Securing .NET Web Applications

Foundation

Misconceptions

• Misconception #1
• Security: The Complete Picture
• TJX: Anatomy of a Disaster?
• So What is the Point?
• 2012 Attacks Continued to Evolve
• Causes of Data Breaches
• Heartland – Slipping Past PCI Compliance
• What's the Point?
• Verizon’s 2012 Data Breach Report
• 360M Down to 4M in 2010???
• US Secret Service Continued to Battle
• Verizon’s 2013 Data Breach Report
• The Numbers are Abstract, but…
• Are You Concerned Yet?
• Verizon AppSec Recommendations

Security Concepts

• Terminology and Players
• Assets, Threats, and Attacks
• OWASP
• WASC

Defensive Coding Principles

• Security Is a Lifecycle Issue
• Bolted on Versus Baked
• Minimize Attack Surface Area
• Examples of Minimization
• Defense in Depth
• Manage Resources
• Layers of Defense: Tenacious D
• Compartmentalize
• Consider All Application States
• Do NOT Trust the Untrusted
• Fix Security Defects Correctly
• Learning From Vulnerabilities

Reality

• Recent, Relevant Incidents
• Finding Security Defects In Web Applications

Top Security Vulnerabilities

Unvalidated Input

• OWASP/WASC Coverage
• Unvalidated Input: Description
• Buffer Overflows
• Format String Attacks
• Null Byte Injection Attacks
• Integer Arithmetic Vulnerabilities
• Unvalidated Input: From the Web
• Hidden Values in HTTP Communications
• Unvalidated Input: Symptoms and Detection
• Detection Through Fuzz Testing
• Unvalidated Input: Fixes
• Identifying Trust Boundaries
• Designing An Appropriate Response
• Testing Defenses And Responses

Overview of Regular Expressions

• Description with working example

Broken Access Control

• OWASP/WASC Coverage
• Access Control Issues
• Broken Access Control: Description
• Excessive Privileges
• Insufficient Flow Control/Forceful Browsing
• Primary Concerns in URL/Resource Access
• Unprotected URL/Resource Access: Fixes
• Protecting Sessions
• Addressing Client-Side Caching of Content
• Authorization Security Overview
• .NET authorization security overview
• Defending Special Privileges Such As Administrative Functions
• Application Authorization Best Practices

Broken Authentication And Session Management

• OWASP/WASC Coverage
• Quality of Authentication Credentials
• Multi-Layered Defenses Of Authentication Services
• Password Management Strategies
• Password Handling With Hashing
• Mitigating Password Caching
• Testing Defenses And Responses For Weaknesses
• Alternative Authentication Mechanisms
• Best Practices For Session Management
• Defending Session Hijacking Attacks

Cross Site Scripting (XSS) Flaws

• OWASP/WASC Coverage
• XSS Mechanisms
• Character Encoding Complications
• Blacklisting
• Whitelisting
• HTML/XML Entity Encoding
• Trust Boundary Definition
• Implementing An Effective Layered Defense
• Designing An Appropriate Response

Injection Flaws

• OWASP/WASC Coverage
• SQL Injection Continues to be Prevalent
• Injection Flaws: Description
• Injection Flaws: Symptoms and Detection
• SQL Injection Examples
• SQL Injection Attacks Evolve
• Attackers have a Variety of Tools
• SQL Injection: Drill Down on Stored Procedures
• SQL Injection: Drill Down on ORM
• Minimize SQL Injection Vulnerabilities
• Minimizing Injection Flaws
• Command Injection Vulnerabilities
• LDAP Injection Vulnerabilities
• Server-Side Include (SSI) Vulnerabilities

Error Handling And Information Leakage

• OWASP/WASC Coverage
• Four Dimensions of Designing Error Respones
• Error Response Best Practices
• Error, Auditing, And Logging Content Management
• Error, Auditing, And Logging Service Management
• Best Practices For Supporting Web Attack Forensics
• Information Leaks
• Data Loss Prevention (DLP)
• Solving DLP Challenges
• DLP: What and Where
• DLP: Best Practices

Insecure Data Handling

• OWASP/WASC Coverage
• Sony and Related Exploits
• Protecting Data can Mitigate Impact of Exploit
• Data Handling Concerns
• Unexpected Data Repositories
• In-Memory Data Handling
• Secure Pipes
• Transport-Level Security
• SSL
• Recent Failures in SSL Framework
• BEAST Attacks on SSL

Insecure Management of Configuration

• OWASP/WASC Coverage
• System hardening
• Server configuration “Gotchas!”
• Hardening software installation

Direct Object Access

• OWASP/WASC Coverage
• Dynamic Loading Mechanisms
• Race Conditions
• Direct Object References

Spoofing and Redirects

• OWASP/WASC Coverage
• Spoofing: Description
• Name Resolution Vulnerabilities
• Targeted Spoofing Attacks Against RSA
• Attacks are Constant and Changing
• Spoofing: Fixes
• Cross Site Request Forgeries (CSRF)
• How To Get Victim To Select URL?
• CSRF Defenses are Entirely Server-Side
• CSRF Defenses are Evolving
• Redirects and Forwards
• Safe Redirects and Forwards

Understanding What’s Important

• Prioritizing Your Efforts
• Common Vulnerabilities and Exposures
• OWASP Top Ten
• Caveats and Context
• OWASP Top Ten for 2013
• How Many Principles Can be Violated?
• CWE/SANS Top 25 Most Dangerous SW Errors
• Monster Mitigations
• Defense In Depth - Layered Defense
• Defense in Depth – An Example
• Defense in Depth – Damage Control
• Strength Training: Project Teams/Developers
• Strength Training: IT Organizations
• .NET Issues and Best Practices

Defending XML Processing

Defending XML

• Understanding common attacks and how to defend
• Operating in safe mode
• Using standards-based security
• XML-aware security infrastructure

Defending Web Services

• Security exposures
• Transport-level security
• Message-level security
• WS-Security
• Attacks and defenses

Defending Ajax

• Ajax Security Exposures
• Attack Surface Changes
• Injection Threats And Concerns
• Bridging and Potential Problems
• Managing Bridges
• Effective Defenses And Practices