Rob Garrett - Blogs


Software/Technology Discussion

Software and Technology Tid-bits

Mid-Atlantic Code Camp - an awesome event

Happy November 1st, trust everyone enjoyed Halloween yesterday. I have been my usual busy self this last weekend. Saturday was host to the second Mid-Atlantic Code Camp in Reston, VA; the theme of the day was security.

When it comes down to software security, I, like a lot of developers I know, tend to shy away from the technology because securing computers and software is a fine art, left to a different group of people.  Many developers will tell you that securing their PC and software is a secondary consideration, because security prevents developers from being productive.  On the other hand, discussing software development with security experts is akin to me telling a fire prevention expert that I have no fire extinguisher in my house – they tend to freak out when I explain certain development practices.  After spending the day listening to various talks at the code camp I can honestly say that my opinions have changed, and I am now thinking more about security. 

What is software and computer security anyway?  Well, I believe that Randy Hayes said it best – “Security is not a product it is a process”.  So many developers leave the securing of their applications to the last stage of the project, which usually results in a poorly secured application, or as more often is the case, the securing of said application is never implemented.  This is not the correct approach – security needs to be considered through all stages of software development, which means your design documents should include some form of threat modeling, implementation should reflect a secure design from the start, and QA procedures should include vulnerability tests.

So, how should one go about adding security to their project?  This is an open-ended question with no single answer.  Many books exist on this subject, security experts regularly post to weblogs, and there now exist a few security methodologies to parallel the tried and tested SDL methodologies.  This post is not about answering this question, but more of an invitation to all those developers and software engineers among us to start thinking securely.  Those working with Microsoft .NET on the Windows platform have to look no further than the latest release of the .NET Framework v2.0 to see how Microsoft are helping developers by making it easier to create secure applications.

I want to thank Andrew Duthie and like-minded individuals for organizing free educational events like the MAD Code Camps.  Developers and software engineers no longer have an excuse for not being better educated in their field, and not just in the security area but in all aspects of development.  Since Saturday I have employed steps to better secure my home computers and work computer, I have begun introducing my employer to threat modeling techniques on software projects, and now consider security implications when writing code.  You can too.

Without any further rambling, I shall cover the finer points of the second Mid-Atlantic Code Camp:

Code camp usually runs at least three interest tracks, and each track consists of six or more sessions.  The following are details on the sessions I attended.

Session 1 (Data Track) – Secure Data from A to Z – William Ryan

Unfortunately Bill was not able to make the code camp to perform his talk, so Sahil Malik stepped in at the last minute with an impromptu session on ADO.NET 2.0.  The best part of all code camp sessions is the ability of the presenters; none of these guys (and gals) are Microsoft speakers, they’re regular developers and software engineers like the rest of us.  Rarely have I encountered a speaker who does not know their material and cannot answer quick-fire questions on the spot, and Sahil is no exception.  Sahil is an excellent speaker, and knows all there is to know about ADO.NET – his latest book “Pro ADO.NET 2.0” is testament to that fact.  I was impressed by Sahil’s ability to talk for an hour on ADO.NET 2.0 topics, including connection pooling, transactions and SQL CLR, without jumping around topics – the entire session was performed without slides or prepped material. Sure, the session was less about security, but a thrill to listen to - I only wish that I could present as well as Sahil one day.

Session 2 (Application Track) – Security in ASP.NET 2.0 – Scott Allen

If there had to be one person who I could list as knowing a lot about ASP.NET, then it would be Scott Allen.  I have had the pleasure of being a part of a couple of presentations hosted by Scott, and I leave each with a better understanding of how to write good web application code.  In his session Saturday, Scott discussed the introduction of the new Member API in ASP.NET 2.0, new login controls and configuration file encryption – all invented to make securing web applications easier for developers.  I also have to mention Scott’s ability to keep his audience entertained with witty jokes about Vampires – thanks Scott. 

Session 3 (Best Practices Track) – Real-world Threat Modeling – Robert Hurlbut

Just to mix up the day, I decided to attend a non-code-based session.  Robert’s talk on threat modeling was very inspiring, and like the sessions I attended earlier, I left this session with a yearning to go and try what I had learned.  Robert introduced the audience to ways to simplify documentation of security threats to software systems at the design phase of a project.  The biggest problem with security is being able to quantify it, and documenting potential threats to software systems.  Threat modeling has been invented to make this process of documentation easier.  Robert successfully educated session participants on ways to employ threat modeling by working through real examples on the whiteboard, with input from the audience.  Of all the sessions I attended on Saturday, this was the only session for which I wrote extensive notes.  I plan to employ threat modeling in the design of the current project I am working on.

Session 4 (Data Track) – Enterprise Library and Data Security – Gary Blatt

Gary’s session about the Enterprise Library was an interesting look into the view of coding for enterprise architecture using pre-coded modules, called building blocks.  Specifically, Gary’s presentation focused on the security application block (SAB), the configuration application block (CAB), and Gary touched on the database access application block (DAAB).  At this time, the EL has not been ported to the 2.0 framework, but most of the material in Gary’s session was very useful to those still working in a .NET 1.1 environment.

Session 5 (Best Practices) – Developing Web Applications for Partial Trust – Joe Brinkman

I had been looking forward to this session all day!  I have been recently reading about code access security (CAS) and operating low trust code in sandbox environments, so I was very excited to hear about what Joe had to say about running ASP.NET at partial trust.  By default, ASP.NET runs in an AppDomain with full trust, and Joe demonstrated how this trust level can be exploited by hackers on a shared hosted environment to gain access to other hosted ASP.NET applications.  Microsoft is pushing for all hosting organizations to move to medium trust – at this level ASP.NET loses access to the file system, reflection, and a number of higher privileged areas more commonly used by hackers to penetrate ASP.NET applications.  Joe’s session included a demonstration of the various trust levels, starting with full trust (maximum functionality and low security) and ending with minimum trust (low functionality, high security).  Since sandboxing and CAS were fresh on my topic of interest list, I had a number of questions, all of which Joe answered.  During the break, after this session, I sat and talked with Joe about his thoughts on running sandbox AppDomains in parallel to full trusted AppDomains in WinForm applications (as mentioned in the latest MSDN magazine publication).  I really wish I could have had more time to converse with Joe on CAS, and I thank him for his time that we shared.

Session 6 (Best Practices) – Running as non-admin – Randy Hayes

This session gets the award for the most influential presentation of the day – at least where I am concerned.  Randy is passionate about educating developers and other users of the Windows platform to not run day-to-day tasks in an administrative account.  By default Windows XP installs the default user as an administrator, which is an open security hole waiting to be exploited.  Hackers, spyware merchants, and virus developers are becoming smarter, and the simple tactics of installing network firewalls are no longer enough to prevent penetration by malicious software.  9 out of 10 Windows users are blissfully unaware that they may have spyware or virus software running on their computer, slowing down the processor, eating memory and potentially compromising their personal files and applications.  This problem can be partially attributed to surfing the Internet – an unsafe domain full of exploits and nasty pieces of code waiting to be downloaded and installed without any knowledge of the Internet user – whilst running as an administrator.  Simply configuring your Windows machine to run day-to-day tasks as a low privileged user (LPU) will lower the attack surface open to malicious code.  Approaching developers to run as LPU is the first step in convincing Windows users to be more security conscious.  Randy’s talk was very convincing (made me a little paranoid to be honest), and by the intense concentration captured from the audience I would say he was getting the correct message across that Windows needs to be actively secured by users.  Randy informed the attendees that he is testament to LPU working, because for two years he has been spyware and virus free, and yet he has no anti-virus or anti-spyware applications running on his computer.  Well Randy, you convinced me, I went home that very evening and locked down my servers and desktop computers. I am now running as LPU on all my computers, and yes all my development tools still work!
Those of you still not convinced – better get used to LPU if you’re planning on running Windows Vista, because the default user in Vista is LPU. 

Well that about covers Code Camp, I cannot wait for the next one.

Published Tuesday, November 01, 2005 1:38 PM by Rob Garrett


Comments

 

genehack said:

And the Linux/UNIX people read the LPU section and chuckle softly... 8^)=
November 1, 2005 7:59 PM

Rob Garrett is a British Expat living in Maryland USA. Rob is a trained software engineer and experienced in Windows .NET development.

Rob enjoys listening to Rock music, posting to blogs, driving in the country with the sunroof open, beer (not in conjunction with country driving) and spending time with his family.
