Subtle Security Flaws: Why you must follow the basic principles of software security (PowerPoint presentation)
Varun Sharma
Application Consulting and Engineering (ACE) Team,
Microsoft India
Agenda
Flaw 1: Custom authentication
Flaw 2: Lack of rule-based authorization
Flaw 3: Black-list input validation
Flaw 4: Improper use of crypto
Flaw 5: Application-layer DoS attack
Flaw 1: Custom authentication
Site implements custom forms authentication
Buggy code
Demo

Principles:
Use well-known, time-tested, system-provided methods for authentication.
Avoid writing custom authentication code.
Flaw 2: Lack of rule-based authorization
Authorization implemented by disabling UI
Rule-based authorization not considered
Demo

Principles:
Do not rely on the UI for authorization.
Disabled buttons are not authorization.
Consider rule-based authorization in your design.
Flaw 3: Black-list input validation
Only a set of bad characters is checked for
Becomes vulnerable in special situations
Demo

Principles:
Validate for valid allowed values (white list).
If white-list validation is not possible:
Encode to prevent XSS
Parameterize to prevent SQL injection
…
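The white-list, encode and parameterize principles above, as an added example that is not part of the presentation; the field rules, the in-memory table and the sample values are constructed for illustration, and the black-list check is included only to contrast the two approaches.

```python
import html
import re
import sqlite3

# Constructed allow-list rules for the booking-form fields on the slides:
# each field accepts only the values it legitimately needs (white list).
WHITELIST = {
    "seat_count": re.compile(r"[1-9]\d?"),               # 1 to 99 seats
    "name": re.compile(r"[A-Za-z][A-Za-z .'-]{0,59}"),   # letters, space, . ' -
    "movie_code": re.compile(r"[A-Z0-9]{3,8}"),
}

# The black-list approach the slides warn about, kept only for contrast:
# a handful of "bad" characters is rejected and everything else is trusted.
BAD_CHARS = set("<>'\";")

def blacklist_ok(value: str) -> bool:
    return not any(ch in BAD_CHARS for ch in value)

def whitelist_ok(field: str, value: str) -> bool:
    """Accept a value only if it fully matches the field's allowed pattern."""
    pattern = WHITELIST.get(field)
    return pattern is not None and pattern.fullmatch(value) is not None

def find_bookings(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver binds `name` as data, never as SQL text."""
    return conn.execute(
        "SELECT movie_code, seats FROM bookings WHERE name = ?", (name,)
    ).fetchall()

def render_greeting(name: str) -> str:
    """Encode free text before placing it in HTML so the browser renders it as text."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the booking site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings (name TEXT, movie_code TEXT, seats INTEGER)")
    conn.executemany("INSERT INTO bookings VALUES (?, ?, ?)",
                     [("O'Brien", "MV101", 2), ("Asha", "MV202", 4)])
    return conn

if __name__ == "__main__":
    conn = demo_db()
    # "O'Brien" is legitimate but fails the black list; "12abc" is not a seat
    # count but passes it. The white list gets both right.
    for field, value in (("name", "O'Brien"), ("seat_count", "12abc")):
        print(value, "blacklist:", blacklist_ok(value),
              "whitelist:", whitelist_ok(field, value))
    print(find_bookings(conn, "O'Brien"))
    print(render_greeting("O'Brien <VIP>"))
```

The apostrophe in a real name is the kind of input a black list turns away, while the parameterized query and output encoding handle it safely without any character filtering.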
Flaw 4: Improper use of crypto
Not knowing what services are provided by which mechanisms
For example, what services do digital signatures provide?
Demo
Demo setup: Product 1's site, Product 2's site and Product 3's site each send a signed XML POST to the central payment site.
Principles:
Know what service each mechanism provides.
Do not implement crypto mechanisms yourself.
Use system-provided methods.
Flaw 5: Application-layer DoS attack
Book movie ticket, screen 1 for User 1
Book movie ticket, screen 2 for User 1
You have 7 minutes left
Enter payment details:
Name:
Credit card number:
Address:
…
Click to Book
Book movie ticket, screen 1 for User 2
Book movie ticket, screen 1 for User 2 after 7 minutes

Principles:
Use CAPTCHA to avoid automated attacks.
Design with security in mind.