Auditing is one of the main pillars of security policies. The question is how to do it wisely. The infrastructure can log almost everything: for example, access to files, registry keys, databases, etc. The problem is that the infrastructure has no knowledge of the application use cases, which means that the context for these logs is missing. Let us ask: what is the purpose of auditing? The trivial reason is to collect information that will be useful in case of a problem, yet how do you know that there is a problem after all? Auditing can...
Starting at the end of February, Canada's TechDays TV will air brand new TechDays sessions (exclusive to TechDays Online). The experts will be LIVE and INTERACTIVE, which means that throughout the session, as well as after it, you'll be able to post your questions via chat or Twitter and have them answered in real time. To launch this new TV channel, MS Canada chose me to talk about "Securing .NET Applications". In this session I discuss a range of security topics including: what is application security, security design and the SDL, identity management, role-based security and claims-based identity, cryptography,...
My friend Alik Levin, who works in the identity group, pointed me to a list of videos containing detailed demos of the Access Control Service: WCF web service that uses ACS with WIF; Securing WCF Services with ACS; Web site that uses ACS (with and without WIF); Securing Web Applications with ACS; Delegation with ACS; Code Sample: OAuth 2.0 Delegation; Integration with ADFS 2.0; How To: Configure...
Traditional symmetric cryptography is all about hiding a secret using an algorithm and a key. The same key is used for encryption and decryption. Asymmetric encryption does much more. In asymmetric encryption there are two keys: one is kept secret (private) and the other is distributed (public). Both keys are mathematically the same – what makes the public key public is the fact that it was distributed. To perform a full cycle both keys are required (i.e. encryption with one key and decryption with the other). There are two possible scenarios: ...
Application security is a problematic subject. It is a non-functional requirement, so it cannot be presented to a customer, and it is expensive. Management feels that money is being spent without tangible results, and the developers feel that security is a pain, so they will do anything to avoid it. When asked "what is application security?" so many different answers are given … So how can application security be implemented? In this article I will show how the broad concept of application security can be translated into simple, tangible tasks. Application security...
Creating X.509 certificates is a very common task. Unfortunately, the knowledge of how to do it is quite rare. If you want a certificate that the whole world would trust you need to buy one, but if you need it for your own use you can create it using a tool called MakeCert.exe.
After downloading the tool you have to perform the following procedure:
Creating a Root Certificate Authority
makecert.exe -n "CN=My Root CA,O=Organization,OU=Org Unit,L=San Diego,S=CA,C=US" -pe -ss my -sr LocalMachine -sky exchange -m 96 -a sha1 -len 2048 -r My_Root_CA.cer
Import Root Certificate Authority Certificate into Trusted Root Store
certutil.exe -f -addstore Root...
Threat modeling is the heart of any application security design.
I am often asked about threat modeling, so I wanted to write about it:
Goal: Describe what is threat modeling, and how it should be implemented.
Attacker - Someone who could do harm to a system
Threat - An attacker's goal
Vulnerability - A flaw in the system that could help an attacker realize a threat
Mitigation - Something to do to protect against a threat.
Attack - The process in which an attacker takes advantage of a vulnerability
Asset - Something of value to valid users, vendors and attackers
Background: Application security is...
It is quite common for large distributed applications to ask the questions: "Should all services perform user authentication?" "Can we afford this in terms of performance?"
Well, usually we cannot afford to repeatedly authenticate.
Services are autonomous! We all know that this is one of the most important tenets of SOA. Business activities are rarely implemented in one service only. Business activities are composed of several services working together. The services are autonomous, they can "grow" and can switch technologies, but nevertheless they are linked and dependent business-wise.
Around this link we can draw a line and call it: the business domain line. We should ask "What kind of authentication...
Why do banks in Israel encourage Phishing? Or how to steal passwords.
Suppose you wish to see banking details of one kind or another belonging to customers of a certain bank... What do you need to do?
Well, all you need is a good graphic designer who will copy for you the look of the bank site you want to attack. Now you write an email offering a discount promotion for the upcoming holiday, under which the customer can get a one-month exemption from fees if they sign up for the promotion. The email is to be sent out to a NATO-sized distribution list (as wide as possible, like any Phishing Attack).
It turns out that people trust what they see (there are enough studies proving this), so if our site is similar enough to the bank's site, many customers will happily...
Membership, Roles and Tasks
It is common knowledge that passwords should not be kept in a database. Too many databases have been stolen and with them many usernames and passwords. In some countries it is against the law to save passwords in a database.
Still, a huge percentage of identity systems store passwords. Why? Well, some people just do not know that passwords should not be kept persistent. Some are just lazy; they do not have the time to implement a system that creates a good random number (salt) and hashes the salt concatenated to the password, etc. It uses this...