Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613
Authors: Microsoft Corporation
Table of Contents
BackCover
Improving Web Application Security - Threats and Countermeasures
Forewords
Foreword by Joel Scambray
Foreword by Erik Olson
Foreword by Michael Howard
Introduction
What Is a Hack-Resilient Application?
Scope of This Guide
Who Should Read This Guide
How to Use This Guide
Organization of This Guide
Approach Used in This Guide
Positioning of This Guide
Feedback and Support
The Team Who Brought You This Guide
Tell Us About Your Success
Summary
Solutions at a Glance
Development Solutions
Administration Solutions
Fast Track - How To Implement the Guidance
The Holistic Approach
Securing Your Network
Securing Your Host
Securing Your Application
Identify Threats
Applying the Guidance to Your Product Life Cycle
Implementing the Guidance
Who Does What?
Summary
Part I: Introduction to Threats and Countermeasures
Chapter 1: Web Application Security Fundamentals
We Are Secure - We Have a Firewall
What Do We Mean By Security?
Threats, Vulnerabilities, and Attacks Defined
How Do You Build a Secure Web Application?
Secure Your Network, Host, and Application
Securing Your Network
Securing Your Host
Securing Your Application
Security Principles
Summary
Additional Resources
Chapter 2: Threats and Countermeasures
Overview
How to Use This Chapter
Anatomy of an Attack
Understanding Threat Categories
Network Threats and Countermeasures
Host Threats and Countermeasures
Application Threats and Countermeasures
Input Validation
Authentication
Authorization
Configuration Management
Sensitive Data
Session Management
Cryptography
Parameter Manipulation
Exception Management
Auditing and Logging
Summary
Additional Resources
Chapter 3: Threat Modeling
Overview
Before You Begin
How to Use This Chapter
Threat Modeling Principles
Step 1. Identify Assets
Step 2. Create an Architecture Overview
Step 3. Decompose the Application
Step 4. Identify the Threats
Step 5. Document the Threats
Step 6. Rate the Threats
What Comes After Threat Modeling?
Summary
Additional Resources
Part II: Designing Secure Web Applications
Chapter 4: Design Guidelines for Secure Web Applications
Overview
How to Use This Chapter
Architecture and Design Issues for Web Applications
Deployment Considerations
Input Validation
Authentication
Authorization
Configuration Management
Sensitive Data
Session Management
Cryptography
Parameter Manipulation
Exception Management
Auditing and Logging
Design Guidelines Summary
Summary
Additional Resources
Chapter 5: Architecture and Design Review for Security
Overview
How to Use This Chapter
Architecture and Design Review Process
Deployment and Infrastructure Considerations
Input Validation
Authentication
Authorization
Configuration Management
Sensitive Data
Session Management
Cryptography
Parameter Manipulation
Exception Management
Auditing and Logging
Summary
Additional Resources
Part III: Building Secure Web Applications
Chapter 6: .NET Security Overview
Overview
How to Use This Chapter
Managed Code Benefits
User vs. Code Security
.NET Framework Role-Based Security
.NET Framework Security Namespaces
Summary
Additional Resources
Chapter 7: Building Secure Assemblies
Overview
How to Use This Chapter
Threats and Countermeasures
Privileged Code
Assembly Design Considerations
Class Design Considerations
Strong Names
Authorization
Exception Management
File IO
Event Log
Registry
Data Access
Unmanaged Code
Delegates
Serialization
Threading
Reflection
Obfuscation
Cryptography
Summary
Additional Resources
Chapter 8: Code Access Security in Practice
Overview
How to Use This Chapter
Code Access Security Explained
APTCA
Privileged Code
Requesting Permissions
Authorizing Code
Link Demands
Assert and RevertAssert
Constraining Code
File IO
Event Log
Registry
Data Access
Directory Services
Environment Variables
Web Services
Sockets and DNS
Unmanaged Code
Delegates
Serialization
Summary
Additional Resources
Chapter 9: Using Code Access Security with ASP.NET
Overview
How to Use This Chapter
Resource Access
Full Trust and Partial Trust
Configuring Code Access Security in ASP.NET
ASP.NET Policy Files
ASP.NET Policy
Developing Partial Trust Web Applications
Trust Levels
Approaches for Partial Trust Web Applications
Customize Policy
Sandbox Privileged Code
Deciding Which Approach to Take
Medium Trust
Medium Trust Restrictions
Summary
Additional Resources
Chapter 10: Building Secure ASP.NET Pages and Controls
Overview
How to Use This Chapter
Threats and Countermeasures
Design Considerations
Input Validation
Cross-Site Scripting
Authentication
Authorization
Impersonation
Sensitive Data
Session Management
Parameter Manipulation
Exception Management
Auditing and Logging
Summary
Additional Resources
Chapter 11: Building Secure Serviced Components
Overview
How to Use This Chapter
Threats and Countermeasures
Design Considerations
Authentication
Authorization
Configuration Management
Sensitive Data
Auditing and Logging
Building a Secure Serviced Component
Code Access Security Considerations
Deployment Considerations
Summary
Additional Resources
Chapter 12: Building Secure Web Services
Overview
How to Use This Chapter
Threats and Countermeasures
Design Considerations
Input Validation
Authentication
Authorization
Sensitive Data
Parameter Manipulation
Exception Management
Auditing and Logging
Proxy Considerations
Code Access Security Considerations
Deployment Considerations
Summary
Additional Resources
Chapter 13: Building Secure Remoted Components
Overview
How to Use This Chapter
Threats and Countermeasures
Design Considerations
Input Validation
Authentication
Authorization
Sensitive Data
Denial of Service
Exception Management
Auditing and Logging
Code Access Security (CAS) Considerations
Summary
Additional Resources
Chapter 14: Building Secure Data Access
Overview
How to Use This Chapter
Threats and Countermeasures
Design Considerations
Input Validation
SQL Injection
Authentication
Authorization
Configuration Management
Sensitive Data
Exception Management
Building a Secure Data Access Component
Code Access Security Considerations
Deployment Considerations
Summary
Additional Resources
Part IV: Securing Your Network, Host, and Application
Chapter 15: Securing Your Network
Overview
How to Use This Chapter
Threats and Countermeasures
Methodology
Router Considerations
Firewall Considerations
Switch Considerations
Additional Considerations
Snapshot of a Secure Network
Summary
Additional Resources
Chapter 16: Securing Your Web Server
Overview
How to Use This Chapter
Threats and Countermeasures
Methodology for Securing Your Web Server
IIS and .NET Framework Installation Considerations
Installation Recommendations
Steps for Securing Your Web Server
Step 1. Patches and Updates
Step 2. IISLockdown
Step 3. Services
Step 4. Protocols
Step 5. Accounts
Step 6. Files and Directories
Step 7. Shares
Step 8. Ports
Step 9. Registry
Step 10. Auditing and Logging
Step 11. Sites and Virtual Directories
Step 12. Script Mappings
Step 13. ISAPI Filters
Step 14. IIS Metabase
Step 15. Server Certificates
Step 16. Machine.Config
Step 17. Code Access Security
Snapshot of a Secure Web Server
Staying Secure
Remote Administration
Simplifying and Automating Security
Summary
Additional Resources
Chapter 17: Securing Your Application Server
Overview
How to Use This Chapter
Threats and Countermeasures
Methodology
Communication Channel Considerations
Firewall Considerations
.NET Remoting Security Considerations
Enterprise Services (COM+) Security Considerations
Summary
Additional Resources
Chapter 18: Securing Your Database Server
Overview
How to Use This Chapter
Threats and Countermeasures
Methodology for Securing Your Server
SQL Server Installation Considerations
SQL Server Installation Recommendations
Steps for Securing Your Database Server
Step 1. Patches and Updates
Step 2. Services
Step 3. Protocols
Step 4. Accounts
Step 5. Files and Directories
Step 6. Shares
Step 7. Ports
Step 8. Registry
Step 9. Auditing and Logging
Step 10. SQL Server Security
Step 11. SQL Server Logins, Users, and Roles
Step 12. SQL Server Database Objects
Snapshot of a Secure Database Server
Additional Considerations
Staying Secure
Remote Administration
Summary
Additional Resources
Chapter 19: Securing Your ASP.NET Application and Web Services
Overview
How to Use This Chapter
Methodology
What You Must Know
Machine.Config and Web.Config Explained
Machine.Config and Web.Config Guidelines
Trust Levels in ASP.NET
Process Identity for ASP.NET
Impersonation
Authentication
Authorization
Session State
View State
Machine Key
Debugging
Tracing
Exception Management
Remoting
Web Services
Forbidden Resources
Bin Directory
Event Log
File Access
ACLs and Permissions
Registry
Data Access
UNC Shares
COM/DCOM Resources
Denial of Service Considerations
Web Farm Considerations
Snapshot of a Secure ASP.NET Application
Summary
Additional Resources
Chapter 20: Hosting Multiple Web Applications
Overview
ASP.NET Architecture on Windows 2000
ASP.NET Architecture on Windows Server 2003
Isolating Applications by Identity
Isolating Applications with Application Pools
Isolating Applications with Code Access Security
Forms Authentication Issues
UNC Share Hosting
Summary
Part V: Assessing Your Security
Chapter 21: Code Review
Overview
FxCop
Performing Text Searches
Cross-Site Scripting (XSS)
SQL Injection
Buffer Overflows
Managed Code
Code Access Security
Unmanaged Code
ASP.NET Pages and Controls
Web Services
Serviced Components
Remoting
Data Access Code
Summary
Additional Resource
Chapter 22: Deployment Review
Overview
Web Server Configuration
IIS Configuration
Machine.Config
Web Services
Enterprise Services
Remoting
Database Server Configuration
Network Configuration
Summary
Related Security Resources
Security-Related Web Sites
Microsoft Security Services
Partners and Service Providers
Communities and Newsgroups
Patches and Updates
Alerts and Notification
Additional Resources
Index of Checklists
Designing Checklist
Building Checklists
Securing Checklists
Assessing Checklist
Checklist: Architecture and Design Review
Deployment and Infrastructure Considerations
Application Architecture and Design Considerations
Checklist: Securing ASP.NET
Design Considerations
Application Categories Considerations
Configuration File Settings
Checklist: Securing Web Services
Design Considerations
Development Considerations
Administration Considerations
Checklist: Securing Enterprise Services
Developer Checks
Administrator Checklist
Checklist: Securing Remoting
Design Considerations
Input Validation
Authentication
Authorization
Configuration Management
Sensitive Data
Exception Management
Auditing and Logging
Checklist: Securing Data Access
SQL Injection Checks
Authentication
Authorization
Configuration Management
Sensitive Data
Exception Management
Deployment Considerations
Checklist: Securing Your Network
Router Considerations
Firewall Considerations
Switch Considerations
Checklist: Securing Your Web Server
Dos and Don'ts
Checklist: Securing Your Database Server
Installation Considerations for Production Servers
Patches and Updates
Services
Protocols
Accounts
Files and Directories
Shares
Ports
Registry
Auditing and Logging
SQL Server Security
SQL Server Logins, Users, and Roles
SQL Server Database Objects
Additional Considerations
Staying Secure
Checklist: Security Review for Managed Code
General Code Review Guidelines
Managed Code Review Guidelines
Resource Access Considerations
Code Access Security Considerations
How To: Index
How To: Implement Patch Management
Summary
What You Must Know
Before You Begin
Contents
Detecting
Assessing
Acquiring
Testing
Deploying
Maintaining
Additional Considerations
Additional Resources
How To: Harden the TCP/IP Stack
Summary
What You Must Know
Contents
Protect Against SYN Attacks
Protect Against ICMP Attacks
Protect Against SNMP Attacks
AFD.SYS Protections
Additional Protections
Pitfalls
Additional Resources
How To: Secure Your Developer Workstation
Summary
Before You Begin
Steps to Secure Your Developer Workstation
Run Using a Least-Privileged Account
Patch and Update
Secure IIS
Secure SQL Server and MSDE
Evaluate Your Configuration Categories
Stay Secure
How To: Use IPSec for Filtering Ports and Authentication
Summary
Contents
What You Must Know
Restricting Web Server Communication
Restricting Database Server Communication
Restricting Server-to-Server Communication
Using IPSec Tools
Additional Resources
How To: Use the Microsoft Baseline Security Analyzer
Summary
Contents
Before You Begin
What You Must Know
Scanning for Security Updates and Patches
Scanning Multiple Systems for Updates and Patches
SQL Server and MSDE Specifics
Scanning for Secure Configuration
Additional Information
Additional Resources
How To: Use IISLockdown.exe
Summary
What Does IISLockdown Do?
Installing IISLockdown
Running IISLockdown
Log Files
Undoing IISLockdown Changes
Unattended Execution
Pitfalls
How To: Use URLScan
Summary
Contents
Installing URLScan
Log Files
Removing URLScan
Configuring URLScan
Throttling Request Sizes with URLScan
Debugging VS .NET with URLScan Installed
Masking Content Headers (Banners)
Pitfalls
References
How To: Create a Custom Encryption Permission
Summary
Before You Begin
Summary of Steps
How To: Use Code Access Security Policy to Constrain an Assembly
Summary
Before You Begin
Summary of Steps
Step 1. Create an Assembly That Performs File IO
Step 2. Create a Web Application
Step 3. Test File IO with No Code Access Security Constraints
Step 4. Configure Code Access Security Policy to Constrain File IO
Step 5. Test File IO With Code Access Security Constraints
Index
Index_A
Index_B
Index_C
Index_D
Index_E
Index_F
Index_G
Index_H
Index_I
Index_K
Index_L
Index_M
Index_N
Index_O
Index_P
Index_Q
Index_R
Index_S
Index_T
Index_U
Index_V
Index_W
Index_X
Index_Z
List of Figures
List of Tables