Tuesday, February 17, 2015

Are u Aware of Security?

Security Awareness for .Net Developers

I wanted to share with you what I learned from MS Tech Ed 2015.

"No language can prevent insecure code, although there are language features which could aid or hinder a security-conscious developer."

- Chris Shiflett


This article gives some tips and tricks on securing applications, understanding security threats, and the tools that help with both.


Vulnerabilities & Solution


What are Vulnerabilities?


A vulnerability is a flaw in software that an attacker can exploit; in the worst case it lets an unauthenticated, remote attacker execute arbitrary code. The talk used three examples: regular expressions, loading of external binaries, and web server configuration.


  • RegEx vulnerability

    • RegEx - Regular expressions provide a concise and flexible means of identifying strings. They are widely used in text validation, search engines and especially in security-related applications, tools and libraries.

    • ReDoS - Regular expression Denial of Service is a denial-of-service attack that exploits the fact that most regular expression implementations (backtracking engines, including .NET's System.Text.RegularExpressions) can be driven into extreme situations in which they run very slowly. An attacker who controls the input can push a program using such a regex into one of these situations and make it hang for a very long time.

    • A ReDoS attack on the web works by finding inputs that the vulnerable regex fails to match only after exhaustive backtracking (typically an almost-matching string followed by one character that breaks the match); a regex-based web system fed such input gets stuck. Patterns with nested quantifiers, such as (a+)+, or alternations with overlapping branches are the usual culprits.

  • External Binaries vulnerability
    • Caused by the affected software not properly restricting the path from which it loads external binaries (DLLs or executables). If the name is searched for in directories an attacker can write to, such as the current working directory or a user-writable entry on %PATH%, a planted binary with the expected name is loaded and runs with the application's privileges (DLL preloading, also called binary planting).
  • Web Server vulnerability
    • An attack on specific web server configuration files that allows an attacker to run arbitrary, system-level code on the vulnerable server and retrieve any information stored there (such as the credentials and keys these files typically hold). Improper coding, not the configuration format itself, is what leads to this vulnerability.
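The ReDoS bullet above is easier to grasp with the pattern, the crafted input and the .NET countermeasures side by side. The following is an added example written for this page, not code from the TechEd session: the classic nested-quantifier pattern `^(a+)+$`, a constructed attack input, and a `Validate` helper that does what a web handler should do (bound the input length, then match with the `matchTimeout` the `Regex` constructor has accepted since .NET Framework 4.5). The name `Validate`, the 64-character limit and the 100 ms budget are assumptions for illustration.

```csharp
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

// Added example for this page, not from the talk.
class ReDoSDemo
{
    // Vulnerable: nested quantifiers over the same character. On input that
    // almost matches, a backtracking engine tries every way of splitting the
    // run of 'a' between the inner and outer '+', so time grows roughly 2^n.
    static readonly Regex Vulnerable = new Regex(@"^(a+)+$");

    // Mitigation 1: same pattern, but the engine throws RegexMatchTimeoutException
    // after 100 ms (assumed budget) instead of tying up the worker thread.
    static readonly Regex WithTimeout =
        new Regex(@"^(a+)+$", RegexOptions.None, TimeSpan.FromMilliseconds(100));

    // Mitigation 2: an equivalent pattern with no nested quantifier.
    // (a+)+ accepts exactly the same strings as a+, which backtracks linearly.
    static readonly Regex Linear = new Regex(@"^a+$");

    // Assumed limit: reject oversized input before any regex sees it.
    const int MaxInputLength = 64;

    // Constructed attack input: a run of 'a' followed by one character that makes
    // the whole match fail, which is what forces the engine to explore every split.
    static string AttackInput(int n) => new string('a', n) + "!";

    // What a request handler should do: length check first, then a timed match,
    // treating a timeout as a rejection (and as an attack signal worth logging).
    public static string Validate(string input)
    {
        if (input.Length > MaxInputLength) return "rejected: too long";
        try
        {
            return WithTimeout.IsMatch(input) ? "valid" : "invalid";
        }
        catch (RegexMatchTimeoutException)
        {
            return "rejected: regex timeout (possible ReDoS attempt)";
        }
    }

    // Times one IsMatch call; used only to show the difference between patterns.
    static (bool matched, long elapsedMs) Time(Regex re, string input)
    {
        var sw = Stopwatch.StartNew();
        bool m = re.IsMatch(input);
        return (m, sw.ElapsedMilliseconds);
    }

    static void Main()
    {
        Console.WriteLine(Validate("aaaa"));                    // valid
        Console.WriteLine(Validate(new string('a', 1000)));     // rejected: too long
        Console.WriteLine(Validate(AttackInput(30)));           // timeout on a backtracking engine

        // Same input, linear pattern: finishes immediately.
        var lin = Time(Linear, AttackInput(30));
        Console.WriteLine($"linear:     matched={lin.matched} in {lin.elapsedMs} ms");

        // Unguarded pattern on a shorter input; each extra 'a' roughly doubles the time,
        // so keep n small when trying this on a backtracking engine.
        var vul = Time(Vulnerable, AttackInput(22));
        Console.WriteLine($"vulnerable: matched={vul.matched} in {vul.elapsedMs} ms");
    }
}
```

Two practical notes. A process-wide default can be set once at startup with `AppDomain.CurrentDomain.SetData("REGEX_DEFAULT_MATCH_TIMEOUT", TimeSpan.FromSeconds(2))`, which covers regexes constructed without an explicit timeout. Newer runtimes (.NET 5 and later) contain backtracking optimisations that can reduce the blow-up for this exact pattern, so measure on the runtime you ship; the timeout protects you regardless, and on .NET 7 and later `RegexOptions.NonBacktracking` removes the problem entirely for the constructs it supports.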
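For the external-binaries bullet, the check a .NET developer can actually apply is in how a native library is located before it is loaded. The block below is an added example for this page, not code from the talk: the insecure call that hands Windows a bare file name and lets the DLL search order decide, next to a hardened loader that restricts the process-wide search path with `SetDefaultDllDirectories`, resolves the library to an absolute path under the application directory, and refuses names that escape it. It assumes Windows 8 or later (or Windows 7 with update KB2533623, which introduced `SetDefaultDllDirectories`); the DLL name `native.dll` is a placeholder.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;

// Added example for this page, not from the talk.
static class SafeNativeLoader
{
    // Search-path flags from libloaderapi.h.
    const uint LOAD_LIBRARY_SEARCH_APPLICATION_DIR = 0x00000200;
    const uint LOAD_LIBRARY_SEARCH_SYSTEM32        = 0x00000800;
    const uint LOAD_LIBRARY_SEARCH_DEFAULT_DIRS    = 0x00001000;

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool SetDefaultDllDirectories(uint directoryFlags);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr LoadLibraryEx(string lpFileName, IntPtr hFile, uint dwFlags);

    // Vulnerable pattern: a bare name. Windows walks its DLL search order, which
    // (depending on SafeDllSearchMode) includes the current directory and %PATH%,
    // so an attacker who can write to any of those directories gets their DLL loaded.
    public static IntPtr LoadUnsafe(string dllName) =>
        LoadLibraryEx(dllName, IntPtr.Zero, 0);

    // Call once at startup, before any other native load: removes the current
    // directory and %PATH% from the default search order for the whole process,
    // leaving the application directory, System32 and any AddDllDirectory entries.
    public static void HardenSearchPath()
    {
        if (!SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS))
            throw new InvalidOperationException(
                "SetDefaultDllDirectories failed, error " + Marshal.GetLastWin32Error());
    }

    // Hardened pattern: build an absolute path under the application directory,
    // reject anything that escapes it (absolute paths, "..\" segments), and load
    // with flags so the DLL's own dependencies resolve only from the application
    // directory and System32.
    public static IntPtr LoadHardened(string dllName)
    {
        string baseDir = AppDomain.CurrentDomain.BaseDirectory;
        string full = Path.GetFullPath(Path.Combine(baseDir, dllName));
        if (!full.StartsWith(baseDir, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("DLL path escapes the application directory: " + dllName);

        IntPtr h = LoadLibraryEx(full, IntPtr.Zero,
            LOAD_LIBRARY_SEARCH_APPLICATION_DIR | LOAD_LIBRARY_SEARCH_SYSTEM32);
        if (h == IntPtr.Zero)
            throw new DllNotFoundException(full + " (error " + Marshal.GetLastWin32Error() + ")");
        return h;
    }

    static void Main()
    {
        HardenSearchPath();
        try
        {
            LoadHardened("native.dll");        // placeholder name
            Console.WriteLine("loaded from the application directory");
        }
        catch (Exception e)
        {
            Console.WriteLine(e.Message);
        }
        // Rejected before any load is attempted:
        try { LoadHardened(@"..\..\Temp\native.dll"); }
        catch (ArgumentException e) { Console.WriteLine(e.Message); }
    }
}
```

The same rule applies to `[DllImport]` attributes and to `Process.Start`: name the binary by an absolute path you control, never by a bare name that the loader or the shell has to search for.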

How does MS help to solve it?

  • BinScope Binary Analyzer
    • helps detect potential vulnerabilities that can be introduced into binary files. Its tests examine application binaries to identify coding and build practices that can render the application vulnerable to attack or usable as an exploit vector, for example missing compiler and linker protections such as /GS (stack cookies), /SafeSEH, /NXCOMPAT (DEP) and /DYNAMICBASE (ASLR), or managed assemblies that are not strong-name signed.

  • Attack Surface Analyzer
    • helps software developers, Independent Software Vendors (ISVs) and IT professionals understand the changes in a Windows system's attack surface that result from installing a new application. It takes a baseline snapshot of the OS before the install and a product snapshot after it, then reports the differences: new files, registry keys, services, listening ports, ACL changes and similar.



Unsecured Transport & Solutions



Why secure the transport channel?
  • Packets crossing a network in clear text can be read by anyone on the path; a tool such as Wireshark captures them, credentials and session tokens included. For an online business, creating a trusted, secure environment in which customers can purchase with confidence is essential.

How does MS help to solve it?
  • The Secure Sockets Layer (SSL) is a networking protocol that provides server authentication, optional client authentication and encrypted communication between servers and clients. SSL uses a combination of public-key and symmetric-key encryption to secure a connection between two machines, typically a web or mail server and a client, communicating over the Internet or an internal network. In practice "SSL" today means its successor TLS: SSL 2.0 and 3.0 are broken (POODLE, 2014) and should be disabled on both server and client, and the certificate the server presents must actually be validated, otherwise the channel is encrypted but not authenticated.
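What "use SSL" should look like in .NET client code is worth spelling out, because the most common mistake is not forgetting encryption but switching off the server authentication the paragraph above describes. The following is an added example for this page, not code from the talk, targeting .NET Framework 4.5 and later (on .NET Core the equivalent hook is `HttpClientHandler.ServerCertificateCustomValidationCallback`). It shows the validation-disabling anti-pattern next to a hardened configuration that selects TLS 1.2 and keeps chain validation, with an optional thumbprint pin. The `https://example.com/` URL and the `null` pin passed in `Main` are assumptions so the sample runs against a public host.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example for this page, not from the talk.
class SecureTransport
{
    // Anti-pattern found in many .NET code bases: accept every certificate to make
    // a test environment work. Traffic is still encrypted, but any man-in-the-middle
    // can present their own certificate, so the server is no longer authenticated.
    static void DisableValidationDoNotDoThis()
    {
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, cert, chain, errors) => true;
    }

    // Hardened configuration:
    //  1. Offer only TLS 1.2 (SSL 3.0 and TLS 1.0 are simply not selected).
    //  2. Keep the platform's chain, name and revocation checks, and optionally pin
    //     the expected leaf certificate by SHA-1 thumbprint (null = no pin).
    static void ConfigureHardened(string expectedThumbprint)
    {
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, cert, chain, errors) =>
                ValidateServerCertificate(cert, errors, expectedThumbprint);
    }

    // True only if the platform validation reported no errors and, when a pin is
    // configured, the leaf certificate is the one we expect. Any SslPolicyErrors
    // value other than None (untrusted root, name mismatch, expired) is a hard fail.
    public static bool ValidateServerCertificate(
        X509Certificate cert, SslPolicyErrors errors, string expectedThumbprint)
    {
        if (cert == null || errors != SslPolicyErrors.None)
            return false;
        if (expectedThumbprint == null)
            return true;
        var leaf = new X509Certificate2(cert);
        return string.Equals(leaf.Thumbprint, expectedThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        // Assumed: no pin, so the call succeeds against any host with a valid chain.
        // To pin, pass the server certificate's 40-hex-character thumbprint instead.
        ConfigureHardened(null);

        using (var client = new HttpClient())
        {
            // Over http:// none of the above applies and everything is readable on the
            // wire, which is exactly what Wireshark shows; always use https:// for
            // anything sensitive.
            var response = client.GetAsync("https://example.com/").GetAwaiter().GetResult();
            Console.WriteLine("status " + (int)response.StatusCode);
        }
    }
}
```

On .NET Framework 4.7 and later Microsoft's guidance is to leave `SecurityProtocol` at `SystemDefault` so the operating system negotiates the newest protocol it supports; hard-coding `Tls12` as above is the right move when you must run on older frameworks whose default still includes SSL 3.0. Either way, the validation callback must return `false` on any `SslPolicyErrors` value other than `None`.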


Obfuscation & Solutions

What is Obfuscation?
  • Obfuscation makes code harder to understand or read. .NET assemblies compile to IL that carries names, types and metadata, so a decompiler recovers something close to the original source; code is often obfuscated to raise the cost of that reverse engineering. Deobfuscation techniques, such as program slicing, are sometimes employed to undo it, so obfuscation slows an attacker down but is not a security boundary: secrets such as keys, passwords and licence checks must not rely on it.

What is the use of Obfuscators?
  • Beyond renaming and control-flow obfuscation, a typical .NET obfuscator compresses managed resources to reduce the size of the assembly; merges dependent DLLs into the main assembly, so that fewer files need to be loaded and the dependencies can be obfuscated too; compresses and embeds those dependencies, simplifying deployment and reducing the size of the program; and removes unused code to make the .NET assembly smaller.

Finally, I hope this helps you understand application vulnerabilities and practice the SDL (Security Development Lifecycle).

Special thanks to MVP Walter Wong.

References:

MS Tech Ed 2015 - Dev325: Security Awareness for .Net Developers by MVP Walter Wong

B' happiiiiiii always..............!

2 comments:

  1. Well, very good day to you...
    It is a valuable article indeed, but yet not fulfilling the things... You've mentioned in the article that one can use SSL or TLS as well as obfuscation for code protection and application protection... For us, SSL-enabled TLS/SET can be penetrated in less than 10 minutes, and encrypted (obfuscated/compressed) code can be deobfuscated/decrypted in any manner as well. Even we can defeat Armadillo, VM Code Protection, CopyMem, IsDebuggerPresent(), ASLR, DEP etc... Especially, managed code/.NET code disassembly with IDA Pro or Immunity Debugger is a piece of cake for reverse engineers.... small contribution from me....

    Need more info - contact me over - sameera@hackimpact.com

    Cheers and Adios
    Sameera

    Dr. Sameera de Alwis

    CEO/Snr. InfoSec/Cyber Defense, Digital Forensics and Cyber Law Consultant.
    HackImpact International INC/LLC,
    Tel-Aviv - Israel and Colombo - Sri Lanka.

    Snr. Computer, Cyber and Digital Forensics Consultant and Senior Lecturer.
    CID (Criminal Investigation Department),
    Department of Police,
    Colombo - Sri Lanka.

    Snr. InfoSec/CyberSec Consultant (Military/Intelligence).
    Command Base (II) (CyberSec Remote/Online Command & Control (Intel.) Division),
    Digital Cyber Defense Sector [IV],
    Level - 5 Security Cleared - Base (II),
    Tel-Aviv - Israel.

    LinkedIn: http://lnkd.in/brzUWrt

    POSTED WITH (HARD-HOST): BlackBerry 10 SmartPhone.
    CARRIER: Dialog Sri Lanka 4G LTE

  2. Thank you very much, sir, for your valuable response.
