2. 本日課程主題
• Part I
• 網際網路安全概觀
• 常見安全漏洞與攻擊
• Part II
• .NET 安全開發 – 常見問題防禦
• .NET 安全開發 – Web From and MVC 補充
• Part III
• IIS 與安全網站開發部屬設定
• MSSQL 安全設定
• Part IV
• 開發與檢測工具介紹
• 安全軟體開發生命週期
11. 了解您的使用者
• 在許多應用程式中,使用者會匿名存取網站 (不需提供認證)。如果是這樣,
應用程式存取資源是在預先定義使用者的內容中執行的。根據預設,這個
內容是本機 ASPNET 使用者 (在 Windows 2000 或 Windows XP 上) 或
在 Web 伺服器電腦上的 NETWORK SERVICE 使用者 (在 Windows
Server 2003 上)。若要限制對已驗證使用者的存取,請遵循以下方針:
• 如果應用程式為內部網路應用程式,將其設定為使用 Windows 整合安全性。這樣
一來,使用者的登入認證就能用來存取資源。如需詳細資訊,請參閱 ASP.NET 模
擬。
• 如果必須向使用者收集認證,使用其中一項 ASP.NET 驗證策略。如需範例,請參
閱使用成員資格管理使用者。
12. 防範惡意使用者輸入
• 通則就是,絕對不要假設從使用者取得的輸入是安全的。惡意使用者輕易
就能從用戶端傳送具有潛在危險性的資訊到您的應用程式。若要防範惡意
的輸入資料,請遵循以下方針:
• 在 ASP.NET Web 網頁中,篩選使用者輸入並檢查內容與其中可能含有指令碼。請
參閱 HOW TO:利用將 HTML 編碼套用至字串的方法,防止會在 Web 應用程式
中發生的指令碼攻擊。
• 絕對不要 echo (顯示) 未篩選的使用者輸入。在顯示未受信任的資訊前,將 HTML
編碼,使具有潛在傷害性的指令碼轉換成顯示字串。
• 請勿將未篩選的使用者輸入存放在資料庫中。
• 如果收到來自使用者的 HTML,用手動方式篩選。在篩選條件中,明確定義您可
以接受的內容。
• 請勿假設您從 HTTP 要求標頭 (在 HttpRequest 物件中) 取得的資訊是安全的
• 不要將機密資訊儲存在瀏覽器可以存取的地方,如隱藏欄位或 Cookie。例如,不
要將密碼儲存在 Cookie 中。
Part I (75 mins)
網際網路安全概觀
常見安全漏洞與攻擊
Part II (165 mins)
.NET 安全開發 – 常見問題防禦
.NET 安全開發 – Web From and MVC 補充(60 min)
Part III(60 mins)
IIS 與安全網站開發部屬設定
MSSQL 安全設定
Part IV(30 mins)
開發與檢測工具介紹
安全軟體開發生命週期
回顧重點(30 mins)
Apply the principle of least privilege to the database account
What does it really need to be able to do?
Always parameterise untrusted data
Never just concatenate query and data
Stored procedures also offer protection via parameterisation
Just remember you can still build an injection risk into them
Always validate untrusted data against a whitelist
Remember type conversion, regexes and known good values
Use ORMs and their native ability to parameterise
They’re also a great time saver
Remember the ease of exploitation by automated tools
Injection consequences can be severe and be easily exploited
Keep session IDs out of the URL (use the more secure cookie default)
Don’t expect anything in the URL to be secure
Make use of the ASP.NET membership provider
It abstracts away all the hard work of managing authentication
Customise your session and forms timeout
Find the right balance between convenient and secure
If possible, disable sliding forms authentication expiration
Consider the potential adverse impact on usability
Remember that broken authentication and session management is a broad risk
Don’t forget the other areas of the Top 10 that can jeopardise this one
Insecure direct object references are ultimately about access control
It always boils back down to insufficient authorisation
Indirect references can be used to conceal internal keys
But they’re never a substitute for access controls
Surrogate keys can assist in obfuscating IDs
Bit it’s still not an access control and has other downsides
CSRF is made possible when a legitimate request is reconstructed into one with malicious intent
The authenticated state of the victim is abused and the browser tricked into issuing the request
The only real mitigation is anti-forgery tokens
Easy in MVC, messier in web forms
Because the request is issued by the victim’s browser, it appears legitimate thus difficult to implement other defences around
Like with XSS, browsers offer some defenses
Also like XSS, don’t rely on them!
Simple configuration changes can introduce serious security risks
Get custom errors and tracing under control
Make sure you have a strategy for keep frameworks current NuGet
makes package management easy
Protect sensitive data in the web.config
Automate the security configuration of the web.config settings
Use config transforms to correctly configure it during deployment
Consider retail mode on the server as a safety net
Cryptographic storage is the last line of defence in a system
It’s what saves us after a risk such as SQL injection is exploited
Password hashing is all about trying to slow the process down in order to increase the time and cost of cracking
It’s not about being 100% secure, it’s about increasing difficulty
Creating higher workloads through approaches such as PBKDF2 and bcrypt is the best defence
Salt is still important, but not as useful as many people think
The problem with encryption remains key management
DPAPI makes it easy to solve this problem (but introduces other problems)
Character rotation and encoding aren’t cryptographic!
Remember Kerckhoffs's principle; are you happy for the enemy to view your implementation?