An introduction to Security Principals and Patterns in Application Architectural Design.

1. Threat Modeling an introduction toSecurity Principals and Patterns in Application Architectural Design Caleb Jenkins Software Ninja | Architecthttp://DevelopingUX.com

2. Threat

3. + Threat Attack

4. or is your world more like this?

10. T.J. Maxx theft believed largest hack ever TJX cos. put number to loss Wednesday, acknowledges it could still go up By Mark Jewell Associated Press March 30, 2007 BOSTON - A hacker or hackers stole data from at least 45.7 million credit and debit cards of shoppers at off-price retailers including T.J. Maxx and Marshalls in a case believed to be the largest such breach of consumer information. Experts say TJX’s disclosures in a regulatory filing late Wednesday revealed security holes that persist at many firms entrusted with consumer data: failure to promptly delete data on customer transactions, and to guard secrets about how such data is protected through encryption.

11. T.J. Maxx theft believed largest hack ever TJX cos. put number to loss Wednesday, acknowledges it could still go up By Mark Jewell Associated Press March 30, 2007 Police charged six people in Florida last week with using credit card numbers that investigators believe were stolen from a TJX database to buy about $1 million in merchandise with gift cards.

12. Assets are the things an attacker wants to take from you Threats are the ways in which the attacker will try to get at your assets Mitigations are the ways you block the attacker from getting the assets Vulnerabilities are unmitigated threats Threat Models are an assessment of the Assets, Threats, Mitigations and Vulnerabilities of the system you are building or have built

13. Assets are more than money… Reputation & Customer Confidence Confidential Data Processor, Storage, Bandwidth Availability Performance

14. Threat Analysis Secure software starts with understanding the threats Threats are not vulnerabilities Threats live forever How will attackers attempt to compromise the system? Asset Mitigation Threat Vulnerability

16. Written by the user in non-technical languageAs an attacker I want to <attack> So that <crime> By <method>

17. Security User Stories As an attacker I want to obtain credentials So that I can plunder bank accounts By tricking users into logging into my bogus site with a Phishing mail

22. Understand Your Attack Surface Networking protocols that are enabled by default Network Endpoints Code that auto-starts or will execute when accessed Examples: Services, daemons, ISAPI filters and applications, SOAP services, and Web roots Reusable components ActiveX controls, COM objects, and .NET Framework assemblies, especially those marked with the AllowParticallyTrustedCallersAttribute) Process identities for all the code you run User accounts installed

23. Reducing Attack Surface TCP/UDP TCP/UDP TCP/UDP Service: Autostart SYSTEM

24. Reducing Attack Surface TCP/UDP TCP/UDP TCP/UDP Service: Autostart SYSTEM Turn off less-used ports

25. Reducing Attack Surface TCP/UDP TCP only Service: Autostart SYSTEM Turn off UDP connections

26. Reducing Attack Surface TCP only Service: Autostart SYSTEM Restrict requests to subnet/IP range

27. Reducing Attack Surface TCP only Service: Autostart SYSTEM Authenticate connections

28. Reducing Attack Surface TCP only Service: Manual NetService Lower privilege Turn feature off

29. Reducing Attack Surface TCP only Service: Manual NetService Everyone (Full Control) Admin (Full Control) Everyone (Read) Service (RW) Harden ACLs on data store

31. Defense In Depth Don’t count on one line of defense for everything What if the attacker penetrates that defense? Contain the damage Example – Nuclear Plants

33. “ Multiple redundant safety systems. Nuclear plants are designed according to a "defense in depth" philosophy that requires redundant, diverse, reliable safety systems. Two or more safety systems perform key functions independently, such that, if one fails, there is always another to back it up, providing continuous protection. - Nuclear Energy Institute “

34. System Failures can be Bad

35. Defense in Depth (MS03-007)Windows Server 2003 Unaffected Microsoft Security Bulletin MS03-007 Unchecked Buffer In Windows Component Could Cause Server Compromise (815021) Originally posted: March 17, 2003 Impact of vulnerability: Run code of attacker's choice Maximum Severity Rating: Critical Affected Software: Microsoft Windows NT 4.0 Microsoft Windows 2000 Microsoft Windows XP Not Affected Software: Microsoft Windows Server 2003

36. The underlying DLL (NTDLL.DLL) not vulnerable Code made more conservative during Security Push Defense in Depth (MS03-007)Windows Server 2003 Unaffected Microsoft Security Bulletin MS03-007 Unchecked Buffer In Windows Component Could Cause Server Compromise (815021) Originally posted: March 17, 2003 Impact of vulnerability: Run code of attacker's choice Maximum Severity Rating: Critical Affected Software: Microsoft Windows NT 4.0 Microsoft Windows 2000 Microsoft Windows XP Not Affected Software: Microsoft Windows Server 2003

37. The underlying DLL (NTDLL.DLL) not vulnerable Code made more conservative during Security Push IIS 6.0 not running by default on Windows Server 2003 Even if it was vulnerable Defense in Depth (MS03-007)Windows Server 2003 Unaffected Microsoft Security Bulletin MS03-007 Unchecked Buffer In Windows Component Could Cause Server Compromise (815021) Originally posted: March 17, 2003 Impact of vulnerability: Run code of attacker's choice Maximum Severity Rating: Critical Affected Software: Microsoft Windows NT 4.0 Microsoft Windows 2000 Microsoft Windows XP Not Affected Software: Microsoft Windows Server 2003

38. The underlying DLL (NTDLL.DLL) not vulnerable Code made more conservative during Security Push IIS 6.0 not running by default on Windows Server 2003 Even if it was vulnerable IIS 6.0 doesn’t have WebDAV enabled by default Even if it was running Defense in Depth (MS03-007)Windows Server 2003 Unaffected Microsoft Security Bulletin MS03-007 Unchecked Buffer In Windows Component Could Cause Server Compromise (815021) Originally posted: March 17, 2003 Impact of vulnerability: Run code of attacker's choice Maximum Severity Rating: Critical Affected Software: Microsoft Windows NT 4.0 Microsoft Windows 2000 Microsoft Windows XP Not Affected Software: Microsoft Windows Server 2003

39. The underlying DLL (NTDLL.DLL) not vulnerable Code made more conservative during Security Push IIS 6.0 not running by default on Windows Server 2003 Even if it was vulnerable IIS 6.0 doesn’t have WebDAV enabled by default Even if it was running Maximum URL length in IIS 6.0 is 16kb by default (>64kb needed) Even if it did have WebDAV enabled Defense in Depth (MS03-007)Windows Server 2003 Unaffected Microsoft Security Bulletin MS03-007 Unchecked Buffer In Windows Component Could Cause Server Compromise (815021) Originally posted: March 17, 2003 Impact of vulnerability: Run code of attacker's choice Maximum Severity Rating: Critical Affected Software: Microsoft Windows NT 4.0 Microsoft Windows 2000 Microsoft Windows XP Not Affected Software: Microsoft Windows Server 2003

40. The underlying DLL (NTDLL.DLL) not vulnerable Even if the buffer was large enough Code made more conservative during Security Push Process halts rather than executes malicious code, due to buffer-overrun detection code (-GS) IIS 6.0 not running by default on Windows Server 2003 Even if it was vulnerable IIS 6.0 doesn’t have WebDAV enabled by default Even if it was running Maximum URL length in IIS 6.0 is 16kb by default (>64kb needed) Even if it did have WebDAV enabled Defense in Depth (MS03-007)Windows Server 2003 Unaffected Microsoft Security Bulletin MS03-007 Unchecked Buffer In Windows Component Could Cause Server Compromise (815021) Originally posted: March 17, 2003 Impact of vulnerability: Run code of attacker's choice Maximum Severity Rating: Critical Affected Software: Microsoft Windows NT 4.0 Microsoft Windows 2000 Microsoft Windows XP Not Affected Software: Microsoft Windows Server 2003

41. The underlying DLL (NTDLL.DLL) not vulnerable Even if the buffer was large enough Code made more conservative during Security Push Process halts rather than executes malicious code, due to buffer-overrun detection code (-GS) IIS 6.0 not running by default on Windows Server 2003 Even if it was vulnerable IIS 6.0 doesn’t have WebDAV enabled by default Even if it was running Maximum URL length in IIS 6.0 is 16kb by default (>64kb needed) Even if it did have WebDAV enabled Even if it there was an exploitable buffer overrun Would have occurred in w3wp.exe which is now running as ‘network service’ Defense in Depth (MS03-007)Windows Server 2003 Unaffected Microsoft Security Bulletin MS03-007 Unchecked Buffer In Windows Component Could Cause Server Compromise (815021) Originally posted: March 17, 2003 Impact of vulnerability: Run code of attacker's choice Maximum Severity Rating: Critical Affected Software: Microsoft Windows NT 4.0 Microsoft Windows 2000 Microsoft Windows XP Not Affected Software: Microsoft Windows Server 2003

44. Use code access security

46. Fail To Secure Mode Function Authenticate(UserID As String, Password As String) Dim Authenticated As Boolean = True Try Dim conn As New SqlConnection(connString) conn.Open() Dim cmd As New SqlCommand("SELECT Count(*) FROM Users …”) Dim count As Integer count = cmd.ExecuteScalar() Authenticated = (count = 1) Catch ex As Exception MessageBox.Show("Error logging in " + ex.Message) End Try Return Authenticated End Function Authenticated As Boolean = True Danger!! Assumes Success

47. Fail To Secure Mode Function Authenticate(UserID As String, Password As String) Dim Authenticated As Boolean = True Try Dim conn As New SqlConnection(connString) conn.Open() Dim cmd As New SqlCommand("SELECT Count(*) FROM Users …”) Dim count As Integer count = cmd.ExecuteScalar() Authenticated = (count = 1) Catch ex As Exception MessageBox.Show("Error logging in " + ex.Message) End Try Return Authenticated End Function Authenticated As Boolean = True Danger!! Assumes Success Authenticated flag may still be true here Catch ex As Exception

49. Try Dim conn As SqlConnection = Nothing Dim results As New DataSet() conn = New SqlConnection("data source=localhost;" _ + "user id=sa;password=password;" + _ "Initial Catalog=SqlInjectionDemo") conn.Open() sqlString = "SELECT HasShipped" + _ " FROM Shipment WHERE ID='" + ID + "'" cmd = New SqlCommand(sqlString, conn) Dim adapter As New SqlDataAdapter(cmd) adapter.Fill(results) Catch se As SqlException Dim status As String status = sqlString + " failed" For Each err As SqlError In se.Errors status = status + err.Message Next MesssageBox.Show(status) End Try Security Code Review

50. Try Dim conn As SqlConnection = Nothing Dim results As New DataSet() conn = New SqlConnection("data source=localhost;" _ + "user id=sa;password=password;" + _ "Initial Catalog=SqlInjectionDemo") conn.Open() sqlString = "SELECT HasShipped" + _ " FROM Shipment WHERE ID='" + ID + "'" cmd = New SqlCommand(sqlString, conn) Dim adapter As New SqlDataAdapter(cmd) adapter.Fill(results) Catch se As SqlException Dim status As String status = sqlString + " failed" For Each err As SqlError In se.Errors status = status + err.Message Next MesssageBox.Show(status) End Try Security Code Review Never connect as SA Don’t Embed Secrets user id=sa password=password Unencrypted & Weak Password

51. Try Dim conn As SqlConnection = Nothing Dim results As New DataSet() conn = New SqlConnection("data source=localhost;" _ + "user id=sa;password=password;" + _ "Initial Catalog=SqlInjectionDemo") conn.Open() sqlString = "SELECT HasShipped" + _ " FROM Shipment WHERE ID='" + ID + "'" cmd = New SqlCommand(sqlString, conn) Dim adapter As New SqlDataAdapter(cmd) adapter.Fill(results) Catch se As SqlException Dim status As String status = sqlString + " failed" For Each err As SqlError In se.Errors status = status + err.Message Next MesssageBox.Show(status) End Try Security Code Review Never connect as SA Don’t Embed Secrets user id=sa password=password Unencrypted & Weak Password WHERE ID='" + ID + "'" Don’t Concatenate arguments

52. Try Dim conn As SqlConnection = Nothing Dim results As New DataSet() conn = New SqlConnection("data source=localhost;" _ + "user id=sa;password=password;" + _ "Initial Catalog=SqlInjectionDemo") conn.Open() sqlString = "SELECT HasShipped" + _ " FROM Shipment WHERE ID='" + ID + "'" cmd = New SqlCommand(sqlString, conn) Dim adapter As New SqlDataAdapter(cmd) adapter.Fill(results) Catch se As SqlException Dim status As String status = sqlString + " failed" For Each err As SqlError In se.Errors status = status + err.Message Next MesssageBox.Show(status) End Try Security Code Review Never connect as SA Don’t Embed Secrets user id=sa password=password Unencrypted & Weak Password WHERE ID='" + ID + "'" Don’t Concatenate arguments Don’t reveal everything to an attacker For Each err As SqlError

53. Why not connect as SA? Violates the principle of least privilege Threat: Code is subject to attacker elevating privilege Mitigation Recommendation Defense in depth Action: Run SQL as Network Service rather than Local System Reduce surface area: eliminate privileges on everything except for the required stored procedures Action: Create stored procedures Least privilege: run as a lesser privileged user when connecting to database Action: Fix the connection string

54. Why not embed secrets? Violates the principle of avoiding security by obscurity Threat: Secrets are easily discovered Mitigation Recommendation Don’t Store Secrets Tip: Use Windows Authentication Encrypt secrets For .NET 1.1 consider Enterprise Library For .NET 2.0 use Enterprise Library or System.Security.Cryptography.ProtectedData For SQL Server 2005 use EncryptByKey / DecryptByKey

55. Storing Secrets Hackers use search engines to locate secrets Search engines will find anything you have hidden

56. Storing Secrets MySQL Data Dumps Config Files on *nix systems

57. Fix Connection String Not good Much Better

58. Never create your own encryption

59. Never create your own encryption

60. Never create your own encryption

62. Enable password policy enforcement on SQL Server

64. Password Policy SQL Server 2005 Management Studio Tool Shown

66. Use parameters with SQL

67. Create stored procedures and grant access only to the stored procedure

68. Consider Table-Valued Functions in SQL 2005

70. Reduce SQL Surface Area

71. Reduce SQL Surface Area If you don’t connect in a sysadmin role the account used by xp_cmdshell will be the one defined by xp_cmdshell_proxy_account which may have reduced privilege

72. Evil Input Attack - Hotmail October 2001 an XSS vulnerability which allowed an attacker to steal a user's Microsoft .NET Passport session cookies. Exploit for this vulnerability consisted of sending a malicious email to a Hotmail user, which contained malformed HTML. The script filtering code in Hotmail's site failed to remove the broken HTML and Internet Explorer's parsing algorithm happily interpreted the malicious code.

74. Set Max Length to 5

75. Use Regular Expressions to permit only what you want

78. discussion: White Listing vs Black Listing Input “Look for valid data and reject everything else” SQL Example: string.Replace(“delete”, “”) “deldeleteete”

79. discussion: White Listing vs Black Listing Input “Look for valid data and reject everything else” SQL Example: string.Replace(“delete”, “”) “deldeleteete” “deldeleteete”

80. discussion: White Listing vs Black Listing Input “Look for valid data and reject everything else” SQL Example: string.Replace(“delete”, “”) “deldeleteete” “deldeleteete” “delete”

81. demo: SQL Injection Sanitizing User Input Select Count(*) From Users Where User Name = ‘’ OR 1+1=2; -- ‘ and password = ‘’

82. demo: SQL Injection Sanitizing User Input

83. Discussion: XSS Sanitizing User Input

86. observe: Security Architectureis a moving target.

87. review

89. Capture your work in a threat model document

90. Investigate threats

91. Track and prioritize vulnerabilities through to mitigation and testing

92. Take advantage of security guidance http://msdn.microsoft.com/securityguidancevuln threat asset

94. exercise: Use the Threat Analysis & Modeling Tool

96. http://msdn.microsoft.com/securityguidance

98. Thank you DevelopingUX.com