Application Security Best Practices At Microsoft
Ensuring the lowest possible exposure and vulnerability to attacks
Published: January 2003
Solution Overview

Situation
- Faced with the daunting task of inventorying, cataloging, assessing, and securing each LOB application, the Microsoft IT group needed to create an organizational framework for handling the job

Solution
- Microsoft IT developed the Application Security Assurance Program (ASAP) to inventory, assess and, when necessary, ensure the resolution of security vulnerabilities found in LOB applications

Benefits
- Lower cost of recovery and lost productivity
- Minimize loss of data
- Improve customer confidence
- Decrease legal risks
Motivation For Application Security
- Cost of recovery and lost productivity
- Loss of data
- Impact on consumer confidence
- Legal risks
Security Principles
- Confidentiality
- Integrity
- Authentication
- Authorization
- Availability
- Non-repudiation
Managing Risk
- Strategic
- Tactical
- Operational
- Legal
Overview Of ASAP
- Wide variety of LOB applications designed by Microsoft IT or individual business unit IT teams
- Securing applications and data has grown in significance and complexity
- LOB applications function in a complex operational and legal environment with an equally complex underlying infrastructure
- Every organization should develop its own plan for securing applications
ASAP Deployment
- Risk assessment
- Design review
- Pre-production assessments
- Post-production followup
Assessment Criteria
- Definition of an application
- Scope of assessments
  - High-risk
  - Medium-risk
  - Low-risk

Assessment Criteria
- Types of assessments
  - Limited assessments
  - Comprehensive assessments
Participants
- Corporate Security
- Application Review Team
- Operations IT
- Business Unit IT Groups

Activities shown on the slide:
- Security Policy
- Threat Modeling
- Risk Assessment
- Audits
- Action on Audit Findings
Application Security Process Framework
- Verify In Production Applications
- Design, Develop, Test, and Verify Secure Apps
- Educate IT Professionals
- Maintain and Publish Policies and Guidelines
- Respond to Security Exposure Incidents
- Apply Lessons Learned
Application Management – Secure Infrastructure

NETWORK
- Architecture
- Transport
- Network device
- Access control list (ACL) permission settings

HOST
- Operating system
- Services
  - Internet Information Services (IIS)
  - Simple Mail Transfer Protocol (SMTP)
  - File Transfer Protocol (FTP)
  - NetBIOS/Remote procedure call (RPC)
  - Terminal Services
  - Microsoft SQL Server(TM)

APPLICATION
- Input validation
- Clear text protocol
- Authentication
- Authorization
- Cryptography
- Auditing and logging

ACCOUNT
- Unused accounts
- Weak or blank passwords
- Shared accounts
- Access privileges

TRUST
- Rogue trusts
Building Secure Networks – Configuration
- Network segmentation
- Firewalls
- Routers and switches
Building Secure Networks – Intrusion Detection Systems And Network Encryption
- Detection systems should monitor for
  - Reconnaissance attacks
  - Exploit attacks
  - Denial of service attacks
- Network encryption
  - Key tool in preventing sensitive data from being read
  - Sensitive communication should be encrypted
  - Industry-standard encryption methods: Secure Sockets Layer (SSL), secure shell program such as SSH, Internet Protocol Security (IPSec)
Building Secure Hosts For Applications
- Patch management
- Configuration
- Permissions
- Simple Network Management Protocol community strings
- Antivirus software
- Server auditing and logging
- Server backup and restore
Application Layer Requirements
- Input validation
- Session management
- Authentication and authorization
- Design and code review
- Application and server error handling
- Application auditing and logging
- Application backup and restore
- Private data encryption
Common Application Development Issues
- User input validation
- Cookies, authentication, and access
- Passwords
- Access control lists
- COM+ application configuration
- Auditing and logging
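The first issue on this slide, user input validation, is the one most often done as a deny list of "bad characters". The following is an added example, not code from the Microsoft IT deck, showing the allow-list alternative applied at the Web server before any value reaches a query, data store or redirect. The field names (`username`, `order_qty`, `next`), the rules, and the two constructed sample requests are assumptions made for illustration.

```python
"""Added example, not from the deck: allow-list validation of form input
at the Web server, before any value reaches a data store, query or
redirect. The field names, the rules and the constructed sample requests
are assumptions made for illustration."""
import re

# Allow-list rules: what a valid value looks like. Anything else is rejected,
# instead of trying to enumerate bad characters (a deny list).
RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "order_qty": re.compile(r"[1-9][0-9]{0,3}"),
    # Relative path for a post-login redirect: must start with a single "/"
    # ("//host" would be a protocol-relative URL pointing at another site).
    "next": re.compile(r"/(?!/)[A-Za-z0-9/_.-]*"),
}
MAX_LEN = 256
CONVERT = {"order_qty": int}   # typed value handed to the application


def validate(form):
    """Return (clean, errors). 'form' is a dict of field name -> value as the
    Web server parsed it. Only fields named in RULES are accepted; extra
    fields, missing fields, non-strings and oversize values are errors."""
    clean, errors = {}, {}
    for name, rule in RULES.items():
        value = form.get(name)
        if value is None:
            errors[name] = "missing"
        elif not isinstance(value, str):
            errors[name] = "not a single string value"
        elif len(value) > MAX_LEN or not rule.fullmatch(value):
            errors[name] = "does not match allowed format"
        else:
            clean[name] = CONVERT.get(name, str)(value)
    for name in form.keys() - RULES.keys():
        errors[name] = "unexpected field"
    return clean, errors


def good_request():
    """Constructed well-formed request."""
    return {"username": "alice_01", "order_qty": "12", "next": "/orders/12"}


def bad_request():
    """Constructed request carrying the kinds of input the slide warns about."""
    return {
        "username": "alice'; DROP TABLE Orders--",   # SQL metacharacters
        "order_qty": ["1", "2"],                      # repeated parameter
        "next": "//evil.example/phish",               # off-site redirect
        "is_admin": "true",                           # field the form never had
    }


if __name__ == "__main__":
    print(validate(good_request()))
    print(validate(bad_request()))
```

Rejecting the whole request when any field fails, rather than "cleaning" the bad field, keeps the application from ever processing a value the rules did not describe; the `is_admin` case shows why unexpected fields are errors too.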
Threat Modeling
- Provides a consistent methodology for objectively evaluating threats to applications
- Microsoft IT uses STRIDE to identify threats
  - Spoofing identity
  - Tampering with data
  - Repudiation
  - Information disclosure
  - Denial of service
  - Elevation of privilege
Architecture Modeling
- Component selection
- Component location
  - Untrusted
  - Semitrusted
  - Trusted
- Connection identification
  - Untrusted
  - Semitrusted
  - Trusted
- Environment component identification
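The Threat Modeling and Architecture Modeling slides together describe one activity: place components and connections in trust zones, then ask the STRIDE questions of each. The following is an added example, not code from the deck, that does this mechanically for a small model and flags the connections that cross a trust boundary. The component kinds, the per-kind STRIDE mapping (the common "STRIDE-per-element" convention, not something the deck states), the `encrypted` attribute on connections, and the three-tier sample model are assumptions.

```python
"""Added example, not from the Microsoft IT deck: a small STRIDE enumerator
over an architecture model of components, their trust levels and the
connections between them. The component kinds, the per-kind STRIDE mapping
and the sample model are illustrative assumptions."""
from dataclasses import dataclass

# Trust levels from the Architecture Modeling slide, ranked for comparison.
TRUST_RANK = {"untrusted": 0, "semitrusted": 1, "trusted": 2}

# STRIDE categories from the Threat Modeling slide.
STRIDE = {
    "S": "Spoofing identity",
    "T": "Tampering with data",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Assumed "STRIDE-per-element" convention: which categories apply to which
# kind of element. Not taken from the deck.
APPLICABLE = {
    "process": "STRIDE",   # running code: every category applies
    "datastore": "TRID",   # stored data: tampering, repudiation (if it holds audit logs), disclosure, DoS
    "external": "SR",      # external entity: can be spoofed, can repudiate
    "dataflow": "TID",     # connection: tampering, disclosure, DoS
}


@dataclass(frozen=True)
class Component:
    name: str
    kind: str    # process | datastore | external
    trust: str   # untrusted | semitrusted | trusted


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    encrypted: bool


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    crosses_boundary: bool


def enumerate_threats(components, connections):
    """Return one Threat per (element, applicable STRIDE category). A
    connection whose endpoints sit at different trust levels crosses a trust
    boundary, which is where review effort should concentrate."""
    by_name = {c.name: c for c in components}
    threats = []
    for c in components:
        for letter in APPLICABLE[c.kind]:
            threats.append(Threat(c.name, STRIDE[letter], False))
    for conn in connections:
        a, b = by_name[conn.src], by_name[conn.dst]
        crosses = TRUST_RANK[a.trust] != TRUST_RANK[b.trust]
        for letter in APPLICABLE["dataflow"]:
            threats.append(Threat(f"{conn.src}->{conn.dst}", STRIDE[letter], crosses))
    return threats


def boundary_crossings(threats):
    """Elements whose threats cross a trust boundary, deduplicated and sorted."""
    return sorted({t.element for t in threats if t.crosses_boundary})


def clear_text_crossings(components, connections):
    """Connections crossing a trust boundary without encryption: the
    'Clear text protocol' row of the infrastructure slide, found automatically."""
    by_name = {c.name: c for c in components}
    out = []
    for conn in connections:
        a, b = by_name[conn.src], by_name[conn.dst]
        if not conn.encrypted and TRUST_RANK[a.trust] != TRUST_RANK[b.trust]:
            out.append(f"{conn.src}->{conn.dst}")
    return out


def sample_model():
    """Constructed three-tier LOB application (an assumption, not the deck's)."""
    components = [
        Component("Browser", "external", "untrusted"),
        Component("Web server", "process", "semitrusted"),
        Component("SQL Server", "datastore", "trusted"),
    ]
    connections = [
        Connection("Browser", "Web server", encrypted=True),      # SSL
        Connection("Web server", "SQL Server", encrypted=False),  # clear text on the internal segment
    ]
    return components, connections


if __name__ == "__main__":
    comps, conns = sample_model()
    for t in enumerate_threats(comps, conns):
        flag = " [crosses trust boundary]" if t.crosses_boundary else ""
        print(f"{t.element:24} {t.category}{flag}")
    print("clear-text boundary crossings:", clear_text_crossings(comps, conns))
```

The output is a checklist, not a verdict: each (element, category) pair still needs a reviewer to decide whether an existing control covers it. The value of generating it is completeness, which is what the slide means by "objectively evaluating threats".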
Lessons Learned
- If you wait until an application is already in production to make it secure, you are too late
- Good security practices take into account both the host and the application client
- Create clearly written and easily accessible security guideline documentation
- Create security checklists that include step-by-step instructions
- Develop a thoroughly considered policy exception tracking process
- Education is crucial to the success of a security program
- Processes and reporting are required to ensure that inventory information is maintained
- Security is an ongoing, always changing, concern
Policies
- Applications should comply with application security policies and guidelines
- Applications should go through a security design review process
- Third-party application vendors should provide assurances that the software does not contain anything that could be used to compromise security controls
- Internet-facing applications should use existing methods of authentication
- Applications that reside on the corporate network should rely on Windows integrated authentication
- Applications that cannot use Windows integrated authentication should either encrypt or hash the password stores
- Credentials should never be stored or sent unencrypted
- User input should be filtered and examined at the Web server
- Web applications should use strong, nonpredictable session IDs
- Web applications should use an inactivity timeout
- Cookies that contain sensitive data should be marked as secure and nonpersistent
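Four of these policy bullets (hashed password stores, strong nonpredictable session IDs, an inactivity timeout, and sensitive cookies marked secure and nonpersistent) can be shown in a few dozen lines. The following is an added example, not code from the deck, with a minimal implementation of each. The 15-minute timeout, the cookie name `sessid`, the in-memory session store, the PBKDF2 parameters, and the `HttpOnly` attribute (an addition beyond what the slide lists) are assumptions.

```python
"""Added example, not from the deck: a hashed password store, unguessable
session IDs, an inactivity timeout, and a Secure, nonpersistent session
cookie. Timeout, cookie name, store and hashing parameters are assumptions."""
import hashlib
import hmac
import os
import secrets
import time

SESSION_ID_BYTES = 32          # 256 bits from the OS CSPRNG: not guessable, not a counter
INACTIVITY_TIMEOUT = 15 * 60   # seconds; assumed value
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Salted, iterated hash for the password store; the clear text is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Constant-time comparison against a record produced by hash_password()."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class SessionStore:
    """Server-side sessions keyed by an unguessable ID, expired on inactivity."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock          # injectable so the timeout can be tested

    def create(self, user):
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)   # never derived from the user or the time
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def touch(self, sid):
        """Return the user for a live session and refresh it, or None if the ID
        is unknown or the session sat idle longer than INACTIVITY_TIMEOUT."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > INACTIVITY_TIMEOUT:
            del self._sessions[sid]   # idle too long: discard rather than refresh
            return None
        session["last_seen"] = now
        return session["user"]


def session_cookie(sid):
    """Set-Cookie value for the session ID: Secure (sent over HTTPS only) and
    nonpersistent (no Expires/Max-Age, so the browser drops it on close)."""
    return f"sessid={sid}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
    store = SessionStore()
    sid = store.create("alice")
    print(session_cookie(sid), store.touch(sid))
```

The timeout is enforced on the server, not by the cookie's lifetime: a stolen session ID is useless once the server has discarded the session, whereas a cookie expiry is only advice to the browser.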
Future Security Considerations
- Authorization Manager
- Constrained Delegation
Summary
- Business relies more and more on information technology to operate
- Securing access to critical resources ensures that they continue to function as expected
- Microsoft IT put policies and guidelines in place to help Microsoft development teams secure their existing applications
- Documenting and sharing the lessons that are learned by organizations are central to maintaining security both within and among businesses
For More Information
- Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com
- Microsoft TechNet: http://www.microsoft.com/technet/itshowcase
- Microsoft Case Study Resources: http://www.microsoft.com/resources/casestudies
- E-Mail IT Showcase: [email protected]
This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Microsoft Press, Visual Studio, Visual SourceSafe, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.