Application security - Manu Cohen-Yashar's Blog

ACS Live Demos
My friend Alik Levin, who works in the identity group, pointed me to a list of videos containing detailed demos of the Access Control Service. WCF web service that uses ACS with WIF: Securing WCF Services with ACS. Web site that uses ACS (with and without WIF): Securing Web Applications with ACS. Delegation with ACS. Code Sample: OAuth 2.0 Delegation. Integration with ADFS 2.0: How To: Configure AD FS 2.0 as an Identity Provider. Integration with OpenID: How To: Use Management Service to Configure an OpenID...
Asymmetric Encryption with RSACryptoServiceProvider
Traditional symmetric cryptography is all about hiding a secret using an algorithm and a key. The same key is used for encryption and decryption. Asymmetric encryption does much more. In asymmetric encryption there are two keys: one is kept secret (private) and the other is distributed (public). Both keys are mathematically the same – what makes the public key public is the fact that it was distributed. To perform a full cycle both keys are required (i.e. encryption with one key and decryption with...
Practical Application Security
Application Security is a problematic subject. It is a non-functional requirement, so it cannot be presented to a customer, and it is expensive. Management feels that money is being spent without tangible results, and the developers feel that security is a pain, so they will do anything to avoid it. When asked "what is application security?" so many different answers are given … So how can application security be implemented? In this article I will show how the broad concept of application...
Creating X.509 Certificates using makecert.exe
Creating X.509 certificates is a very common task. Unfortunately, the knowledge of how to do it is quite rare. If you want a certificate that the whole world will trust you need to buy one, but if you need it for your own use you can create it using a tool called MakeCert.exe. After downloading the tool you have to perform the following procedure: Creating a Root Certificate Authority: makecert.exe -n "CN=My Root CA,O=Organization,OU=Org Unit,L=San Diego,S=CA,C=US" -pe -ss my -sr LocalMachine...
Threat Modeling summary
Threat modeling is the heart of any application security design. I am often asked about threat modeling, so I wanted to write about it. Enjoy: Threat Modeling. Goal: Describe what threat modeling is, and how it should be implemented. Terms: Attacker - Someone who could do harm to a system. Threat - An attacker's goal. Vulnerability - A flaw in the system that could help an attacker realize a threat. Mitigation - Something to do to protect against a threat. Attack - The process in which an attacker takes...
Federated Authentication - Performance and One Time passwords
It is quite common for large distributed applications to ask the questions: "Should all services perform user authentication?" "Can we afford this in terms of performance?" Well, usually we cannot afford to repeatedly authenticate. Services are autonomous! We all know that this is one of the most important tenets of SOA. Business activities are rarely implemented in one service only. Business activities are composed of several services working together. The services are autonomous, they can "grow" and...
Why do the banks in Israel encourage password theft?
Why do the banks in Israel encourage phishing? Or: how to steal passwords. Suppose you wished to see the banking details of the customers of a certain bank... What would you need to do? Well, all you need is a good graphic designer who will copy the look of the bank site you want to attack for you. Now you write an email offering a discount promotion for the upcoming holiday, under which a customer can get a one-month waiver of fees if they sign up for the promotion. The email is sent to a "NATO-sized" distribution list (as many recipients as possible, like any phishing attack). It turns out that people trust what they see (there is enough research proving this), so if our site is sufficiently...
Membership, Roles and Tasks - Why don't people use membership provider
Membership, Roles and Tasks. It is common knowledge that passwords should not be kept in a database. Too many databases have been stolen, and with them many usernames and passwords. In some countries it is against the law to save passwords in a database. Still, a huge percentage of identity systems store passwords. Why? Well, some people just do not know that passwords should not be kept persistent. Some are just lazy; they do not have the time to implement a system that creates a good random...
Security Testing tools & links
Security Testing tools & links: http://www.OWASP.org, http://www.Webappsec.org. Discovery: SamSpade: http://www.samspade.org/. Manual Testing: WebScrab: http://www.owasp.org/software/webscrab.html; Fiddler: http://www.fiddlertool.com/Fiddler/; Paros: http://parosproxy.org/download.shtml. Crackers: ObiWaN: http://www.phenoelit.de/obiwan/; Brutus: http://www.hoobie.net/brutus/; Crowbar: http://www.sensepost.com/research/crowbar/; Lcrack: http://www.nestonline.com/lcrack. MD5 Online Crackers: http://gdataonline...
Buffer Overflow / Overrun examples
Buffer Overflow / Overrun examples. Everybody knows the buffer overrun problem, but many people asked me to see a real-life example. So I bring here 5 examples of different kinds of buffer overrun. By the way, these examples do not work on Vista, as Vista protects the stack. So Vista is a secure environment … Enjoy. Manu. Classic Buffer Overrun Example. The classic problem: a buffer is copied into a bigger buffer, overwriting the stack and with it the return address. 1. Compile the code. 2. Run the code...
Application security 10 Commandments
Application security 10 Commandments. Many people ask "what should I do to implement Application Security?" Well, it is not so simple, but if you want to make a long story short you should do the following: Create a threat modeling document. Make sure you take care of the following issues: Input Validation - Map all your inputs and make sure all inputs coming from an untrusted source are properly validated. Authentication - Users are properly authenticated, and the authentication ticket is properly...
The truth about Application Security
The truth about Application Security. There is a problem with Application Security today: it is really in bad shape. As a security consultant, my customers are software companies that develop products for other companies to use. Those companies use those products to supply services to their final customers. If there are security issues, those customers are the ones who actually suffer. Today the awareness of security is rising, but still most people believe that security is somewhere between the OS...
Ben Gurion Airport – an example of a security failure
Ben Gurion Airport – an example of a security failure. In previous articles I have noted more than once that Application Security requires looking at the system as a whole. If we secure one place but leave a hole in another, it is as if we did nothing. I found an interesting example of this at Ben Gurion Airport. Many of us are registered for the "fast registration" service. We have a special card that activates biometric identification using the palm of the hand. The identification itself is performed with advanced and secure technology. But did you notice what happens immediately afterwards? Well, at the end of the identification process the machine produces an Authenticator in the form of a small slip printed on paper...
What is application security
Application Security. There is no doubt that today's applications must be secure. We are living in a world of data and communications, in which the most valuable asset is information. Everybody knows that valuable assets must be protected. Security standards are created to ensure products will implement security measures to protect their data. Security is an "all-inclusive" term, which means it must be implemented "everywhere", at all levels: Users: Train your users and build awareness to help them...