Prepare a 250-300 word overview of the Microsoft SDLC practices. Summarize all 12 of the practices in SDLC.
Please read full details on paper before asking to complete work . will be on turnitin.com so please no plagiarism. see file attached
Research Paper: Microsoft Software Development Security
Overview
The purposes of this assignment is:
1) To analyze and inspect main components of Microsoft SDLC (Secure Development Lifecycle Process).
2) To describe and explain security features and essential security configuration of Microsoft .NET framework and ASP.NET.
Research
Please refer to following resources to complete this project:
· Textbook Chapter 26 and Chapter 29
· SDLC: https://www.microsoft.com/en-us/securityengineering/sdl/practices
· .NET: https://docs.microsoft.com/en-us/dotnet/standard/security/
· .NET:https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/DotNet_Security_Cheat_Sheet.md
· ASP.NET: https://support.microsoft.com/en-us/help/891028/asp-net-security-overview
· Other resources you find
Write
Part 1: Microsoft SDLC Practices
· Carefully review the Microsoft SDLC page.
· Prepare a 250-300 word overview of the Microsoft SDLC practices. Summarize all 12 of the practices in SDLC.
· Select one of the following practices. In one paragraph, research and summarize available tools in the market:
· Practice #4 – Threat modeling
· Practice #9 – Perform Static Analysis Security Testing (SAST)
· Practice #10 – Perform Dynamic Analysis Security Testing (DAST)
· Practice #11 – Perform Penetration Testing
Part 2: .NET Security Guidelines
Describe essential items in a.NET security guidelines in 150-200 words. Use the textbook, Microsoft .NET security page, OWASP GitHub page, and any other authoritative resources you find.
Part 3: ASP.NET Security Guidelines
,
CHAPTER
26 Secure Application Design
This chapter covers the important security considerations that should be part of the development cycle of web applications, client applications, and remote administration, illustrating potential security issues and how to solve them.
After an application is written, it is deployed into an environment of some sort, where it remains for an extended period of time with only its original features to defend it from whatever threats, mistakes, or misuse it encounters. A malicious agent in the environment, on the other hand, has that same extended period of time to observe the application and tailor its attack techniques until something works. At this point, any number of undesirable things could happen. For example, there could be a breach, there could be a vulnerability disclosure, malware exploiting the vulnerability could be released, or the exploit technique could be sold to the highest bidder.
Most of these undesirable things eventually lead to customers who are unhappy with their software vendors, regardless of whether or not the customers were willing to pay for security before the incident occurred. For that reason, security is becoming more important to organizations that produce software, and building security into the software up front is easier (and cheaper) than waiting until the software is already out in the field and then providing security updates.
While the deployment environment can help protect the application to some extent, every application must be secure enough to protect itself from whatever meaningful attacks the deployment environment cannot prevent, for long enough for the operator to notice and respond to attacks in progress. This chapter describes techniques for developing applications that are secure enough for their intended use, during the development cycle, to save time and money down the road.
Secure Development Lifecycle A secure development lifecycle (SDL, or sometimes SSDL, for secure software development lifecycle) is essentially a development process that includes security practices and decision-making inputs. In some cases, an SDL is a stand-alone process, such as in the case of Microsoft’s well-known Security Development Lifecycle (www.microsoft.com/security/sdl/default.aspx), but most organizations
find that altering their existing practices and processes is easier and more efficient than creating and managing an additional, separate process.
Despite the name, which implies a single lifecycle, a typical SDL actually affects two to three lifecycles, the specifics of which vary by organization:
• The application lifecycle, in which an application begins as an idea and then is planned, designed, developed, tested, documented (hopefully), released, sometimes deployed and operated, maintained, and eventually “end-of-lifed.”
• The employee lifecycle, in which an employee is selected, hired, brought on board, changes job responsibilities, and eventually leaves the organization.
• The project or contract lifecycle, if any development is outsourced, in which a contract is negotiated, results are accepted, and vendors are paid.
The SDL itself is created, operated, measured, and changed over time following a business process lifecycle. Sometimes people call the process of developing and maintaining an SDL and other application security activities an application security assurance program.
Typically, an SDL contains three primary elements: • Security activities that don’t exist at all in the original lifecycle; for instance,
threat modeling • Security modifications to existing activities; for instance, adding security checks
to existing peer reviews of code • Security criteria that should affect existing decisions; for instance, the number of
open high-severity security issues when a decision to ship is made Figure 26-1 shows the application lifecycle portion of an SDL for an
organization that uses an Agile development lifecycle.
Figure 26-1 Secure development lifecycle in Agile
Like any other quality, adding security is cheapest if it is included from the beginning of the lifecycle. Like other bugs, security vulnerabilities are less expensive to fix the earlier they are resolved, and the cheapest thing to do is to avoid inserting bugs at all. Therefore, the pre-ship activities in an SDL usually focus on either preventing security bugs in each development deliverable or detecting security bugs in a deliverable that was just produced.
Waterfall SDLs frequently involve a security reviewer from outside the team, who must approve the application at different points in the process. Agile SDLs frequently provide access to security coaches from outside the team, so that the team has someone to consult when they need security help.
Finally, because different applications have different security requirements, it is common for an SDL to require all applications to determine their requirements, and then allow applications with lower security requirements to skip some security activities or perform checks less rigorously.
Application Security Practices This section provides a brief overview of the practices and decisions that appear in some form in most secure development lifecycles. Security Training Typically, a security training program for development teams includes technical security-awareness training for everyone and role-specific training for most individuals. Role-specific training goes into more detail about the security activities a particular individual participates in, and the technologies in use (for developers). Secure Development Infrastructure At the beginning of a new project, source code repositories, file shares, and build servers must be configured for team members’ exclusive access, bug tracking software must be configured to disclose security bugs only according to organization policies, project contacts must be registered in case any application security issues occur, and licenses for secure development tools must be acquired. Security Requirements Security requirements may include access control matrices, security objectives (which specify actions attackers with specific privileges should not be able to perform), abuse cases, references to policies and standards, logging requirements, security bug bars, assignment of a security risk or impact level, and low-level security requirements such as key sizes or how specific error conditions should be handled. Secure Design Secure design activities usually revolve around secure design principles and patterns. They also frequently include adding information about security properties and responsibilities to design documents. For more information on secure application design, see Chapter 27. Threat Modeling
Threat modeling is a technique for reviewing the security properties of a design and identifying potential issues and fixes. Architects can perform it as a secure design activity, or independent design reviewers can perform it to verify architects’ work. There is a variety of threat modeling methodologies to choose from. For more information, see Chapter 27. Secure Coding Secure coding includes using safe or approved versions of functions and libraries, eliminating unused code, following policies, handling data safely, managing resources correctly, handling events safely, and using security technology correctly. Chapter 27 covers these concepts in more detail. Security Code Review To find security issues by inspecting application code, development teams may use static analysis tools, manual code review, or a combination. Static analysis tools are very effective at finding some kinds of mechanical security issues but are usually ineffective at finding algorithmic issues like incorrect enforcement of business logic. Static analysis tools usually require tuning to avoid high numbers of false positives. Manual code review by someone other than the code author is more effective at finding issues that involve code semantics, but requires training and experience. Manual code review is also time-consuming and may miss mechanical issues that require tracing large numbers of lines of code or remembering many details. Security Testing To find security issues by running application code, developers and independent testers perform repeatable security testing, such as fuzzing and regression tests for past security issues, and exploratory security testing, such as penetration testing. Security Documentation When an application will be operated by someone other than the development team, the operator needs to understand what security the application needs the deployment environment to provide, what settings can affect security, and how to handle any error messages that have security impact. The operator also needs to know if a release fixes any vulnerabilities in previous releases. Secure Release Management When an application will be shipped, it should be built on a limited-access build server and packaged and distributed in such a way that the recipients can verify it is unchanged. Depending on the target platform, this may mean code signing or distributing signed checksums with the binaries.
Dependency Patch Monitoring Any application that includes third-party code should monitor that external dependency for known security issues and updates, and issue a patch to update the application when any are discovered. Product Security Incident Response Like operational security incident response (as described in Chapter 33), product security incident response includes contacting people who should help respond, verifying and diagnosing the issue, figuring out and implementing a fix, and possibly managing public relations. It does not usually include forensics. Decisions to Proceed Any decision to ship an application or continue its development should take security into account. At ship time, the relevant question is whether the application can be reasonably expected to meet its security objectives. Frequently, this means that security validation activities have occurred and no critical or high-severity security issues remain open. Decisions to continue development should include some indicator of expected security risk, so that business stakeholders can draw conclusions regarding the expected business risk.
Web Application Security This section covers web application security, including the vulnerabilities attackers can exploit in insecure web applications in order to compromise a web server or deface a web site, and how developers can avoid introducing these vulnerabilities.
There are several web application security concerns to be considered: • SQL injection • Forms and scripts • Cookies and session management • General attacks
NOTE In this chapter, the term server-side scripts refers to any available server-side programming technology, such as Java, ASP (Active Server Pages), PHP (PHP: Hypertext Preprocessor), or CGI (Common Gateway Interface). SQL Injection SQL (Structured Query Language) is standardized by the American National Standards Institute (ANSI) and serves as a common language for communicating with databases. Every database system adds some proprietary features to the basic ANSI SQL.
SQL injection is a technique to inject crafted SQL into user input fields that are part of web forms—it is mostly used to bypass custom logins to web sites.
However, SQL injection can also be used to log in to or even to take over a web site, so it is important to secure against such attacks. Simple Login Bypass The most basic form of SQL injection is bypassing a login to a web site. Consider the following example, where the victim web site has a simple login form (see Figure 26-2):
Figure 26-2 A typical login form for a web site
This page requests two pieces of information from the user (username and
password), and it submits the information in the fields to login.asp. The login.asp file looks like this:
This script takes the entered username and password and places them into a SQL command that selects data from the users table based on the username and
password. If the login is valid, the database will return the user’s record. If not, it will return an empty record.
NOTE SQL injection is demonstrated here with ASP and ADO (ActiveX Data Objects), but it’s a general problem that is not limited to these technologies.
The following SQL statement is built when a user enters admin as the username and somepassword as the password (as shown in Figure 26-3):
Figure 26-3 A user signing in using the login web form
Let’s go over the query:
• select * means “give me all the data” • from users means “take it from the table called users” • where username=’admin’ and password=’somepassword’ means “find a row where both
the username is admin and the password is somepassword” The username and password are placed inside the SQL string without any
sanity checks. (Sanity checks, known as “form field validation,” are performed to make sure user input doesn’t contain any characters an attacker could use to modify the SQL statement.) This means that an attacker can inject custom code into the user input fields without being detected.
In this case, the attacker will enter ‘a’ or “1”=“1” for the username, and any password at all, because it will be ignored (see Figure 26-4). The resulting SQL looks like this:
Figure 26-4 An attacker attacking the login web form with SQL injection
The — stands for a code remark, which means that everything that follows will be disregarded (for example, the trailing apostrophe (’) will be ignored). This SQL phrase will always return data because “1”=“1” is always true. The server will have to evaluate the statement “false and false or true,” and because it will evaluate the “and” statement first, it’ll become “false or true,” which is true—the attacker will get access into the system.
This attack was made possible because the programmer didn’t filter the apostrophe (’) inside the user input fields, which allowed the attacker to break the SQL syntax and enter custom code.
The following code solves this problem by filtering the apostrophes (every occurrence of ‘ in the user input is removed):
When SQL Injection Goes Bad The previous example was very straightforward, but sometimes the SQL phrase is not so simple. Most login scripts check information in the user record: can the user log in, what is the level of subscription, and so on. A typical SQL login phrase can look like this:
This SQL phrase looks for users that are also administrators and are active; the SQL in the previous example simply identified a user and didn’t pay attention to whether the user was active or an administrator.
Attackers don’t usually know the exact format of the SQL phrase (unless they managed to view the server-side script using a web server exploit), so they need to submit bad SQL in order to gain more information. For example, an attacker might submit someusername for the username and a’aaa (or any other value
that isn’t part of the SQL syntax) for the password. Because the resulting SQL is invalid, it will be rejected by the SQL server, which will send back an error that may look like this:
Now the attacker can see the SQL phrase and can craft better input,
like someusername for the username and ‘a’ or ‘3’=‘3’ for the password, which will be interpreted like this:
Procedure Invocations and SQL Administration The attacker can use built-in stored procedures (functions supplied by the database to perform administrative and maintenance tasks) to write or read files, or to invoke programs in the database’s computer. For example, the xp_cmdshell stored procedure invokes shell commands on the server’s computer, like dir, copy, move, rename, and so on. Using the same scenario from the previous section, an attacker can enter someusername as the username and a’ exec master..xp_cmdshell ‘del c:winntsystem32*.dll’ as the password, which will cause the database to delete all DLLs in the specified directory. Table 26- 1 lists some stored procedures and SQL commands that can be used to further elevate an attack.
Table 26-1 Common SQL Server Stored Procedures That Are Abused by Attackers Solutions for SQL Injection Developers and administrators can take a number of different steps in order to solve the SQL injection problem.
These are some solutions for developers:
• Filter all input fields for apostrophes (’) to prevent unauthorized logins. • Filter all input fields for SQL commands like insert, select, union, delete, and exec to
prevent server manipulation. (Make sure you do this after filtering for the apostrophes.)
• Limit input field length (which will limit attackers’ options), and validate the input length with server-side scripts.
• Use the option to filter “escape characters” (characters that can be used to inject SQL code, such as apostrophes) if the database offers that function.
• Place the database on a different computer than the web server. If the database is hacked, it’ll be harder for the attacker to reach the web server.
• Limit the user privileges of the server-side script. A common practice is to use the administrative user when logging in from the server-side script to the database, but this can allow an attacker to run database tasks (such as modifying tables or running stored procedures) that require the administrative user. Assign a user with minimal privileges for this purpose.
• Delete all unneeded extended stored procedures to limit attackers’ possibilities. • Place the database in a separate container (behind a firewall), separated from the
web container and application server. Unlike developers, the administrator has no control over the code and can’t
make changes on behalf of the programmers. However, the administrator can mitigate the risks by running some tests and making sure that the code is secure:
• Make sure the web server returns a custom error page. This way, the server won’t return the SQL error, which will make it harder for the attacker to gain data about the SQL query. (A custom error page should not contain any information that might aid the attacker, unlike the regular error page, which will return part of the SQL statement.)
• Deploy only web applications that separate the database from the web server. • Hire an outside agency to perform penetration tests on the web server and to
look for SQL injection exploits. • Use a purpose-built automated scanning device to discover SQL injection exploits
that result from programmers’ mistakes. • Deploy security solutions that validate user input and that filter SQL injection
attempts. Forms and Scripts Forms are used to allow a user to enter input, but forms can also be used to manage sessions (discussed in the “Cookies and Session Management” section, later in this chapter) and to transfer crucial data within the session (such as a user or session identifier). Attackers can exploit the data embedded inside forms and can trick the web application into either exposing information about another
user or to charge a lower price in e-commerce applications. Three methods of exploiting forms are these:
• Disabling client-side scripts • Passing parameters in the URLs • Passing parameters via hidden fields
Client-Side Scripts Some developers use client-side scripts to validate input fields in various ways:
• Limit the size of the input fields • Disallow certain characters (such as apostrophes) • Perform other types of validation (these can be specific to each site)
By disabling client-side scripting (either JavaScript or VBScript), this validation can be easily bypassed. A developer should validate all fields at the server side. This may require additional resources on the server. Passing Parameters via URLs A form has two methods of passing data: post and get. The post command sends the data in the content stream and the get command sends the data in the URL. Attackers can exploit the get command to send invalid or incorrect data, or to send malicious code.
For example, suppose we have this kind of form:
Let’s assume the user enters someusername as the username and somepassword as the password. The browser will be redirected to this URL: http://thesite/login.asp?username=someusername?password=somepassword An attacker can exploit this type of URL by simply modifying the URL’s data (in the browser’s address bar). This method can be used in e-commerce sites to change the prices of items. For example, look at the following URL: http://somesite/checkout.asp?totalprice=100 The attacker could simply change the value of “totalprice” and perform a checkout that has a lower price than was intended. This can be done simply by changing the URL like this: http://somesite/checkout.asp?totalprice=50
The web application will perform the checkout, but with $50 as the total price (instead of $100).
Another scenario is that, after the login, the user identification is sent using get, allowing an attacker to modify it and perform actions on another user’s behalf. An example is shown in the following URL: http://somesite/changeuserinfo.asp?user=134 The attacker could change the value of “user” and get the data of that user, if the user exists. Passing Data via Hidden Fields The post method sends the data using the POST HTTP command. Unlike get, this method doesn’t reveal the data in the URL, but it can be exploited rather easily as well. Consider the following form:
This form transmits the user identifier using POST. An attacker can save the
HTML, modify the UserID field, modify the checkout.asp path (to link to the original site, like this: <form action=“http://example/checkout.asp”…), run it (by double-clicking on the modified local version of the HTML page), and submit the modified data. Solving Data-Transfer Problems The developer can prevent attackers from modifying data that is supposed to be hidden by managing the session information, by using GUIDs, or by encrypting the information. Managing Session Information Most server-side scripting technologies allow the developer to store session information about the user—this is the most secure method to save session-specific information because all the data is stored locally on the web server machine. Using GUIDs A globally unique identifier, or GUID, is a 128-bit randomly generated number that has 2128 possible values. GUIDs can be used as user identifiers by the web application programmer. Assuming a web server has 4 billion users (about 232, which is more than the number of people who have Internet access), this means there are on average 296 possible values per user (2128/232 = 296). Since 296 is approximately 7 followed by 28 zeros, the attacker will have no chance of guessing, and thus accessing, a correct GUID. Encrypting Data The developer can pass encrypted data rather than passing the data in cleartext. The data should be encrypted using a master key (a symmetric key that is stored only at the web server, and used to store data at the client side).
If an attacker tries to modify the encrypted data, the client will detect that someone has tampered with the data.
NOTE Never use a derivative of the user’s information as a hidden identifier, such as an MD5 hash of the username. Attackers will try to find such shortcuts and exploit them. Cookies and Session Management Web sessions are implemented differently by each server-side scripting technology, but in general they start when the user enters the web site, and they end when the user closes the browser or the session times out. Sessions are used to track user activities, such as a user adding items to their shopping cart—the site keeps track of the items by using the session identifier.
Sessions use cookies (data sent by the web site, per site or per page, stored by the user’s browser). Each time the user visits a web site that sent a cookie, the browser will send the cookie back to the web site. (Although cookies can be used to track users’ surfing behavior and are considered a major privacy threat, they are also the best medium for session management.) Sessions use cookies to identify users and pair them with an active session identifier.
Attackers can abuse both sessions and cookies, and this section will deal with the various risks:
• Session theft • Managing sessions by sending data to the user • Web server cookie attacks • Securing sessions
Session Theft Suppose that a user logs in to a web site that uses sessions. The web site tags the session as authenticated and allows the user to browse to secure areas for authenticated users. Using post or get in order to save a weak session identifier or other relevant identifying data (such as e-mail addresses) is not the best choice. Instead, the web site can use cookies in order to save sensitive data, but an attacker can exploit this as well. Server-side cookies are another alternative.
Let’s assume the web site uses e-mail addresses as the identifying data. After the user has logged in, the system will send the browser a cookie containing the userȁ
Collepals.com Plagiarism Free Papers
Are you looking for custom essay writing service or even dissertation writing services? Just request for our write my paper service, and we'll match you with the best essay writer in your subject! With an exceptional team of professional academic experts in a wide range of subjects, we can guarantee you an unrivaled quality of custom-written papers.
Get ZERO PLAGIARISM, HUMAN WRITTEN ESSAYS
Why Hire Collepals.com writers to do your paper?
Quality- We are experienced and have access to ample research materials.
We write plagiarism Free Content
Confidential- We never share or sell your personal information to third parties.
Support-Chat with us today! We are always waiting to answer all your questions.