Securing Microsoft .Net Hosted Services
INFORMATION SECURITY PRACTICUM CAPSTONE PROJECT
LEWIS UNIVERSITY
BRETT NEMEC
Introduction
Myself
◦ Education
◦ Professional experience
Project
◦ .Net Hosted Services
  ◦ WCF
  ◦ Web API
  ◦ Data Services
◦ OWASP
  ◦ Top Ten
  ◦ How it applies to hosted services
Windows Communication Foundation
Part of the .Net framework
◦ System.ServiceModel namespace
◦ Introduced in version 3.0
The Service Model
◦ Service oriented
◦ Interoperable
◦ Automatic configuration
◦ Follows security standards
◦ Supports multiple transports and encodings
◦ Extensible
Security
◦ SOAP
◦ Message integrity
◦ Authentication on service and client
◦ Integration with existing technology
[Diagram: WCF architecture layers. Host: WAS, ASP.NET, Windows Service. Service Model: Services, Endpoints, Contracts, Operations. Messaging: HTTP, TCP, Queues; Transport Security, Message Security; XML or Binary Serialization.]
MVC Web API
Formerly part of WCF
ASP.NET MVC 4
◦ Model-View-Controller pattern
◦ RESTful architecture
◦ CRUD
Security
◦ Integration with existing technology
◦ Authentication
◦ Attributes
  ◦ HttpGet
  ◦ HttpPost
  ◦ Authorize
Using the Authorize attribute
Data Services
Model driven architecture
◦ Object Relational Mapping
◦ Entity Framework
OData
◦ Open Data Protocol
Data owner has more control over data
Cloud
◦ Introduces added risk due to foreign environments
◦ Data owner can have less control
OWASP
Stands for Open Web Application Security Project
Not-for-profit organization
Dedicated to web security
◦ Helps raise awareness of trends in security threats
Support for the most popular web technologies
◦ Java
◦ C/C++
◦ .Net
◦ PHP
Top ten security risks of 2013
OWASP Top Ten Security Risks of 2013 RC
A1 – Injection
A2 – Broken authentication and session management
A3 – Cross-site scripting (XSS)
A4 – Insecure direct object references
A5 – Security misconfigurations
A6 – Sensitive data exposure
A7 – Missing functional level access control
A8 – Cross-site request forgery (CSRF)
A9 – Using known vulnerable components
A10 – Unvalidated redirects and forwards
A1 – Injection
SQL Injection
◦ Example
  ◦ WCF method: GetPersonByName(string name), where name = "' or '1' = '1"
  ◦ Executes SQL
  ◦ var query = "select * from Person where name = '" + name + "'";
  ◦ Resolves to "select * from Person where name = '' or '1' = '1'"
◦ One of the most prominent classes of input validation errors
◦ Don't use command interpreters
◦ Use a parameterized interface
  ◦ var query = "select * from Person where name = @name";
◦ Entity Framework v5
  ◦ ORM
  ◦ SQL is generated behind the scenes
  ◦ Model driven
  ◦ Linq to SQL
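The A1 slide's concatenated query beside its parameterized replacement, as an added example that is not part of the original deck. The `PersonRepository` class, the connection string and the `Person` table are assumed; the input is the slide's constructed payload.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the slides): what GetPersonByName(string name) should and
// should not do with its argument. Connection string and table are assumed.
public static class PersonRepository
{
    // VULNERABLE: the caller's string becomes part of the SQL text, so a name of
    //   ' or '1' = '1
    // turns the WHERE clause into a tautology and the query returns every row.
    public static string BuildUnsafeQuery(string name)
    {
        return "select * from Person where name = '" + name + "'";
    }

    // SAFE: the SQL text is fixed; the value travels as a typed parameter and is
    // never parsed as SQL, whatever quotes or keywords it contains.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string name)
    {
        var cmd = new SqlCommand("select * from Person where name = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    public static void Main()
    {
        string payload = "' or '1' = '1";   // constructed input from the slide

        Console.WriteLine(BuildUnsafeQuery(payload));
        // select * from Person where name = '' or '1' = '1'

        // Constructing the connection does not open it, so this runs without a server.
        using (var conn = new SqlConnection("Server=(local);Database=People;Integrated Security=true")) // assumed
        {
            SqlCommand cmd = BuildSafeCommand(conn, payload);
            Console.WriteLine(cmd.CommandText);                 // text is unchanged
            Console.WriteLine(cmd.Parameters["@name"].Value);   // value is carried separately
        }
    }
}
```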
A2 – Broken authentication and session management
WCF is stateless by default
◦ Stateful session can be enabled in configuration
Message Authentication
◦ Certificate authentication over transport security
◦ Satisfies Level 1 requirements of the OWASP Application Security Verification Standard (ASVS)
  ◦ Section V2, all pages and resources must be authenticated except those that are public
◦ Certificate authentication pre-authenticates the client
◦ Authorize attribute is used for business authentication, while the client is authenticated to the service
A3 – Cross-site scripting (XSS)
WCF is not directly vulnerable to XSS
◦ Messages are XML based, not URLs
Implement custom input/output parameter inspectors
◦ IParameterInspector interface
A4 – Insecure direct object references
Authorize attribute
◦ Using role-based authentication
◦ When a message is sent to an endpoint, the service calls the custom role provider for the requested operation
◦ Example:
  [Authorize("Administrators")]
  public void GetAllUsers();
A5 – Security misconfigurations
Don't expose metadata
◦ Can be turned on for debugging in configuration
  ◦ App.config or web.config, using the system.serviceModel element
◦ Must be disabled for production
◦ Custom web page
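The system.serviceModel fragment the A5 slide refers to, as an added configuration example that is not from the deck: a debug behavior that publishes metadata beside the production behavior that does not. The service and contract names are assumed.

```xml
<!-- Added example, not from the slides. Service/contract names are assumed. -->
<system.serviceModel>
  <services>
    <service name="People.PersonService" behaviorConfiguration="ProductionBehavior">
      <endpoint address="" binding="wsHttpBinding" contract="People.IPersonService" />
      <!-- A mex endpoint is what serves WSDL to anyone who asks; leave it out of production:
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" /> -->
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <!-- Debug only: httpGetEnabled="true" answers ?wsdl requests with the full contract -->
      <behavior name="DebugBehavior">
        <serviceMetadata httpGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="true" />
      </behavior>
      <!-- Production: metadata publication off, exception details kept out of faults -->
      <behavior name="ProductionBehavior">
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
        <serviceDebug includeExceptionDetailInFaults="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

A quick production check is to request the service URL with `?wsdl` appended and confirm that no contract comes back.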
A6 – Sensitive data exposure
Store sensitive data in its encrypted form
Passwords
◦ Don't actually store the password, store a hash
  ◦ Random salt (256 bytes)
    ◦ RSA Pseudo random number generator
  ◦ SHA-256(Salt + Password) = Salted Password Hash
  ◦ Every time the user changes the password, a new salt is used
◦ Database table has two columns, allows for one-way validation
  ◦ PasswordSalt, non-sensitive
  ◦ PasswordHash
◦ Timeout after a specified number of failed attempts
  ◦ Stops brute force attacks
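The A6 slide's scheme carried through in .NET Framework code, as an added example that is not from the deck: a 256-byte salt from the CSPRNG, SHA-256 over salt plus password, a two-column record, one-way verification and a lockout after repeated failures. The `PasswordRecord` and `PasswordStore` names and the lockout policy (5 failures, 15 minutes) are assumed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the slides). The salt size and the two stored columns
// follow the slide; the record type and lockout policy are assumed.
public sealed class PasswordRecord
{
    public byte[] PasswordSalt;    // stored in the clear; a fresh one on every change
    public byte[] PasswordHash;    // SHA-256(Salt + Password); the password is never stored
    public int FailedAttempts;
    public DateTime? LockedUntil;
}

public static class PasswordStore
{
    const int SaltBytes = 256;
    const int MaxFailures = 5;                                   // assumed policy
    static readonly TimeSpan Lockout = TimeSpan.FromMinutes(15); // assumed policy

    static byte[] Hash(byte[] salt, string password)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        using (var sha = SHA256.Create())
            return sha.ComputeHash(input);
    }

    // Enrolment and every password change: new salt from the cryptographic RNG.
    public static PasswordRecord SetPassword(string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);
        return new PasswordRecord { PasswordSalt = salt, PasswordHash = Hash(salt, password) };
    }

    // One-way validation: recompute from the stored salt and compare. The stored
    // hash is never reversed. Failures count toward a timed lockout.
    public static bool Verify(PasswordRecord rec, string attempt, DateTime now)
    {
        if (rec.LockedUntil.HasValue)
        {
            if (now < rec.LockedUntil.Value) return false; // still locked: reject without hashing
            rec.LockedUntil = null;                        // lockout expired: count afresh
            rec.FailedAttempts = 0;
        }
        bool ok = FixedTimeEquals(rec.PasswordHash, Hash(rec.PasswordSalt, attempt));
        if (ok) rec.FailedAttempts = 0;
        else if (++rec.FailedAttempts >= MaxFailures) rec.LockedUntil = now + Lockout;
        return ok;
    }

    // Constant-time comparison so response time does not reveal how many bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

SHA-256 is fast by design; a deliberately slow, iterated construction such as PBKDF2 (`Rfc2898DeriveBytes` in .NET) keeps the same salt-and-hash layout while raising the cost of offline guessing against a leaked table.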
A7 – Missing functional level access control
Related to A4, Insecure Direct Object References
WCF by default is stateless
◦ If using the default, sessions are not of concern
◦ If using sessions, control with OperationContract
  ◦ IsInitiating property
  ◦ IsTerminating property
Windows Identity Foundation
◦ Supports federated claims-based security
◦ Authorized claim sets
  ◦ Used similarly to role-based authorization
A8 – Cross-site request forgery (CSRF)
WCF is message based, not as much of a risk
It is possible to implement controls for this risk
Windows Identity Foundation
◦ If implemented, the service is already using a Security Token Service (STS)
◦ STS processes the user validation request
  ◦ Provides a claim-set for the user
◦ When the user sends a message request to the service, the claim-set is provided as a token; the STS evaluates the token
A9 – Using known vulnerable components
Don't use components that are untested or whose source is unknown
Most controls and tools are already part of the .Net framework
◦ Entity Framework v5
  ◦ Tight integration with existing Microsoft .Net technologies
◦ Beta versions are not a good idea
OWASP ESAPI for .Net
◦ Website states it's not suitable for production use
  ◦ Good reason not to use it
A10 – Unvalidated redirects and forwards
Redirects and forwards should be avoided
WCF is not at risk like web applications are
◦ Sometimes parameters can contain the target page
  ◦ IParameterInspector custom inspector
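The custom parameter inspector that the A3 and A10 slides both call for, as an added example that is not from the deck: an `IParameterInspector` that rejects string parameters carrying markup or an absolute URL before the operation runs, attached to an operation through an `IOperationBehavior` attribute. The inspector and attribute names, the rejection rules and the `IPersonService` contract are assumed.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Text.RegularExpressions;

// Added example (not from the slides). Rules and names are assumed; a per-operation
// allow-list of what each parameter may contain is stricter than these deny rules.
public sealed class StringParameterInspector : IParameterInspector
{
    static readonly Regex Markup = new Regex(@"<\s*/?\s*[a-zA-Z!]", RegexOptions.Compiled);
    static readonly Regex AbsoluteUrl = new Regex(@"^\s*[a-zA-Z][a-zA-Z0-9+.\-]*://", RegexOptions.Compiled);

    // Runs on the service side before the operation body. Reject the call; do not "clean" it.
    public object BeforeCall(string operationName, object[] inputs)
    {
        for (int i = 0; i < inputs.Length; i++)
        {
            var s = inputs[i] as string;
            if (s == null) continue;
            if (Markup.IsMatch(s))
                throw new FaultException("Parameter " + i + " of " + operationName + " contains markup.");
            if (AbsoluteUrl.IsMatch(s))
                throw new FaultException("Parameter " + i + " of " + operationName + " must not be a URL.");
        }
        return null; // correlation state handed to AfterCall; none needed here
    }

    // Runs after the operation: the same markup check on what is about to leave the service.
    public void AfterCall(string operationName, object[] outputs, object returnValue, object correlationState)
    {
        var s = returnValue as string;
        if (s != null && Markup.IsMatch(s))
            throw new FaultException(operationName + " produced markup in its result.");
    }
}

// Attribute that attaches the inspector to an [OperationContract] on the dispatch side.
[AttributeUsage(AttributeTargets.Method)]
public sealed class InspectStringsAttribute : Attribute, IOperationBehavior
{
    public void ApplyDispatchBehavior(OperationDescription op, DispatchOperation dispatch)
    {
        dispatch.ParameterInspectors.Add(new StringParameterInspector());
    }
    public void ApplyClientBehavior(OperationDescription op, ClientOperation client) { }
    public void AddBindingParameters(OperationDescription op, BindingParameterCollection parameters) { }
    public void Validate(OperationDescription op) { }
}

[ServiceContract]
public interface IPersonService
{
    // Every string argument of this operation passes through the inspector first.
    [OperationContract, InspectStrings]
    string GetPersonByName(string name);
}
```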
Review
Windows Communication Foundation
ASP.NET MVC Web API
OWASP
Top Ten project