What the bad guys will try and
what ASP.NET 2.0 does
to protect you!
Rui Quintino
DevScope
[email protected]
http://weblogs.pontonetpt.com/rquintino
Agenda
• Application security
• Common attacks
• Solutions
• New ASP.NET 2.0 features
Threats by layer
• Network: threats against the network (spoofed packets, etc.)
• Host: threats against the host (buffer overflows, illicit paths, etc.)
• Application: threats against the application (SQL injection, XSS, input tampering, etc.)
Application security
• As important as server and network security
• Focus on the development team
• SSL, firewalls, anti-virus & hotfixes are indispensable, but they do not guarantee application security
• “75% of computer attacks exploit application flaws” – Gartner Group
Attacks and solutions
• Demonstrations
Conclusion
• Validate! Validate! Validate!
• Do not trust data that originates outside our application
• Defence in depth
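The three conclusions applied to the SQL injection and XSS cases named on the threat slide, as an added example that is not part of the original deck or of any of the demonstrations: a hypothetical `UserLookup` class for an ASP.NET 2.0 page, showing a lookup built by string concatenation (the pattern SQL injection exploits) beside its hardened form, which validates the input against a whitelist, sends it as a `SqlCommand` parameter, and HTML-encodes the result before it reaches the page. The connection string, the `Users` table and its `UserName`/`DisplayName` columns are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not from the original deck. The connection string, the
// "Users" table and its "UserName"/"DisplayName" columns are assumptions.
public static class UserLookup
{
    private const string ConnectionString =
        "Data Source=(local);Initial Catalog=Demo;Integrated Security=SSPI";

    // Vulnerable form: the user's input is concatenated into the SQL text, so the
    // database cannot distinguish data from command. Kept only to show what the
    // hardened version replaces; never use this pattern.
    public static string LookupUserUnsafe(string userName)
    {
        string sql = "SELECT DisplayName FROM Users WHERE UserName = '" + userName + "'";
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result == null ? null : result.ToString();
        }
    }

    // "Validate" and "do not trust external data": whitelist the shape an input
    // is allowed to have instead of trying to enumerate bad characters.
    private static readonly Regex UserNamePattern =
        new Regex(@"^[A-Za-z0-9_.-]{1,32}$", RegexOptions.Compiled);

    public static bool IsValidUserName(string userName)
    {
        return userName != null && UserNamePattern.IsMatch(userName);
    }

    // Hardened form: validation at the trust boundary, then a parameterized query
    // so the value travels as data whatever it contains. Two independent layers,
    // which is the "defence in depth" point: either one alone still blocks the attack.
    public static string LookupUser(string userName)
    {
        if (!IsValidUserName(userName))
        {
            throw new ArgumentException("User name contains characters outside the allowed set.", "userName");
        }

        const string sql = "SELECT DisplayName FROM Users WHERE UserName = @userName";
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            SqlParameter p = cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 32);
            p.Value = userName;
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result == null ? null : result.ToString();
        }
    }

    // Output side of the same rule: a value read back from the database is still
    // external data as far as the browser is concerned, so encode it before it is
    // written into the page (the XSS case on the threat slide).
    public static string RenderDisplayName(string displayName)
    {
        return HttpUtility.HtmlEncode(displayName ?? string.Empty);
    }
}
```

In a page, `Page_Load` would pass `Request.QueryString["user"]` to `LookupUser` inside a `try`/`catch` for `ArgumentException` and assign `RenderDisplayName(...)` to a `Literal` control. ASP.NET 2.0's request validation adds another layer against XSS payloads, but it is a safety net rather than a replacement for validating and encoding in your own code.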
Resources
• Improving Web Application Security: Threats and Countermeasures
• http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp
• Building Secure ASP.NET Applications
• http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp
• P&P ASP.NET 2.0 Security Guidance
• http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/ASPNET2SecurityGuidanceIndex.asp
• Writing Secure Code (Michael Howard, David LeBlanc)
Resources
• Patterns & practices Security Training Modules Pilot
• http://channel9.msdn.com/wiki/default.aspx/SecurityWiki.SecurityTrainingModules
• OWASP (.NET)
• http://owasp.net/default.aspx
• FoundStone Whitepapers
• http://www.foundstone.com/resources/whitepapers.htm
Questions/Feedback
• Mail
• [email protected]
• Blog
• http://weblogs.pontonetpt.com/rquintino
Download
ASP.NET Tour Security