Satisfy Your Technical Curiosity. 27, 28 & 29 March 2007, International Convention Center (ICC), Ghent, Belgium.
Essential Abilities of the Architect: Security
Ron Jacobs, Architect Evangelist
http://www.ronjacobs.com
What does an architect need to know about security?
How can I systematically manage security at the architecture and design stage?
What security basics do I need to know?
Security
Precautions taken to keep somebody or something safe from crime, attack, or danger
Protection against attack from without or subversion from within
• Be able to define security requirements
• Understand security risks and countermeasures
• Be able to complete a threat model
• Be familiar with industry standards related to security
Threat
Countermeasure
Masada, Israel, 73 AD: Roman General Lucius Flavius Silva defeats a band of Zealots
What does an architect need to know about security?
How can I systematically manage security at the architecture and design stage?
What security basics do I need to know?
Assets are the things an attacker wants to take from you
Threats are the ways in which the attacker will try to get at your assets
Mitigations are the ways you block the attacker from getting the assets
Vulnerabilities are unmitigated threats
Threat Models are an assessment of the Assets, Threats, Mitigations and Vulnerabilities of the system you are building or have built
Assets are more than money…
Security User Stories
• Describes something the bad guy wants to do (a threat)
• Short and to the point
• Written by the user in non-technical language
Template: As an attacker, I want to <attack>, so that <crime>, by <method>
Example:
• As an attacker
• I want to obtain credentials
• So that I can plunder bank accounts
• By tricking users into logging into my bogus site with a Phishing mail
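The four definitions (assets, threats, mitigations, vulnerabilities as unmitigated threats) and the attacker user-story template above can be kept as a small, checkable model. The following is an added Python example, not code from the talk; the class names, the `build_example_model` helper and all asset and threat data in it are constructed for illustration.

```python
"""Threat model bookkeeping using the deck's four terms (added example).

Assets are declared up front; every threat is an attacker user story aimed
at one asset; vulnerabilities are the threats with no mitigation recorded.
All names and data below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    """One security user story: 'As an attacker I want to <attack> so that <crime>, by <method>'."""
    attack: str
    crime: str
    method: str
    asset: str  # the asset this story is aimed at

    def story(self) -> str:
        return (f"As an attacker I want to {self.attack} "
                f"so that {self.crime}, by {self.method}")


@dataclass
class ThreatModel:
    assets: set
    threats: list = field(default_factory=list)
    mitigations: dict = field(default_factory=dict)  # Threat -> [controls]

    def add_threat(self, threat: Threat) -> None:
        # A story against an asset nobody listed means the asset inventory is incomplete.
        if threat.asset not in self.assets:
            raise ValueError(f"unknown asset {threat.asset!r}: add it to the asset list first")
        self.threats.append(threat)

    def mitigate(self, threat: Threat, control: str) -> None:
        self.mitigations.setdefault(threat, []).append(control)

    def vulnerabilities(self) -> list:
        """Slide definition: vulnerabilities are unmitigated threats."""
        return [t for t in self.threats if not self.mitigations.get(t)]

    def unthreatened_assets(self) -> set:
        """Assets nobody has written a story against: a gap in the model, not evidence of safety."""
        return self.assets - {t.asset for t in self.threats}


def build_example_model() -> ThreatModel:
    """Constructed model: the phishing story from the slide plus a stolen-laptop story."""
    model = ThreatModel(assets={"credentials", "bank account balances", "customer SSNs"})
    phish = Threat("obtain credentials", "I can plunder bank accounts",
                   "tricking users into logging into my bogus site with a phishing mail",
                   asset="credentials")
    laptop = Threat("read customer records", "I can commit identity theft",
                    "stealing an unencrypted laptop an employee took home",
                    asset="customer SSNs")
    model.add_threat(phish)
    model.add_threat(laptop)
    model.mitigate(phish, "phishing-resistant second factor on login")  # hypothetical control
    return model


if __name__ == "__main__":
    m = build_example_model()
    for t in m.vulnerabilities():
        print("UNMITIGATED:", t.story())
    print("assets with no threat written against them:", m.unthreatened_assets())
```

The point of `unthreatened_assets` is the review question the deck's definitions imply: an asset with no story against it usually means nobody has thought about it yet.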
Burglary exposes millions of veterans to identity theft
Those affected by loss of Social Security numbers, other data should be on guard, government warns.
By Christopher Lee, Steve Vogel, THE WASHINGTON POST, Tuesday, May 23, 2006
“…According to a police report, someone pried open a window to the employee's home between 10:30 a.m. and 4:45 p.m. The burglar took a laptop, external drive and some coins… A career data analyst, who was not authorized to take the information home, has been put on administrative leave pending the outcome of investigations by the FBI, local police and the VA inspector general, Nicholson said. He would not identify the employee…”
What does an architect need to know about security?
How can I systematically manage security at the architecture and design stage?
What security basics do I need to know?
Basic Security Concepts
• Reduce Attack Surface
• Defense In Depth
• Least Privilege
• Fail to Secure Mode
Attack Surface
• The “Attack Surface” is the sum of the ways in which an attacker can get at you
• Smaller Attack Surface is better
Which one has the Smaller attack surface?
Understand Your Attack Surface
• Networking protocols that are enabled by default
• Network Endpoints
• Code that auto-starts or will execute when accessed
• Examples: Services, daemons, ISAPI filters and applications, SOAP services, and Web roots
• Reusable components
• ActiveX controls, COM objects, and .NET Framework assemblies (especially those marked with the AllowPartiallyTrustedCallersAttribute)
• Don’t count on one line of defense for everything
• What if the attacker penetrates that defense?
• Contain the damage
• An example – Nuclear Plants
• “Multiple redundant safety systems. Nuclear plants are designed according to a "defense in depth" philosophy that requires redundant, diverse, reliable safety systems. Two or more safety systems perform key functions independently, such that, if one fails, there is always another to back it up, providing continuous protection.” - Nuclear Energy Institute
Defense in Depth (MS03-007): Windows Server 2003 Unaffected
• The underlying DLL (NTDLL.DLL) not vulnerable: code made more conservative during Security Push
• Even if it was vulnerable: IIS 6.0 not running by default on Windows Server 2003
• Even if it was running: IIS 6.0 doesn’t have WebDAV enabled by default
• Even if it did have WebDAV enabled: maximum URL length in IIS 6.0 is 16 KB by default (>64 KB needed)
• Even if the buffer was large enough: process halts rather than executes malicious code, due to buffer-overrun detection code (-GS)
• Even if there was an exploitable buffer overrun: it would have occurred in w3wp.exe, which is now running as ‘network service’
Microsoft Security Bulletin MS03-007: Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)
Originally posted: March 17, 2003
Impact of vulnerability: Run code of attacker's choice
Maximum Severity Rating: Critical
Affected Software: Microsoft Windows NT 4.0, Microsoft Windows 2000, Microsoft Windows XP
Not Affected Software: Microsoft Windows Server 2003
Basic Security Concepts
• Reduce Attack Surface
• Defense In Depth
• Least Privilege
• Fail to Secure Mode
Least Privilege
• A defense in depth measure
• Code should run with only the permissions it requires
• Attackers can only do whatever the code was already allowed to do
• Recommendations
• Use least privilege accounts
• Use code access security
• Write Apps that non-admins can actually use
Basic Security Concepts
• Reduce Attack Surface
• Defense In Depth
• Least Privilege
• Fail to Secure Mode
Fail To Secure Mode
• Watch out for exceptions
• Never initialize variables to success results

```vb
' Slide example of the anti-pattern: the flag starts out True, so any exception
' raised inside the Try block (connection refused, bad SQL, ...) is swallowed by
' the Catch and the function still returns True.
Imports System.Data.SqlClient

Function Authenticate(UserID As String, Password As String) As Boolean
    Dim Authenticated As Boolean = True        ' Danger!! Assumes success
    Try
        Dim conn As New SqlConnection(connString)
        conn.Open()
        Dim cmd As New SqlCommand("SELECT Count(*) FROM Users …", conn)
        Dim count As Integer
        count = CInt(cmd.ExecuteScalar())
        Authenticated = (count = 1)
    Catch ex As Exception
        MessageBox.Show("Error logging in " + ex.Message)
    End Try
    Return Authenticated                       ' Authenticated flag may still be True here
End Function
```

Slide callouts: “Danger!! Assumes Success” points at `Authenticated As Boolean = True`; “Authenticated flag may still be true here” points at `Catch ex As Exception`.
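To make the failure mode concrete, here is the same check in Python next to a fail-to-secure version. This is an added example and not the talk's code: the user store, the `lookup_user` stand-in for the database call, the `fail` switch that simulates a backend outage and the sample credentials are all constructed.

```python
"""Fail-to-secure authentication (added example, not from the deck).

authenticate_unsafe mirrors the slide: the result starts as success and an
exception leaves it there. authenticate_safe starts from denial and every
error path returns False. The user store is an in-memory dict; lookup_user
is a hypothetical stand-in for the SqlCommand in the VB.NET sample.
"""
import hashlib
import hmac
import logging

log = logging.getLogger("auth")


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


# Constructed user store: user id -> (salt, password hash).
_SALT = b"constructed-salt-not-for-real-use"
USERS = {"alice": (_SALT, _hash(_SALT, "correct horse"))}


class BackendError(Exception):
    """Raised when the (simulated) user store is unreachable."""


def lookup_user(user_id: str, store=USERS, fail: bool = False):
    """Return (salt, hash) or None. fail=True simulates a connection failure."""
    if fail:
        raise BackendError("connection refused")
    return store.get(user_id)


def authenticate_unsafe(user_id: str, password: str, fail: bool = False) -> bool:
    """The slide's bug: success is the default, so every exception grants access."""
    authenticated = True  # Danger!! assumes success
    try:
        row = lookup_user(user_id, fail=fail)
        salt, digest = row  # TypeError for an unknown user (row is None)
        authenticated = hmac.compare_digest(digest, _hash(salt, password))
    except Exception as exc:  # noqa: BLE001 - deliberately broad, as on the slide
        log.error("Error logging in: %s", exc)
    return authenticated  # may still be True here


def authenticate_safe(user_id: str, password: str, fail: bool = False) -> bool:
    """Fail closed: the only path to True is a verified password."""
    try:
        row = lookup_user(user_id, fail=fail)
    except BackendError as exc:
        log.error("auth backend unavailable, denying login: %s", exc)
        return False
    if row is None:
        return False  # unknown user, same answer as a wrong password
    salt, digest = row
    return hmac.compare_digest(digest, _hash(salt, password))


if __name__ == "__main__":
    print("backend down, unsafe :", authenticate_unsafe("alice", "wrong", fail=True))  # True
    print("backend down, safe   :", authenticate_safe("alice", "wrong", fail=True))    # False
    print("unknown user, unsafe :", authenticate_unsafe("bob", "x"))                   # True
    print("good password, safe  :", authenticate_safe("alice", "correct horse"))       # True
```

Note that the unsafe version lets an unknown user in as well: the `None` row blows up inside the `try`, which is exactly the kind of exception the slide warns about. The safe version also narrows the `except` to the error it actually expects, so a programming mistake surfaces instead of silently granting or denying.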
Architects Must
• Understand security terminology and best practices
• Pay attention to what is happening in the industry
• Instill security thinking throughout the application lifecycle
• Ensure that the team has an up to date threat model
• Ensure that the team has operational procedures that will ensure ongoing security
Essentials of the Architect and Architecture: Availability
Ron Jacobs, Architect Evangelist
http://www.ronjacobs.com
How do you define availability?
How do I define the availability requirements of the system?
How do I architect a system with the "right" level of availability?
Availability means the system is open for business
Business for a retail store means customers are browsing and buying
Most retail stores have planned downtime for holidays, inventory, or just close during off-peak hours like late night or early morning
• Availability can be expressed numerically as the percentage of the time that a service is available for use.
• Percentage of availability = (total elapsed time – sum of downtime)/total elapsed time
Downtime per year at each availability level (values read from the chart, whose axis runs from 0 to 600 minutes):
• 99.999%: 5 minutes
• 99.99%: 53 minutes
• 99.9%: 8 hours, 45 minutes
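The formula above and the downtime-per-year figures follow from each other, and it is worth being able to compute both directions. The block below is an added Python example, not from the talk; it assumes a 365-day year and truncates the budget to whole minutes, which is why it reproduces the slide's "8 hours, 45 minutes" for 99.9% but prints 52 rather than 53 minutes for 99.99%.

```python
"""Availability arithmetic from the slide's formula (added example, not the deck's code).

availability = (total elapsed time - sum of downtime) / total elapsed time

and the inverse question: how much downtime does a target leave per year?
A 365-day year is assumed.
"""
from datetime import timedelta

YEAR = timedelta(days=365)


def availability(total: timedelta, downtimes) -> float:
    """Fraction of `total` during which the service was up."""
    if total <= timedelta():
        raise ValueError("elapsed time must be positive")
    down = sum(downtimes, timedelta())
    if down > total:
        raise ValueError("downtime cannot exceed elapsed time")
    return (total - down) / total


def downtime_budget(target: float, period: timedelta = YEAR) -> timedelta:
    """Maximum total downtime in `period` that still meets `target` (e.g. 0.999)."""
    if not 0.0 < target <= 1.0:
        raise ValueError("target must be in (0, 1]")
    return period * (1.0 - target)


def hours_minutes(td: timedelta):
    """(hours, minutes), truncated to whole minutes, as the slide states it."""
    minutes = int(td.total_seconds()) // 60
    return divmod(minutes, 60)


def nines_table(targets=(0.999, 0.9999, 0.99999), period: timedelta = YEAR) -> dict:
    """Map '99.9%' -> (hours, minutes) of permitted downtime per period."""
    return {f"{t * 100:g}%": hours_minutes(downtime_budget(t, period)) for t in targets}


def example_month() -> float:
    """Constructed sample: a 30-day month with two outages of 10 and 5 minutes."""
    return availability(timedelta(days=30), [timedelta(minutes=10), timedelta(minutes=5)])


if __name__ == "__main__":
    for nines, (h, m) in nines_table().items():
        print(f"{nines:>8}: {h} hours, {m} minutes of downtime per year")
    print(f"30-day month, 15 minutes down: {example_month():.4%}")
```

Run it and compare the month figure with the yearly budgets: 15 minutes in one month already spends most of a 99.99% year.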
How do you define availability?
How do I define the availability requirements of the system?
How do I architect a system with the "right" level of availability?
Dimensions of Availability
• Functionality: Does the system do what it is supposed to do?
• Data Accuracy: Is the data provided by the system accurate and complete?
• Performance: Does the system function within the acceptable performance criteria?
Service Level Agreements
• Define what you mean by available
• The system is available when
• The home page displays within 2 seconds when you navigate to the URL
• You can add items to the shopping cart in 1 second or less
• You can purchase items in your shopping cart using a credit card in 15 seconds or less
• Your definition should be testable with automated tools or third-party vendors
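A definition like the one above is testable only once it is written down as thresholds that a probe can be checked against. The following added Python example (not the talk's code) turns the three conditions into such a check: the scenario names, the five-minute probe cadence and the probe log lines are constructed, and an interval counts as "available" only when every scenario met its threshold in that interval.

```python
"""Turning an SLA definition into an automated check (added example, not from the deck).

The slide's three conditions become per-scenario latency ceilings. A constructed
synthetic-monitoring log is evaluated against them and the availability
percentage is derived from the number of failed probe intervals.
"""
from datetime import datetime, timedelta

# The slide's definition of "available", as a latency ceiling in seconds per scenario.
SLA = {"home_page": 2.0, "add_to_cart": 1.0, "purchase": 15.0}

PROBE_INTERVAL = timedelta(minutes=5)  # assumed cadence of the synthetic probes

# Constructed probe log: timestamp, scenario, latency in seconds ("ERR" = probe failed).
PROBE_LOG = """\
2007-03-27T10:00:00 home_page 1.4
2007-03-27T10:00:00 add_to_cart 0.6
2007-03-27T10:00:00 purchase 9.8
2007-03-27T10:05:00 home_page 2.7
2007-03-27T10:05:00 add_to_cart 0.5
2007-03-27T10:05:00 purchase 11.0
2007-03-27T10:10:00 home_page 1.1
2007-03-27T10:10:00 add_to_cart ERR
2007-03-27T10:10:00 purchase 12.3
2007-03-27T10:15:00 home_page 1.2
2007-03-27T10:15:00 add_to_cart 0.7
2007-03-27T10:15:00 purchase 14.9
"""


def parse_probes(text: str):
    """Yield (timestamp, scenario, latency_seconds or None) per log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, scenario, latency = line.split()
        yield datetime.fromisoformat(ts), scenario, (None if latency == "ERR" else float(latency))


def evaluate(text: str, sla: dict = SLA):
    """Return (availability fraction, {interval: [failed scenarios]}).

    An interval is available only if every SLA scenario was probed and met its
    ceiling; a scenario that was not probed at all counts as unverified (failed).
    """
    per_interval: dict = {}
    for ts, scenario, latency in parse_probes(text):
        ok = latency is not None and latency <= sla[scenario]
        per_interval.setdefault(ts, {})[scenario] = ok
    failures = {}
    for ts, results in per_interval.items():
        missing = set(sla) - set(results)
        failed = {s for s, ok in results.items() if not ok} | missing
        if failed:
            failures[ts] = sorted(failed)
    total = PROBE_INTERVAL * len(per_interval)
    down = PROBE_INTERVAL * len(failures)
    pct = (total - down) / total if total else 0.0  # the slide's formula
    return pct, failures


if __name__ == "__main__":
    pct, failures = evaluate(PROBE_LOG)
    print(f"availability over {len(PROBE_LOG.splitlines()) // len(SLA)} intervals: {pct:.1%}")
    for ts, failed in failures.items():
        print(f"  {ts}: failed {', '.join(failed)}")
```

Treating an unprobed scenario as a failure is a deliberate choice: an SLA you stopped measuring is not one you can claim to have met.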
How do you define availability?
How do I define the availability requirements of the system?
How do I architect a system with the "right" level of availability?
Component Redundancy: eliminates single point of failure
• Active / Active configuration. Example: Web Farm
• Active / Passive. Example: Cluster of SQL Servers
[Figure: nodes Y1, Y2, Y3 (and X, Z) behind a Load Balancer]
Use High Availability Patterns
Sequential Dependency
• Components connected in a chain, relying on the previous component for availability
• The total availability is always lower than the availability of the weakest link
• Figure: Server 1 → Server 2 → Server 3
• With redundancy: total availability is higher than the availability of the individual links
Figure values: Desktop 98%, Network 97.5%, Web Servers 96%, Database Servers 98%; two further labels in the figure (98% and 95%) lost their captions in extraction.
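The two statements above (a chain is weaker than its weakest link; redundancy is stronger than any single replica) are the series and parallel rules for independent components. The block below is an added Python example, not the talk's code, using the chain's own figures; it assumes the components fail independently and leaves the uncaptioned 95% value aside.

```python
"""Composing availabilities of independent components (added example, not the deck's code).

Series (sequential dependency): every link must be up, so availabilities multiply.
Active/active redundancy: the group is down only when every replica is down.
The chain values are the ones shown on the slide.
"""
from math import prod

CHAIN = {"Desktop": 0.98, "Network": 0.975, "Web Servers": 0.96, "Database Servers": 0.98}


def series(avails) -> float:
    """Availability of components that all have to be up."""
    return prod(avails)


def parallel(avails) -> float:
    """Availability of interchangeable replicas: 1 - P(all down)."""
    return 1.0 - prod(1.0 - a for a in avails)


def chain_availability(chain: dict = CHAIN) -> float:
    """End-to-end availability of a sequential chain given as {name: availability}."""
    return series(chain.values())


def weakest_link(chain: dict = CHAIN) -> str:
    return min(chain, key=chain.get)


def with_web_farm(n: int, chain: dict = CHAIN) -> float:
    """Same chain, but the single web server replaced by an active/active farm of n."""
    farm = parallel([chain["Web Servers"]] * n)
    return series([farm if name == "Web Servers" else a for name, a in chain.items()])


def replicas_needed(a: float, target: float) -> int:
    """Smallest active/active group of components with availability a that reaches target."""
    if not 0.0 < a < 1.0 or not 0.0 < target < 1.0:
        raise ValueError("availabilities must be strictly between 0 and 1")
    n = 1
    while parallel([a] * n) < target:
        n += 1
    return n


if __name__ == "__main__":
    print(f"chain as drawn      : {chain_availability():.2%} (weakest link: {weakest_link()})")
    for n in (2, 3):
        print(f"with {n} web servers  : {with_web_farm(n):.2%}")
    print("web servers for 99.9% on that tier:", replicas_needed(CHAIN["Web Servers"], 0.999))
```

Doubling the web tier lifts the chain from roughly 89.9% to 93.5%; the remaining loss now sits in the links that were not made redundant, which is the practical reading of "lower than the weakest link".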
Availability Requires People
• People are the biggest cause of downtime
• Organization - ensure skills are available or on call when required
• Procedures - Operators need correctly documented, tested and maintained procedures
Availability Procedures
• Startup
• Shutdown
• Disable
• Restart
• Troubleshooting
• SLA Monitoring
• Patching / Updating
• Provision / De-Provision Users
Architects Must
• Define what “Available” means for the system and a means for measuring it
• Work with the stakeholders to craft an SLA
• Architect solutions for diagnosis and recovery of the system
Essentials of the Architect and Architecture: Performance
Ron Jacobs, Architect Evangelist
http://www.ronjacobs.com
How is performance a risk for my solution?
What are the myths of performance?
How do I engineer for performance?
Every project has risks
• People
• Schedule
• Requirements
How are you managing the performance and scalability risk of your solution?
Failure to Manage Risk
• 1999 UK Passport agency builds system to automate passport issuance process
• Backlog of 500,000 passports builds up
• Cost of passport processing rose dramatically
• 2001 UK Public Records office puts census data online
• System designed for a peak of 1.2M users per day
• In first month, system had 1.2M users per hour
• System crashed and had to be redesigned in a 6 month effort to increase performance and scalability
• Average cost of a failed project in a 2002 KPMG study: $12.6 million
How is performance a risk for my solution?
What are the myths of performance?
How do I engineer for performance?
• Code first, fix later
• Gold Plating
• Massive Hardware
How is performance a risk for my solution?
What are the myths of performance?
How do I engineer for performance?
Engineering For Performance
• Build performance and scalability thinking in the development lifecycle
• Define your objectives
• Measure against your objectives
“When you measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot express it in numbers, your knowledge is of a meager and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely in your thoughts advanced to the state of science.” - Lord Kelvin
• A structured and repeatable approach to modeling the performance of your software
• Similar to “Threat Modeling” in security
• Begins during the early phases of your application design
• Continues throughout the application lifecycle
• Consists of
• A document that captures your performance requirements
• A process to incrementally define and capture the information that helps the teams working on your solution to focus on using, capturing, and sharing the correct information.
Performance modeling Process
Critical Scenarios
• Have specific performance expectations or requirements.
Significant Scenarios
• Do not have specific performance objectives
• May impact other critical scenarios.
• Look for scenarios which run in parallel to a performance critical scenario
• Performance and scalability goals should be defined as non-functional or operational requirements
• Requirements should be based on expected use of the system
• Compare to previous versions or similar systems
| Metric | Definition | Measured By | Impacts |
| --- | --- | --- | --- |
| Throughput | How Many? | Requests per second | Number of servers |
| Response Time | How Fast? | Client latency | Customer Satisfaction |
| Resource Utilization | How Much? | % of resource | Hardware / Network |
Define Your Objectives
• Objectives must be SMART
• S – Specific
• M – Measurable
• A – Achievable
• R – Results Oriented
• T – Time Specific
"application must run fast" “Page should load quickly"
"3 second response time on home page with 100 concurrent users and < 70% CPU" "25 journal updates posted per second with 500 concurrent users and < 70% CPU"
"If You cannot measure it, You cannot improve
it.“-Lord Kelvin
Build an objective
| Scenario | Response Time | Throughput | Workload | Resource Utilization |
| --- | --- | --- | --- | --- |
| Browse Home page | Client latency 3 seconds | 50 requests per second | 100 concurrent users | < 60% CPU Utilization |
| Search Catalog | Client latency 5 seconds | 10 requests per second | 100 concurrent users | < 60% CPU Utilization |
Performance modeling Process
• Identify the steps that must take place to complete a scenario
• Use cases, sequence diagrams, flowcharts etc. all provide useful input
• Helps you to know where to instrument your code later
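The SMART criteria and the objectives table in this section ("Build an objective") only pay off when a load-test result is actually compared against them, workload included. The following is an added Python example and not the talk's code: the objectives are the two rows of the table, while the `Measurement` records and the load-test run are constructed.

```python
"""Checking measured results against SMART performance objectives (added example, not from the deck).

Objectives carry the table's four numbers per scenario. A measurement taken at
a different workload is rejected rather than compared, because the objective
was only stated for that concurrency.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Objective:
    scenario: str
    max_latency_s: float       # client latency ceiling
    min_throughput_rps: float  # requests per second floor
    workload_users: int        # concurrency the numbers are stated for
    max_cpu_pct: float         # utilisation must stay strictly below this


# The two rows of the slide's objectives table.
OBJECTIVES = [
    Objective("Browse Home page", 3.0, 50.0, 100, 60.0),
    Objective("Search Catalog", 5.0, 10.0, 100, 60.0),
]


@dataclass(frozen=True)
class Measurement:
    scenario: str
    latency_s: float
    throughput_rps: float
    users: int
    cpu_pct: float


# Constructed load-test run (not real measurements).
RUN = [
    Measurement("Browse Home page", 2.4, 55.0, 100, 58.0),
    Measurement("Search Catalog", 6.1, 12.0, 100, 71.0),
    Measurement("Search Catalog", 4.2, 11.0, 50, 40.0),  # wrong workload: not comparable
]


def check(obj: Objective, m: Measurement) -> list:
    """Return the objective violations for one measurement (empty list = pass)."""
    if m.users != obj.workload_users:
        return [f"measured at {m.users} users, objective is stated for {obj.workload_users}"]
    problems = []
    if m.latency_s > obj.max_latency_s:
        problems.append(f"latency {m.latency_s}s > {obj.max_latency_s}s")
    if m.throughput_rps < obj.min_throughput_rps:
        problems.append(f"throughput {m.throughput_rps} rps < {obj.min_throughput_rps} rps")
    if m.cpu_pct >= obj.max_cpu_pct:
        problems.append(f"CPU {m.cpu_pct}% not < {obj.max_cpu_pct}%")
    return problems


def evaluate_run(run=RUN, objectives=OBJECTIVES) -> dict:
    """Map scenario -> list of violations across the whole run."""
    by_name = {o.scenario: o for o in objectives}
    report: dict = {}
    for m in run:
        obj = by_name.get(m.scenario)
        if obj is None:
            # Nothing to measure against: the scenario has no SMART objective yet.
            report.setdefault(m.scenario, []).append("no objective defined")
            continue
        report.setdefault(m.scenario, []).extend(check(obj, m))
    return report


def run_passes(report: dict) -> bool:
    return all(not problems for problems in report.values())


if __name__ == "__main__":
    report = evaluate_run()
    for scenario, problems in report.items():
        print(f"{scenario}: {'PASS' if not problems else 'FAIL'}")
        for p in problems:
            print("   -", p)
    print("run passes:", run_passes(report))
```

Rejecting the 50-user measurement outright, instead of noting that it "looks fine", is the part worth copying: a number measured under a different workload says nothing about the objective as written.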