
Application Security in .NET

James McKee
September 27, 2016


A surface-level talk given at Prairie.Code() 2016. The talk was designed as an introduction to what ACTUAL hacking looks like on websites.


Transcript

  1. Disclaimer
     • This talk represents my own opinions and views, not the opinions of my employer or their employees.
     • Dave is Cool
     • He didn't ask me to do this.
  2. Who Am I?
     • I have been working as a .NET developer since 2005.
     • Throughout that time I have been focused on developer practices.
     • I have worked for 8 Fortune 500 companies and 3 nationally recognized non-profits in a consulting role.
     • My current role at BlueBolt Solutions is Security Engineer / Enterprise Architect / Solutions Developer.
     • I am around the internet under the handle @punkcoder.
  3. What qualifies me to talk about application security?
     • Nothing really.
     • Graduated from Murray State with a TSM degree focused on Security.
     • More than anything this is a passion.
  4. Quick Polls
     • Have you been the victim of identity theft / stolen credit card?
     • Is this your first security talk?
     • Does your company have a security plan in place?
     • How many people have internal security teams?
     • How many people are testing for security before deployment?
     • How many people are testing for security after deployment?
     • Have you been exposed to a security audit?
     • Have you had your (day, week, month, year) ruined by a security event?
  5. Security Primer
     • Security Triad
       • Confidentiality
       • Integrity
       • Availability
     • If I can own any one of these I (as the bad guy) have succeeded.
     • Security is something that isn't important until it's really important.
  6. OWASP Top 10
     • Injection *
     • Broken Authentication and Session Management *
     • Cross-Site Scripting *
     • Insecure Direct Object References *
     • Security Misconfiguration *
     • Sensitive Data Exposure *
     • Missing Function Level Access Control
     • Cross-Site Request Forgery
     • Using Components with Known Vulnerabilities
     • Unvalidated Redirects and Forwards
  7. General Data Protection Regulation
     • GDPR goes into effect May 25, 2018, and applies to all European businesses as well as businesses that do business in the EU.
     • The following sanctions can be imposed:
       • a warning in writing in cases of first and non-intentional non-compliance
       • regular periodic data protection audits
       • a fine up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater (Article 83, Paragraph 4)
       • a fine up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83, Paragraphs 5 & 6)
  8. Fighting the Tide
     • As with all bugs, the earlier they are detected, the easier they are to solve.
     • This is a problem that is getting worse, and the front line of this war is developers and ops teams.
     • Education is Essential
     • Practice is Prevention
     • Security isn't something that you can bolt on afterwards; it needs to be part of the initial plan.
     • Work with people offering responsible disclosure, address issues quickly and communicate effectively.
  9. Building a Culture of Security Awareness
     • Find coworkers that are interested in security.
     • Get management buy-in.
     • Help train other coworkers to spot things that don't look right and escalate.
     • Plan events around application security awareness.
  10. References and Stuff to Read
     • OWASP Top 10 (2013)
       • http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
     • Writing Secure Code
       • https://www.amazon.com/Writing-Secure-Code-Strategies-Applications/dp/0735617228
     • MSDN: Securing Web Applications
       • https://msdn.microsoft.com/en-us/library/330a99hc.aspx
  11. Stuff to Do
     • Hack This Site
       • https://www.hackthissite.org/pages/index/index.php
     • We Chall
       • https://www.wechall.net/
     • CTF Time
       • https://ctftime.org/
  12. Evals – No Seriously…
     • Feedback is the only way I can improve and the only way that amegala can help to get only the best speakers.
     • http://prairiecode.amegala.com/evals