Security Awareness for .Net Developers
I wanted to share with you what I have learned from MS Tech Ed 2015.
"No language can prevent insecure code, although there are language features which could aid or hinder a security-conscious developer."
-Chris Shiflett
This article gives some tips and tricks on securing applications, understanding security threats, and the tools Microsoft provides to help.
Vulnerabilities & Solutions
What are Vulnerabilities?
A vulnerability is a weakness in software that an attacker can exploit; in the worst case it allows an unauthenticated, remote attacker to execute arbitrary code. The talk covered three classes that .NET developers meet in practice: regular-expression denial of service (ReDoS), unsafe loading of external binaries, and web server configuration flaws.
RegEx vulnerability
- RegEx - Regular Expressions provide a concise and flexible means of identifying strings. They are widely used in text validation, search engines and especially in security-related applications, tools and libraries.
- ReDoS - Regular expression Denial of Service is a denial-of-service attack that exploits the fact that most regular expression implementations, including the backtracking engine in .NET, can hit inputs that make them run extremely slowly. An attacker who controls the input can push a program into one of these cases and make it hang for a very long time.
- The attack against a web application is to find inputs that the application's regexes cannot match but that force the engine to try an exponential number of ways to fail. Patterns with nested or overlapping quantifiers, such as (a+)+ or (\w+\s?)*, are the typical culprits; a single request carrying such an input ties up a worker thread's CPU, and a handful of requests can take the site down.
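The following is an added example, not code from the talk or from this post: it runs the classic vulnerable pattern against a constructed hostile input and shows the two defences a .NET developer has, the Regex match timeout introduced in .NET 4.5 and a rewrite of the pattern without overlapping quantifiers. The 200 ms timeout and the 30-character input are assumptions chosen to make the difference obvious.

```csharp
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

// Added example (not from the talk or the original post): a pattern with nested
// quantifiers that backtracks catastrophically on a constructed hostile input,
// and the two defences available to a .NET developer.
class ReDoSDemo
{
    // VULNERABLE: (\w+\s?)* can split a run of word characters into "words" in
    // exponentially many ways, and on a non-matching input the backtracking
    // engine tries every one of them before giving up.
    public const string Vulnerable = @"^(\w+\s?)*$";

    // HARDENED: same intent (words separated by single spaces) with no overlapping
    // quantifiers, so each character is consumed exactly one way: linear time.
    public const string Hardened = @"^\w+( \w+)*$";

    // Constructed hostile input: 30 word characters and then one character that can
    // never match, so the vulnerable pattern must exhaust ~2^30 splits before failing.
    public static string HostileInput() => new string('a', 30) + "!";

    // Runs one match under a timeout and reports what happened instead of hanging.
    public static string TimedMatch(string label, Regex re, string input)
    {
        var sw = Stopwatch.StartNew();
        try
        {
            bool ok = re.IsMatch(input);
            return $"{label}: match={ok} in {sw.ElapsedMilliseconds} ms";
        }
        catch (RegexMatchTimeoutException)
        {
            // Defence 1: the match timeout (.NET 4.5+) turns a CPU-burning hang into a
            // fast, catchable failure; the request is rejected, the server keeps serving.
            return $"{label}: timed out after {sw.ElapsedMilliseconds} ms, input rejected";
        }
    }

    static void Main()
    {
        var timeout = TimeSpan.FromMilliseconds(200);   // assumed per-match budget
        var vulnerable = new Regex(Vulnerable, RegexOptions.None, timeout);
        var hardened   = new Regex(Hardened,   RegexOptions.None, timeout);

        Console.WriteLine(TimedMatch("vulnerable pattern", vulnerable, HostileInput()));
        // Defence 2: rewrite the pattern; the same hostile input now fails immediately.
        Console.WriteLine(TimedMatch("hardened pattern  ", hardened, HostileInput()));
        Console.WriteLine(TimedMatch("hardened pattern  ", hardened, "hello world from tech ed"));
    }
}
```

The static helpers (Regex.IsMatch, Regex.Match, Regex.Replace) also accept a matchTimeout argument, and a process-wide default can be set with AppDomain.CurrentDomain.SetData("REGEX_DEFAULT_MATCH_TIMEOUT", TimeSpan) before the first Regex is constructed. On .NET 7 and later, RegexOptions.NonBacktracking selects an engine whose running time is linear in the input for every pattern it supports, which removes the problem rather than bounding it.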
External Binaries vulnerability
- The affected software does not properly restrict the path from which it loads external binaries (DLLs or executables). Windows resolves a bare file name through a search order that can include the current working directory, so an attacker who can drop a file with the expected name into a directory that is searched first gets it loaded and executed with the application's privileges. This is commonly called DLL hijacking or binary planting.
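As an added example that is not from the talk or the original post, the following shows the weak bare-name load beside the hardened approach in a .NET process: restricting the process-wide DLL search path with SetDefaultDllDirectories, requesting system DLLs from System32 only, and loading your own native helpers by full path. The Win32 flag values are the documented constants; version.dll is a real Windows system DLL used only to show where the load resolves. SetDefaultDllDirectories requires Windows 8 or Windows 7 with KB2533623.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;

// Added example (not from the talk or the original post): restricting where a .NET
// process lets Windows look when it loads native DLLs, so a DLL planted in the
// current directory or another searched location is never picked up.
static class SafeNativeLoading
{
    // Documented Win32 flags for SetDefaultDllDirectories / LoadLibraryEx.
    const uint LOAD_LIBRARY_SEARCH_SYSTEM32     = 0x00000800;
    const uint LOAD_LIBRARY_SEARCH_DEFAULT_DIRS = 0x00001000; // app dir + System32 + AddDllDirectory dirs

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool SetDefaultDllDirectories(uint directoryFlags);

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern IntPtr LoadLibraryEx(string lpFileName, IntPtr hFile, uint dwFlags);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool FreeLibrary(IntPtr hModule);

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern uint GetModuleFileName(IntPtr hModule, StringBuilder lpFilename, uint nSize);

    // WEAK: a bare file name goes through the default DLL search order, which can
    // include the current working directory. Whatever "helper.dll" is found first wins.
    public static IntPtr LoadWeak(string bareName) => LoadLibraryEx(bareName, IntPtr.Zero, 0);

    // HARDENED, step 1: once at startup, shrink the process-wide default search path
    // to the application directory, %SystemRoot%\System32 and directories added
    // explicitly with AddDllDirectory. Later loads without flags use this path too.
    public static void LockDownSearchPath()
    {
        if (!SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS))
            throw new Win32Exception(Marshal.GetLastWin32Error());
    }

    // HARDENED, step 2: system DLLs are requested from System32 only.
    public static IntPtr LoadSystemDll(string bareName) =>
        LoadLibraryEx(bareName, IntPtr.Zero, LOAD_LIBRARY_SEARCH_SYSTEM32);

    // HARDENED, step 3: your own native helpers are loaded by full path, never by search.
    public static IntPtr LoadOwnHelper(string fileName) =>
        LoadLibraryEx(Path.Combine(AppDomain.CurrentDomain.BaseDirectory, fileName), IntPtr.Zero, 0);

    // Where did a loaded module actually come from? Useful as a runtime self-check.
    public static string ResolvedPath(IntPtr module)
    {
        var sb = new StringBuilder(1024);
        uint len = GetModuleFileName(module, sb, (uint)sb.Capacity);
        return len == 0 ? "<unknown>" : sb.ToString();
    }

    static void Main()
    {
        LockDownSearchPath();
        // version.dll is a real Windows system DLL; used here only to show where it resolves.
        IntPtr h = LoadSystemDll("version.dll");
        if (h == IntPtr.Zero)
            throw new Win32Exception(Marshal.GetLastWin32Error());
        Console.WriteLine($"version.dll resolved to: {ResolvedPath(h)}");
        FreeLibrary(h);
    }
}
```

The same rule applies to starting processes: Process.Start("cmd.exe") relies on the search path, so pass a full path such as Path.Combine(Environment.SystemDirectory, "cmd.exe") instead.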
Web Server vulnerability
- Attacks on specific web server configuration files can let an attacker run arbitrary, system-level code on the vulnerable server and retrieve any information stored on it. Coding errors in how the server handles these files are what lead to this vulnerability.
How does Microsoft help to solve this?
BinScope
- BinScope Binary Analyzer helps detect potential vulnerabilities that can be introduced into binary files. Its checks examine application binaries for coding and build practices that can make the application vulnerable to attack or usable as an exploit vector, for example binaries built without stack cookies (/GS), DEP (/NXCOMPAT) or ASLR (/DYNAMICBASE).
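To make the header-level part of such a check concrete, here is an added example that is not BinScope's own code and not from the talk: it parses the PE optional header of a binary and reports the DEP, ASLR, high-entropy ASLR, NO_SEH and Control Flow Guard flags. The offsets and flag values are from the PE/COFF specification; kernel32.dll is used as a default target only because it exists on every Windows install. Checks that need more than the header, such as /GS or the SafeSEH handler table, are outside this example.

```csharp
using System;
using System.IO;

// Added example, not from the talk and not BinScope's own code: read the
// DllCharacteristics field of a PE file and report the header-level build
// mitigations that binary analysis tools such as BinScope look for.
static class PeMitigationCheck
{
    // IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification.
    const ushort HIGH_ENTROPY_VA = 0x0020; // 64-bit ASLR with high entropy (/HIGHENTROPYVA)
    const ushort DYNAMIC_BASE    = 0x0040; // ASLR (/DYNAMICBASE)
    const ushort NX_COMPAT       = 0x0100; // DEP (/NXCOMPAT)
    const ushort NO_SEH          = 0x0400; // image contains no structured exception handlers
    const ushort GUARD_CF        = 0x4000; // Control Flow Guard (/guard:cf)

    public sealed class Result
    {
        public bool Is64Bit, Aslr, HighEntropyAslr, Dep, NoSeh, Cfg;
        public ushort RawFlags;
    }

    public static Result Inspect(string path)
    {
        byte[] f = File.ReadAllBytes(path);

        // DOS header: "MZ" magic, e_lfanew (offset of the PE signature) at 0x3C.
        if (f.Length < 0x40 || f[0] != (byte)'M' || f[1] != (byte)'Z')
            throw new BadImageFormatException("not an MZ executable", path);
        int pe = BitConverter.ToInt32(f, 0x3C);

        // PE signature "PE\0\0" (0x00004550 little-endian), then the 20-byte COFF header,
        // then the optional header. DllCharacteristics sits at optional header offset 0x46
        // in both PE32 (magic 0x10B) and PE32+ (magic 0x20B).
        int opt = pe + 4 + 20;
        if (pe < 0 || opt + 0x48 > f.Length || BitConverter.ToUInt32(f, pe) != 0x00004550)
            throw new BadImageFormatException("missing or truncated PE header", path);

        ushort magic    = BitConverter.ToUInt16(f, opt);
        ushort dllChars = BitConverter.ToUInt16(f, opt + 0x46);

        return new Result
        {
            Is64Bit         = magic == 0x20B,
            Aslr            = (dllChars & DYNAMIC_BASE) != 0,
            HighEntropyAslr = (dllChars & HIGH_ENTROPY_VA) != 0,
            Dep             = (dllChars & NX_COMPAT) != 0,
            NoSeh           = (dllChars & NO_SEH) != 0,
            Cfg             = (dllChars & GUARD_CF) != 0,
            RawFlags        = dllChars,
        };
    }

    static void Main(string[] args)
    {
        // Default target: a system DLL that exists on every Windows install.
        string path = args.Length > 0 ? args[0]
                    : Path.Combine(Environment.SystemDirectory, "kernel32.dll");
        Result r = Inspect(path);
        Console.WriteLine($"{path}  (DllCharacteristics = 0x{r.RawFlags:X4})");
        Console.WriteLine($"  PE32+ (64-bit)        : {r.Is64Bit}");
        Console.WriteLine($"  ASLR  (/DYNAMICBASE)  : {r.Aslr}");
        Console.WriteLine($"  High-entropy ASLR     : {r.HighEntropyAslr}");
        Console.WriteLine($"  DEP   (/NXCOMPAT)     : {r.Dep}");
        Console.WriteLine($"  NO_SEH                : {r.NoSeh}");
        Console.WriteLine($"  Control Flow Guard    : {r.Cfg}");
    }
}
```

Run it against your own build output as well as against system binaries: a managed assembly produced by csc has DEP and ASLR set by default, but native components shipped alongside it may not, and those are exactly the files a tool like BinScope is meant to catch before release.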
Attack Surface Analyzer
- This tool helps software developers, Independent Software Vendors (ISVs) and IT professionals understand how a Windows system's attack surface changes when a new application is installed. It compares a baseline snapshot of the OS taken before the installation with one taken after it and reports the differences, so you can see what your installer really added or changed.
Unsecured transport & Solutions
Why secure the transport channel?
- Packets that cross the network in clear text can be read by anyone on the path, so there is a real risk of the data being intercepted or tampered with; a tool such as Wireshark captures them trivially. For an online business, creating a trusted, secure environment in which customers can purchase with confidence is essential.
How does Microsoft help to solve this?
- The Secure Sockets Layer (SSL) is a networking protocol that provides server authentication, optional client authentication and encrypted communication between servers and clients. SSL uses a combination of public-key and symmetric-key cryptography to secure a connection between two machines, typically a web or mail server and a client, communicating over the Internet or an internal network. Its successor is Transport Layer Security (TLS); SSL 2.0 and 3.0 and TLS 1.0 and 1.1 are deprecated, so when people say "SSL" today they should mean TLS 1.2 or later. Note that the encryption alone is worthless if the client does not verify the server's certificate, because an attacker on the path can then present their own certificate and decrypt everything.
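As an added example that is not from the talk or the original post, the following opens a TLS connection from .NET with SslStream, pins the protocol to TLS 1.2, and reports what was actually negotiated, so a developer can see the difference between "encrypted" and "authenticated". The weak certificate callback is shown beside the strict one because accepting every certificate is the most common way .NET code silently loses server authentication. The host name www.microsoft.com is an assumed default and the program needs network access.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the talk or the original post): opening a TLS channel from
// .NET and checking that it is both encrypted AND authenticated. The host name is an
// assumption; pass your own as the first argument.
static class TlsProbe
{
    // WEAK: the "fix" for certificate errors found in many code bases. Encryption still
    // happens, but every certificate is accepted, so an attacker on the path can present
    // any certificate and read or modify the traffic. Never ship this.
    static bool AcceptAnything(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
        => true;

    // HARDENED: keep the platform's chain and host-name validation and refuse on any
    // error. Logging the reason makes real misconfigurations (expired cert, wrong name)
    // diagnosable without weakening the check.
    static bool StrictValidation(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        Console.WriteLine($"certificate rejected: {errors}");
        return false;
    }

    // For code that still uses HttpWebRequest/WebClient: set the protocol floor once at
    // startup. SSL 3.0 and TLS 1.0/1.1 are deprecated; TLS 1.2 is the minimum.
    public static void HardenLegacyHttpStack()
    {
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        ServicePointManager.ServerCertificateValidationCallback = StrictValidation;
    }

    public static void Probe(string host, bool strict)
    {
        RemoteCertificateValidationCallback check =
            strict ? (RemoteCertificateValidationCallback)StrictValidation : AcceptAnything;

        using (var tcp = new TcpClient(host, 443))
        using (var tls = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false, check))
        {
            // Offer TLS 1.2 only and ask for revocation checking of the server chain.
            tls.AuthenticateAsClient(host, null, SslProtocols.Tls12, checkCertificateRevocation: true);
            var cert = new X509Certificate2(tls.RemoteCertificate);
            Console.WriteLine($"protocol      : {tls.SslProtocol}");
            Console.WriteLine($"cipher        : {tls.CipherAlgorithm} ({tls.CipherStrength} bit), key exchange {tls.KeyExchangeAlgorithm}");
            Console.WriteLine($"encrypted     : {tls.IsEncrypted}, authenticated: {tls.IsAuthenticated}, signed: {tls.IsSigned}");
            Console.WriteLine($"server cert   : {cert.Subject}, issued by {cert.Issuer}, expires {cert.NotAfter:u}");
        }
    }

    static void Main(string[] args)
    {
        HardenLegacyHttpStack();
        string host = args.Length > 0 ? args[0] : "www.microsoft.com"; // assumed default host
        Probe(host, strict: true);
    }
}
```

Swapping strict: true for strict: false still prints "authenticated: True", because the callback itself is what told the stack to trust the peer; that is exactly why a return-true callback is dangerous, nothing downstream can tell the difference. Search your code base for ServerCertificateValidationCallback and for any callback that ignores its SslPolicyErrors argument.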
Obfuscation & Solutions
What is Obfuscation?
- Obfuscation makes code harder to understand or read. Compiled .NET assemblies carry IL and rich metadata that decompile almost back to the original source, so code is often obfuscated to raise the cost of reverse engineering. Deobfuscation techniques, such as program slicing, are sometimes employed to reverse it, so obfuscation slows an attacker down rather than stopping one; it is not a substitute for keeping secrets such as keys and passwords out of client-side assemblies.
What else do obfuscators do?
- Compress managed resources to reduce the size of the assembly.
- Merge dependencies into the main assembly, so you do not have to load lots of DLL files and so that the dependencies can be obfuscated as well.
- Compress and embed dependencies into the main assembly, simplifying deployment and reducing the size of the program.
- Remove unused code to make the .NET assembly smaller.
Finally, I hope this helps you to understand application vulnerabilities and practice the Security Development Lifecycle (SDL).
Special thanks to MVP Walter Wong.
References:
MS Tech Ed 2015 - Dev325: Security Awareness for .Net Developers by MVP Walter Wong
B' happiiiiiii always..............!