• Copyright

  Page 3

• Contents at a Glance

  Page 6

• Table of Contents

  Page 8

• Introduction

  Page 24

• + Part I. Contemporary Security

  Page 30

  • + Chapter 1. The Need for Secure Systems

    Page 32

    • Applications on the Wild Wild Web

      Page 34

    • The Need for Trustworthy Computing

      Page 36

    • Getting Everyone’s Head in the Game

      Page 36

    • Some Ideas for Instilling a Security Culture

      Page 42

    • The Attacker’s Advantage and the Defender’s Dilemma

      Page 48

    • Summary

      Page 50

  • + Chapter 2. The Proactive Security Development Process

    Page 52

    • Process Improvements

      Page 54

    • The Role of Education

      Page 55

    • Design Phase

      Page 61

    • Development Phase

      Page 72

    • Test Phase

      Page 76

    • Shipping and Maintenance Phases

      Page 76

    • Summary

      Page 78

  • + Chapter 3. Security Principles to Live By

    Page 80

    • SD3: Secure by Design, by Default, and in Deployment

      Page 80

    • Security Principles

      Page 83

    • Summary

      Page 97

  • + Chapter 4. Threat Modeling

    Page 98

    • Secure Design Through Threat Modeling

      Page 99

    • Security Techniques

      Page 137

    • Mitigating the Sample Payroll Application Threats

      Page 147

    • A Cornucopia of Threats and Solutions

      Page 149

    • Summary

      Page 153

• + Part II. Secure Coding Techniques

  Page 154

  • + Chapter 5. Public Enemy #1: The Buffer Overrun

    Page 156

    • Stack Overruns

      Page 158

    • Heap Overruns

      Page 167

    • Array Indexing Errors

      Page 173

    • Format String Bugs

      Page 176

    • Unicode and ANSI Buffer Size Mismatches

      Page 182

    • Preventing Buffer Overruns

      Page 184

    • The Visual C++ .NET /GS Option

      Page 196

    • Summary

      Page 199

  • + Chapter 6. Determining Appropriate Access Control

    Page 200

    • Why ACLs Are Important

      Page 200

    • What Makes Up an ACL?

      Page 204

    • A Method of Choosing Good ACLs

      Page 207

    • Creating ACLs

      Page 210

    • Getting the ACE Order Right

      Page 220

    • Be Wary of the Terminal Server and Remote Desktop SIDs

      Page 222

    • NULL DACLs and Other Dangerous ACE Types

      Page 224

    • Other Access Control Mechanisms

      Page 228

    • Summary

      Page 235

  • + Chapter 7. Running with Least Privilege

    Page 236

    • Least Privilege in the Real World

      Page 237

    • Brief Overview of Access Control

      Page 240

    • Brief Overview of Privileges

      Page 240

    • Brief Overview of Tokens

      Page 247

    • How Tokens, Privileges, SIDs, ACLs, and Processes Relate

      Page 247

    • Three Reasons Applications Require Elevated Privileges

      Page 249

    • Solving the Elevated Privileges Issue

      Page 251

    • A Process for Determining Appropriate Privilege

      Page 252

    • Low-Privilege Service Accounts in Windows XP and Windows.NET Server 2003

      Page 277

    • The Impersonate Privilege and Windows .NET Server 2003

      Page 279

    • Debugging Least-Privilege Issues

      Page 280

    • Summary

      Page 287

  • + Chapter 8. Cryptographic Foibles

    Page 288

    • Using Poor Random Numbers

      Page 288

    • Using Passwords to Derive Cryptographic Keys

      Page 298

    • Key Management Issues

      Page 301

    • Creating Your Own Cryptographic Functions

      Page 310

    • Using the Same Stream-Cipher Encryption Key

      Page 312

    • Bit-Flipping Attacks Against Stream Ciphers

      Page 318

    • Reusing a Buffer for Plaintext and Ciphertext

      Page 325

    • Using Crypto to Mitigate Threats

      Page 326

    • Document Your Use of Cryptography

      Page 327

  • + Chapter 9. Protecting Secret Data

    Page 328

    • Attacking Secret Data

      Page 329

    • Sometimes You Don’t Need to Store a Secret

      Page 330

    • Getting the Secret from the User

      Page 334

    • Protecting Secrets in Windows 2000 and Later

      Page 334

    • Protecting Secrets in Windows NT 4

      Page 340

    • Protecting Secrets in Windows 95, Windows 98, Windows Me,and Windows CE

      Page 344

    • Not Opting for a Least Common Denominator Solution

      Page 349

    • Managing Secrets in Memory

      Page 350

    • Locking Memory to Prevent Paging Sensitive Data

      Page 356

    • Protecting Secret Data in Managed Code

      Page 358

    • Raising the Security Bar

      Page 365

    • Trade-Offs When Protecting Secret Data

      Page 367

    • Summary

      Page 368

  • + Chapter 10. All Input Is Evil!

    Page 370

    • The Issue

      Page 371

    • Misplaced Trust

      Page 372

    • A Strategy for Defending Against Input Attacks

      Page 374

    • How to Check Validity

      Page 376

    • Tainted Variables in Perl

      Page 378

    • Using Regular Expressions for Checking Input

      Page 379

    • Regular Expressions and Unicode

      Page 382

    • A Regular Expression Rosetta Stone

      Page 387

    • A Best Practice That Does Not Use Regular Expressions

      Page 390

    • Summary

      Page 391

  • + Chapter 11. Canonical Representation Issues

    Page 392

    • What Does Canonical Mean, and Why Is It a Problem?

      Page 393

    • Canonical Filename Issues

      Page 393

    • Canonical Web-Based Issues

      Page 402

    • Visual Equivalence Attacks and the Homograph Attack

      Page 411

    • Preventing Canonicalization Mistakes

      Page 412

    • Web-Based Canonicalization Remedies

      Page 420

    • A Final Thought: Non-File-Based Canonicalization Issues

      Page 422

    • Summary

      Page 425

  • + Chapter 12. Database Input Issues

    Page 426

    • The Issue

      Page 427

    • Pseudoremedy #1: Quoting the Input

      Page 430

    • Pseudoremedy #2: Use Stored Procedures

      Page 431

    • Remedy #1: Never Ever Connect as sysadmin

      Page 432

    • Remedy #2: Building SQL Statements Securely

      Page 433

    • An In-Depth Defense in Depth Example

      Page 436

    • Summary

      Page 440

  • + Chapter 13. Web-Specific Input Issues

    Page 442

    • Cross-Site Scripting: When Output Turns Bad

      Page 442

    • Other XSS-Related Attacks

      Page 447

    • XSS Remedies

      Page 450

    • Don’t Look for Insecure Constructs

      Page 457

    • But I Want Users to Post HTML to My Web Site!

      Page 459

    • How to Review Code for XSS Bugs

      Page 460

    • Other Web-Based Security Topics

      Page 460

    • Summary

      Page 467

  • + Chapter 14. Internationalization Issues

    Page 468

    • The Golden I18N Security Rules

      Page 469

    • Use Unicode in Your Application

      Page 469

    • Prevent I18N Buffer Overruns

      Page 470

    • Validate I18N

      Page 472

    • Character Set Conversion Issues

      Page 473

    • Use MultiByteToWideChar with MB_PRECOMPOSED andMB_ERR_INVALID_CHARS

      Page 473

    • Use WideCharToMultiByte with WC_NO_BEST_FIT_CHARS

      Page 474

    • Comparison and Sorting

      Page 477

    • Unicode Character Properties

      Page 477

    • Normalization

      Page 479

    • Summary

      Page 480

• + Part III. Even More Secure Coding Techniques

  Page 482

  • + Chapter 15. Socket Security

    Page 484

    • Avoiding Server Hijacking

      Page 485

    • TCP Window Attacks

      Page 492

    • Choosing Server Interfaces

      Page 493

    • Accepting Connections

      Page 493

    • Writing Firewall-Friendly Applications

      Page 499

    • Spoofing and Host-Based and Port-Based Trust

      Page 502

    • IPv6 Is Coming!

      Page 503

    • Summary

      Page 505

  • + Chapter 16. Securing RPC, Active

    Page 506

    • An RPC Primer

      Page 507

    • Secure RPC Best Practices

      Page 511

    • Secure DCOM Best Practices

      Page 528

    • An ActiveX Primer

      Page 538

    • Secure ActiveX Best Practices

      Page 538

    • Summary

      Page 544

  • + Chapter 17. Protecting Against Denial of Service Attacks

    Page 546

    • Application Failure Attacks

      Page 546

    • CPU Starvation Attacks

      Page 550

    • Memory Starvation Attacks

      Page 558

    • Resource Starvation Attacks

      Page 559

    • Network Bandwidth Attacks

      Page 561

    • Summary

      Page 562

  • + Chapter 18. Writing Secure .NET Code

    Page 564

    • Code Access Security: In Pictures

      Page 566

    • FxCop: A “Must-Have” Tool

      Page 568

    • Assemblies Should Be Strong-Named

      Page 569

    • Specify Assembly Permission Requirements

      Page 571

    • Overzealous Use of Assert

      Page 574

    • Further Information Regarding Demand and Assert

      Page 576

    • Keep the Assertion Window Small

      Page 578

    • Demands and Link Demands

      Page 579

    • Use SuppressUnmanagedCodeSecurityAttribute with Caution

      Page 581

    • Remoting Demands

      Page 582

    • Limit Who Uses Your Code

      Page 583

    • No Sensitive Data in XML or Configuration Files

      Page 584

    • Review Assemblies That Allow Partial Trust

      Page 585

    • Check Managed Wrappers toUnmanaged Code for Correctness

      Page 586

    • Issues with Delegates

      Page 587

    • Issues with Serialization

      Page 587

    • The Role of Isolated Storage

      Page 588

    • Disable Tracing and DebuggingBefore Deploying ASP.NET Applications

      Page 590

    • Do Not Issue Verbose Error Information Remotely

      Page 590

    • Deserializing Data from Untrusted Sources

      Page 591

    • Don’t Tell the Attacker Too Much When You Fail

      Page 591

    • Summary

      Page 593

• + Part IV. Special Topics

  Page 594

  • + Chapter 19. Security Testing

    Page 596

    • The Role of the Security Tester

      Page 596

    • Security Testing Is Different

      Page 597

    • Building Security Test Plans from a Threat Model

      Page 598

    • Testing Clients with Rogue Servers

      Page 635

    • Should a User See or Modify That Data?

      Page 636

    • Testing with Security Templates

      Page 636

    • When You Find a Bug, You’re Not Done!

      Page 638

    • Test Code Should Be of Great Quality

      Page 639

    • Test the End-to-End Solution

      Page 640

    • Determining Attack Surface

      Page 640

    • Summary

      Page 642

  • + Chapter 20. Performing a Security Code Review

    Page 644

    • Dealing with Large Applications

      Page 646

    • A Multiple-Pass Approach

      Page 647

    • Low-Hanging Fruit

      Page 648

    • Integer Overflows

      Page 649

    • Checking Returns

      Page 653

    • Perform an Extra Review of Pointer Code

      Page 654

    • Never Trust the Data

      Page 654

    • Summary

      Page 655

  • + Chapter 21. Secure Software Installation

    Page 656

    • Principle of Least Privilege

      Page 657

    • Clean Up After Yourself!

      Page 659

    • Using the Security Configuration Editor

      Page 659

    • Low-Level Security APIs

      Page 667

    • Using the Windows Installer

      Page 667

    • Summary

      Page 669

  • + Chapter 22. Building Privacy into Your Application

    Page 670

    • Malicious vs. Annoying Invasions of Privacy

      Page 671

    • Major Privacy Legislation

      Page 672

    • Privacy vs. Security

      Page 675

    • Building a Privacy Infrastructure

      Page 676

    • Designing Privacy-Aware Applications

      Page 678

    • Summary

      Page 691

  • + Chapter 23. General Good Practices

    Page 692

    • Don’t Tell the Attacker Anything

      Page 692

    • Service Best Practices

      Page 692

    • Don’t Leak Information in Banner Strings

      Page 696

    • Be Careful Changing Error Messages in Fixes

      Page 697

    • Double-Check Your Error Paths

      Page 697

    • Keep It Turned Off!

      Page 697

    • Kernel-Mode Mistakes

      Page 697

    • Add Security Comments to Code

      Page 703

    • Leverage the Operating System

      Page 703

    • Don’t Rely on Users Making Good Decisions

      Page 704

    • Calling CreateProcess Securely

      Page 704

    • Don’t Create Shared/Writable Segments

      Page 706

    • Using Impersonation Functions Correctly

      Page 707

    • Don’t Write User Files to \Program Files

      Page 707

    • Don’t Write User Data to HKLM

      Page 708

    • Don’t Open Objects for FULL_CONTROL or ALL_ACCESS

      Page 708

    • Object Creation Mistakes

      Page 708

    • Care and Feeding of CreateFile

      Page 710

    • Creating Temporary Files Securely

      Page 711

    • Implications of Setup Programs and EFS

      Page 715

    • File System Reparse Point Issues

      Page 715

    • Client-Side Security Is an Oxymoron

      Page 716

    • Samples Are Templates

      Page 717

    • Dogfood Your Stuff!

      Page 717

    • You Owe It to Your Users If…

      Page 718

    • Determining Access Based on an Administrator SID

      Page 718

    • Allow Long Passwords

      Page 719

    • Be Careful with _alloca

      Page 720

    • Don’t Embed Corporate Names

      Page 721

    • Move Strings to a Resource DLL

      Page 722

    • Application Logging

      Page 722

    • Migrate Dangerous C/C++ to Managed Code

      Page 723

  • + Chapter 24. Writing Security Documentation and Error Messages

    Page 724

    • Security Issues in Documentation

      Page 724

    • Security Issues in Error Messages

      Page 729

    • A Typical Security Message

      Page 729

    • Information Disclosure Issues

      Page 730

    • A Note When Reviewing Product Specifications

      Page 737

    • Security Usability

      Page 737

    • Summary

      Page 738

• + Part V. Appendixes

  Page 740

  • Appendix A. Dangerous APIs

    Page 742

  • Appendix B. Ridiculous Excuses We’ve Heard

    Page 752

  • Appendix C. A Designer’s Security Checklist

    Page 758

  • Appendix D. A Developer’s Security Checklist

    Page 760

  • Appendix E. A Tester’s Security Checklist

    Page 766

  • A Final Thought

    Page 768

• Annotated Bibliography

  Page 770

• Index

  Page 776

Keep black-hat hackers at bay with the tips and techniques in this entertaining, eye-opening book! Developers will learn how to padlock their applications throughout the entire development process--from designing secure applications to writing robust code that can withstand repeated attacks to testing applications for security flaws. Easily digested chapters reveal proven principles, strategies, and coding techniques. The authors--two battle- scarred veterans who have solved some of the industry's toughest security problems--provide sample code in several languages. This edition includes updated information about threat modeling, designing a security process, international issues, file-system issues, adding privacy to applications, and performing security code reviews. It also includes enhanced coverage of buffer overruns, Microsoft® .NET security, and Microsoft ActiveX® development, plus practical checklists for developers, testers, and program managers.