subhashini (Moderator):
the chat begins at 5.00 pm IST
subhashini (Moderator):
Request all of you to refrain from sending any private messages
as that leads to disconnection of the expert from the chat
subhashini (Moderator):
hello everybody. A very good evening to all of you.
subhashini (Moderator):
welcome to today's chat on writing Secure .NET code
subhashini (Moderator):
we had chats on writing secure code earlier on 13th and 14th April.
and today is the last part in series.
subhashini (Moderator):
We have with us Vipul Patel (MVP)
subhashini (Moderator):
to host today's chat
subhashini (Moderator):
After pursuing a bachelor's degree in Chemical Engineering, Vipul
pursued a Masters in Computer Application from Gujarat University
for the sheer love for computers. He is currently with Patni Computer
Systems, and has been working on .NET technologies since last 1.5
years. Once the Chairperson of the Computer Society of India's college
chapter at Nirma Institute of Technology (www.nit.edu)
in his academic days, he sincerely believes that communities can
be a powerful platform for developers to share their experiences
and queries.
subhashini (Moderator):
He can be contacted at vipul_d_patel@hotmail.com
or vipul.patel@patni.com
subhashini (Moderator):
before we begin the chat
subhashini (Moderator):
few chat rules
subhashini (Moderator):
Please refrain from sending any private messages to the expert during
the chat
subhashini (Moderator):
This leads to disconnection of the expert from the chat
subhashini (Moderator):
Chat Procedures:
This chat will last for one hour. During this hour, our Experts
will respond to as many questions as they can. Please understand
that there may be some questions we cannot respond to due to lack
of information or because the information is not yet public. We
encourage you to submit questions for our Experts. We ask that you
stay on topic for the duration of the chat. This helps the Guests
and Experts follow the conversation more easily. We invite you to
ask off topic questions after this chat is over.
subhashini (Moderator):
let's welcome Vipul and hope you find this chat useful and informative
subhashini (Moderator):
Hi Vipul
Vipul Patel (Expert):
Thanks Subhashini
Vipul Patel (Expert):
Welcome all to the final episode of writing secure code. Today we
shall focus on "Writing Secure .NET code"
Vipul Patel (Expert):
I shall skim thru the best practises and tips on writing secure
.NET code.... and will answer the questions on completion of the
best practises.
Vipul Patel (Expert):
While the .NET Framework is a robust one, we need to exercise care
while coding to make the application secure.
Vipul Patel (Expert):
The good thing about .NET Framework is that common security attacks
are not bound to happen with .NET application. But vulnerabilities
are still possible.
Vipul Patel (Expert):
A classical example will be SQL injection.... To avoid such an attack,
you need to follow the best practises as outlined in the earlier
web chats.....
Vipul Patel (Expert):
today will focus more on the .NET side of coding practises...
Vipul Patel (Expert):
Don't forget to apply secure coding techniques like:
Vipul Patel (Expert):
a. Don't store secrets in code or web.config files
Vipul Patel (Expert):
b. Don't create your own encryption; use the one provided by the
framework. Use the classes in the System.Security.Cryptography namespace.
Vipul Patel (Expert):
c. Don't trust user input till you have validated its correctness.
Vipul Patel (Expert):
.NET code helps mitigate a number of common security vulnerabilities
such as buffer overruns. Security in .NET provides code with different
level of trust based not only on the user's capabilities but also
on system policy and evidence (digital signature) of code.
Vipul Patel (Expert):
But before that a question to the audience.....
Vipul Patel (Expert):
How many of you are aware of FxCop?
Vipul Patel (Expert):
please reply using the Guest Chat option.....
Vipul Patel (Expert):
that's great. we have one user who actively uses that....
Vipul Patel (Expert):
Tip: Add your own rules to FxCop if you want to implement coding
rules beyond the ones provided by the FxCop...
Vipul Patel (Expert):
For those who are not aware, FxCop is available from http://www.gotdotnet.com.
It is a code analysis tool that checks .NET assemblies for conformance
to .NET Framework Design guidelines at http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconnetframeworkdesignguidelines.asp
Vipul Patel (Expert):
FxCop can produce an XML file that lists any design guideline violations
in your assembly.
Vipul Patel (Expert):
What are the two most common errors flagged by FxCop?
Vipul Patel (Expert):
a. Lack of strong name on the assembly
Vipul Patel (Expert):
b. Failure of the assembly to specify permission requests.
Vipul Patel (Expert):
How to prevent these errors? Let's take them one by one
Vipul Patel (Expert):
Use strong name for assemblies:
Lack of strong name
Vipul Patel (Expert):
sn -k keypair.snk
Vipul Patel (Expert):
Over and above strong names, you may want to Authenticode-sign an
assembly to identify the publisher. Do this after strong naming
your assemblies.
Vipul Patel (Expert):
You cannot use Authenticode first because the strong name signature
will appear as "tampering" to the Authenticode signature
check.
Vipul Patel (Expert):
Additionally, You can delay-sign your assemblies to prevent information
disclosure by a careless developer.
Vipul Patel (Expert):
Tip: Strong named assemblies can only refer to other strong named
assemblies. Get your application design ready to use GAC.
Vipul Patel (Expert):
Next we come to second most popular finding of FxCop - Failure of
the assembly to specify permission requests.
Vipul Patel (Expert):
pinto: can you rephrase your question?
Vipul Patel (Expert):
For that, we need to know about CAS or Code Access Security: The
theory of the same is located at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconcodeaccesssecurity.asp
Vipul Patel (Expert):
Best practises for CAS
Vipul Patel (Expert):
a. Request minimal permission set: Requesting helps ensure that
your code is granted only the permissions it needs.
Vipul Patel (Expert):
e.g. if your application requires only FileIOPermissions to read one
file, and nothing more, add this line to your code:
Vipul Patel (Expert):
[assembly: FileIOPermission(SecurityAction.RequestMinimum,
Read = @"c:\FileName.xml")]
Vipul Patel (Expert):
pinto: that depends on your FxCop settings.....
Vipul Patel (Expert):
pinto: you need to disable this rule if it is already on....
Vipul Patel (Expert):
coming back to CAS, you should use RequestMinimum to define the
minimum must-have grant set. If the runtime cannot grant the minimum
set to the application, it will raise a PolicyException exception
and your application will not run.
Vipul Patel (Expert):
b. Refuse Unneeded Permission: Simply refuse permissions you don't
need.
Vipul Patel (Expert):
e.g. If there is no FileIO operations in the application,
[assembly: FileIOPermission(SecurityAction.RequestRefuse, Unrestricted = true)]
Vipul Patel (Expert):
a simple code snippet such as above will refuse File IO access thru
your secure code.....
Vipul Patel (Expert):
Tip: If you don't get the requisite permissions, there will be exceptions.
Handle these possible exceptions that may arise if the requested
permissions are not granted.
Vipul Patel (Expert):
c. use Assert wisely
Vipul Patel (Expert):
What we need to apply for this is that we should make sure that
code permissions are granted rationally.
Vipul Patel (Expert):
Suppose A has permissions to do anything on the server
And B has permission to make calls on A.
Vipul Patel (Expert):
now if A makes an Assert statement, B will get access to all resources
permitted to A.
This implies that Thru A, B can make any changes on the server and
this may not be the desired scenario.
Vipul Patel (Expert):
Q: aren't you trying to say about the SecurityExceptions?
A: no, the exception being referred here is PolicyException.....
Vipul Patel (Expert):
d. Keep the Assertion as small as possible
Vipul Patel (Expert):
If you do need to Assert, make sure that you RevertAssert as soon
as you are done.
Vipul Patel (Expert):
in C# code, this will be implied by
CodeAccessPermission.RevertAssert();
Vipul Patel (Expert):
Tip: When Deny, Assert and PermitOnly are used together, Deny has
the highest precedence.
Vipul Patel (Expert):
e. Limit who uses your code
Vipul Patel (Expert):
How: Consider sealing your classes. This will make them non-inheritable.
Vipul Patel (Expert):
Also, You can use InheritanceDemand to require that derived classes
have a specified identity or permission.
Vipul Patel (Expert):
[EnvironmentPermission(SecurityAction.InheritanceDemand, Unrestricted = true)]
public class A
{
}
public class B : A
{
}
Vipul Patel (Expert):
this will imply that if the inheriting class requests an action thru
an inherited class, the framework will see if the calling class
has the permissions needed to do the action.....
Vipul Patel (Expert):
in the earlier example, B must have EnvironmentPermission, if it
were to inherit A.
Vipul Patel (Expert):
Other security Tips for .NET programmers
Vipul Patel (Expert):
Q: How to protect Images in an ASP.NET Project i.e
Print, Print Screen, Save Page.... etc
A: I believe that disabling
menu options on browsers is achievable thru JavaScript....... I
need time to investigate this in detail. Please email me at vipul_d_patel@hotmail.com
stating your complete requirement.
Vipul Patel (Expert):
a. No Sensitive Data in XML or Configuration files
Vipul Patel (Expert):
Storing data of non secure nature is ok in configuration files such
as web.config.
subhashini (Moderator):
Please use the radial button "submit a question " to ask
any questions to the expert
Vipul Patel (Expert):
It is an oxymoron that storing data in registry is safer
than storing in the web.config... We need to make a judicious call
here...as registry access violates No touch deployment fundas.
Vipul Patel (Expert):
A better option will be to use SQL Server as data storage for confidential
information.
Vipul Patel (Expert):
ASP.NET v1.1 supports optional Data Protection API encryption of
secrets stored in registry. The configuration sections that take
advantage of this are <processModel>, <identity>, and
<sessionState>....
Vipul Patel (Expert):
aspnet_setreg.exe is a cool tool to explore for using registry to
store confidential information....
Vipul Patel (Expert):
Tip: Review Assemblies that allow partial trust
Vipul Patel (Expert):
if you want your assembly to be invoked from partially trusted sources,
you need to tag it
[assembly: AllowPartiallyTrustedCallers]
Vipul Patel (Expert):
Furthermore you need to review in detail all the assemblies that
make calls to this assembly in partial trusted mode... that's because
a partial trusted code has considerable access on the resources
handled by the called assembly...
Vipul Patel (Expert):
IMP: Assemblies that allow partially trusted callers should never
expose objects from assemblies that do not allow partially trusted
callers.
Vipul Patel (Expert):
Never forget to review the code of the calling assembly lest it
causes any security breach.
Vipul Patel (Expert):
Tip: Check Managed Wrappers to Unmanaged code for correctness
Make sure that code calling into unmanaged is well written and safe.
Vipul Patel (Expert):
Issues with Serialization
Vipul Patel (Expert):
Give special attention to classes that implement the ISerializable
interface if an object based on the class could contain sensitive
object information.
Vipul Patel (Expert):
If these classes store password, it could pose as a considerable
security concern.
Vipul Patel (Expert):
Q: Vipul: i have learned that you can save the
session in SQL to identify the broken sessions to continue with
where they stopped... and do you think suggest such kind of storage?
A: yes, storing session information in SQL server
would be a good option... optionally if that code or the user has
access to registry, you can use the DPAPI also....
SQL server is better...
Vipul Patel (Expert):
Using Isolated storage
Vipul Patel (Expert):
using Isolated Storage provided by the .NET Framework has the advantage
that only the code in a given assembly can access the isolated data
when any of the following conditions are met: application is running
when the assembly created the store is using the assembly, or when
the user who created the store is running the application.
Vipul Patel (Expert):
using System.IO.IsolatedStorage;
..
IsolatedStorageFile isoFile = IsolatedStorageFile.GetStore(
    IsolatedStorageScope.User | IsolatedStorageScope.Assembly, null, null);
Vipul Patel (Expert):
The major advantage of using isolated storage is that it does not
require FileIOPermission to operate correctly.
subhashini (Moderator):
Friends , we have the last 15 minutes left for the chat to conclude
Vipul Patel (Expert):
But Don't use isolated storage to store sensitive data, because
it is not protected from highly trusted code or trusted users of
the computer.
Vipul Patel (Expert):
Other tips
Vipul Patel (Expert):
Disable Tracing and Debugging Before Deploying ASP.NET Application
Vipul Patel (Expert):
Because: you can potentially give an attacker too much information
subhashini (Moderator):
So please rush in your questions to Vipul
Vipul Patel (Expert):
How to do this:
Vipul Patel (Expert):
1. Remove Debug verb from IIS.
2. Disable debugging and tracing within ASP.NET application Page directive
<%@ Page Language="VB" Trace="False" Debug="False" %>
3. In web.Config file
<trace enabled = 'false'/>
<compilation debug ='false'/>
Vipul Patel (Expert):
Also, Do not deserialize data from untrusted sources.
Vipul Patel (Expert):
in case the application fails, do not tell the attacker too much
when you fail.. Rather , write to the application log an error code
which is known only to developers
Vipul Patel (Expert):
That's all for the tips and tricks. Now to your questions.....
Vipul Patel (Expert):
Q: Vipul: can you throw some light on "SecurityException"?
A: Security exception occurs when a security error
is detected, like making IO calls when the user does not have rights
on it...
PolicyException on the other hand is generated when code requests
more permissions than the policy will grant or the policy is configured
to prohibit running the code.
Vipul Patel (Expert):
OK team,,, the resources that should keep you going.....
Vipul Patel (Expert):
A book by Michael Howard titled "Writing Secure Code".
It is by Microsoft Press. It's an extremely good book. Recommend
all to read when you get time....
Vipul Patel (Expert):
visit digitalblackbelt.com and view the webcasts on security they
are great.
Vipul Patel (Expert):
Also on MSDN webcasts, there is a series of webcasts on Writing
Secure Code, you can view them if you can get hands on the book....
Vipul Patel (Expert):
that's all from my side....
Vipul Patel (Expert):
Q: Vipul: i have a small situation.. can i ask
you now?
A: sure..
Vipul Patel (Expert):
Q: thnx vipul
A: anytime man
Vipul Patel (Expert):
u can visit http://msdn.microsoft.com/asp.net/articles/security/default.aspx
for more information on security
subhashini (Moderator):
Well, we are almost close to time-up!
subhashini (Moderator):
There's time for one last question
subhashini (Moderator):
To ask any additional queries , please feel free to email Vipul
subhashini (Moderator):
at vipul_d_patel@hotmail.com
subhashini (Moderator):
Hope this chat in series was informative
subhashini (Moderator):
To read chat transcripts of earlier chats , visit http://www.microsoft.com/india/communities/chat/Transcripts.aspx
subhashini (Moderator):
thanks to all of you for attending today's chat
Vipul Patel (Expert):
chakravarty: can you email me this question? I shall reply ASAP.
My email id is vipul_D_patel@hotmail.com
subhashini (Moderator):
Special thanks to Vipul for taking time out for this informative
session with his geographical constraints regarding timings
Vipul Patel (Expert):
Thanks all for attending this chat
subhashini (Moderator):
Thanks a lot Vipul
Vipul Patel (Expert):
welcome subhashini
subhashini (Moderator):
request all of you to pool in your queries through email
subhashini (Moderator):
Have a lovely evening
subhashini (Moderator):
Also feel free to pool in your feedback for these chats at commind@microsoft.com
subhashini (Moderator):
enjoy your evening all of you and Vipul , have a great day :-)