I attended the Microsoft Security Summit 2007 that was held in Kolkata on Dec 6th 2007. The venue was Taj Bengal. The session was primarily meant for developers. Registrations started from 0900 and by 0945, the summit started in full throttle.
Platform Security
The first session, "Microsoft Platform Security – An Overview" was delivered by a Microsoft ACE team member Mr. Prasad Nelabhotla. The discussion centered around the different forms of attacks that were prevalent on the Windows platform, starting from the cross site scripting attacks and how to defend against potentially harmful user inputs. Input validation at all stages was suggested as the primary means of defense. The "blacklisting" vs "white listing" approaches were addressed.
Typical problems of unmanaged code like buffer overflow was discussed and how managed code like .NET manages to address some of them were discussed. We learnt that the protection mechanisms should be built into all the different layers of our application and not just the outermost layer which interacts directly with the client. Ideally the developers should assume that all the layers before them are insecure and proceed to build maximum security features into their layer. Microsoft SD3 philosophy was discussed; Security by Design, Security by Default and Security by Deployment.
Developers were introduced to Threat Modeling which takes into account the different types of threats relevant to a particular scenario and the paths of them. It further marks the threats into different criterion based on the STRIDE classification. The DREAD method of evaluation of threats were discussed which attaches weights to threats by the five parameters : Damage potential, Exploitablity, Affected users and Discoverability. The importance of Logging and Auditing was stressed upon for analyzing the different threats.
Application Platform Security
The second session was on "Application Platform Security" and was delivered by the same person from the Microsoft ACE team, Mr. Prasad Nelabhotla. In this session the security features related to a .NET application was discussed. The features of .NET like Type Safe Expressions, Assembly Isolation, Authorized memory Access only were discussed and how they make the platform secure was brought out. The security features provided by Windows were talked about and how .NET security complemented it was shown.
The Code Access Security (CAS) was a major topic and how the platform grants security privileges to the assemblies were discussed in detail. The CAS policies and permission sets were demonstrated. The different levels of security available were talked about.
Encryption of data transmitted through a non secure channel was discussed and a brief overview of the .NET platform built in cryptography library was given. We were introduced to the different types of symmetric and asymmetric encryption algorithms supported by the System.Security.Cryptography namespace. Usage of DPAPI was advised for storage of sensitive information.
Data Platform Security
The next session was on Data Platform Security, conducted by L. Srividya, Architect and Evangelist, Microsoft India. She talked about various forms of attack on data platform, resulting in loss, corruption or leak of Databases which might prove devastation to the company. Cross site scripting and SQL injection were the chief topics.
Importance of backups and checking their restorability and status was discussed. The issue of physical security and software security were talked about. The kind of error message to display to the end user was also a good point. Messages like "Incorrect Password" could mean that the user name was correct and this should be replaced with "username and password did not match" type of messages.
The fact that hackers these days are professionals were stressed upon, so any loophole could be exploited. Even the amount of time available to developers are far less than what hackers have at their disposition. So best effort of secure the Database must be used. So every critical patches must be applied as quickly as possible, even if it means getting the server offline for a couple of hours. Some example of attacks were cited and their impact on the company were shown as an example.
The best practices turned out to be validation of user input, encrypting data through a unreliable channel, encrypting the database. The programs should be given as low privilege as possible. We do not need to give all our programs the SA privilege. The default username-password pairs like "scott-tiger" should be changed. The impact of a security breach from the inside was also discussed with the remedy that the number of most privileged users should be very low in number.
Web Platform Security
This fourth and final session was conducted by Vimal Rajyaguru, another member of the ACE team. He discusses the various threats imminent on the web today and how ASP.NET provides counter measures against them. ASP.NET and IIS were used to demonstrated some of the typical attacks like the cross site scripting, one click attack, and how their remedy through ASP.NET inbuilt features.
Various add-on packages like Anti XSS library were discussed. View state protection, HMAC message authentication, forms authentication were discussed. A comparative study of IIS across various versions were done along with the new features.
Conclusion
The one day long summit, although targeted for developers, was very informative for computer science students like myself. I am quite interested in cryptography and the practical usage of them were quite interesting. The various security threats were an eye opener and importance of security in application was well conveyed. Threat modeling was a completely new thing to me. Not being a web developer I could not understand most of the ASP.NET discussions but Vimal made it interesting enough with his hands on demonstrations.
The goodies were great. Each of the attendees got a copy of the book "The Security Development Lifecycle" by Mchael Howard and Steve Lipner from the MS Press. We also got two DVDs, "Microsoft Developers Security Resource Kit" for VS 2005 and a Visual Studio Team Suite Beta 2 editions usable up to March 2008.