1 3


Target Server


TGT cached locally

Session established

Ticket-Granting Ticket ST TGT

Service Ticket

Demonstration 3
IIS Authentication Techniques
Using Anonymous Authentication Using Basic Authentication Using Integrated Windows Authentication


What is Authorization?
Occurs after your client request is authenticated Is the process of confirming that an authenticated principal is allowed access to specific resources Checks rights assigned to files, folders, registry settings, applications, and so on Can be role-based Can be code-based


Common Authorization Techniques
IIS Web permissions (and IP/DNS restrictions) .NET role-based security .NET code access security NTFS access control lists (ACL) SQL Server logins SQL Server permissions


Impersonation/Delegation Model
Client identity is used to access downstream resources
Web or Application Server Database or other resource server




Trusted Subsystem Model
Clients are mapped to roles Dedicated Windows service accounts are used for each role when accessing downstream resources
Web or Application Server Role 1 Role 2 Database or other resource server


1 2

Demonstration 4
Trusted Subsystem Model Authorization Techniques
Reviewing the Application Setting Authentication on the Web Server Creating Service Accounts on the Web Server Setting Authorization on the Database Server

Firewalls can provide:
Secure gateway to the Internet for internal clients Packet filtering Circuit-level filtering Application filtering Auditing

Firewalls cannot provide:
Protection against application-level attacks over HTTP or HTTPS

Auditing actions include tracking:
Resource access and usage Successful and unsuccessful logon attempts Application failures

Auditing benefits include:
Help for administrators to detect intrusions and suspicious activities Traceability for legal, non-repudiation disputes Diagnosis of security breaches

Service Packs and Updates
Security update

Address a single issue or a small number of issues Can be combined by using QChain

Security rollup package

Multiple hotfixes packaged for easy installation Provide major updates Cumulative set of previous updates May contain previously unannounced fixes May contain feature changes

Service pack

The Importance of Application Security Secure Application Development Practices Security Technologies Secure Development Guidelines

Proactive Security Development
Integrate security improvements throughout the development process Focus on security and ensure your code can withstand new attacks Promote the key role of education
Raise awareness within your team Learn from your mistakes and other’s mistakes

Adopt the SD3 Security Framework
Secure by Design
Build threat models Conduct code reviews, penetration tests Run code with minimal privileges Minimize your attack surface Enable services securely

Secure by Default

Secure in Deployment

Leverage the security best practices Create security guidance Build tools to assess application

Microsoft Java Virtual Machine
End of Support Alert
Java Support Alert!
MSJVM no longer ships with Windows XP SP1a or Windows Server 2003 Microsoft will discontinue support Sept 30, 2004
No security fixes will be made after that date Security issues after that date may require removal of MSJVM

Developers should
Update MSJVM dependent applications Offer upgrades to customers

For more information:

Session Summary
The Importance of Application Security Secure Application Development Practices Security Technologies Secure Development Guidelines

Next Steps

Stay informed about security

Sign up for security bulletins: Get the latest Microsoft security guidance:

Get additional security training

Find online and in-person training seminars:

Find a local CTEC for hands-on training:

For More Information
Microsoft Security Site (all audiences)

MSDN Security Site (developers)

TechNet Security Site (IT professionals)

Questions and Answers