What the bad guys will try and what ASP.NET 2.0 does to protect you!
Rui Quintino, DevScope
[email protected]
http://weblogs.pontonetpt.com/rquintino

Agenda
• Application security
• Common attacks
• Solutions
• New ASP.NET 2.0 features

Threat layers: Network, Host, Application
• Threats against the network: spoofed packets, etc.
• Threats against the host: buffer overflows, illicit paths, etc.
• Threats against the application: SQL injection, XSS, input tampering, etc.

Application Security
• As important as server and network security
• The focus is on the development team
• SSL, firewalls, anti-virus and hotfixes are indispensable, but they do not guarantee application security
• "75% of computer attacks exploit application flaws" – Gartner Group

Attacks and Solutions
• Demonstrations

Conclusion
• Validate! Validate! Validate!
• Do not trust data originating outside our application
• Defense in depth

Resources
• Improving Web Application Security: Threats and Countermeasures
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp
• Building Secure ASP.NET Applications
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp
• P&P ASP.NET 2.0 Security Guidance
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/ASPNET2SecurityGuidanceIndex.asp
• Writing Secure Code (Michael Howard, David LeBlanc)
• Patterns & practices Security Training Modules Pilot
  http://channel9.msdn.com/wiki/default.aspx/SecurityWiki.SecurityTrainingModules
• OWASP (.NET)
  http://owasp.net/default.aspx
• FoundStone Whitepapers
  http://www.foundstone.com/resources/whitepapers.htm

Questions/Feedback
• Mail: [email protected]
• Blog: http://weblogs.pontonetpt.com/rquintino
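The talk's conclusion ("Validate! Validate! Validate!", do not trust external data) against the three application-level threats it names (SQL injection, XSS, input tampering) comes down to a few habits in ASP.NET code. The class below is an added example written for this page; it is not one of the talk's demonstrations and not code from the author. The `Users(UserName, DisplayName)` table, the connection string and the class name are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;

// Added example (not from the original talk). Shows, for an ASP.NET 2.0 page:
//  1. whitelist validation of untrusted input (input tampering),
//  2. a parameterised query instead of string concatenation (SQL injection),
//  3. HTML-encoding before output (XSS).
// Table "Users(UserName, DisplayName)" and the connection string are assumed.
public static class SafeUserLookup
{
    // Whitelist: only letters, digits and underscore, 1-20 characters.
    // Server-side validation runs even if a client-side validator was bypassed.
    private static readonly Regex UserNamePattern =
        new Regex(@"^[A-Za-z0-9_]{1,20}$", RegexOptions.Compiled);

    public static bool IsValidUserName(string candidate)
    {
        return candidate != null && UserNamePattern.IsMatch(candidate);
    }

    // VULNERABLE pattern, kept only for contrast: the untrusted value becomes
    // part of the SQL text, so a quote character in it changes the query itself.
    public static string BuildUnsafeQuery(string userName)
    {
        return "SELECT DisplayName FROM Users WHERE UserName = '" + userName + "'";
    }

    // SAFE: the value is sent as a typed parameter; the query text is constant.
    public static string LookupDisplayName(string connectionString, string userName)
    {
        if (!IsValidUserName(userName))
        {
            throw new ArgumentException("Invalid user name", "userName");
        }

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT DisplayName FROM Users WHERE UserName = @UserName", conn))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 20).Value = userName;
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result == null || result == DBNull.Value ? null : (string)result;
        }
    }

    // Output encoding: a stored value containing markup is rendered as text,
    // not interpreted by the browser.
    public static string RenderGreeting(string displayName)
    {
        return "<p>Hello, " + HttpUtility.HtmlEncode(displayName ?? "") + "</p>";
    }
}
```

The three steps are independent layers, which is the "defense in depth" point of the slides: the whitelist rejects most malformed input early, the parameter keeps the database safe even if the whitelist is later loosened, and the encoding protects the page even if bad data already reached the database by another path.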