6. Roslyn Security Guard
• A set of Roslyn analyzers that aim to help security audits on .NET applications
• Bug patterns
• Code fixes
• VS integration
• Taint analysis
• Continuous integration
• Open-source
• https://dotnet-security-guard.github.io/
7. Security Code Scan
• Detects various security vulnerability patterns:
• SQL Injection, Cross-Site Scripting (XSS),
• Cross-Site Request Forgery (CSRF),
• XML External Entity Injection (XXE).
• Taint analysis to track user input data.
• One-click refactoring for some vulnerabilities.
• Analyzes .NET and .NET Core projects in the background (IntelliSense) or during a build.
• Continuous Integration (CI) through MSBuild.
• Open-source
• https://security-code-scan.github.io/
8. SQL Server - Vulnerability Assessment
• Only supported in SQL Server Management Studio (SSMS) v17.4 or later.
• Supports SQL Server 2008 - SQL Server 2017
• Supports SQL Server 2000 and SQL Server 2005, but some features will not work
12. Microsoft Baseline Security Analyzer
• An easy-to-use tool that helps small and medium-sized businesses determine whether their security state complies with Microsoft's security recommendations, and provides specific remediation guidance based on the results. Use MBSA to detect common security misconfigurations and missing security updates on computer systems, to strengthen your security management process.
• Security updates
• Rollups and service packs
• System security settings and configuration
• Internet Information Server
• SQL Server
• Office
https://www.microsoft.com/en-us/download/details.aspx?id=7558
13. Other information
• Microsoft Technical Security Notifications
• Security Update Email Alerts
• E-mail: Security Notification Service
• Security Advisories Alerts
• E-mail: Security Notification Service Comprehensive Edition
• RSS: Security Advisories
• Web Site: Security Advisories
• Microsoft Security Response Center Blog Alerts
• RSS: MSRC Blog
• Windows security updates (OS patches)
• .NET Framework security updates (hotfixes)
• Upgrade the .NET Framework version
- C# web application security
- Web Forms 70% + Web MVC/API 30%
Security configuration levels for Windows, IIS, C#, etc.
IIS: 7~10 (IIS 7 is the main focus)
.NET Framework: 3.5 ~ 4.7.1
MSSQL: 2005 ~ 2014
6-7 hours (40% demo, 60% knowledge)
Beginning (10 mins, 10 pages)
Part I (1.5 hr, 60 pages)
Ch.1 - Internet Security Overview (30 mins)
Ch.2 - Common Security Vulnerabilities and Attacks (60 mins)
Part II (3 hr, 100 pages)
Ch.3 - .NET Secure Development - Data Validation (45 mins)
Ch.4 - .NET Secure Development - Authentication & Session Management (45 mins)
Ch.5 - .NET Secure Development - .NET Framework Security (45 mins)
Ch.6 - .NET Secure Development - .NET Core and ASP.NET Core Framework Security (45 mins)
Part III (1 hr, 60 pages)
IIS & Security Web Development(30 mins)
SQL Server Configuration(15 mins)
Part IV (1 hr, 60 pages)
Security Development Flow(15 mins)
Tools(30 mins)
Recap (10 mins, 10 pages)
From this we can see that the earlier in the development lifecycle security is applied, the lower the cost of damage:
Community Edition is free for personal use. Its features vs. the Professional Edition's features are here: https://www.preemptive.com/products/dotfuscator/compare-editions
Roslyn analyzers that aim to help security audits on .NET applications. https://dotnet-security-guard.github.io/
WebGoat.NET
<TargetFrameworkProfile />
<!-- Add the line below -->
<AdditionalFileItemNames>$(AdditionalFileItemNames);Content</AdditionalFileItemNames>
Install SecurityCodeScan via NuGet
https://dotnet-security-guard.github.io/SG0001.htm
Regex rgx = new Regex(@"^[a-zA-Z0-9]+$");
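The following is an added example (not from the slides, and not code from the Security Code Scan or Roslyn Security Guard projects) showing the pattern behind rule SG0001, potential SQL injection: the tainted path that a taint analyzer flags, next to the version that applies the allow-list regex from the slide and passes the value as a typed parameter. The connection string, the `Users` table and the column names are placeholder assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example, not part of the original slides or of any analyzer project.
// Shows why a taint analyzer reports string-built SQL (source: request input,
// sink: CommandText) and what the parameterized, validated form looks like.
public static class UserLookup
{
    // Allow-list from the slide: only ASCII letters and digits are accepted.
    private static readonly Regex UserNamePattern = new Regex(@"^[a-zA-Z0-9]+$");

    // BEFORE: the untrusted 'userName' flows straight into the SQL text.
    // Any quote character in the input changes the structure of the query,
    // which is exactly what SG0001 / Security Code Scan warn about.
    public static SqlCommand BuildVulnerableCommand(SqlConnection conn, string userName)
    {
        string sql = "SELECT Id, Email FROM Users WHERE UserName = '" + userName + "'";
        return new SqlCommand(sql, conn);
    }

    // AFTER: the value is checked against the allow-list first and then bound
    // as a typed parameter, so it can only ever be data, never query syntax.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string userName)
    {
        if (userName == null || !UserNamePattern.IsMatch(userName))
            throw new ArgumentException("userName must be alphanumeric", nameof(userName));

        var cmd = new SqlCommand("SELECT Id, Email FROM Users WHERE UserName = @userName", conn);
        cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 64).Value = userName;
        return cmd;
    }

    // Demonstrates the difference without touching a database: the command
    // objects are only built and their CommandText printed, never executed.
    public static void Main()
    {
        // Placeholder connection string; no connection is opened here.
        using (var conn = new SqlConnection("Server=(local);Database=Demo;Integrated Security=true"))
        {
            string withQuote = "o'brien";   // constructed sample input containing a quote
            Console.WriteLine(BuildVulnerableCommand(conn, withQuote).CommandText);
            // -> the quote closes the literal early: ... WHERE UserName = 'o'brien'

            try { BuildSafeCommand(conn, withQuote); }
            catch (ArgumentException e) { Console.WriteLine("Rejected: " + e.Message); }

            Console.WriteLine(BuildSafeCommand(conn, "alice42").CommandText);
            // -> ... WHERE UserName = @userName (value bound separately)
        }
    }
}
```

Running the analyzer over this file reports only `BuildVulnerableCommand`; `BuildSafeCommand` is clean because the data reaching `SqlCommand` is a parameter, not part of the SQL string. The allow-list is a second layer for fields that genuinely are restricted to letters and digits; it is not a substitute for parameterization where arbitrary text (names with apostrophes, free-form comments) must be stored.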
Additionally, SSMS 17.x can be installed side by side with SSMS 16.x or SQL Server 2014 SSMS and earlier.
https://sonarcloud.io
D:\2.Repo\webgoat-net-demo
SonarScanner.MSBuild.exe begin /k:"webgoat-net-demo" /d:sonar.organization="blackie1019-github" /d:sonar.host.url="https://sonarcloud.io" /d:sonar.login="9d7e39a4560ef5da311a5693ec8169e4c6109f4e"
MsBuild.exe /t:Rebuild
SonarScanner.MSBuild.exe end /d:sonar.login="9d7e39a4560ef5da311a5693ec8169e4c6109f4e"
MBSA 2.3 release adds support for Windows 10 & Windows Server 2016 (needs configuration), Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012.
The Security Development Lifecycle (SDL)
Security technologies and tools necessary in the software development process
For the process to be put into practice, it still comes back to security technology
Following the process alone is not enough; what implementation problems and technologies need to be considered within this process?
Later we will talk about some directions for security training
But rather than training, this part is more of a communication process. What does security training content include?
Attacker-centric
Attacker-centric threat modeling starts from an attacker, evaluating the attacker's goals and how they achieve them. In this analysis, the attacker's motivation is most often taken into account, for example: person A wants to read a certain e-mail, person B wants to pirate a certain DVD. This approach usually starts from the entry points or from the target assets.
Software-centric
This type of analysis is also called system-centric, design-centric or architecture-centric. It starts from how the system is designed and what the system is meant to do, and looks for the types of attacks relevant to the system or its internal modules. Microsoft's SDL (Security Development Lifecycle) uses this approach.
Asset-centric
Asset-centric analysis starts from the resources hosted by the system, for example sensitive personal information collected by the system.
Professional domains of application software development security
https://www.qa-knowhow.com/?p=4732
Software development security process: SDL (Secure Development LifeCycle)
https://www.qa-knowhow.com/?p=4707