
Application Security Best Practices At Microsoft

Ensuring the lowest possible exposure and vulnerability to attacks


Published: 2003 January

Solution Overview

Situation: Faced with the daunting task of inventorying, cataloging, assessing, and securing each LOB application, the Microsoft IT group needed to create an organizational framework for handling the job.

Solution: Microsoft IT developed the Application Security Assurance Program (ASAP) to inventory, assess and, when necessary, ensure the resolution of security vulnerabilities found in LOB applications.

Benefits:
Lower cost of recovery and lost productivity
Minimize loss of data
Improve customer confidence
Decrease legal risks

Motivation For Application Security

Cost of recovery and lost productivity
Loss of data
Impact on consumer confidence
Legal risks

Security Principles

Confidentiality
Integrity
Authentication
Authorization
Availability
Non-repudiation

Managing Risk

Strategic
Tactical
Operational
Legal

Overview Of ASAP

Wide variety of LOB applications designed by Microsoft IT or individual business unit IT teams
Securing applications and data has grown in significance and complexity
LOB applications function in a complex operational and legal environment with an equally complex underlying infrastructure
Every organization should develop its own plan for securing applications

ASAP Deployment

Risk assessment
Design review
Pre-production assessments
Post-production follow-up

Assessment Criteria

Definition of an application
Scope of assessments:
High-risk
Medium-risk
Low-risk

Assessment Criteria: Types of Assessments

Limited assessments
Comprehensive assessments

Participants

Corporate Security: Application Review Team, Risk Assessment, Audits, Security Policy, Threat Modeling
Operations IT: Action on Audit Findings
Business Unit IT Groups: Action on Audit Findings

Application Security Process Framework

Maintain and Publish Policies and Guidelines
Educate IT Professionals
Apply Lessons Learned
Design, Develop, Test, and Verify Secure Apps
Verify In-Production Applications
Respond to Security Exposure Incidents
Application Management
Secure Infrastructure

NETWORK: Architecture; Transport; Network device; Access control list (ACL) permission settings
HOST: Operating system; Services: Internet Information Services (IIS), Simple Mail Transfer Protocol (SMTP), File Transfer Protocol (FTP), NetBIOS/Remote procedure call (RPC), Terminal Services
APPLICATION: Input validation; Clear text protocol; Authentication; Authorization; Cryptography; Auditing and logging
ACCOUNT: Unused accounts; Weak or blank passwords; Shared accounts; Access privileges
TRUST: Rogue trusts

Building Secure Networks: Configuration

Network segmentation
Firewalls
Routers and switches

Building Secure Networks: Intrusion Detection Systems And Network Encryption

Detection systems should monitor for:
Reconnaissance attacks
Exploit attacks
Denial of service attacks

Network encryption:
Key tool in preventing sensitive data from being read
Sensitive communication should be encrypted
Industry-standard encryption methods: Secure Sockets Layer (SSL), a secure shell program such as SSH, Internet Protocol Security (IPSec)

Building Secure Hosts For Applications

Patch management
Configuration
Permissions
Simple Network Management Protocol community strings
Antivirus software
Server auditing and logging
Server backup and restore

Application Layer Requirements

Input validation
Session management
Authentication and authorization
Design and code review
Application and server error handling
Application auditing and logging
Application backup and restore
Private data encryption

Common Application Development Issues

User input validation
Cookies, authentication, and access
Passwords
Access control lists
COM+ application configuration
Auditing and logging

Threat Modeling

Provides a consistent methodology for objectively evaluating threats to applications
Microsoft IT uses STRIDE to identify threats:
Spoofing identity
Tampering with data
Repudiation
Information disclosure
Denial of service
Elevation of privilege

Architecture Modeling

Component selection
Component location (trust zones): Untrusted, Semitrusted, Trusted
Connection identification
Environment component identification

Lessons Learned

If you wait until an application is already in production to make it secure, you are too late
Good security practices take into account both the host and the application client
Create clearly written and easily accessible security guideline documentation
Create security checklists that include step-by-step instructions
Develop a thoroughly considered policy exception tracking process
Education is crucial to the success of a security program
Processes and reporting are required to ensure that inventory information is maintained
Security is an ongoing, always changing, concern

Policies

Applications should comply with application security policies and guidelines
Applications should go through a security design review process
Third-party application vendors should provide assurances that the software does not contain anything that could be used to compromise security controls
Internet-facing applications should use existing methods of authentication
Applications that reside on the corporate network should rely on Windows integrated authentication
Applications that cannot use Windows integrated authentication should either encrypt or hash the password stores
Credentials should never be stored or sent unencrypted
User input should be filtered and examined at the Web server
Web applications should use strong, nonpredictable session IDs
Web applications should use an inactivity timeout
Cookies that contain sensitive data should be marked as secure and nonpersistent
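The session-management, cookie, password-store and input-filtering items from the Application Layer Requirements and the Policies slides, worked through as an added Python example. This is illustration code written for this page, not code from the deck or from Microsoft IT; the inactivity timeout value, the PBKDF2 iteration count, the cookie name SESSIONID and the username allowlist rule are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
import secrets
import time
from typing import Callable, Dict, Optional

INACTIVITY_TIMEOUT_SECONDS = 15 * 60   # assumed value; the deck states no number
PBKDF2_ITERATIONS = 600_000            # assumed; tune to the server's hardware
SESSION_ID_BYTES = 32                  # 256 bits from the OS CSPRNG


def new_session_id() -> str:
    """Strong, nonpredictable session ID: CSPRNG output, never a counter or a timestamp."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def session_cookie_header(session_id: str) -> str:
    """Secure (sent over HTTPS only) and nonpersistent: with no Expires or Max-Age
    attribute the browser drops the cookie when it closes. HttpOnly keeps it from script."""
    return f"Set-Cookie: SESSIONID={session_id}; Path=/; Secure; HttpOnly"


class SessionStore:
    """Server-side sessions with an inactivity timeout; the clock is injectable for tests."""

    def __init__(self, timeout: float = INACTIVITY_TIMEOUT_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._timeout = timeout
        self._clock = clock
        self._last_seen: Dict[str, float] = {}

    def create(self) -> str:
        sid = new_session_id()
        self._last_seen[sid] = self._clock()
        return sid

    def touch(self, sid: str) -> bool:
        """Return True and refresh the session if it is still live; expire it otherwise."""
        last = self._last_seen.get(sid)
        if last is None:
            return False
        now = self._clock()
        if now - last > self._timeout:
            del self._last_seen[sid]      # idle too long: invalidate, do not merely refuse
            return False
        self._last_seen[sid] = now
        return True


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hashed password-store entry: per-user random salt, slow KDF, no plaintext retained."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


_USERNAME = re.compile(r"[A-Za-z0-9_.-]{1,32}")   # assumed allowlist for the example


def is_valid_username(value: str) -> bool:
    """Input filtering at the Web server: allowlist acceptable input, reject everything else."""
    return _USERNAME.fullmatch(value) is not None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create()
    print(session_cookie_header(sid))
    entry = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", entry), verify_password("wrong", entry))
    print(is_valid_username("alice_01"), is_valid_username("alice; --"))
```

The timeout check deletes the expired entry rather than only refusing it, so an idle session cannot be revived later; the cookie header deliberately carries no Expires or Max-Age, which is what makes it nonpersistent in the sense the policy uses.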

Future Security Considerations

Authorization Manager
Constrained Delegation

Summary

Business relies more and more on information technology to operate
Securing access to critical resources ensures that they continue to function as expected
Microsoft IT put policies and guidelines in place to help Microsoft development teams secure their existing applications
Documenting and sharing the lessons that are learned by organizations are central to maintaining security both within and among businesses

For More Information

Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com

Microsoft TechNet: http://www.microsoft.com/technet/itshowcase
Microsoft Case Study Resources: http://www.microsoft.com/resources/casestudies

E-mail IT Showcase: showcase@microsoft.com

This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Microsoft Press, Visual Studio, Visual SourceSafe, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
