Tips and Tricks To Secure .Net Web Application - OWASP · 2020-01-17
Tips and Tricks To Secure .Net Web Application
Walter Wong
Gain Secure
MVP – Developer Security
walterwws.wordpress.com
Security Updates Operation Malaysia http://world.yes.my/?id=511&q=ytlc
Agenda
• Introduction to ASP.Net – Security Perspective
• Securing Layers Architecture
• Secure Deployment Environment
• .Net Obfuscation
Introduction to ASP.Net – Security Perspective
• Prevents XSS input by default (request validation)
• Tools to verify the security level of the application
• Prevents buffer overruns by default (managed code)
• Application behavior is configured via web.config
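The web.config settings behind these bullets, as an added example that is not from the talk: a constructed ASP.NET 4.5 configuration that keeps request validation on for every request, bounds request size, and hardens error pages, cookies and headers. Request validation is a default safety net against reflected markup, not a substitute for output encoding in page code.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example web.config (not the presenter's): security-relevant
     settings for an ASP.NET 4.5 web application. -->
<configuration>
  <system.web>
    <!-- Never ship with debug="true": error pages then show source lines -->
    <compilation debug="false" targetFramework="4.5" />
    <!-- Stack traces stay on the server; remote users see a generic page -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error" />
    <!-- requestValidationMode="4.5" applies request validation to all
         requests, not only to page postbacks; maxRequestLength is in KB
         and bounds the request body size IIS will accept for this app -->
    <httpRuntime targetFramework="4.5" requestValidationMode="4.5"
                 enableVersionHeader="false" maxRequestLength="4096" />
    <!-- Reject "<script"-style input and keep ViewState tamper-proof -->
    <pages validateRequest="true" enableViewStateMac="true"
           viewStateEncryptionMode="Always" />
    <!-- Cookies unreadable from script and sent only over HTTPS -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <!-- trace.axd exposes request internals; keep it off in production -->
    <trace enabled="false" />
    <authentication mode="Forms">
      <forms requireSSL="true" cookieless="UseCookies"
             slidingExpiration="true" timeout="20" />
    </authentication>
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Drop the framework fingerprint; add browser-side hardening -->
        <remove name="X-Powered-By" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="X-Frame-Options" value="DENY" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```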
Demo Introduction to ASP.Net (Security Perspective)
Securing Layers Architecture
• Standard practice: deploy into at least 3 layers – Web Application, Business Logic, Database
• How do you ensure attackers cannot bypass the second layer?
• Identity should be transferred across the different layers
Secure Web Services
• Most web services, whether exposed internally or externally, accept and allow anonymous requests
• A security token should be used to validate each request
• Recommended: use federation to secure the web services
• Microsoft's way of implementing federation – Windows Identity Foundation (WIF)
Demo Secure WCF Services using WIF
Secure Application
• Web Application Configuration Analyzer (WACA)
• Rule-based scanner
• 3 main categories
– General Application
– IIS
– SQL
Secure Server
• Microsoft Baseline Security Analyzer 2.2
• Advice based on best practice for
– Windows
– SQL Server
– Desktop Application
• Explanation of
– What was scanned
– Results
– Recommended correction steps
Demo Web Application Configuration Analyzer 2.0 and Microsoft Baseline Security Analyzer
Obfuscation
• Microsoft .Net Framework is a managed framework
• Assemblies can be “reverse engineered” using freely available tools
• Recommended: obfuscate before deploying
Demo Obfuscation
Conclusion
• Users are EVIL
• Obfuscate every deployed project
• Developers are seldom involved in IT administrative tasks, which is not healthy
• Learn how to secure application today
• Learn how to secure server and IIS