Application security auditing and logging

Monday, March 26, 2012

Auditing is one of the main pillars of security policies. The question is how to do it wisely. The infrastructure can log almost everything, for example access to files, registry keys, databases, etc. The problem is that the infrastructure has no knowledge of the application's use cases, so the context for these logs is missing. Let us ask: what is the purpose of auditing? The trivial reason is to collect information that will be useful in case of a problem, yet how do you know that there is a problem at all? Auditing can...
no comments
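The point of the post is that an infrastructure log line ("file X was read by service account Y") cannot be judged without the application's use case behind it. The following is an added example, not code from the original post: it joins constructed file-access log lines to constructed application audit events by a correlation id and reports both accesses that no use case explains and use cases that do not justify the object touched. The log format, the corr field and the ViewOwnStatement use case are assumptions made for the example.

```python
"""Added example (not from the original post): correlating infrastructure
logs with application-level audit events so that raw resource accesses get
the use-case context the post says they lack. All log lines and events are
constructed; field names, the corr id and ViewOwnStatement are assumptions."""
import re

# Constructed infrastructure log: the file server's view of a sensitive file.
INFRA_LOG = [
    "2012-03-26T10:00:01Z file_read path=/data/accounts.db user=svc_app corr=7a1",
    "2012-03-26T10:00:02Z file_read path=/data/accounts.db user=svc_app corr=7a2",
    "2012-03-26T10:00:05Z file_read path=/data/accounts.db user=svc_app corr=7a3",
]

# Constructed application audit events: the same accesses as the application
# understood them (which end user, which use case, which business object).
APP_AUDIT = [
    {"corr": "7a1", "user": "alice", "use_case": "ViewOwnStatement", "account": "alice"},
    {"corr": "7a2", "user": "bob", "use_case": "ViewOwnStatement", "account": "carol"},
]

INFRA_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) path=(?P<path>\S+) user=(?P<user>\S+) corr=(?P<corr>\S+)$"
)


def parse_infra_line(line):
    """Parse one infrastructure log line into a dict; return None if malformed."""
    m = INFRA_RE.match(line)
    return m.groupdict() if m else None


def review(infra_lines, app_events):
    """Join infrastructure accesses to application context by correlation id.

    Returns a dict with two lists of correlation ids:
      unexplained - resource accesses with no application use case behind them
      violations  - application events whose use case does not justify the object
    """
    by_corr = {e["corr"]: e for e in app_events}
    findings = {"unexplained": [], "violations": []}
    for line in infra_lines:
        rec = parse_infra_line(line)
        if rec is None:
            continue
        ctx = by_corr.get(rec["corr"])
        if ctx is None:
            # The infrastructure saw a read, but no use case claims it.
            findings["unexplained"].append(rec["corr"])
            continue
        # Only the application context lets us judge the access:
        # ViewOwnStatement may touch the caller's own account and nothing else.
        if ctx["use_case"] == "ViewOwnStatement" and ctx["account"] != ctx["user"]:
            findings["violations"].append(rec["corr"])
    return findings


if __name__ == "__main__":
    print(review(INFRA_LOG, APP_AUDIT))
```

Run as a script it reports 7a3 as an unexplained read and 7a2 as a violation; neither finding is derivable from the infrastructure log alone, which is exactly the gap the post describes.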

My Application Security Talk on Canada's TechDays

Tuesday, February 28, 2012

Starting at the end of February, Canada's TechDays TV will air brand new TechDays sessions (exclusive to TechDays Online). The experts will be LIVE and INTERACTIVE, which means that throughout the session, as well as after it, you'll be able to post your questions via chat or Twitter and have them answered in real time. To launch this new TV channel, MS Canada chose me to talk about "Securing .NET Applications". In this session I discuss a range of security topics including: what is application security, security design and the SDL, identity management, role-based security and claims-based identity, cryptography,...
no comments

ACS Live Demos

Thursday, May 12, 2011

My friend Alik Levin, who works in the identity group, pointed me to a list of videos containing detailed demos of the Access Control Service:
WCF web service that uses ACS with WIF - Securing WCF Services with ACS
Web site that uses ACS (with and without WIF) - Securing Web Applications with ACS
Delegation with ACS - Code Sample: OAuth 2.0 Delegation
Integration with ADFS 2.0 - How To: Configure...
no comments

Asymmetric Encryption with RSACryptoServiceProvider

Sunday, January 9, 2011

Traditional symmetric cryptography is all about hiding a secret using an algorithm and a key. The same key is used for encryption and decryption. Asymmetric encryption does much more. In asymmetric encryption there are two keys: one is kept secret (private) and the other is distributed (public). The two keys are mathematically interchangeable in role: whatever one of them encrypts, only the other can decrypt, and what makes the public key public is simply the fact that it was distributed. To perform a full cycle both keys are required (i.e. encryption with one key and decryption with the other). There are two possible scenarios: ...
one comment
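The two scenarios the post leads into are confidentiality (encrypt with the public key, decrypt with the private key) and signature (sign with the private key, verify with the public key). Below is an added example, not code from the original post and not how RSACryptoServiceProvider is used: textbook RSA with the tiny primes 61 and 53 so the numbers can be followed by hand. The primes, the exponent 17 and the "hash then reduce mod n" signing step are toy assumptions; real keys are 2048 bits or more and use padding (OAEP for encryption, PSS or PKCS#1 v1.5 for signatures), which the .NET provider applies for you.

```python
"""Added example (not code from the original post): textbook RSA with tiny
primes showing both asymmetric scenarios, confidentiality and signature.
Toy only: no padding, tiny modulus; the primes and exponent are assumptions."""
import hashlib


def rsa_keygen(p, q, e=17):
    """Build (n, e, d) from two primes p, q and public exponent e (assumed inputs)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    # d is the modular inverse of e modulo phi (pow with -1 needs Python 3.8+).
    d = pow(e, -1, phi)
    return n, e, d


def rsa_apply(x, key):
    """One modular exponentiation; the same operation serves both directions.
    A key is a pair (exponent, modulus): (e, n) is public, (d, n) is private."""
    exponent, n = key
    return pow(x, exponent, n)


def encrypt(m, public_key):
    """Confidentiality: anyone holding the public key can encrypt ..."""
    return rsa_apply(m, public_key)


def decrypt(c, private_key):
    """... but only the holder of the private key can decrypt."""
    return rsa_apply(c, private_key)


def _digest_mod_n(message, n):
    """Toy message representative: SHA-256 reduced mod n (real schemes pad instead)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """Signature: only the private key holder can produce it ..."""
    return rsa_apply(_digest_mod_n(message, private_key[1]), private_key)


def verify(message, signature, public_key):
    """... and anyone with the public key can check it."""
    return rsa_apply(signature, public_key) == _digest_mod_n(message, public_key[1])


if __name__ == "__main__":
    n, e, d = rsa_keygen(61, 53)          # n=3233, e=17, d=2753
    pub, priv = (e, n), (d, n)
    c = encrypt(65, pub)                  # 2790
    print("ciphertext", c, "decrypts to", decrypt(c, priv))
    s = sign(b"pay 100", priv)
    print("valid:", verify(b"pay 100", s, pub), "tampered:", verify(b"pay 100", (s + 1) % n, pub))
```

Because the e-th power map is a bijection modulo n, a tampered signature can never verify, and decrypting with the wrong exponent returns garbage rather than an error, which is why real protocols add padding and integrity checks on top of the bare operation shown here.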

Practical Application Security

Sunday, August 9, 2009

Application security is a problematic subject. It is a non-functional requirement, so it cannot be presented to a customer, and it is expensive. Management feels that money is being spent without tangible results, and developers feel that security is a pain, so they will do anything to avoid it. When asked "what is application security?" people give many different answers … So how can application security be implemented? In this article I will show how the broad concept of application security can be translated into simple tangible tasks. Application security...
no comments

Creating X.509 Certificates using makecert.exe

Tuesday, April 8, 2008

Creating X.509 certificates is a very common task. Unfortunately, knowledge of how to do it is quite rare. If you want a certificate that the whole world would trust you need to buy one, but if you need it for your own use you can create it using a tool called MakeCert.exe. After downloading the tool you have to perform the following procedure:

Creating a Root Certificate Authority

makecert.exe -n "CN=My Root CA,O=Organization,OU=Org Unit,L=San Diego,S=CA,C=US" -pe -ss my -sr LocalMachine -sky exchange -m 96 -a sha1 -len 2048 -r My_Root_CA.cer

(As written this signs the certificate with SHA-1, which current browsers and Windows versions no longer accept for certificate signatures; newer builds of makecert take -a sha256.)

Import Root Certificate Authority Certificate into Trusted Root Store

certutil.exe -f -addstore Root...
78 comments

Threat Modeling summary

Saturday, March 1, 2008

Threat modeling is the heart of any application security design. I am often asked about threat modeling, so I wanted to write about it. Enjoy:

Threat Modeling

Goal: Describe what threat modeling is, and how it should be implemented.

Terms:
Attacker - Someone who could do harm to a system
Threat - An attacker's goal
Vulnerability - A flaw in the system that could help an attacker realize a threat
Mitigation - Something done to protect against a threat
Attack - The process in which an attacker takes advantage of a vulnerability
Asset - Something of value to valid users, vendors and attackers

Background: Application security is...
no comments

Federated Authentication – Performance and One Time passwords

Thursday, February 8, 2007

It is quite common for a large distributed application to raise the questions: "Should all services perform user authentication?" "Can we afford this in terms of performance?" Well, usually we cannot afford to authenticate repeatedly. Services are autonomous! We all know that this is one of the most important tenets of SOA. Business activities are rarely implemented in one service only; they are composed of several services working together. The services are autonomous, they can "grow" and can switch technologies, but nevertheless they are linked and dependent business-wise. Around this link we can draw a line and call it the business domain line. We should ask "What kind of authentication...
no comments
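One way to act on the "business domain line" idea is to authenticate the user once at the edge of the domain and have the services inside it verify a cheap signed token instead of hitting the identity store on every call. The following is an added example, not code from the original post and not a description of any particular federation product: the HMAC secret, the domain name used as the token audience, the claim names and the TTL are all assumptions made for the example. A production deployment would use the signing key of the domain's token issuer (in the .NET world, what WIF or ACS would hand you) rather than a string shared between services.

```python
"""Added example (not code from the original post): authenticate once at the
business-domain boundary, issue a signed token, and let services inside the
domain verify it instead of re-authenticating. Secret, domain, claims and
TTL are assumptions for the example."""
import base64
import hashlib
import hmac
import json
import time

DOMAIN = "billing"                                      # assumed domain name = token audience
DOMAIN_SECRET = b"shared-domain-key-for-example-only"   # constructed secret


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, roles, secret=DOMAIN_SECRET, ttl=300, now=None):
    """Edge service: called once, after a real authentication (password, OTP, ...)."""
    now = time.time() if now is None else now
    payload = {"sub": user, "roles": sorted(roles), "aud": DOMAIN,
               "iat": int(now), "exp": int(now) + ttl}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    mac = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(mac)


def verify_token(token, secret=DOMAIN_SECRET, now=None):
    """Inner service: one MAC check instead of a round trip to the identity store.
    Returns the claims on success, None on any failure (malformed, forged,
    wrong domain, expired)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):   # constant-time compare
            return None
        claims = json.loads(_unb64(body))
    except ValueError:          # bad split, bad base64, bad JSON, bad UTF-8
        return None
    if claims.get("aud") != DOMAIN:     # issued for a different business domain
        return None
    if claims.get("exp", 0) <= now:     # expired: send the caller back to the edge
        return None
    return claims


def authorize(token, required_role, now=None):
    """What a service inside the domain line does per call: verify, then check a role."""
    claims = verify_token(token, now=now)
    return claims is not None and required_role in claims["roles"]


if __name__ == "__main__":
    t = issue_token("alice", ["clerk"])
    print(t)
    print("clerk:", authorize(t, "clerk"), "admin:", authorize(t, "admin"))
```

The expiry is what bounds the cost of skipping re-authentication: a stolen token is only useful until exp, and the one-time password the post's title mentions is only ever checked at the edge, never by the inner services.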

Why Israeli banks encourage password theft

Thursday, January 11, 2007

Why do Israeli banks encourage Phishing? Or: how to steal passwords. Suppose you wish to see this or that banking information of the customers of a certain bank... What do you need to do? Well, all you need is a good graphic designer who will copy for you the look of the site of the bank you want to attack. Now write an email offering a discount campaign for the coming holiday, under which the customer can get a month free of fees if he signs up for the campaign. Send the email to as wide a distribution list as possible (the wider the better, as in any Phishing attack). It turns out that people trust what they see (there is enough research proving this), so if our site is similar enough to the bank's site many customers will be happy to...
3 comments

Membership, Roles and Tasks – Why don't people use membership provider

Friday, December 29, 2006

Membership, Roles and Tasks. It is common knowledge that passwords should not be kept in a database. Too many databases have been stolen, and with them many usernames and passwords. In some countries it is against the law to store passwords in a database. Still, a huge percentage of identity systems store passwords. Why? Well, some people just do not know that passwords should not be persisted. Some are just lazy: they do not have the time to implement a system that creates a good random number (salt) and hashes the salt concatenated with the password, etc. It uses this...
6 comments