The more time I spend with CI (namely with TeamCity), the more my instinct says ‘this is how we should be delivering and automating security knowledge!’.
A personal blog about: transforming Web Application Security into an 'Application Visibility' engine, the OWASP O2 Platform, Application/Data interoperability and a lot more
Friday, 14 December 2012
OWASP project reboot spent funds (not a lot spent so far)
From Alison here are the latest numbers from the OWASP Project Reboot 2012 initiative:
- Project reboot funds/expenses in a Google Spreadsheet
Humm, from the numbers in there, it looks like only the CISO Guide spent some funds
Labels:
OWASP
TeamMentor global search, duplicate articles and a new ‘Any’ Library
In the 3.2 version of TeamMentor there is a Library per technology (.Net, Android, C++, iOS, Java, PHP) and type (CWE, PCI DSS Compliance):
Labels:
TeamMentor
Wednesday, 12 December 2012
Rewriting Git History (locally and at GitHub)
When fixing the ASP.NET WCF REST help page ‘Memory gates checking’ error at AppHarbor, I ended up with a number of Git Commits: locally
ASP.NET WCF REST help page ‘Memory gates checking’ error at AppHarbor
Here is a weird one....
Just did a TeamMentor auto-deploy (via a GitHub push that triggered AppHarbor via a webhook) and the published site is running OK (on the deployed AppHarbor server) ....
Labels:
TeamMentor
Problem with Environment.SpecialFolder.ApplicationData in Azure
While I was testing the TeamCity auto deployment from Git to Azure, I hit a weird bug where TeamMentor's website would look (and load) OK in AppHarbor, but would fail in Azure.
Stylizer - Real-time CSS Editing
Stylizer looks really powerful for CSS editing and customization. I really liked its video page, which provided a great overview (and learning environment) for Stylizer's multiple features (it is a great way to quickly and effectively present a product).
Labels:
Tools
Monday, 10 December 2012
Testing a WCF REST Service directly and via a local instance created by WebServiceHost
Here is an example of a simple REST-based WebService which is tested using 3 techniques:
- IIS
- Direct object creation
- Locally hosted instance of the WCF service (using .Net's WebServiceHost class)
Labels:
TeamMentor,
Testing
Windows Azure is what IIS 7.5 should be
The more I look at Windows Azure (while dealing with IIS deployment automation issues in TeamMentor) the more I feel that Windows Azure is what IIS 7.5 (or 8) should be.
What is really good about Windows Azure is its deployment and versioning capabilities (you can even deploy via git pushes these days). And apart from the webserver bit, most of IIS' Gui is focused on website deployment (which is what Azure does really well).
Labels:
Azure,
Half-baked Idea
JustCode is following VisualStudio 2012 bad Design decisions
I’m trying to avoid using VisualStudio 2012 because not only have I not seen any feature that I need, its ‘let’s remove all the color’ Design is just horrible.
And what is really annoying is that VisualStudio 2012’s (very bad) Design decisions are then followed by VisualStudio extension vendors (like JustCode) who create a Gui that looks like this (in VS 2010):
Minimum required files to run git.exe on windows (for clone, push and pull)
I want to add native Git support to TeamMentor (and O2) and don't want to ship the entire git folder structure that is installed with msysgit
Labels:
Git
Some JustCode compilation issues (on .NET 4.0 dynamic keyword and method default parameters)
I’m giving JustCode another go and it doesn’t seem to like some .Net 4.0 features (which btw compile ok in VisualStudio):
Labels:
JustCode
Sunday, 9 December 2012
Two great posts on Gamification
From TechCrunch’s Tadhg Kelly here are two great articles that explain the Gamification concept really well:
- Everything You’ll Ever Need To Know About Gamification
- Real Gamification Mechanics Require Simplicity And, Yes, Game Designers Can Do It
Labels:
Gamification,
Philosophy
Adding a C# REPL Script to Windows Live Writer
Let’s give Windows Live Writer’s 'Copy and Paste of images' feature a test-drive by documenting how to inject a C# REPL script into it
Labels:
Live Writer,
O2 Platform,
REPL
Software Labels – Jeff’s OWASP AppSecDC 2010 presentation (another dropped good idea)
An old idea from Jeff Williams (which is spot on) is the need to apply Labels to Software and Web Applications.
The concept is simple, but its implementation is really hard, because of the lack of quality standards/metrics in our industry.
Signs of a well Designed Feature
A well Designed Feature (i.e. one that works) is one that, for a particular task (like copying and pasting images on this blog), gives its user the feeling that:
- initially the new workflow just seems simpler and a little bit faster (when compared with the previous one)
- after a while, how it worked before goes kinda misty
- but, if the previous one has to be used again, it will seem REAAALLLLY slow and cumbersome!
Of course, in reality the change is never that big, but once the user feels/understands the new version, using the old one is just painful.
Labels:
Design,
Live Writer
Why does trying some Windows Live Writer Plug-ins expose me to total system compromise?
As you can see on the Trying a couple more Windows Live Code Formatters post, I tried a number of Live Writer Plug-ins before I found one that I liked.
But notice that (just to try a couple of plug-ins!) I had to install a bunch of MSIs and give them full access to my box! And after installing, those plug-ins run with Full Trust (again being able to do whatever they want to any of my Windows processes).
This is crazy, this is faith-based security.
Labels:
Live Writer,
Rant
Trying a couple more Windows Live Code Formatters
As you can see at the end of the Failing to use Windows Live Writer 2011 (and going back to 2009) the highest ranking (and recommended by default) code formatting plug-in didn’t work. So let’s try a couple more:
Labels:
Live Writer
Failing to use Windows Live Writer 2011 (and going back to 2009)
As you can see at the end of Using Windows Live Writer to write Blogger posts I originally started using the 2009 version, so I tried to use the 2011 version and it failed miserably because Copy and Paste doesn’t work anymore!!!! This is crazy!! Why???
Labels:
Live Writer,
Rant
Using Windows Live Writer to write Blogger posts
As per this @shanselman reply https://twitter.com/shanselman/status/277514388376784896 (following a question I asked @troyhunt) I’m giving Windows Live Writer 2009 a try, and it seems to support Blogger and (more importantly) copy and paste of images (with auto upload to Picasa), which is exactly what I wanted (see The 'Sync Design Problem' of adding images to this blog for a description of the problem I had).
Labels:
Live Writer,
Tools
Saturday, 8 December 2012
Just Uninstalled ReSharper
The performance hit was just too much, and since I got a reply from JustCode I will give it another try
Labels:
JustCode,
VisualStudio
Friday, 7 December 2012
TeamCity reference Links
Here are a number of links collected during my first use of TeamCity for CI:
Labels:
TeamCity
Thursday, 6 December 2012
Just tried JustCode and it's a shame they don't support ExtensionMethods
I just gave the JustCode VisualStudio Extension a test drive (which amazingly still hasn't entered the SAST market) and although I really liked what I saw (and it felt much better/faster than ReSharper) it had a critical problem, where it failed to recognise FluentSharp's Extension Methods in TeamMentor:
Labels:
JustCode,
VisualStudio
What a 'salad of DLLs' are the ASP.NET MVC 4.0 template projects
I was taking a look at ASP.NET MVC 4.0 to see how easy it would be to use its routing engine for the TeamMentor REST API, and it's just ridiculous the sheer number of dependencies that it requires (as per the test/template projects).
Labels:
Rant,
TeamMentor
ASP.NET Support in SAST and IBM F4F
At the moment (Dec 2012) my understanding is that all SAST tools struggle to scan/understand ASP.NET MVC apps.
The only way to really support/understand/scan ASP.NET MVC is to map how that framework works/behaves (I don't think any SAST vendor/tool does that), and as with any Framework, there is a lot to map:
- The controllers (equivalent to WebService's methods, which need to be marked as Tainted-Sources/Callbacks)
- The controller's authorization/authentication mappings (done using Attributes)
- The Auto-bound Models
- The Views mappings (i.e. what views are connected to what controllers)
- The MVC Execution life cycle
- The auto-encoding (or not) of view controls (and new display engines like Razor)
Labels:
IBM,
MVC,
O2 Platform
How to use TeamMentor for training?
Another area that I really would like to see pushed is the idea/concept of using TeamMentor (TM) materials for training.
And by training I don't just mean class-room or ICT. A key element of TeamMentor is the idea that it is a 'Mentor', and mentors are by definition teachers :)
So how can TM be used in short (and in-bursts) training sessions (or knowledge transfers)?
Labels:
TeamMentor
Feedback on TeamMentor webcast (with Ideas to make TeamMentor better)
Danny Harris saw the 'Streamline the Fix' Webcast, liked what he saw, and sent us great feedback
Here is what he sent (unedited by me):
Labels:
TeamMentor
Simple, Unique, Valuable - Lenovo Design Principles
Just saw on BBC the Rory in China: Lenovo's quest to be cool article, which has an interesting 2m interview with Yao Yingjia (Lenovo's Jonathan Ive) where he talks about his views on design (and how it is a 24/7 frame of mind).
In there Yao talks about what he calls Lenovo's Design Principles, which are: Simple, Unique and Valuable.
These are pretty good concepts and I really liked the way Yao was talking about design.
I couldn't find a page about Lenovo's Design Principles (the top link was this post that links to a Fast Company article on 9 Principles For Great Branding By Design), so I guess Lenovo still has a bit to go in publishing their internal ideas and visions :)
That said, Lenovo's Design Blog seems like a good start.
Labels:
Design
Wednesday, 5 December 2012
O2 Light - Dual Scan and Code Fix Tag (2009)
Here is a PoC I wrote in 2009 (after the OunceLabs acquisition by IBM) of a mini tool (with drag-n-drop support) that:
- Fired up scans of Ounce 6 and AppScan Developer (the two SAST engines that IBM had at the time)
- Imported both sets of scan Findings into O2
- Created a consolidated list of Findings (i.e. findings that existed in both sets of results)
- Showed the consolidated Findings to the user (with the ability to open them in Ounce 6)
As with the OunceLabs WebScan Module, this O2 Light - Dual Scan and Code Fix Tag module (downloadable from here) doesn't build in VisualStudio anymore, but I was able to get a couple of screenshots from VisualStudio's Control Designer.
OunceLabs WebScan Module (with 'Will It Scan' feature)
Back in the day (2008) I created a PoC for the OunceLabs engine where it was possible to trigger scans via a website.
I found the files but there were a number of missing dependencies (like some JNBridge stuff which was shipped with the last version of the OunceLabs product (pre IBM)).
So the best I can do is to open it in VisualStudio and show the aspx pages in design view.
Labels:
OunceLabs
Notes on JSP TLD injection
Another oldie PDF I found in my archive, which contains some interesting notes on XSS injection in JSP TLDs (this is probably the smallest PDF I've posted here for a while).
What is interesting about the JSP TLD is that there are two parsing stages (which affect the payloads/exploits/vulnerability state).
IIS permission problem on TM deployment ('race condition' like)
We're having an 'interesting' IIS deployment problem in one of TeamMentor's live servers (running IIS 7.5).
After installing a TM library (using the technique shown in the Installing New Libraries via control panel video) I was faced with this:
Labels:
Security as TAX,
TeamMentor
Unedited TeamMentor 3.2 Feedback
Here is some nice feedback I received today from a fellow security consultant to whom I showed TeamMentor via a join.me session (which works great for this kind of 'quick remote desktop sharing' session)
"...So my initial thoughts were why does not every software organization has a copy of this, it seems like a no brainer to me. I haven't spent much time with the product but here is what I like from what I saw this morning:
Labels:
TeamMentor
Comparing two GitHub Issues List
Is there a way to compare two GitHub Issues lists?
What I need is a programmatic way to compare the items that exist in two GitHub repositories (repo A and repo B), do a diff, and list the ones that don't exist in repo B (i.e. which ones were not copied from repo A to repo B).
Labels:
GitHub,
TeamMentor
Tuesday, 4 December 2012
Implementing S4 - Source-code Security Scanning Services - v0.5.pdf (2008)
From the OunceLabs archives, here is a document I wrote back in 2008 that provides a roadmap (and template) for companies (or teams) that want to implement an S4 (Source-code Security Scanning Services).
I never finished this document, but there are lots of good (and battle-proven) ideas in there :)
Interesting Encoding problem with TeamMentor Japanese translation
Here is an interesting problem I had to deal with today, with the first pass of TeamMentor's translation into Japanese.
The translation phase was quite sweet. We sent the TeamMentor XML files to the translation company, who were able to plug them into their system, and once completed, they sent us back a zip with the translated XML files :)
That zip was then uploaded (via drag and drop) into a TM test server (see video of that workflow here) and it all worked .... except for the metadata and filters:
O2 Presentation - from Jan 2009
Here is a presentation I delivered about O2 to OunceLabs (before the acquisition).
It's pretty cool to see the position (for O2) I had back then, and how it is still very relevant today (it's a bit depressing that the industry has not moved much in the last 4 years).
Labels:
IBM,
O2 Platform,
OunceLabs
F1 How To - Scanning HacmeBank WebServices v0.6 (from 2008)
Another one from the O2 Archives: here is a PDF (shown below) that I wrote in June 2008 that showed how to use F1 (what the O2 Platform used to be called before it was Open Sourced) to scan the HacmeBank website and WebServices.
Check out the consolidated graphs that I was able to create at the time. Pretty cool way to visualize multiple traces in one graph :)
The 2nd part of the document shows how F1 was used to auto-create callbacks (i.e. tainted sources) in the OunceLabs engine (this feature has since been added to the latest version of IBM AppScan Source).
ASP.NET MVC – XSS and AutoBind Vulns in MVC Example app (from 2008)
Here is an old PDF that I wrote ages ago (Sep 2008) that documents a couple of Spring MVC AutoBinding vulnerabilities (similar to the ones shown in Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform).
IBM AppScan Standard, Source and VisualStudio (in the same GUI/App)
Here are some cool screenshots sent to me by an O2 user who used the technique shown in Using a .Net/CLR, a Java/JVM and a C++ Window in another process (to show consolidated security findings) to create a GUI where windows from AppScan Standard (.Net app), AppScan Source (Java app) and VisualStudio (C++/.NET/WPF app) are shown side-by-side (fully functional) in an external process.
Below you can see the four Windows in action:
- Top Left: Findings TreeView from AppScan Standard (.Net)
- Top Right: Code Editor from VisualStudio (C++/WPF)
- Bottom Left: Trace View from AppScan Source (Java)
- Bottom Right: Guidance from AppScan Standard (WebBrowser)
Labels:
IBM,
VisualStudio,
WinAPI
OWASP Press and using LeanPub with GitHub and DropBox
As mentioned on my 934 page eBook/PDF with this blog from LeanPub.com post, Dennis Groves has found a way to use GitHub with DropBox to manage the workflow of creating eBooks using LeanPub
This is really great stuff, and you can read the details at his OWASP Press post.
Labels:
OWASP
Slides for 'Streamline the Fix' Webcast
Just posted on SlideShare the slides we are going to present later today at the Streamlining the Fix: Diminishing the Impact of Software Vulnerabilities with a Predictive Process Webcast (register here)
Labels:
TeamMentor
Monday, 3 December 2012
TeamMentor Webcast I'm doing Tomorrow (on how to use TM to help fixing vulnerabilities)
If you want to take a look at TeamMentor, I'm doing a Webcast tomorrow (4th Dec 2012) on the topic Streamlining the Fix: Diminishing the Impact of Software Vulnerabilities with a Predictive Process
You can register here and let me know if there is a specific scenario you would like me to cover
Labels:
TeamMentor
When is the next OWASP Summit!!!!!
Looking at the OWASP Summit pictures reminded me of the amazing experience that the OWASP Summit 2011 was. There was so much positive energy in the air and we got a lot done (see the final report and the sessions' outcomes).
We need another one!!!!
Surely we can have one in 2013!
Labels:
OWASP
It's nice to get a compliment, and please go and HUG an FOSS project today
The thing about Open Source development is that there is this weird 'coding to the fog' situation where the amount of feedback received is SO small that it takes a lot of 'self-motivation' to keep going (especially at a high speed/energy level).
For example, I received today this really nice comment from Steven regarding the talk I did last week (where I presented a variation of Using a .Net/CLR, a Java/JVM and a C++ Window in another process (to show consolidated security findings)):
...I was amazed by your work on O2, in fact so baffled I forgot to give you a standing ovation at the end of your talk at the OWASP Benelux days...
And it's nice to hear this .... thanks Steven, it means a lot to me :)
Labels:
O2 Platform,
Philosophy
OWASP Revenue Splits and the "Non-profits have a charter to be innovators"
Seth Godin's recent post Non-profits have a charter to be innovators is really spot-on, and very accurately describes the problem that (I believe) exists today at OWASP.
When Seth mentions that non-profits usually say: '...We're doing important work. Our funders count on us to be reasonable and cautious and proven, because the work we're doing is too important to risk failure...', he could be speaking on behalf of a number of OWASP Leaders, since I have heard many variations of that phrase at OWASP before (in fact you will see such a variation later in this post).
Contrary to what a lot of OWASP core leaders (the ones that care and spend time on 'OWASP the entity') believe, OWASP doesn't have a lack-of-funds problem!
OWASP has a 'how to spend money' problem
and a
'Not spending enough OWASP funds' problem!
Labels:
OWASP,
Philosophy
Sunday, 2 December 2012
I never liked the term 'Rugged Software', what about Robust/Resilient Software?
I still have not fully rationalised why I don't like (as a security professional and as a developer) the term (and some parts of the concept) of Rugged Software.
Recently when talking about similar concepts (i.e. writing secure code/applications) I found myself talking about the need to create Robust/Resilient Applications.
Isn't Resilient Software a better term to describe applications/code that are able to correctly handle, mitigate and react to malicious behaviour/input?
Labels:
OWASP
Netflix “Resilience Engineering” FOSS Library and Security
Really powerful stuff (and to-read material):
- Netflix Open Sources “Resilience Engineering” Code Library - news article
- Reddit thread about the article linked above
- Fault Tolerance in a High Volume, Distributed System and Making the Netflix API More Resilient - detailed Netflix blog posts
- Performance and Fault Tolerance for the Netflix API - August 2012 - speaker deck presentation
- Netflix / Hystrix - GitHub repo
Labels:
Security as TAX,
To Read
934 page eBook/PDF with this blog from LeanPub.com
[UPDATE Mar/2014]: following what started with the post below, I have now published a book created at Leanpub on AngularJS. See Published Beta version of "Practical AngularJS" Book (in both digital and print format) for all the details
Dennis Groves called my attention to the really interesting/powerful online publishing leanpub.com website/service (which he is trying for publishing OWASP books).
I just tried with the content from this blog, and as a first pass, I'm quite impressed with the results.
To get the 934 page pdf (or EPUB/MOBI file) for this blog:
Labels:
LeanPub
TeamMentor Pricing, Licensing and Partner program
Following questions received, here are the details about TeamMentor's current pricing and partner program:
Labels:
TeamMentor
Mapping the relationships between: Principles, Guidelines, Checklists, How-Tos, etc...
From the (under construction) tm4tm site (TeamMentor for TeamMentor), here is a nice diagram (see below) that maps the relationships between the multiple types of TM articles/Guidances:
Labels:
TeamMentor
Would I recommend Checkmarx as a SAST engine?
I was asked this question twice in the last couple days, and my answer is YES!
Although CheckMarx is still not as open and easy to engage with as I would like them to be, they are actually one of the best ones out there.
And there is one asset that the CheckMarx SAST engine has that is REALLY GOOOOOOODDDDDDD!!!!
Their rules are written in C# and if you (like me) like to write custom rules, they have a nice REPL interface that can be used by power users (with access to a lot of the metadata and code-transformations created during the analysis phase).
I'm currently integrating TeamMentor with Checkmarx (for a joint customer) and I really like it. You can see our latest PoC at http://checkmarx.teammentor.net, which includes a view that shows a mapping between:
- a security finding,
- its CWE description
- the TeamMentor landing page (for that finding)
- the C# CheckMarx rule that triggered that finding
Saturday, 1 December 2012
To research further: BeanShell, EasyHook, C# Cookbook and PhantomJS/CasperJS
From the O2 training class I delivered last week (and the research on Windows Messages) here are a couple of interesting APIs/Tools to research further, and see if it is easy to add O2 support for them:
- Java beanshell interpreter and Scripting Java: The BeanShell JSR
- EasyHook - API to hook unmanaged methods from C#
- C# in a nutshell book samples
- Code Audit (from Google's Java Developer tools)
- PhantomJS - Scriptable Headless WebKit
- CasperJS is a navigation scripting & testing utility for PhantomJS, written in JavaScript
Labels:
To add to O2
Eric Lippert joining Coverity
This is VERY interesting, since Eric is one of the C# Microsoft Gurus.
You can read his announcement in his last MSDN post A new fabulous adventure and on his new blog.
Good on Coverity for catching such good talent, and I wonder if they are (finally) going to enter the SAST space for C#/.Net.
Labels:
SAST
Using a .Net/CLR, a Java/JVM and a C++ Window in another process (to show consolidated security findings)
UPDATE (Jan/13): See PoC - Selenium - Gui with 3 Hijacked Browser Windows.h2 post for another powerful example of consuming Chrome (and IE and Firefox) window in another process
Here is the video presented at the OWASP BeNeLux conference, which shows how I used the O2 Platform to create a consolidated view of windows from 3 different processes (one from a .Net/CLR, one from a Java/JVM and one from a C++ application). Note that these windows are hosted by a 4th (.Net) process and are fully functional.
The objective of this 'consolidated multi-process window view' is to give developers a really strong 'vulnerability fixing environment'.
Labels:
IBM,
O2 Platform,
TeamMentor,
WinAPI
Friday, 30 November 2012
Simple Unit Test to detect XSS using FuzzDB and IE automation
Here is an example of a simple Unit Test written in the Write and Execute Unit Tests v1.0.exe tool which will check for XSS on the AltoroMutual website.
The idea is that when the Red Boxes go Green, the vulnerability is fixed.
Labels:
Fuzzing,
NUnit,
O2 Platform,
Testing
Write and Execute Unit Tests v1.0.exe
Here is a nice util to quickly write NUnit tests. This is designed for fast prototyping of UnitTests, which when stable can be moved into a wider set of tests (executed by NUnit)
You can download this tool from: Write and Execute Unit Tests v1.0.exe
Write technical content for SI's SME course development and TeamMentor
Just got this request from SI's Chris Williams (cwilliams@securityinnovation.com) which some of you might be interested in:
--------------------
As the SI course catalog and Team Mentor continue to grow, so does our need for SMEs to write outlines, create PowerPoint decks, review draft content, and write TM articles.
--------------------
Labels:
Contract Work,
TeamMentor
Thursday, 29 November 2012
Showing Chrome, Eclipse, IBM AppScan Standard and VisualStudio in the same Process/Window
UPDATE (Jan/13): See PoC - Selenium - Gui with 3 Hijacked Browser Windows.h2 post for another powerful example of consuming Chrome (and IE and Firefox) window in another process
Using the control shown in Util - Win32 Window Handle Hijack (4x host panels) I was able to create a process that has windows from:
- Chrome (top left)
- Eclipse (top right)
- IBM AppScan Standard (bottom left)
- VisualStudio (bottom right)
Labels:
IBM,
O2 Platform Tool,
WinAPI
Util - Win32 Window Handle Hijack (4x host panels) v1.0.exe
Using the exact same control used in Util - Win32 Window Handle Hijack (simple) v1.0 here is a 4x Panel version of it (i.e. using 2 rows and 2 columns)
This allows multiple windows to be hijacked into a common (external) process/GUI
You can download this 1Mb tool from Util - Win32 Window Handle Hijack (4x host panels) v1.0.exe
Labels:
O2 Platform Tool,
WinAPI
Util - Win32 Window Handle Hijack (simple) v1.0.exe
After Util - Windows Handles Viewer (with Child Windows), I created a tool that allows the easy hijacking (or borrowing) of any Window/Control that is running on the same logged-in user's Windows desktop
This is possible because Win32's SetParent allows a Win32 Window/Control to be given a parent from a different process (see the first examples of this technique in action in IBM AppScan Source's and AppScan Standard's TreeViews running side-by-site in the same GUI and in Injecting a .NET REPL into an Unmanaged/C++ application (Notepad))
You can download the 1 Mb tool from: Util - Win32 Window Handle Hijack (simple) v1.0.exe
Labels:
O2 Platform Tool,
WinAPI
Util - Windows Handles Viewer (with Child Windows) v1.0.exe
Following from the tool shown in Util - Windows Handles - View Handle Screenshot v1.0, the next step was to create a tool that shows (for the selected Win32 Window) the handle's child structure (i.e. which 'child windows' exist for the selected window/control)
You can download the 1 Mb tool from Util - Windows Handles Viewer (with Child Windows) v1.0.exe
Here is what the tool looks like (with the 'target icon' used to select the control):
Here is the Pdf with the 'how the script was created' step-by-step guide:
Labels:
O2 Platform Tool,
WinAPI
Disabling DWM.exe in Windows 7 (for performance reasons)
I noticed that I had a dwm.exe process running in my dev VM that was using 230 MB, which is not good.
After a quick search I found that it belonged to the Desktop Window Manager service, which is responsible for the fancy animations in Windows 7 and can safely be disabled (using the Services console):
Monday, 26 November 2012
Free one-day 'Advanced O2' Training at BeNeLux OWASP Day 2012 (29th November)
In case you missed this one (and are somewhere in Europe), I'm delivering a one-day 'Advanced O2' training at BeNeLux OWASP Day 2012. So if you want to learn more about the O2 Platform, this is the place to come :)
The training is on Thursday 29th and you can register here
Labels:
O2 Platform
Saturday, 24 November 2012
Why doesn't VisualStudio (or .NET) have StackOverflow Detection?
It's crazy that one simple mistake in one thread (a method recursively calling itself) brings the entire .NET process down!!!
Labels:
Rant,
VisualStudio
Friday, 23 November 2012
Util - Windows Handles - View Handle Screenshot v1.0.exe
Following from Util - Windows Handles Viewer (Simple GUI with REPL), here is a nice utility that takes a screenshot of the target handle's window (when the target process doesn't use the standard Win32 controls, you will get a screenshot of the main window instead)
You can download the 868 Kb tool from: Util - Windows Handles - View Handle Screenshot v1.0.exe
Labels:
O2 Platform Tool,
PDFs,
WinAPI
Including/Reusing an H2 script inside another H2 Script
Here is a cool technique that I use to include *.H2 scripts into other scripts, and the environment that I create during its development:
Labels:
Diagram,
O2 Platform,
REPL
Formatting code for readability
On the theme of making things better and caring about the parts that can't be seen, here is an example of how I like to format large groups of .Net methods (so that they are easier to read and to look at)
Here is what a .Net Class usually looks like (if you allow VisualStudio to format it)
Labels:
Design,
VisualStudio
Another VS 2010 crash
It should not be possible to crash apps like VisualStudio. That kind of mission critical app should have a number of anti-crash protections.
But VisualStudio is a massive salad of technologies (see images at the end), and, amazingly (and badly), it allows an extension's errors to crash the whole app (which again should not happen).
During my regular use of VisualStudio, I get all sorts of errors/crashes, for example here is the latest one (without any other extensions installed):
Labels:
Rant,
VisualStudio
11 O2 stand-alone tools (with a lot more created but not blogged about)
As part of the new design of this blog, I just cleaned up the O2 Platform Tools Label/Page a bit, and here are the 11 that have been published so far:
- Util - Windows Handles Viewer (Simple GUI with REPL) v1.0.exe
- Util - Windows Handles Viewer (Simple Gui) v1.0.exe
- Util - Java Decompiler (JAD based) v1.0.exe
- AppScan Source Findings in Ozasmt files (and O2 tools to View, Filter, Join, Stitch and Script them)
- O2 tools to view and script J2EE, Struts and Tiles xml config files
- TM - Library Manager (with REPL) v1.2.3.exe
- Util - Cir Viewer (with C# DLL converter) v1.0
- WinDbg, Cdb, Sun-Of-Strike and Util - Start SoSNet (O2 Version).exe
- Util - O2 Java Tools (IKVM Based) v1.0
- Tool - O2 Cmd SpringMVC v1.0.exe - as standalone exe
- Util - View CheatSheets at devcheatsheet.com v1.0.exe
Labels:
O2 Platform Tool
The 'Sync Design Problem' of adding images to this blog
I still don't have a good solution to upload images to this blog.
Here is my current workflow (as just happened for the image I just added to my last blog entry)
Google Drive #Fail and DropBox #Win
For a company that is 'just a feature' DropBox keeps delivering the goods.
For the past week or so I tried to use Google Drive to back up about 7 GB of images I had from an older iPhone.
Labels:
Rant
New design for this blog
I just spent a little while applying a new design to this blog and cleaning up the layout a bit (hopefully it will make it easier to use and to find the best bits)
Thursday, 22 November 2012
Tool to view (and unload) the AppDomains in the current .Net Process
As I was trying to execute a script/app in a separate AppDomain, I realized that there wasn't an easy way to look at the details of the currently loaded AppDomains
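How such a viewer gets its list, as an added example (not the O2 tool's code): the CLR hosting interface exposed through mscoree lets a process enumerate its own AppDomains, which the managed API alone does not. It assumes a COM reference to mscoree.tlb ("Common Language Runtime Execution Engine" in Add Reference); AppDomainTools and the "script-sandbox" domain name are mine.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using mscoree;   // COM interop for mscoree.tlb: CorRuntimeHost / ICorRuntimeHost

public static class AppDomainTools
{
    // Walk every AppDomain in the current process via ICorRuntimeHost.EnumDomains/NextDomain.
    public static List<AppDomain> LoadedAppDomains()
    {
        var domains = new List<AppDomain>();
        var host = new CorRuntimeHost();
        IntPtr cursor = IntPtr.Zero;
        host.EnumDomains(out cursor);
        try
        {
            while (true)
            {
                object next;
                host.NextDomain(cursor, out next);   // next == null when the enumeration is exhausted
                if (next == null) break;
                domains.Add((AppDomain)next);
            }
        }
        finally
        {
            host.CloseEnum(cursor);
            Marshal.ReleaseComObject(host);
        }
        return domains;
    }

    // Unload the first non-default domain with this friendly name. The default domain
    // cannot be unloaded (AppDomain.Unload throws), so it is skipped explicitly.
    public static bool Unload(string friendlyName)
    {
        foreach (AppDomain domain in LoadedAppDomains())
        {
            if (domain.FriendlyName == friendlyName && !domain.IsDefaultAppDomain())
            {
                AppDomain.Unload(domain);
                return true;
            }
        }
        return false;
    }

    static void Main()
    {
        // Create a second domain (the kind a script runner would use) so there is something to see.
        AppDomain.CreateDomain("script-sandbox");

        foreach (AppDomain domain in LoadedAppDomains())
            Console.WriteLine("id={0,-3} default={1,-5} name={2,-20} base={3}",
                              domain.Id, domain.IsDefaultAppDomain(), domain.FriendlyName, domain.BaseDirectory);

        Console.WriteLine("unloaded script-sandbox: " + Unload("script-sandbox"));
        Console.WriteLine("domains left: " + LoadedAppDomains().Count);
    }
}
```

The AppDomain objects come back as transparent proxies, so reading anything beyond the cheap properties shown (for example GetAssemblies()) crosses the domain boundary and can pull assemblies into the caller's domain; keep a viewer to FriendlyName, Id and BaseDirectory unless you want that side effect.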
Labels:
O2 Platform
Wednesday, 21 November 2012
Use FluentSharp to create ToolStrips items (buttons, textbox, checkboxes) with icons
Based on the 215 Tango Library icons added to FluentSharp.BCL, here is how to use the FluentSharp.BCL APIs to easily create ToolStrips
Labels:
FluentSharp,
O2 Platform
Improved script to compile and show an modified UserControl inside VisualStudio
Here is an updated version of the example described in the Real-time Programming C# WinForms Controls in VisualStudio's IDE (i.e. without using F5) post.
Labels:
REPL,
VisualStudio
Windows Shatter attacks (research links)
Following on from my research on Win32 messaging and O2's Util - Windows Handles Viewer tool, I just started the day by (re)reading about the Windows Shatter attacks (since they use Windows messages)
Labels:
Security as TAX,
WinAPI
Tuesday, 20 November 2012
Two 6-months contract to work on TeamMentor (QA and Dev)
Here is a heads up for an official 'SI job hiring' post that should be published asap (i.e. when we get it done).
Labels:
Contract Work,
TeamMentor
Util - Windows Handles Viewer (Simple GUI with REPL) v1.0.exe
Based on the Util - Windows Handles Viewer (Simple Gui) v1.0.exe tool, here is a bigger version (5Mbs) which contains a C# REPL Script editor (with the detected handle provided as a parameter).
You can get this version from Util - Windows Handles Viewer (Simple GUI with REPL) v1.0.exe
Labels:
O2 Platform Tool,
WinAPI
Util - Windows Handles Viewer (Simple Gui) v1.0.exe
Following my research into the Win32 messaging APIs that allowed me to get IBM AppScan Source and AppScan Standard working side by side and to connect TeamMentor with AppScan Source, here is a pretty sweet Windows Handles Viewer which allows the easy discovery (and in some cases modification) of the window handle of a particular Win32 Button, TextBox, Menu, Window, etc...
You can download this (857kb) .NET 4.0 app from Util - Windows Handles Viewer (Simple Gui) v1.0.exe
Labels:
O2 Platform Tool,
WinAPI
Saturday, 17 November 2012
Good resources on User32.dll windows messaging
Here are a number of good resources I found when I was researching the solution that allowed me to Inject a .NET REPL into an Unmanaged/C++ Application
Labels:
WinAPI
Making Java, .Net and C++ apps work together
This past week I was in the 'zone' (coding 16h a day) and as you can see by the links below, I was able to (finally) find a way to make Java, .Net and C++ apps work together.
I've 'only' been trying to do this for the past 5 years.
There are two key technological concepts at play here (which can work together or in isolation)
Labels:
Java,
Jni4Net,
O2Platform
IBM AppScan Source's and AppScan Standard's TreeViews running side-by-site in the same GUI
Using the technique described in Injecting a .NET REPL into an Unmanaged/C++ application (Notepad) I was able to create this PoC (below) where you can see both IBM AppScan Source (Java) and IBM AppScan Standard (.NET) TreeViews hosted inside a 3rd party C# based Form:
Labels:
IBM,
O2 Platform,
PDFs,
WinAPI
Using Jni4Net (Part 4) - Integrating AppScan with TeamMentor (first PoC)
Using the Jni4Net based Eclipse plugin shown in the Using Jni4Net (Part 3) - Writing and Invoking O2 Methods from Java and Eclipse post, I was able to create a PoC of showing TeamMentor Guidance when a particular security finding is selected (in AppScan Source):
Labels:
IBM,
Java,
Jni4Net,
O2 Platform,
PDFs
Injecting a .NET REPL into an Unmanaged/C++ application (Notepad)
Using Windows Messages (and some O2 Platform glue) I found a way to 'inject' a window (i.e. a windows control) from one process into another one.
It is actually quite easy: the key is the user32.dll SetParent API call, which changes the parent (and therefore the location and rendering) of a particular control, even when the new parent belongs to another process.
Here is an example of injecting an .NET TextBox into Notepad (on the left is the .NET Textbox and on the right is the Notepad's Textbox)
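The two Win32 pieces behind this post, the Windows Handle Hijack tools and the Windows Handles Viewer (with Child Windows), in one added example that is not the O2 scripts themselves: EnumChildWindows plus GetClassName to list a window's children, and SetParent to move one of them into a WinForms panel owned by this process. It assumes the classic Win32 Notepad, whose text area is a child window of class "Edit" (not the newer Store-app Notepad); WindowHijack, ChildWindows and Hijack are names I chose.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;
using System.Windows.Forms;

static class WindowHijack
{
    delegate bool EnumChildProc(IntPtr hWnd, IntPtr lParam);

    [DllImport("user32.dll")]
    static extern bool EnumChildWindows(IntPtr hWndParent, EnumChildProc lpEnumFunc, IntPtr lParam);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    static extern int GetClassName(IntPtr hWnd, StringBuilder lpClassName, int nMaxCount);
    [DllImport("user32.dll", SetLastError = true)]
    static extern IntPtr SetParent(IntPtr hWndChild, IntPtr hWndNewParent);
    [DllImport("user32.dll")]
    static extern bool MoveWindow(IntPtr hWnd, int x, int y, int w, int h, bool repaint);

    // The 'child windows' view: (handle, class name) for every descendant of a window.
    public static List<KeyValuePair<IntPtr, string>> ChildWindows(IntPtr parent)
    {
        var result = new List<KeyValuePair<IntPtr, string>>();
        EnumChildWindows(parent, (hWnd, lParam) =>
        {
            var cls = new StringBuilder(256);
            GetClassName(hWnd, cls, cls.Capacity);
            result.Add(new KeyValuePair<IntPtr, string>(hWnd, cls.ToString()));
            return true;   // keep enumerating
        }, IntPtr.Zero);
        return result;
    }

    // Re-parent 'child' under a control of this process; returns the previous parent so it can be restored.
    // Fails (ERROR_ACCESS_DENIED) when the target belongs to a higher-integrity process: UIPI blocks it.
    public static IntPtr Hijack(IntPtr child, Control host)
    {
        IntPtr previous = SetParent(child, host.Handle);
        if (previous == IntPtr.Zero) throw new Win32Exception(Marshal.GetLastWin32Error());
        MoveWindow(child, 0, 0, host.ClientSize.Width, host.ClientSize.Height, true);
        return previous;
    }

    [STAThread]
    static void Main()
    {
        Process notepad = Process.Start("notepad.exe");
        notepad.WaitForInputIdle();
        while (notepad.MainWindowHandle == IntPtr.Zero) { Thread.Sleep(100); notepad.Refresh(); }

        IntPtr edit = IntPtr.Zero;
        foreach (var child in ChildWindows(notepad.MainWindowHandle))
        {
            Console.WriteLine("0x{0:X8} {1}", child.Key.ToInt64(), child.Value);
            if (child.Value == "Edit") edit = child.Key;
        }
        if (edit == IntPtr.Zero) throw new InvalidOperationException("Notepad's Edit control not found");

        var form = new Form { Text = "Notepad's Edit control, hosted here", Width = 600, Height = 400 };
        var host = new Panel { Dock = DockStyle.Fill };
        form.Controls.Add(host);
        IntPtr originalParent = IntPtr.Zero;
        form.Shown += (s, e) => originalParent = Hijack(edit, host);
        // Hand the window back before our form is destroyed, otherwise it dies with the host.
        form.FormClosing += (s, e) => SetParent(edit, originalParent);
        Application.Run(form);
    }
}
```

Two caveats worth keeping in mind: the hijacked window's messages are still pumped by Notepad's thread, so focus and painting can behave oddly while it lives in the other process, and SetParent only works between windows on the same desktop and at an integrity level you are allowed to touch, which is exactly the boundary the Shatter-attack research below is about.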
Labels:
O2 Platform,
PDFs,
WinAPI
Using Jni4Net (Part 3) - Writing and Invoking O2 Methods from Java and Eclipse.pdf
After Using Jni4Net (Part 1) - To C# REPL a java process (ZAP Proxy) and Using Jni4Net (Part 2) - Controling OWASP ZAP remotely (via Java BeanShell REPL in .Net) the next step was to see if we could consume (and code) the .NET APIs from Java.
And again Jni4Net really worked!
Here is a .NET WinForms control, coded and executed from the (Eclipse written) Java code:
Labels:
Java,
Jni4Net,
O2 Platform,
PDFs
Using Jni4Net (Part 2) - Controling OWASP ZAP remotely (via Java BeanShell REPL in .Net)
Once I was able to Use Jni4Net (Part 1) - To C# REPL a java process (ZAP Proxy) I was able to use the ZAP BeanShell support to start controlling and manipulating ZAP's GUI from the .Net C# REPL.
Here is an example of adding a new 'Site' (i.e. a TreeNode) to the main ZAP 'Site's window (i.e. TreeView)
Labels:
Java,
Jni4Net,
O2 Platform,
PDFs
Using Jni4Net (Part 1) - To C# REPL a java process (ZAP Proxy)
Last week I discovered the Jni4Net FOSS project which provides the foundation blocks to create a Java bridge to .Net (and vice-versa).
To try Jni4Net, and see if it was really possible to have .Net and Java code running on the same process (with the CLR and JVM being able to invoke each other's methods), I decided to see if I could connect the O2 Platform with the OWASP ZAP project (with both running on the same process)
My first step was to use O2's Injecting C# DLLs into Managed (C#) and Unmanaged (C++) processes capabilities to inject a C# REPL into the ZAP process.
And here they are in action:
- the foreground window is the (CLR based) C# REPL
- the background window is the (JVM based) ZAP process.
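The other direction from the same project, as an added example rather than the O2 script shown above: instead of injecting into a running JVM, a .NET process starts a JVM inside itself with Jni4Net and calls Java directly, which is what makes the CLR and JVM share one process id. It assumes the jni4net.n.dll and jni4net.j4n.dll assemblies are referenced and a JRE is installed; the API names are those of jni4net's own hello-world sample, and proxies for any other jar (ZAP's, for instance) have to be generated with its proxygen tool first.

```csharp
using System;
using System.Diagnostics;
using net.sf.jni4net;   // Bridge and BridgeSetup (jni4net.n.dll); java.* proxies come from jni4net.j4n.dll

static class JvmInProcess
{
    static void Main()
    {
        // Loads jvm.dll into this process and starts the JVM; classpath entries for
        // extra jars are added on the setup object before this call.
        var setup = new BridgeSetup { Verbose = false };
        Bridge.CreateJVM(setup);

        // Java strings map to System.String, so the proxy call reads like plain C#.
        string javaVersion = java.lang.System.getProperty("java.version");
        Console.WriteLine("CLR {0} hosting JVM {1} in PID {2}",
                          Environment.Version, javaVersion, Process.GetCurrentProcess().Id);

        // Java's System.out writes to the same stdout as Console: one process, two runtimes.
        java.lang.System.@out.println("Hello from Java, called from C#");
    }
}
```

Once both runtimes are in one process the security model is also shared: anything the Java side can do (file system, sockets) the C# side can now reach through the proxies, and vice versa, so treat the bridge as a trust boundary removed rather than an integration detail.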
Labels:
Java,
Jni4Net,
O2 Platform,
PDFs
Managing website's content via GitHub edits (which are auto-committed and push into AppHarbor)
Based on the test site created in TM Fork into stand-alone Sales and Marketing site, here is an example of how you can manage the content of that 'AppHarbor published site' using GitHub
Here is the workflow that is going to be shown below:
- Edit a file in a GitHub Repository (using GitHub's website edit interface)
- Save it (GitHub will auto-create a commit with the changes)
- The commit will trigger a build request to AppHarbor
- AppHarbor will receive the request and do a Git pull from GitHub
- Once the new code is pulled, AppHarbor will build it
- And if the build is successful, AppHarbor will deploy the built files to a live server
Labels:
TeamMentor
Great O2 Platform Presentation from Michael (final draft)
Michael Hidalgo sent me a copy of his presentation called "The O2 Platform : Exploiting and Fixing Microsoft ASP.net MVC Vulnerabilities" that he is going to present on the 21st Nov 2012 at OWASP's Latam conference in Uruguay :)
Labels:
O2 Platform
TM Fork into stand-alone Sales and Marketing site
After Coming up with a name for TeamMentor's public site (which resulted in the getsecure name being chosen) it was time to create that site.
After spending some time refactoring TeamMentor's (TM) main code base (to only use the needed bits) here is a stand-alone TM site which will hold the TM Sales and Marketing pages.
If you have a couple cycles, please take it for a test drive (and try not to break it too much since the SI guys are also looking at it at the moment (that said if you break it, I can fix it with a simple git push :) ))
This is what it looks like (with a design based on ThemeForest AirStream):
And here are the details:
- The live QA site at: https://getsecure.apphb.com (hosted at AppHarbor)
- by default the / root will redirect to the https://getsecure.apphb.com/xml/Eval page
- also available is the https://getsecure.apphb.com/notepad/Customer page
- The GitHub repository is: https://github.com/TMClients/Site_getsecure.teammentor.net
- You can edit the content online using:
- http://getsecure.apphb.com/notepad/Eval
- http://getsecure.apphb.com/notepad/Customer
- login with
- admin : !!tmbeta
- You can run this site locally by downloading the zip from here (or cloning) and
- unzipping the files to a local folder (which can be a USB stick)
- executing the _LocalWebServer/start TeamMentor.bat which will start Cassini locally on http://127.0.0.1:12150
- This is now an example of a real fork of TM's engine
- All content (apart from the YouTube videos) is served from this site (I moved the Animation.html files that were coming from SI.com into getsecure.tm)
- The TM engine is consumed via its compiled dlls (which will be retrieved from NuGet once 3.2.4 is released), so the backend code is not there (i.e. this site uses the latest released version of TM)
- 90% of TM's website Html/Javascript/Images content is NOT there (I only added the required files so that it is possible to Login and Edit the pages (using the Notepad editor))
- Nice case-study on how to create stand-alone websites based on TM's engine and APIs
- AppHarbor is synchronised with GitHub, which means that there will be a new deployment on every commit to the https://github.com/TMClients/Site_getsecure.teammentor.net repository
Important note: although the content changes will be shown on the site (the ones done via the 'notepad' editor) this data will be lost on every new publish.
There are two ways to make persistent changes:
- get a local clone of the Site_getsecure.teammentor.net, change the content locally, commit those changes locally, and do a push to GitHub (which will trigger a publish to AppHarbor)
- edit the desired file on GitHub's web edit interface (for example the Eval page or the Customer page), which when saved, GitHub will auto-create a Commit with the changes (which will trigger a publish to AppHarbor).
Let me know how it goes, and again, please don't break it too much :)
Labels:
TeamMentor
Friday, 16 November 2012
Lovely 'post help' email from Wikipedia
After 'helping' Wikipedia (see Improved Wikipedia funding page... for details) I received a really nice 'Thank you from the Wikimedia Foundation' email from Sue
And since she asked so nicely for me to share her words, here they are verbatim:
--------------------------------------------------------------------------------------------------
Dear dinis,
Thank you for donating to the Wikimedia Foundation. You are wonderful!
It's easy to ignore our fundraising banners, and I'm really glad you didn't. This is how Wikipedia pays its bills --- people like you giving us money, so we can keep the site freely available for everyone around the world.
People tell me they donate to Wikipedia because they find it useful, and they trust it because even though it's not perfect, they know it's written for them. Wikipedia isn’t meant to advance somebody's PR agenda or push a particular ideology, or to persuade you to believe something that's not true. We aim to tell the truth, and we can do that because of you. The fact that you fund the site keeps us independent and able to deliver what you need and want from Wikipedia. Exactly as it should be.
You should know: your donation isn’t just covering your own costs. The average donor is paying for his or her own use of Wikipedia, plus the costs of hundreds of other people. Your donation keeps Wikipedia available for an ambitious kid in Bangalore who’s teaching herself computer programming. A middle-aged homemaker in Vienna who’s just been diagnosed with Parkinson’s disease. A novelist researching 1850s Britain. A 10-year-old in San Salvador who’s just discovered Carl Sagan.
On behalf of those people, and the half-billion other readers of Wikipedia and its sister sites and projects, I thank you for joining us in our effort to make the sum of all human knowledge available for everyone. Your donation makes the world a better place. Thank you.
Most people don't know Wikipedia's run by a non-profit. Please consider sharing this e-mail with a few of your friends to encourage them to donate too. And if you're interested, you should try adding some new information to Wikipedia. If you see a typo or other small mistake, please fix it, and if you find something missing, please add it. There are resources here that can help you get started. Don't worry about making a mistake: that's normal when people first start editing and if it happens, other Wikipedians will be happy to fix it for you.
I appreciate your trust in us, and I promise you we'll use your money well.
Thanks, Sue
--------------------------------------------------------------------------------------------------
This is how to do it, well done Wikipedia
Notice the nice touch (in bold) to encourage participation in creating Wikipedia content.
Labels:
Philosophy
Improved Wikipedia funding page, why OWASP needs something similar, and who buys OWASP Corporate Memberships
Just went to Wikipedia and saw this:
Labels:
OWASP
Coming up with a name for TeamMentor's public site
I'm moving the current TM Eval and Customer pages into its own server, and I was struggling to come up with a name that worked (in the xxxxxx.teammentor.net DNS name format).
So I jumped on Skype and after a couple of minutes bouncing some names around with Roman (who I have no idea where in the world he is) we came up with: novulns.teammentor.net
as in:
- http://novulns.teammentor.net/Eval
- http://novulns.teammentor.net/Customer
- http://novulns.teammentor.net/Buy
- http://novulns.teammentor.net/Support
What do you think? does it work?
For reference here are the other names we came up with (in order of appearance):
- sales.teammentor.net
- marketing.teamentor.net
- live.teammentor.net
- customerzone.teammentor.net
- get.teammentor.net
- clientportal.teammentor.net
- clietsite.teammentor.net
- xss.teammentor.net
- bazzar.teammentor.net
- sqli.teammentor.net
- stopxss.teammentor.net
- getsecure.teammentor.net
- novulns.teammentor.net
Note how, looking at this list, it's possible to see the chain of ideas that led us to the last one (which just clicked for us)
Labels:
TeamMentor
Monday, 12 November 2012
Util - Java Decompiler (JAD based) v1.0.exe
If you want to take a quick look at the Java code inside a Jar file, here is a simple Java/Jar Decompiler (based on the JAD tool)
You can download the tool from: Util - Java Decompiler (JAD based) v1.0.exe (stand-alone O2 Platform script)
Labels:
Java,
O2 Platform Tool
Friday, 9 November 2012
AppScan Source Findings in Ozasmt files (and O2 tools to View, Filter, Join, Stitch and Script them)
If you are using AppScan Source (previously called OunceLabs) you will find these O2 Tools really useful:
- Util - Simple Findings Viewer v1.1.exe (4.8Mb)
- Util - Simple Findings Viewer (with code viewer) v1.1.exe (4.8Mb)
- Util - Filter Findings by Source and Sink (RegEx) v1.1exe (4.8Mb)
- PoC - Join Traces (on Attributes) - very basic version v1.0.exe (4.8Mb)
Labels:
IBM,
O2 Platform Tool,
OunceLabs
O2 tools to view and script J2EE, Struts and Tiles xml config files
If you are reviewing Java/J2EE applications, here are a number of mini O2 tools that will help you to understand what is going on:
- Util - View Struts Mappings v.1.0.exe (4.7Mb)
- Util - View struts-config.xml mappings v1.0.exe (817kb)
- Util - View tiles-def.xml mappings v1.0.exe (816kb)
- Util - View validation.xml mappings v1.0.exe (817kb)
- Util - View Web.Xml mappings v1.0.exe (817kb)
Labels:
Java,
O2 Platform Tool
Viewing 'Console Out' messages created inside UserControls (when rendered by VisualStudio's Form Designer)
Now that we have the ability to Add 'Console Out' to VisualStudio IDE as a native Window the question is: "Where can we use Console.WriteLine inside VisualStudio?", in a way that the written lines/chars show in that Console Out window:
The key to understanding the question is to visualize this:
- The Console Out window is running inside VisualStudio (i.e. in the same process)
- The Console Out window script captured the VisualStudio process's Console Out (of which there is only one; this is why, if you open multiple Console Out windows (as shown above), only the last one opened will capture the output)
- To send a message to the Console Out window, the sender (i.e. the code being executed) must be inside the same VisualStudio process
- This means that (based on quick tests) VisualStudio's scripting engines (like the Immediate Window or the F# interpreter) will not work, since they run outside the VisualStudio process
One easy way to trigger a Console.WriteLine is to write it in one of the C# REPL script GUIs (from the O2 VisualStudio Extension) :)
But what would be really useful would be to trigger Console.WriteLine debug messages during normal VisualStudio development, for example when programming WinForms Controls :)
To show how that is possible, let's start with an empty WinForms Application project:
Which comes with default WinForms Form:
Next add a UserControl with a Label:
And add that UserControl to the Form:
The interesting part of what just happened, is that VisualStudio invokes the constructor of the UserControl1.cs (in order to create a live instance of that Control) before adding it to the Form1.cs object.
And that (the UserControl1.cs constructor) is where we can trigger the Console.WriteLine calls.
Open the Code Behind file for the UserControl1.cs file:
Write a Console.Write message and build the project (note the message shown in the Console Out window)
This happens because (after a successful build) VisualStudio needs to refresh the controls currently shown in the Form Designer (for example to take into account any visual changes in those controls)
Here is another way to trigger the Console.WriteLine call (i.e. to trigger the UserControl.cs constructor).
Close Form1.cs from the Form Designer:
And the open it again:
Yet another option is to delete the UserControl1.cs from the Form1.cs:
And add it back again:
Basically, the UserControl1.cs constructor will be invoked every time that control is added (or shown), like in the image below, where another instance of UserControl1.cs was dragged into the Form1.cs:
Interestingly enough, this has a number of security implications, since a security payload/exploit can be triggered just by adding/viewing a UserControl inside the Form Designer. The problem is that the payload will run with the same privileges given to VisualStudio (not the privileges used to run the application).
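As an added example (not code from the original post), here is a UserControl whose constructor reports which process it is executing in, so the effect described above can be observed in the Console Out window, and which uses LicenseManager.UsageMode to keep run-time-only side effects out of the design-time path; the class name and the helper method are assumptions:

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Windows.Forms;

// Constructed example: when this control is dropped onto a Form in the
// VisualStudio Form Designer, the constructor below executes inside the
// devenv.exe process, so the message lands in the O2 'Console Out' window
// and anything else done here runs with the IDE user's privileges.
public class ConsoleOutProbe : UserControl
{
    private readonly Label _label = new Label { AutoSize = true };

    public ConsoleOutProbe()
    {
        Controls.Add(_label);

        // LicenseManager.UsageMode is usable inside the constructor, whereas
        // Control.DesignMode is still false here because Site is not yet set.
        bool designTime = LicenseManager.UsageMode == LicenseUsageMode.Designtime;
        string host = Process.GetCurrentProcess().ProcessName; // "devenv" in the designer

        Console.WriteLine("[ConsoleOutProbe] ctor in process '{0}' (design time: {1})",
                          host, designTime);

        _label.Text = designTime ? "Design-time instance" : "Run-time instance";

        // Keep real side effects (file, network, registry access) out of the
        // design-time path; otherwise they execute inside the IDE process.
        if (!designTime)
        {
            InitialiseRuntimeOnlyState();
        }
    }

    private void InitialiseRuntimeOnlyState()
    {
        // Hypothetical placeholder for setup that should only run in the
        // deployed application, never while the designer renders the control.
    }
}
```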
Labels:
O2 Platform,
VisualStudio
Adding 'Console Out' to VisualStudio IDE as a native Window
Michael Hidalgo has posted two blog entries where he uses the O2's VisualStudio Extension to open a Console Out window inside VisualStudio, which is then used to help with a quick test on the DateTime object (and making his life easier)
- How to use the Console output in the C# REPL (in the O2 blog)
- Making Software Developers life easier : Using O2 Platform as a fast development framework (in his blog)
Now this Form object is a WinForms control and is not a native VisualStudio Window, which means that we can't add it to the VisualStudio Panes.
A better option is to make this a native VisualStudio Window, which is quite easy to do.
Open the C# REPL - VisualStudio 2010 API (from the REPL menu)
And with the VisualStudio_2010 object:
Create a native VisualStudio window (with a WinForms Panel inside it):
Use the same add_ConsoleOut extension method on the Panel object (the one returned by the open_Panel extension method):
And now the Console Out is inside a native VisualStudio window, which we can access and manipulate.
Here is an example of changing the base window's width, height, top and left values:
Which of course we can now put anywhere inside VisualStudio's GUI
Next see the Viewing 'Console Out' messages created inside UserControls (when rendered by VisualStudio's Form Designer) for a practical example of using this technique during development.
Labels:
O2 Platform,
VisualStudio
Thursday, 8 November 2012
LucidChart.com looks like a pretty good Visio online replacement
Although this visualisation of TeamMentor's GitHub dev workflow is pretty good, it was created using Visio, and I really don't want to use Visio again (I'm done using large desktop apps with no web integration/publishing).
The good news is that :
- Roman found LucidChart.com,
- he was able to import that complex Visio diagram into it, and
- the end-result looked good enough (after a couple import fixes).
So I went to LucidChart.com to try it out :)
I have done a LOT of Visio diagrams (in the past), and I have to say that I found LucidChart's web interface really easy to use (and learn).
As a test, I imported an image from this blog, and was able to quickly create this:
(csharp-repl.apphb.com GUI)
Not bad for a couple minutes work :)
Labels:
Services
Is the TeamMentor's OWASP Library content released under an open License?
Following the FLOSSHack TeamMentor thread, Jerry Hoff asked "Is the content in http://owasp.teammentor.net/teamMentor creative commons? Can we use it to freely fill out more of the cheat sheets and use in tutorial videos and so forth?"
And the answer is: YES
Here is the repository for the XML files: https://github.com/TeamMentor-OWASP/Library_OWASP
Labels:
OWASP,
TeamMentor
FLOSSHack TeamMentor and the 'sausage making process' that is software/application development
OWASP's FLOSSHack events are a really powerful initiative.
"...Free/Libre Open Source Software Hacking (FLOSSHack) events are designed to bring together individuals interested in learning more about application security with open source projects and organizations in need of low cost or pro bono security auditing. FLOSSHack provides a friendly, but mildly competitive, workshop environment in which participants learn about and search for vulnerabilities in selected software. In turn, selected open source projects and qualified non-profit organizations benefit from additional quality assurance and security guidance...."
See FLOSSHack_One for the details (and vulnerabilities discovered) of the first event.
OWASP's FLOSSHack is one of those 'magical' spaces where the OWASP's community and its projects can come together and add a lot of value.
Labels:
OWASP,
TeamMentor Security
The difference between being 'Appointed' and being 'Accepted' as an OWASP Leader (of its Fork)
OWASP is a community that really embraces new ideas, new contributors and projects.
For somebody motivated (and with time/energy) there are very few ‘real’ barriers to entry. Even in the cases where it ‘feels’ like there are barriers to entry or ‘bureaucracy’, those are mainly artificial and easily bypassed (with the right level of energy and commitment).
The problem is Empowerment
What I found (by observing lots of OWASP projects starting, blossoming and dying) is that what makes the difference is how empowered an individual is on a particular project/task.
Labels:
OWASP,
Philosophy
Disabling PatchGuard V3 Pdf
Here is a good read (if you're into kernel dev or patching) from the guy who created EasyHook
A while back I did some kernel development where I used the Rasta Ring 0 Debugger to apply direct code patches to user-land dlls. One of the best PoCs was one where I was able to do MSIL patching on loaded .NET assemblies, which was completely invisible to user-land.
Patching the CLR was also very interesting :)
Labels:
Kernel
Tuesday, 6 November 2012
Zim-Wiki - a desktop wiki
Serge is using Zim Wiki to document some of his development experiences, and it looks like quite a useful tool.
Zim is written in Python and has a nice/clean Gui.
Here is the Windows installer:
Another similar tool is http://keepnote.org/
An interesting and powerful idea is to add TeamMentor Import/Export features to these products so that we (i.e. TM Users) can use these tools as Article creators/editors.
Labels:
To add to O2