Transcript of Application Security Best Practices At Microsoft

Page 1: Application Security Best Practices At Microsoft
Ensuring the lowest possible exposure and vulnerability to attacks
Published: January 2003

Page 2: Solution Overview

Situation
Faced with the daunting task of inventorying, cataloging, assessing, and securing each LOB application, the Microsoft IT group needed to create an organizational framework for handling the job.

Solution
Microsoft IT developed the Application Security Assurance Program (ASAP) to inventory, assess and – when necessary – ensure the resolution of security vulnerabilities found in LOB applications.

Benefits
- Lower cost of recovery and lost productivity
- Minimize loss of data
- Improve customer confidence
- Decrease legal risks

Page 3: Motivation For Application Security

- Cost of recovery and lost productivity
- Loss of data
- Impact on consumer confidence
- Legal risks

Page 4: Security Principles

- Confidentiality
- Integrity
- Authentication
- Authorization
- Availability
- Non-repudiation

Page 5: Managing Risk

- Strategic
- Tactical
- Operational
- Legal

Page 6: Overview Of ASAP

- Wide variety of LOB applications designed by Microsoft IT or individual business unit IT teams
- Securing applications and data has grown in significance and complexity
- LOB applications function in a complex operational and legal environment with an equally complex underlying infrastructure
- Every organization should develop its own plan for securing applications

Page 7: ASAP Deployment

- Risk assessment
- Design review
- Pre-production assessments
- Post-production follow-up

Page 8: Assessment Criteria

- Definition of an application
- Scope of assessments
  - High-risk
  - Medium-risk
  - Low-risk

Page 9: Assessment Criteria

- Types of Assessments
  - Limited assessments
  - Comprehensive assessments

Page 10: Participants

(Diagram) Participating groups: Corporate Security; Application Review Team; Operations IT; Business Unit IT Groups.
Responsibilities shown on the diagram: Security Policy; Threat Modeling; Risk Assessment; Audits; Action on Audit Findings (shown for two of the groups).

Page 11: Application Security Process Framework

- Verify In Production Applications
- Design, Develop, Test, and Verify Secure Apps
- Educate IT Professionals
- Maintain and Publish Policies and Guidelines
- Respond to Security Exposure Incidents
- Apply Lessons Learned

Page 12: Application Management – Secure Infrastructure

(Table: the areas that must be secured at each layer)

NETWORK
- Architecture
- Transport
- Network device access control list (ACL) permission settings

HOST
- Operating system
- Services: Internet Information Services (IIS); Simple Mail Transfer Protocol (SMTP); File Transfer Protocol (FTP); NetBIOS/Remote procedure call (RPC); Terminal Services; Microsoft SQL Server

APPLICATION
- Input validation
- Clear text protocol
- Authentication
- Authorization
- Cryptography
- Auditing and logging

ACCOUNT
- Unused accounts
- Weak or blank passwords
- Shared accounts
- Access privileges

TRUST
- Rogue trusts

Page 13: Building Secure Networks – Configuration

- Network segmentation
- Firewalls
- Routers and switches

Page 14: Building Secure Networks – Intrusion Detection Systems And Network Encryption

Detection systems should monitor for:
- Reconnaissance attacks
- Exploit attacks
- Denial of service attacks

Network encryption:
- Key tool in preventing sensitive data from being read
- Sensitive communication should be encrypted
- Industry-standard encryption methods: Secure Sockets Layer (SSL), a secure shell program such as SSH, Internet Protocol Security (IPSec)

Page 15: Building Secure Hosts For Applications

- Patch management
- Configuration
- Permissions
- Simple Network Management Protocol (SNMP) community strings
- Antivirus software
- Server auditing and logging
- Server backup and restore

Page 16: Application Layer Requirements

- Input validation
- Session management
- Authentication and authorization
- Design and code review
- Application and server error handling
- Application auditing and logging
- Application backup and restore
- Private data encryption

Page 17: Common Application Development Issues

- User input validation
- Cookies, authentication, and access
- Passwords
- Access control lists
- COM+ application configuration
- Auditing and logging

Page 18: Threat Modeling

- Provides a consistent methodology for objectively evaluating threats to applications
- Microsoft IT uses STRIDE to identify threats:
  - Spoofing identity
  - Tampering with data
  - Repudiation
  - Information disclosure
  - Denial of service
  - Elevation of privilege

Page 19: Architecture Modeling

- Component selection
- Component location
  - Untrusted
  - Semitrusted
  - Trusted
- Connection identification
  - Untrusted
  - Semitrusted
  - Trusted
- Environment component identification

Page 20: Lessons Learned

- If you wait until an application is already in production to make it secure, you are too late
- Good security practices take into account both the host and the application client
- Create clearly written and easily accessible security guideline documentation
- Create security checklists that include step-by-step instructions
- Develop a thoroughly considered policy exception tracking process
- Education is crucial to the success of a security program
- Processes and reporting are required to ensure that inventory information is maintained
- Security is an ongoing, always changing, concern

Page 21: Policies

- Applications should comply with application security policies and guidelines
- Applications should go through a security design review process
- Third-party application vendors should provide assurances that the software does not contain anything that could be used to compromise security controls
- Internet-facing applications should use existing methods of authentication
- Applications that reside on the corporate network should rely on Windows integrated authentication
- Applications that cannot use Windows integrated authentication should either encrypt or hash the password stores
- Credentials should never be stored or sent unencrypted
- User input should be filtered and examined at the Web server
- Web applications should use strong, nonpredictable session IDs
- Web applications should use an inactivity timeout
- Cookies that contain sensitive data should be marked as secure and nonpersistent
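The application-level policies on this slide (hashed password stores, strong nonpredictable session IDs, an inactivity timeout, secure and nonpersistent cookies, input filtered at the Web server) and the matching items on the Application Layer Requirements slide (input validation, session management, private data encryption), as one added Python example. This is not code from the Microsoft IT deck or from ASAP. It assumes a PBKDF2-HMAC-SHA256 password store with 600,000 iterations, a 15-minute inactivity timeout, Python's http.cookies module for the Set-Cookie header, and a constructed allow-list username format; the HttpOnly flag is a standard addition not listed on the slide.

```python
# Added example, not from the Microsoft IT deck: minimal implementations of the
# web-application policies on this slide (hashed password store, unpredictable
# session IDs, inactivity timeout, secure nonpersistent cookies, input filtering).
import hashlib
import hmac
import os
import re
import secrets
import time
from http.cookies import SimpleCookie
from typing import Callable, Dict, Optional, Tuple

# Assumption: PBKDF2-HMAC-SHA256 with 600,000 iterations; the deck only says
# "encrypt or hash the password stores" and gives no algorithm.
PBKDF2_ITERATIONS = 600_000
INACTIVITY_TIMEOUT_SECONDS = 15 * 60  # assumption: the deck gives no value


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted PBKDF2 record; the plaintext password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def new_session_id() -> str:
    """256 bits from the OS CSPRNG: strong and nonpredictable, unlike a counter or timestamp."""
    return secrets.token_urlsafe(32)


class SessionStore:
    """Server-side sessions that are invalidated after a period of inactivity."""

    def __init__(self, timeout: float = INACTIVITY_TIMEOUT_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self._timeout = timeout
        self._clock = clock  # injectable so a test can move time forward
        self._sessions: Dict[str, Tuple[str, float]] = {}  # sid -> (user, last activity)

    def create(self, user: str) -> str:
        sid = new_session_id()
        self._sessions[sid] = (user, self._clock())
        return sid

    def touch(self, sid: str) -> Optional[str]:
        """Return the user of a live session and refresh it; drop it if idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, last_activity = entry
        now = self._clock()
        if now - last_activity > self._timeout:
            del self._sessions[sid]  # the idle session is removed, not merely hidden
            return None
        self._sessions[sid] = (user, now)
        return user


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value for the session ID: Secure, HttpOnly, and without
    Expires/Max-Age, so the browser keeps it in memory only (nonpersistent)."""
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["secure"] = True    # only sent over SSL/TLS
    cookie["session"]["httponly"] = True  # not readable by script (not on the slide)
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()


# Assumption: a constructed allow-list format; the deck only says input is
# filtered and examined at the Web server.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_username(raw: str) -> Optional[str]:
    """Allow-list validation at the Web server: accept only values matching the format."""
    value = raw.strip()
    return value if USERNAME_RE.fullmatch(value) else None


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record[:40] + "...")
    print("login ok:", verify_password("correct horse battery staple", record))
    store = SessionStore()
    print("Set-Cookie:", session_cookie_header(store.create("alice")))
    print("accepted:", validate_username("alice_01"), "rejected:", validate_username("bob'; --"))
```

The session store deletes an idle session rather than just refusing it, so a stolen ID stops working once the timeout has elapsed; the cookie deliberately carries no Expires or Max-Age attribute, which is what makes it nonpersistent.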

Page 22: Future Security Considerations

- Authorization Manager
- Constrained Delegation

Page 23: Summary

- Business relies more and more on information technology to operate
- Securing access to critical resources ensures that they continue to function as expected
- Microsoft IT put policies and guidelines in place to help Microsoft development teams secure their existing applications
- Documenting and sharing the lessons that are learned by organizations are central to maintaining security both within and among businesses

Page 24: For More Information

Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com

- Microsoft TechNet: http://www.microsoft.com/technet/itshowcase
- Microsoft Case Study Resources: http://www.microsoft.com/resources/casestudies
- E-Mail IT Showcase: [email protected]

Page 25: Legal Notice

This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Microsoft Press, Visual Studio, Visual SourceSafe, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.