Synopses & Reviews
Keep black-hat hackers at bay with the tips and techniques in this entertaining, eye-opening book! Developers will learn how to padlock their applications throughout the entire development process—from designing secure applications to writing robust code that can withstand repeated attacks to testing applications for security flaws. Easily digested chapters reveal proven principles, strategies, and coding techniques. The authors—two battle-scarred veterans who have solved some of the industry’s toughest security problems—provide sample code in several languages. This edition includes updated information about threat modeling, designing a security process, international issues, file-system issues, adding privacy to applications, and performing security code reviews. It also includes enhanced coverage of buffer overruns, Microsoft .NET security, and Microsoft ActiveX development, plus practical checklists for developers, testers, and program managers.
Covers topics such as the importance of secure systems, threat modeling, canonical representation issues, solving database input, denial-of-service attacks, and security code reviews and checklists.
Includes bibliographical references (p. 741-745) and index.
About the Author
Michael Howard, CISSP, is a leading security expert. He is a senior security program manager at Microsoft® and the coauthor of The Software Security Development Lifecycle. Michael has worked on Windows security since 1992 and now focuses on secure design, programming, and testing techniques. He is the consulting editor for the Secure Software Development Series of books by Microsoft Press.
David LeBlanc, Ph.D., is a founding member of the Trustworthy Computing Initiative at Microsoft®. He has been developing solutions for computing security issues since 1992 and has created award-winning tools for assessing network security and uncovering security vulnerabilities. David is a senior developer in the Microsoft Office Trustworthy Computing group.
Table of Contents
Copyright; Dedication; Introduction; Who Should Read This Book; Organization of This Book; Installing and Using the Sample Files; System Requirements; Support Information; Acknowledgments; Part I: Contemporary Security; Chapter 1: The Need for Secure Systems; 1.1 Applications on the Wild Wild Web; 1.2 The Need for Trustworthy Computing; 1.3 Getting Everyones Head in the Game; 1.4 Some Ideas for Instilling a Security Culture; 1.5 The Attackers Advantage and the Defenders Dilemma; 1.6 Summary; Chapter 2: The Proactive Security Development Process; 2.1 Process Improvements; 2.2 The Role of Education; 2.3 Design Phase; 2.4 Development Phase; 2.5 Test Phase; 2.6 Shipping and Maintenance Phases; 2.7 Summary; Chapter 3: Security Principles to Live By; 3.1 SD3: Secure by Design, by Default, and in Deployment; 3.2 Security Principles; 3.3 Summary; Chapter 4: Threat Modeling; 4.1 Secure Design Through Threat Modeling; 4.2 Security Techniques; 4.3 Mitigating the Sample Payroll Application Threats; 4.4 A Cornucopia of Threats and Solutions; 4.5 Summary; Part II: Secure Coding Techniques; Chapter 5: Public Enemy #1: The Buffer Overrun; 5.1 Stack Overruns; 5.2 Heap Overruns; 5.3 Array Indexing Errors; 5.4 Format String Bugs; 5.5 Unicode and ANSI Buffer Size Mismatches; 5.6 Preventing Buffer Overruns; 5.7 The Visual C++ .NET /GS Option; 5.8 Summary; Chapter 6: Determining Appropriate Access Control; 6.1 Why ACLs Are Important; 6.2 What Makes Up an ACL?; 6.3 A Method of Choosing Good ACLs; 6.4 Creating ACLs; 6.5 Getting the ACE Order Right; 6.6 Be Wary of the Terminal Server and Remote Desktop SIDs; 6.7 NULL DACLs and Other Dangerous ACE Types; 6.8 Other Access Control Mechanisms; 6.9 Summary; Chapter 7: Running with Least Privilege; 7.1 Least Privilege in the Real World; 7.2 Brief Overview of Access Control; 7.3 Brief Overview of Privileges; 7.4 Brief Overview of Tokens; 7.5 How Tokens, Privileges, SIDs, ACLs, and Processes Relate; 7.6 Three Reasons Applications Require Elevated Privileges; 7.7 Solving the Elevated Privileges Issue; 7.8 A Process for Determining Appropriate Privilege; 7.9 Low-Privilege Service Accounts in Windows XP and Windows .NET Server 2003; 7.10 The Impersonate Privilege and Windows .NET Server 2003; 7.11 Debugging Least-Privilege Issues; 7.12 Summary; Chapter 8: Cryptographic Foibles; 8.1 Using Poor Random Numbers; 8.2 Using Passwords to Derive Cryptographic Keys; 8.3 Key Management Issues; 8.4 Key Exchange Issues; 8.5 Creating Your Own Cryptographic Functions; 8.6 Using the Same Stream-Cipher Encryption Key; 8.7 Bit-Flipping Attacks Against Stream Ciphers; 8.8 Reusing a Buffer for Plaintext and Ciphertext; 8.9 Using Crypto to Mitigate Threats; 8.10 Document Your Use of Cryptography; 8.11 Summary; Chapter 9: Protecting Secret Data; 9.1 Attacking Secret Data; 9.2 Sometimes You Dont Need to Store a Secret; 9.3 Getting the Secret from the User; 9.4 Protecting Secrets in Windows 2000 and Later; 9.5 Protecting Secrets in Windows NT 4; 9.6 Protecting Secrets in Windows 95, Windows 98, Windows Me, and Windows CE; 9.7 Not Opting for a Least Common Denominator Solution; 9.8 Managing Secrets in Memory; 9.9 Locking Memory to Prevent Paging Sensitive Data; 9.10 Protecting Secret Data in Managed Code; 9.11 Raising the Security Bar; 9.12 Trade-Offs When Protecting Secret Data; 9.13 Summary; Chapter 10: All Input Is Evil!; 10.1 The Issue; 10.2 Misplaced Trust; 10.3 A Strategy for Defending Against Input Attacks; 10.4 How to Check Validity; 10.5 Using Regular Expressions for Checking Input; 10.6 Regular Expressions and Unicode; 10.7 A Regular Expression Rosetta Stone; 10.8 A Best Practice That Does Not Use Regular Expressions; 10.9 Summary; Chapter 11: Canonical Representation Issues; 11.1 What Does Canonical Mean, and Why Is It a Problem?; 11.2 Canonical Filename Issues; 11.3 Canonical Web-Based Issues; 11.4 Visual Equivalence Attacks and the Homograph Attack; 11.5 Preventing Canonicalization Mistakes; 11.6 Web-Based Canonicalization Remedies; 11.7 A Final Thought: Non-File-Based Canonicalization Issues; 11.8 Summary; Chapter 12: Database Input Issues; 12.1 The Issue; 12.2 Pseudoremedy #1: Quoting the Input; 12.3 Pseudoremedy #2: Use Stored Procedures; 12.4 Remedy #1: Never Ever Connect as sysadmin; 12.5 Remedy #2: Building SQL Statements Securely; 12.6 An In-Depth Defense in Depth Example; 12.7 Summary; Chapter 13: Web-Specific Input Issues; 13.1 Cross-Site Scripting: When Output Turns Bad; 13.2 Other XSS-Related Attacks; 13.3 XSS Remedies; 13.4 Dont Look for Insecure Coooooonstructs; 13.5 But I Want Users to Post HTML to My Web Site!; 13.6 How to Review Code for XSS Bugs; 13.7 Other Web-Based Security Topics; 13.8 Summary; Chapter 14: Internationalization Issues; 14.1 The Golden I18N Security Rules; 14.2 Use Unicode in Your Application; 14.3 Prevent I18N Buffer Overruns; 14.4 Validate I18N; 14.5 Character Set Conversion Issues; 14.6 Use MultiByteToWideChar with MB_PRECOMPOSED and MB_ERR_INVALID_CHARS; 14.7 Use WideCharToMultiByte with WC_NO_BEST_FIT_CHARS; 14.8 Comparison and Sorting; 14.9 Unicode Character Properties; 14.10 Normalization; 14.11 Summary; Part III: Even More Secure Coding Techniques; Chapter 15: Socket Security; 15.1 Avoiding Server Hijacking; 15.2 TCP Window Attacks; 15.3 Choosing Server Interfaces; 15.4 Accepting Connections; 15.5 Writing Firewall-Friendly Applications; 15.6 Spoofing and Host-Based and Port-Based Trust; 15.7 IPv6 Is Coming!; 15.8 Summary; Chapter 16: Securing RPC, ActiveX Controls, and DCOM; 16.1 An RPC Primer; 16.2 Secure RPC Best Practices; 16.3 Secure DCOM Best Practices; 16.4 An ActiveX Primer; 16.5 Secure ActiveX Best Practices; 16.6 Summary; Chapter 17: Protecting Against Denial of Service Attacks; 17.1 Application Failure Attacks; 17.2 CPU Starvation Attacks; 17.3 Memory Starvation Attacks; 17.4 Resource Starvation Attacks; 17.5 Network Bandwidth Attacks; 17.6 Summary; Chapter 18: Writing Secure .NET Code; 18.1 Code Access Security: In Pictures; 18.2 FxCop: A "Must-Have" Tool; 18.3 Assemblies Should Be Strong-Named; 18.4 Specify Assembly Permission Requirements; 18.5 Overzealous Use of Assert; 18.6 Further Information Regarding Demand and Assert; 18.7 Keep the Assertion Window Small; 18.8 Demands and Link Demands; 18.9 Use SuppressUnmanagedCodeSecurityAttribute with Caution; 18.10 Remoting Demands; 18.11 Limit Who Uses Your Code; 18.12 No Sensitive Data in XML or Configuration Files; 18.13 Review Assemblies That Allow Partial Trust; 18.14 Check Managed Wrappers to Unmanaged Code for Correctness; 18.15 Issues with Delegates; 18.16 Issues with Serialization; 18.17 The Role of Isolated Storage; 18.18 Disable Tracing and Debugging Before Deploying ASP.NET Applications; 18.19 Do Not Issue Verbose Error Information Remotely; 18.20 Deserializing Data from Untrusted Sources; 18.21 Dont Tell the Attacker Too Much When You Fail; 18.22 Summary; Part IV: Special Topics; Chapter 19: Security Testing; 19.1 The Role of the Security Tester; 19.2 Security Testing Is Different; 19.3 Building Security Test Plans from a Threat Model; 19.4 Testing Clients with Rogue Servers; 19.5 Should a User See or Modify That Data?; 19.6 Testing with Security Templates; 19.7 When You Find a Bug, Youre Not Done!; 19.8 Test Code Should Be of Great Quality; 19.9 Test the End-to-End Solution; 19.10 Determining Attack Surface; 19.11 Summary; Chapter 20: Performing a Security Code Review; 20.1 Dealing with Large Applications; 20.2 A Multiple-Pass Approach; 20.3 Low-Hanging Fruit; 20.4 Integer Overflows; 20.5 Checking Returns; 20.6 Perform an Extra Review of Pointer Code; 20.7 Never Trust the Data; 20.8 Summary; Chapter 21: Secure Software Installation; 21.1 Principle of Least Privilege; 21.2 Clean Up After Yourself!; 21.3 Using the Security Configuration Editor; 21.4 Low-Level Security APIs; 21.5 Summary; Chapter 22: Building Privacy into Your Application; 22.1 Malicious vs. Annoying Invasions of Privacy; 22.2 Major Privacy Legislation; 22.3 Privacy vs. Security; 22.4 Building a Privacy Infrastructure; 22.5 Designing Privacy-Aware Applications; 22.6 Summary; Chapter 23: General Good Practices; 23.1 Dont Tell the Attacker Anything; 23.2 Service Best Practices; 23.3 Dont Leak Information in Banner Strings; 23.4 Be Careful Changing Error Messages in Fixes; 23.5 Double-Check Your Error Paths; 23.6 Keep It Turned Off!; 23.7 Kernel-Mode Mistakes; 23.8 Add Security Comments to Code; 23.9 Leverage the Operating System; 23.10 Dont Rely on Users Making Good Decisions; 23.11 Calling CreateProcess Securely; 23.12 Dont Create Shared/Writable Segments; 23.13 Using Impersonation Functions Correctly; 23.14 Dont Write User Files to \Program Files; 23.15 Dont Write User Data to HKLM; 23.16 Dont Open Objects for FULL_CONTROL or ALL_ACCESS; 23.17 Object Creation Mistakes; 23.18 Care and Feeding of CreateFile; 23.19 Creating Temporary Files Securely; 23.20 Implications of Setup Programs and EFS; 23.21 File System Reparse Point Issues; 23.22 Client-Side Security Is an Oxymoron; 23.23 Samples Are Templates; 23.24 Dogfood Your Stuff!; 23.25 You Owe It to Your Users If
; 23.26 Determining Access Based on an Administrator SID; 23.27 Allow Long Passwords; 23.28 Be Careful with _alloca; 23.29 Dont Embed Corporate Names; 23.30 Move Strings to a Resource DLL; 23.31 Application Logging; 23.32 Migrate Dangerous C/C++ to Managed Code; Chapter 24: Writing Security Documentation and Error Messages; 24.1 Security Issues in Documentation; 24.2 Security Issues in Error Messages; 24.3 A Typical Security Message; 24.4 Information Disclosure Issues; 24.5 A Note When Reviewing Product Specifications; 24.6 Security Usability; 24.7 Summary; Part V: Appendixes; Appendix A: Dangerous APIs; APIs with Buffer Overrun Issues; APIs with Name-Squatting Issues; APIs with Trojaning Issues; Windows Styles and Control Types; Impersonation APIs; APIs with Denial of Service Issues; Networking API Issues; Miscellaneous APIs; Appendix B: Ridiculous Excuses Weve Heard; No one will do that!; Why would anyone do that?; Weve never been attacked.; Were securewe use cryptography.; Were securewe use ACLs.; Were securewe use a firewall.; Weve reviewed the code, and there are no security bugs.; We know its the default, but the administrator can turn it off.; If we dont run as administrator, stuff breaks.; But well slip the schedule!; Its not exploitable!; But thats the way weve always done it.; If only we had better tools
.; Appendix C: A Designers Security Checklist; Appendix D: A Developers Security Checklist; General; Web and Database-Specific; RPC; ActiveX, COM, and DCOM; Crypto and Secret Management; Managed Code; Appendix E: A Testers Security Checklist; A Final Thought; Appendix F: Annotated Bibliography; About the Author;