Exam Reviews

70-330 and 70-340: Sweating over Security

These two new exams for developers really put your secure coding expertise to the challenge.

[This review also appears verbatim as the 70-330 Exam Spotlight. -- Editor]

Want to tackle a certification exam that will test your knowledge of .NET and development best practices to the utmost? One of the application security exams should be perfect for you then. You can choose from Visual Basic .NET or C# versions of the exam; the two are identical except for the language used in example code. This review applies equally to either one.

A warning, though: Don't take these exams lightly. I found them tougher than anything else on the MCSD .NET track, because they require knowledge of such a broad range of topics. You should have experience developing both Windows and Web-based .NET applications, as well as working with Web services, cryptography and managed components. I'd recommend passing 70-305, 70-306 and 70-310 (or the corresponding C# exams, 70-315, 70-316 and 70-320) before tackling this one.

If that's not enough, you also need to know the basics (and then some) of writing secure applications. If things like least privilege, canonicalization, SQL injection, or cross-site scripting are mysteries to you, then you've got some studying to do.

70-330 and 70-340: Application Security

Reviewer's Rating
These are Microsoft's first security exams for developers and they're as difficult as any developer exams the company has ever published. If you can pass the 70-310 or 70-320 (XML Web Services and Server Components) and 70-300 (Solution Architectures) exams, you may be ready to tackle this one.

Exam Titles
70-330, Implementing Security for Applications with Microsoft Visual Basic .NET
70-340, Implementing Security for Applications with Microsoft Visual C# .NET

Who Should Take Them
Elective credit for MCAD .NET or MCSD .NET.

Availability
Summer 2004 (reviewed here in beta format)

Courses
2300: Developing Security-Enhanced Web Applications; 3 days.
2350: Developing and Deploying Secure Microsoft .NET Framework Applications; 3 days.
2806: Microsoft Security Guidance Training for Developers; 1 day
2840: Developing Secure Applications (available July 2004); 5 days.

Exam Objectives
http://www.microsoft.com/learning/exams/70-330.asp
http://www.microsoft.com/learning/exams/70-340.asp

Get Your Own House in Order First
Writing secure code starts with implementing security best practices directly on your own development machine. You should understand the principle of "least privilege," and know that logging on as an Administrator of the local machine to do routine development is a bad idea. Given a choice of accounts on a network, you should know which ones would work for development and testing.

Tip: Review the groups that Visual Studio .NET creates when it's installed, and know which ones grant you rights for which actions.

While you're on the subject of least privilege, spend some time understanding how least privilege applies to the code you're going to write. The exam will check to make sure you know which permissions code needs to perform certain actions, as well as how you assign those permissions. Know what will happen if your code is run under a non-administrative account — and how to trap any errors if the account doesn't have sufficient privileges.

CAS is Your Friend
Setting least privilege for running code is the job of Code Access Security, or CAS for short. This is one of the most complex topics in .NET, but it's one that you'll need to be thoroughly conversant with for this exam. Start with the basic concepts of permissions, permission sets and code groups, as well as the variety of permissions that the .NET Framework supports.

Tip: Review the classes in the System.Security.Permissions namespace and make sure you know which permissions each one controls.

Tip: Use the .NET Framework Configuration Tool to review the standard permission sets that the .NET Framework creates on installation.

The exam will test your ability to properly apply the various permissions in a variety of scenarios. In addition to knowing what actions each permission controls, you need to understand the differences between the various permission requests:

  • RequestMinimum. The permissions that your application absolutely needs to function.
  • RequestOptional. The permissions that your application would like to have but can do without.
  • RequestRefuse. The permissions that your application should never be granted.
  • RequestDemand. The permissions that callers of your application must have.

Tip: Know both the declarative (attribute-based) and imperative (code-based) syntaxes for making permission requests.

You also need to understand the basic principles of granting, withholding and calculating permissions from an administrative point of view. You can get experience in this area through the graphical .NET Framework Configuration Tool, but you'll also need to know how to use the command-line caspol.exe utility. Make sure that you understand the concepts that go into computing permissions, including the hierarchy of code groups, the Exclusive flag, and the LevelFinal flag.

Tip: The permission set on a single level is the union of the permission sets of all relevant code groups. The permission set for the code is the intersection of the permission sets of all levels.

How's Your ASP.NET?
Even though you're a developer, you'll be tested on the portion of ASP.NET administration that interacts with security. That means you need to understand the various choices for authentication that IIS provides and the way that ASP.NET interacts with those choices. You also need to know what happens when you turn on ASP.NET impersonation in various scenarios.

Tip: If you're not using impersonation, ASP.NET runs under the ASPNET account.

Configuration extends beyond IIS and into the web.config file, of course. Here you'll be tested on setting up impersonation, authentication and authorization policies. Know the syntax for allowing and denying users and how multiple levels of configuration files interact. You should also be familiar with the implications of impersonation for accessing external resources such as SQL Server databases from your ASP.NET applications.

The distinction between authentication (determining who a user is) and authorization (determining what the user can do) is critical for ASP.NET applications and for this exam. Spend some time digging into the code for Windows Forms authentication, and know how to implement a custom authentication scheme. You'll need to be familiar with the IPrincipal and IIdentity components of the .NET Base Class Library.

Tip: Know how to place code in the global.asax file to help manage custom identities after a user is authenticated.

Web applications have been subject to several well-publicized attacks in recent years, and you're expected to know the most common of these: cross-site scripting and SQL injection. In particular, how would you test whether your application is vulnerable to such attacks? Expect to be given a choice of test scenarios and to know which ones would most likely expose any problems that are present.

Tip: Given code that is vulnerable to SQL injection, know how to prevent the attacks by not sending untrusted user input directly to your database.

Canonicalization (representing resources such as URLs in a preferred format) is another topic that gets an ASP.NET workover. You should be familiar with the basics of regular expressions in .NET, so that you can use a regex to test a string for attempts to evade security by avoiding the canonical form.

The Rest of the Story
One of the problems with reviewing for this exam is that there are just so many different places where security interacts with .NET. Each of these areas might only account for a handful of questions, but if you miss a few handfuls, you've failed the exam. So the wise candidate will study the entire gamut of security coding. Here are some areas that you should expect to be tested on.

Given a choice between different ways to split an application into components, you should be able to judge which choice is more secure. Know when it's safe to use a COM component, for example, and how best to interact with COM components for secure coding. You should also understand how "defense in depth" works, and be able to identify solutions that properly implement this concept.

.NET implements a full range of cryptography classes (see the System.Security.Cryptography namespace). That means you need to know how to use these classes. If you're presented with different code snippets that purport to encrypt data, you should be able to recognize the ones that actually work. In addition, you need to understand the difference between asymmetric and symmetric cryptography, and know how to use X.509 certificates to sign data. Other cryptographic concepts that will come up on the exam include hashing and salts.

Tip: A common pattern for secure communication is to use asymmetric encryption (public-key cryptography) to exchange keys for symmetric encryption.

Tip: Data encrypted with a public key can only be decrypted with the matching private key, and vice versa.

10 Things to Practice

1. Write code that uses declarative and imperative permission requests and then experiment to see exactly what the code does when the requested permissions are withheld.

2. Use the .NET Framework Configuration Tool to create code groups and permission sets and manage the permission set for individual assemblies.

3. Set up an ASP.NET application that retrieves data from SQL Server. Configure it to work with user accounts through impersonation, or with the ASPNET account and no impersonation.

4. Use the sn.exe tool to create a key pair file, to extract the public key and to implement delay signing of an assembly.

5. Write code that encrypts and decrypts data using symmetric encryption. Rewrite the code to use asymmetric encryption.

6. Use the makecert.exe tool to create a test X.509 certificate, and use that certificate to sign data in a test application.

7. Use the permview.exe tool to analyze the code access permissions of an assembly.

8. Use entries in the AssemblyInfo.vb or assemblyinfo.cs file to apply a strong name to an assembly. Open the assembly in a hex editor and change some data, then check to make sure that .NET won't run the altered assembly.

9. Modify a web.config file to prevent specified users from viewing a particular file.

10. Configure an ASP.NET site to use SSL security.

.NET, of course, supports several distributed architectures, including remoting and Web services. On the remoting side, you should understand how to construct credentials for a remoting client, as well as how to securely host a remoting server. Given a choice between several architectures for a remoting server, which is more secure? On the Web services side, you'll need to be broadly familiar with the WS-Security and WS-Interoperability standards, even though they're not a part of .NET itself.

Additional Information

"Securing Applications" book in the "Programming with the .NET Framework" section of the .NET Framework SDK.

Writing Secure Code, Second Edition, Michael Howard and David LeBlanc (Microsoft Press, 2004); be sure to pick up the second edition, because it has more .NET coverage than the first edition.

"Improving Web Application Security: Threats and Countermeasures" http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp

Finally, spend a while understanding security and serviced components. Serviced components, of course, are the .NET view of COM+ classes. If you've never looked into the declarative framework for securing serviced components by applying attributes, you need to do this before taking the exam.

Tip: You can add roles to an application by using the SecurityRoleAttribute.

If you're still with me at this point, you've probably come to appreciate how challenging this exam can be. So why should you take it? A few minutes with practically any technology news site will give you the answer. Despite years of effort, there are new security holes found in applications every day, and users are getting steadily more angry about this state of affairs. As software vendors are pressured into concentrating more resources on secure application development, developers who can prove their ability to work in this area will be in increased demand. Taking this exam is one way to show that you know what it takes.

comments powered by Disqus
Most   Popular