Monday 30 April 2012

Empowering users to create and manage content (using TeamMentor)

After our InfoSec adventure, Tom Bain (@tmbainjr1) from SI has started blogging about his experiences in actually using TeamMentor (vs finding a way to market it :) )

His first post I'm not a developer but I play one on TV... shows that the 'make it simple to use' approach that we took with the latest version of TeamMentor is starting to work.

Tom is not a programmer, but he is a power-user, which means that once he gets how to do something, he is able to run with it.

So my approach was to create a couple of XML files that:

  • were easy to update,
  • had immediate feedback on changes, and
  • looked good

Here is what these pages look like:

If you look at the source code of those pages (view-source:http://docs.teammentor.net/xml/Customer) you will see the XML that Tom is editing (pretty clean right :)  )


Note the XSL reference at the top which points to this XSL content: view-source:http://docs.teammentor.net/xml/xslt_LandingPage%20Variation%202  (again managed by TeamMentor and online editable)

It is worth mentioning that I did try to get Tom to edit this page using a WYSIWYG client app that he installed on his local box, and it was a nightmare. The formatting started to go wrong, there was no easy way to preview the final result, etc...

What is even more interesting is what happened after the first couple edits. Tom started to become comfortable with the user interface, and focused on the content + user experience.

We started talking about 'What should the user experience on this page be?', 'What should the links and buttons do?', 'How do we best communicate our ideas?'

And since he was able to quickly try things out, our productivity (me in London and him in Boston) was really high. Not to mention that Tom really enjoyed the experience (he was in control) and feels empowered to make more changes.

WebAppSec 4 day contract in Dublin, and Security Teams for Hire

Just got contacted by {somebody} who needs a resource asap for a 4 day project (WebAppSec assessment) in Dublin next week (starting on the 8th of May)

If this is something you can do (and have the skills + availability), please ping me and I'll put you in touch.

And if you are looking to hire a team or want the services provided by a company (vs a contractor) I would recommend that you talk with these guys below (just a quick list, off the top of my head, of who I think of when I think of WebApp Security companies):

If you're not blowing up the database, you're not testing the whole app

One of the key signs that I expect to see when doing any type of automation test on a website, is the moment when a test (or request) destroys or heavily corrupts the database/content of the site being tested.

And this is exactly what just happened to Arvind (from A journey into testing WebServices in a developer friendly way ). He was testing TeamMentor (TM) WebServices and suddenly there was no content on his test server :)

A couple of interesting points:

  • That happened because Arvind now has a better test setup which is able to invoke the TM webservice as reader and editor
  • His tests have better state (i.e. correct values for real data, like a Library GUID)
  • One of the WebServices he is now able to invoke correctly is the 'DeleteLibrary'
  • You can guess what happened next :)
  • Tests that were passing before the delete started to fail
  • Arvind will need to take into account the fact that some WebServices methods have 'destructive behaviour' (and only invoke them selectively)
And here is the key point: most apps that DO something will have a sequence of events that either corrupts or deletes key data required for their normal behaviour. And if the automation tests are working, they will trigger that scenario.

Or in other words: if your spider is not blowing up the database, it is not spidering deep enough

Another nice thing about the test suite that Arvind is building is the fact that we will end up with a 'the app is working ok' monitor, which is very valuable to any developer and TM user (a good example of Security Tests adding a lot of value to the target application)
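The two ideas above (methods with 'destructive behaviour' that should only be invoked selectively, and a read-only 'the app is working ok' monitor) can be built into the harness itself. The following is an added Python example, not Arvind's test suite and not TeamMentor code: the FakeContentService, its method names and the library GUID are constructed stand-ins for a content server, used only to show the pattern.

```python
"""Keeping destructive WebService calls out of the 'app is working ok' monitor."""
from copy import deepcopy
import uuid

# Constructed stand-in for a content server (hypothetical, not TeamMentor's
# code): a library GUID maps to its list of article titles.
class FakeContentService:
    def __init__(self, state):
        self.state = state

    # Read-only methods: safe to call against any instance at any time.
    def get_libraries(self):
        return sorted(self.state)

    def get_articles(self, library_id):
        return list(self.state[library_id])

    # Destructive methods: they change or remove content the read tests rely on.
    def create_library(self, name):
        library_id = str(uuid.uuid4())
        self.state[library_id] = []
        return library_id

    def delete_library(self, library_id):
        del self.state[library_id]
        return True


# The harness's own list of methods with 'destructive behaviour'.
DESTRUCTIVE = {"create_library", "delete_library"}

# Constructed fixture: a fixed library GUID so tests carry real-looking state.
SAMPLE_LIBRARY = "11111111-1111-1111-1111-111111111111"


def seed_state():
    return {SAMPLE_LIBRARY: ["Input Validation", "Cross-Site Scripting"]}


def health_check(service, library_id):
    """Read-only monitor: only calls methods outside DESTRUCTIVE."""
    has_library = library_id in service.get_libraries()
    has_articles = has_library and len(service.get_articles(library_id)) > 0
    return {"has_library": has_library, "has_articles": has_articles}


def run_destructive(service, method_name, *args, verify=None):
    """Invoke a destructive method inside a snapshot/restore boundary.

    The method's effect is checked by `verify` before the state is rolled
    back, so later read-only tests see the original content again.
    """
    if method_name not in DESTRUCTIVE:
        raise ValueError(f"{method_name} is not destructive; call it directly")
    snapshot = deepcopy(service.state)
    try:
        result = getattr(service, method_name)(*args)
        checked = verify(service) if verify else None
    finally:
        service.state = snapshot
    return result, checked


def scenario():
    """Compare a naive test order with the guarded one on the same fixture."""
    # Naive: DeleteLibrary runs once, and every later read test fails.
    naive = FakeContentService(seed_state())
    naive.delete_library(SAMPLE_LIBRARY)
    after_naive = health_check(naive, SAMPLE_LIBRARY)

    # Guarded: same call, but the content comes back for the tests that follow.
    guarded = FakeContentService(seed_state())
    deleted, gone = run_destructive(
        guarded, "delete_library", SAMPLE_LIBRARY,
        verify=lambda s: SAMPLE_LIBRARY not in s.get_libraries(),
    )
    after_guarded = health_check(guarded, SAMPLE_LIBRARY)
    return {"naive": after_naive, "guarded": after_guarded,
            "deleted": deleted, "verified_gone": gone}


if __name__ == "__main__":
    print(scenario())
```

Against a real server the snapshot/restore boundary would be a database or content-folder backup rather than a deepcopy, but the split is the same: the monitor only ever touches the read-only methods, and anything on the destructive list runs against disposable state with an explicit check of its effect before the rollback.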




Solution to copy and paste images into blogs

I still don't have a good solution to copy and paste images into blogs like this one (or my O2 Wordpress blog)

At the moment I have a mix of O2 scripts and some automation, but it is still not the workflow I want.

Basically I want to be able to have this workflow:
  • open up editor and screenshot tool (like the one from O2 or built-in into OSx)
  • write text
  • take screenshot
  • paste screenshot into article
  • write more text
  • take more screenshots and paste them
Basically I want to have the minimum disruption and pause between the moment I take the screenshot and the moment I use it in a blog.

Currently the workflow I have is:
  • take screenshot and save it locally
  • go into blog gui and click on the add image
  • select image from local disk
  • click on upload
  • select uploaded image
  • click on insert into article
That's 6 steps for something that should be 1 step.

And this is what 'Design' is all about. Find a problem and make it simple (i.e. reduce the number of steps required to execute a particular action)

Happiness makes business sense

This TED talk by Shawn Achor "The happy secret to better work" makes the case that positive energy and 'happiness' make us more productive and effective.

Not only is his presentation style great, I think he is completely right.

Especially on the part that 'happiness' is a habit and needs to be constantly exercised.

From a business or organisational point of view, this means that it should be a 'corporate' objective to deliver happiness to its players (employees, members, clients, partners, etc...)

They should do this not because it is 'nice', but because it makes business sense.

Business case for investing in Application/Data security in the pharmaceutical 'Big Data' world

Let's say that company XYZ works in the pharmaceutical field and provides the service of analysing large sets of data and creating reports with actionable information.

The data analysed (think 'Big Data') is already confidential (for example consumer usage of a particular trial/released product) and the report created is even more sensitive (since it might provide massive competitive advantage)

Today I don't believe most companies that deal in this space have very mature Application/Data Security programs and are able to protect this confidential data over the multiple places it is used (from its storage to the applications and entities that consume/expose it)

And if there are, please point me to real examples and published information.

Usually the reasons for lack of security come down to: low number of attacks, weak regulation, weak customer pressure, lack of 'security metrics' and no-competitive-advantage-in-being-secure.

So how do we change this?

If you were going to meet an executive of one of these companies tomorrow, how would you present a valid business case for the investment in Application/Data security?

Of course we can use FUD, but our industry is so good at it that these execs have probably already spent a bunch of money on FUD-driven products

My view is that the first step actually starts on the executive side. Basically, they (the company) must first decide that they want to make Application/Data security one of their competitive advantages and something they want to sell to their customers. Only then will any initiative be sustainable.

Of course, if a company (or their direct competitors) is a victim of a successful attack then they will want to invest a bit.

Question: are there good examples of companies that went bust, lost a lot of business or had big fines due to the compromise of medical/pharmaceutical data they were handling/analysing?

Sunday 29 April 2012

JSIL : C# in the Browser - amazing IL to JS

Just found out about http://jsil.org and it looks pretty spectacular :)

This is a project created by Kevin Gadd and here is his description of how it works:


JSIL is a compiler that transforms .NET applications and libraries from their native executable format - CIL bytecode - into standards-compliant, cross-browser JavaScript. You can take this JavaScript and run it in a web browser or any other modern JavaScript runtime. Unlike other cross-compiler tools targeting JavaScript, JSIL produces readable, easy-to-debug JavaScript that resembles the code a developer might write by hand, while still maintaining the behavior and structure of the original .NET code. Because JSIL transforms bytecode, it can support most .NET-based languages - C# to JavaScript and VB.NET to JavaScript work right out of the box.

Check out the demos:
In addition to a really powerful combination of technologies, here is what I really like about this site:
  • Clearly explains what it does
  • Allows the user to Try it now (of course that running the code in the browser helps)
  • REPL environment on browser 
  • Very social with direct links into creating GISTs with the code created
  • First step to using it is a Git Pull, and it actively encourages Git Forking
  • Little mascot :)
I really want to see if I can integrate this with the O2 Platform since this could be the piece that I was missing to create jO2: the port of parts of O2 into Javascript :)

A journey into testing WebServices in a developer friendly way

Following from the workflows that I described in First you create Tests for WebServices, then you add the abuse/security cases , Arvind has now started to blog about his efforts, challenges and solutions.

I asked him to start from the beginning since I think his history and evolution will be very relevant and interesting to others trying to implement similar solutions:

What is very interesting about this series of posts (with many more to come) is that Arvind is really capturing the thinking (and evolution) that needs to happen when doing Authorisation Security testing on an application like TeamMentor.

I also really like the honesty of Arvind's voice and some of his funny comments :)

I hope you enjoy reading his journey

Friday 27 April 2012

TeamMentor.net vulnerable to BEAST and SSL 2.0, now what?

Ok, so from https://www.ssllabs.com/ssltest/analyze.html?d=teammentor.net&source=tim we can see that https://teammentor.net gets a B rating because it is vulnerable to the 'BEAST Attack' (whoohh that sounds scary :) )

The link on that page points to Mitigating the BEAST attack on TLS which provides some background info on the problem, but it doesn't answer the questions I have at the moment, which are:

  • What is the risk impact of this vulnerability on a site like http://teammentor.net?
  • What are the exploit scenarios?
  • Is there any mitigation (or not) by the use of IIS 7.0?
  • How do I fix this in IIS 7.0?
  • Can anything be done at the Application Layer?
In a way this is where security fails. Instead of giving me a solution, SSL Labs (which rocks btw) is giving me a problem.

Another good example of 'Security as TAX' vs 'Security as Enabler'.

We are going to have to spend resources to understand, fix, test and validate this problem (i.e. pay a TAX) with very little return

The other issue to solve is removing SSL 2.0 support in IIS 7. As per this post How to Disable SSL 2.0 in IIS 7, it looks like it needs to be done by changing the registry. Is that the only way to do this?

Also asked this question on:
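On the SSL 2.0 part of the question (not BEAST, which is a cipher-suite ordering issue and is not covered here), the registry location the linked post refers to is the SChannel protocol tree, HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\<protocol>\Server, with a DWORD value Enabled. The script below is an added Python example (not from the post, SSL Labs or Microsoft) that parses a .reg export of that tree, reports the server-side state of each protocol, and emits the fragment that disables one. The export text is constructed for the example; the 'os-default' label is the script's own name for a protocol that has no explicit Enabled value and so falls back to whatever the OS ships with.

```python
"""Audit SChannel server-side protocol settings from a .reg export."""
import re

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

# Constructed sample export (not a real server): SSL 2.0 explicitly on,
# SSL 3.0 explicitly off, TLS 1.0 present but without an Enabled value.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg export."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            tree.setdefault(current, {})
            continue
        value = DWORD_RE.match(line)
        if value and current is not None:
            tree[current][value.group(1)] = int(value.group(2), 16)
    return tree


def server_protocol_status(tree):
    """Map each protocol under SCHANNEL\\Protocols to its server-side state."""
    status = {}
    prefix = SCHANNEL + "\\"
    for key, values in tree.items():
        if not key.startswith(prefix) or not key.endswith("\\Server"):
            continue
        protocol = key[len(prefix):-len("\\Server")]
        enabled = values.get("Enabled")
        if enabled == 0:
            status[protocol] = "disabled"
        elif enabled is None:
            # No explicit value: the OS default applies, which is not a hardening decision.
            status[protocol] = "os-default"
        else:
            status[protocol] = "enabled"
    return status


def findings(status, unwanted=("SSL 2.0",)):
    """Protocols from `unwanted` that are not explicitly disabled (missing key counts)."""
    return [p for p in unwanted if status.get(p, "os-default") != "disabled"]


def disable_fragment(protocol):
    """The .reg text that turns a protocol off server-side (needs a reboot to take effect)."""
    key = f"{SCHANNEL}\\{protocol}\\Server"
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{key}]\n"
        '"Enabled"=dword:00000000\n'
        '"DisabledByDefault"=dword:00000001\n'
    )


if __name__ == "__main__":
    current = server_protocol_status(parse_reg_export(SAMPLE_EXPORT))
    print(current)
    for protocol in findings(current):
        print(disable_fragment(protocol))
```

On a real box the input comes from `reg export "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" schannel.reg`, which writes a UTF-16 file, so open it with encoding='utf-16' before passing the text in. A protocol whose key is absent altogether is reported as a finding on purpose: only an explicit Enabled=0 counts as disabled, which is also what an external check like SSL Labs ends up measuring.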

Hack Yourself First: Jeremiah at TEDxMaui

Jeremiah was recently at TEDxMaui presenting Hack Yourself First which is an interesting development for WebAppSec and OWASP since I think it is the first time that a member of our community gets to present at TED (which is one of the best conference-series in the world)

A couple of comments:

  • he was quite nervous, which shows the 'pressure to deliver' that TED has.
  • I really like the concept of 'Hack yourself first' but I wished Jeremiah had given more examples on how to do it at a personal, corporate and organisational level
  • there was FAR too much FUD for my taste. It would have been better if he had found a more positive way to deliver the message
  • It is also quite obvious from Jeremiah's performance that he really cares about WebAppSec and wants to make the world more secure
    • Of course he owns a company that helps companies to 'Hack themselves first', so there is a lot of vested interest in there too :)
  • I think that OWASP doesn't get one mention, which is not Jeremiah's fault. It just shows the weakness of the OWASP Brand
Here is the Video:

Academic Papers on Software Analysis and Visualization

Paulo Coimbra (of OWASP Project Management fame) just sent me this list about the HPI publications on Software Analysis and Visualization

I really think that Visualization is key for Application Security, and we really need to start using this research in the Application Security field (unfortunately, note how on the Software Analysis and Visualization page there is not one mention of 'Security' or 'Secure').

Some of them have PDFs/Videos online:


But some only have images (where is the article!!!!)




Trustworthy Internet Movement and SSL Pulse

Ivan's interesting work at Qualys continues with the launch of the Trustworthy Internet Movement (TIM) and SSL Pulse at RSA.

There are a number of interesting developments here:

  • Great presentation and message
  • Real nice project page for SSL-Pulse: https://www.trustworthyinternet.org/ssl-pulse/
  • Well funded project: it looks like they started with a 500k USD investment from Philippe Courtot
  • Some efforts at creating a community (with a Join the Movement) although it doesn't say what happens next
  • Reuse of Ivan's great SSL Labs work gives this 'Movement' good momentum
  • Now look at their fundamentals ('Innovation, Collaborate, Individual Expertise'), principle ('TIM’s mission is to resolve major lingering security issues on the Internet, such as SSL governance and the spread of botnets and malware, by ensuring security is built into the very fabric of private and public clouds, rather than being an afterthought.') and Target Audience ('Experts, Innovators and Technical gurus, Stakeholders, Corporations, Academic institutions and non-profit organizations, Angel investors and VCs')
    • Quite a targeted audience
    • Will be interesting to see who joins and provides financial backing
    • It's quite SSL focused, there is a lot more to cloud security than SSL :)
    • No reference to openness :)
    • It sounds a lot like the model Mark Curphey wishes OWASP would follow :)
So at the moment this is basically a good Qualys branding exercise, and will help a bit to improve the WebApp security world, but the key question is whether there will be community adoption/participation and whether others will join the party.

There is nothing wrong with what Qualys is doing, and the fact that this investment (on Application Security) is happening outside of OWASP shows that OWASP doesn't currently have a model/structure that promotes this type of collaboration. And that is very unfortunate, since in terms of worldwide community and reach there is SO much OWASP could do to help this type of initiative.

Blogger in HTTP only? What happened to HTTPS?

UPDATE (2016): Blogger has limited support for https, see https://security.googleblog.com/2016/05/bringing-https-to-all-blogspot-domain.html

Now that I'm blogging more, I'm finding the need to blog from insecure locations (like a coffee shop or conference).

But unfortunately it doesn't seem to be possible to use SSL with Blogger? WTF! in 2012?

After this 2009 letter Google moved some of its web apps to SSL (see Google's answer at HTTPS security for web applications) but Blogger seems to have been missed!

At the moment there doesn't seem to be a way to write a blog post (like this one) without risking my sessionID being compromised. Am I missing something obvious?

Here is a thread Can I use an HTTPS connection for editing and posting on Blogger? (which points to a non-existing thread) that implies that Google doesn't do this due to performance issues.

Also annoying is the fact that https://diniscruz.blogspot.co.uk/ doesn't work! So how can I know that this blog's content is read as it was written (i.e. without its content being tampered with)?

On the topic of OWASP, note how there is no mention of it in the letter. Yes this letter is from 2009, but if it was written today, would OWASP be there? (this is what I'm now calling OWASP MIA (Missing In Action))

On that topic, why don't we write another letter to Google asking them to extend their security efforts into Blogger!

Also, if Google doesn't care about this and give us no solution, what other options do we have? What about a 'cloud' service that gives me secure access to this blog?

Thursday 26 April 2012

A small step for AppSec, a large step for Knowledge sharing

Yesterday something rather unique and rare happened!

A security consultant published technical details about the steps it took to make a tool work! And that security consultant talked about a real world app, didn't sugar-coat his comments, and wasn't working for the tool vendor!

The reason why this is newsworthy is because it doesn't happen very often!

I'm talking about Dan from Denim Group's blog post on 'AUTOMATED APPLICATION SCANNING: HANDLING COMPLICATED LOGINS WITH APPSCAN AND BURP SUITE'

This is a massive step for Denim, and I give them top marks for doing this! 

We really need to have many more posts like this, since only by publicly talking about what it really takes to make AppSec tools work can we evolve and make them better.

To see the sad state of affairs today, if you do a Google search for OZMAST (IBM AppScan Source xml file format) or search for FVDL (Fortify's file format), you will see that most of the search results are from me or the O2 Platform!

But the reason why posting blog entries like the one Dan posted (but written by William T) is SO important, is that it allows for a public debate on how each tool vendor (or service) can handle that exact scenario.

In this specific case, where it gets interesting is that after the post was published on Denim's blog, Jeremiah from WhiteHat tweeted "Handling Complicated Logins w/ AppScan & Burp Suite" http://bit.ly/IaITDR <omg, how utterly painful. must chain scans to just login.


And Rafal Los from HP joined in on the sniper fire by saying: "@jeremiahg Sweet merciful crap, just use Webinspect and call it done... wow that's horrible!"

Now this is GREAT!!!!!!

Finally a dialogue between the multiple tool vendors and security consultants that are trying to use these tools.

Since they were by now committed, I replied to both Jeremiah and Rafal with the invitation : "Ok, so why don't you show how you can do it in your products?"

In the multiple tweets that followed, this is where we are at the moment:

  • Dan has posted on GitHub a PoC of the Login page they wrote the article about: https://github.com/denimgroup/authexamples
  • Rafal asked their internal WebInspect gurus if they could do it, and they said yes! (let's see if they show us how using Dan's PoC)
  • Rafal also confirmed that HP's forums are the only place to look for that type of content: "I don't have articles like that, but our forums are buzzing with lots of real users asking/solving real complex challenges"
  • Jeremiah also confirmed the lack of community posts on their engine, which of course is a bit harder since WhiteHat is the main (if not only) user of their scanner (I still think that is a big mistake they make, but that is the topic for another post). That said, Jeremiah did point us to a number of interesting technical posts on how they think/operate:
  • So far, other scanner/tools have not joined the party, but it would be cool if they did (Netsparker, ZaP, Burp, MetaSploit, Qualys, Seeker, O2, etc...)
    • It would also be good to see an example from an IBM AppScan Standard Expert (showing us how to achieve the same results without using Burp)
    • And we really need other security consulting companies to join the conversation and show us how their amazing internal skills/scripts can handle this type of situation
So what needs to happen next is that we need to have similar reports/workflows (one per tool/service/security-team) providing detailed technical details on how to perform the exact same test (in fact it will probably be better if Dan (or William) redo their article using the PoC code provided in https://github.com/denimgroup/authexamples )

And why we need this:
  • There are users out there today that have similar problems, have bought/downloaded one of these tools and need better clues on how to solve their problem (sometimes reading how another tool solved a problem can be very useful)
  • By comparing tools' performance and capabilities side-by-side (same real-world scenario) we will have a much better understanding of what works and what doesn't work
  • The tools' developers (especially the ones who perform worse than others) will have a much better idea of what to do to improve their product.
Now the question is, will the tools/services/security-teams want to dance?

I hope so, since we really need this type of dialogue and debate in our industry, and, the real interesting discussion, will happen when we evolve from Login pages into specific Framework's scenarios :)

160k USD available to OWASP Chapters and Projects

This spreadsheet: https://docs.google.com/spreadsheet/pub?hl=en_US&hl=en_US&key=0Atu4kyR3ljftdEdQWTczbUxoMUFnWmlTODZ2ZFZvaXc&output=html contains the list of funds available to OWASP Chapters and Projects (actually mainly chapters)

The concept of allocating funds to Chapters was something that I helped to implement a while back, and the key concept of it was to allocate a certain % of OWASP membership funds to chapters (or projects) from either a local company's 5k corporate membership or a locally executed profitable conference.

The objective was to empower the leaders to spend the funds available to OWASP since 'in principle' they owned them.

Wednesday 25 April 2012

OWASP Royal Holloway Next Chapter Meeting - Thurs 10 May 6:30-9pm

Dennis Groves just posted this to the OWASP London lists, and if you are around London/Royal Holloway, on the 10th, you are invited to this OWASP chapter meeting :)

Please join us at the next OWASP Royal Holloway chapter meeting, we have two great speakers and two very interesting topics!
(also if you are in the Central London chapter, this conflicts with the incredible OWASP Bletchley Park event organised by Justin Clarke)

Thurs 10 May 6:30-9pm

Why don't other vendors do this???? Email sent to new TeamMentor Partners

I'm currently working with Tom (from SI) in trying to make the process to join the TeamMentor Partner program as easy as possible.

I think we're getting there, since below you can see what he will send to the companies that want to join (if you want to join, ping me and I'll hook you up with Tom).

Btw, there is no NDA that needs to be signed or massive 'approval/vetting process'. As long as the recipient is from an AppSec company, we're good :)

Now compare that with what the other AppSec tool vendors do :)

......
Here are the main links with information and downloads:
Next steps: Let us know your comments/feedback. We want to hear from you, how you are using TeamMentor, what you like, what you don’t, and what you would like to see. And if you have any issues don't hesitate to contact myself or Dinis Cruz directly.
Best regards,

Details of TeamMentor Partner Program

Here are the details of the TeamMentor Partner Program aimed at Application Security Consultants (for example security companies providing PenTesting/Code-Review services just like SI's team)


The terms of the Partner Program are:
  • Partner gets use of TeamMentor + SI Library for free in exchange for being a reference:
    • Partner gets use of TeamMentor for delivering their assessment results to customers 
    • Partner can hyperlink into TeamMentor's SI Library articles in their assessment results
    • The results and hyperlinked articles (both SI Library and internally created) can be accessed indefinitely 
    • SI Library must NOT be made publicly available (i.e. on an TM instance with anonymous reading enabled)
    • TeamMentor with OWASP library (and Partner created content) can be provided and linked publicly
  • When delivering results, partner can grant access to their customer to the TeamMentor + SI library for 14 days
  • If Partner’s customer buys TeamMentor, Partner gets 10% referral fee as incentive 
    • Partner can become a TeamMentor reseller if they desire, with standard reseller terms and conditions (40% commission)
  • The Partner can change and customize TeamMentor's Interface/GUI, but not to the extent where the TeamMentor/SI brands are no longer present
    • If white-labeling of content is desired, a full TeamMentor License needs to be purchased
  • TeamMentor will be provided via a GitHub repository (https://github.com/TMClients/TM-Partner), but if specific customizations are required (by a Partner), a dedicated fork will be created and maintained by SI
For clients, TeamMentor's pricing model is:
  • 40k USD - Unlimited (per business unit) TM Server Installs + SI Library (with 4000 Articles) + dedicated GitHub Fork (which we will maintain)
  • 10k USD - 1x TM Server Licence + SI Library + dedicated GitHub Fork
  • 0k USD - 1x TM Server License + OWASP Library + shared GitHub download (this is our 'evaluation' version and comes with a 'not for commercial use' license)

Tuesday 24 April 2012

Presenting tomorrow at 44Cafe on: O2 and TeamMentor

If you are around London (or at InfoSec) pop in to the Troubadour cafe at 3:30pm to see a presentation on O2 and TeamMentor.

I'm going to show O2 as you have probably never seen it before!

I really got to use O2's capabilities in TeamMentor, and contrary to what usually happens when I use O2 on real world apps, I can actually talk about this and show the scripts created :)

As described by the 44Cafe team: here is the current agenda for this 'side-event'
  • We have free bacon butties and veggie sausage butties between 12 and 2pm.
  • At 3:30 we have dinis talking and demoing O2 and teammentor.
  • At 4:30 we have a talk on mifare by mike auty.
  • From 5:30 there's free drinks till 7:30 or IOActive's tab runs out 
  • Then it's dc4420 time.
Here are more details about 44Cafe and how to find the venue: http://44con.com/2012/04/11/44cafe-the-gory-details/

Monday 23 April 2012

What I have been working on for the past year (with GitHub links)

Here is an email I wrote today, for a security group I belong to here in the UK, which is made up of amazing security guys, who most of the application tool vendors don't think exist. I have lost count of how many times I have asked a tool vendor for a particular feature or API just to be told '...you know, that is a great idea, but there is no market for it...'

So here it is, for the market that doesn't exist (which I think fits most of you who read my blog), a 'very politically incorrect' description of what I have been doing for the past 12 months:

<start-----------------------------------------------------------------------------------------------

Disclaimer, there is some commercial content in this email, so for the really allergic types, please stop reading now.

For the past year, I have been working on the TeamMentor product from Security Innovation (which some of you might remember from the amazing 'lets hook everything that moves and fuzz it' tool called Holodeck which is now available for download since SI is not actively working on it)

TeamMentor started its life as Microsoft's GuidanceExplorer (still available for download at codeplex) and SI took it, webified it and added a lot more content (the original version was very .Net focused). TeamMentor is basically a really nice security guidance creation and distribution engine, which comes with a 3000+ library of content covering a wide range of languages and content (you can try it at http://teammentor.net with the user ... and password .... )

For the past year I have actually been a 'real-world developer' and basically re-wrote that product (about 3 times) in order to make it very flexible, customizable and usable.

Now some of you have worked for product companies, and know how paranoid most execs are (for example where potential customers have to sign NDAs to even try a product!). What has been very cool at Security Innovation (SI) is that since their center of gravity is very much into the eLearning/CBT and consulting services, they have been very relaxed about my ideas about how TeamMentor should be created, distributed and sold.

What this means, is that I can share with you guys what I have been doing, which hopefully some of you will be able to use it:
  • Starting with the good bits: you can download the full version of TeamMentor's engine with a test library from GitHub: https://github.com/TeamMentor-OWASP/Master. You can also get my latest development branch from https://github.com/DinisCruz/TeamMentor-3.0-Release (while there check out this cool GitHub graph of commits https://github.com/DinisCruz/TeamMentor-3.0-Release/network (man, git has changed my life!!! ))
    • Note that although that version is on GitHub, it is not Open Source. It is under a 'not for commercial use' license, which for you guys means, '... don't use it in a way that google finds it...' :)
    • This is one of the coolest parts of SI, they really allowed this product (which they have been investing in for a couple years now) to be released without ANY licensing restrictions :)
      • My logic as the one who would have to code them was: 'well the guys who will bypass the licence will always be able to do it, so why make our and our customers' lives harder.'
    • If you want another version of TM to play with (to see for example how it can be customized) you can download it from https://github.com/TeamMentor/TeamMentor-Documentation which is the one used at the main documentation site (https://docs.teammentor.net), at the TeamMentor Technology pages ( http://docs.teammentor.net/xsl/Table_of_Contents) and the Customer Eval (http://docs.teammentor.net/xml/Eval - check out the XML+XSL transformation on that one)
  • If you want to have a go and find vulnerabilities in it, I (as the main developer) actively encourage you to do so:
  • I also think that this is a great opportunity to talk about the security activities/issues of a real-world app, since the code is completely available and the SI guys are more than happy for these conversations to happen in public, for example
  • I'm also happy to say that SI is providing one of the most 'security consultant' friendly licenses and model that I have seen in our industry. Ok this is not on their website, but I have been leaking how it works on my blog :)
  • Btw, have I said how much I love Git and GitHub? I have been using it non-stop and it's a massive game changer!!
    • For example GitHub is TeamMentor's native file system and content version control (TM articles are in XML files)
    • GitHub is TeamMentor's client distribution model (i.e. the customers get their own GitHub repository which we use to push new versions and (if they have pushed back their local changes) we do the merges for them. Now how cool is that :)
  • Oh yeah, and I also used O2's .NET APIs under the hood, namely the FluentSharp API (https://github.com/o2platform/O2.FluentSharp) which really makes the .Net APIs SO MUCH more usable :)
  • Finally, since I am an active user of this product, there are a number of features in there that I'm sure only you guys (and girls) will appreciate: online editing of backend code, drag n' drop upload of files, web based Git support, javascript invocation of webservices, in-browser Firebug lite, QUnit tests, Fuzzing engines, etc...
So yeah, sorry about the 'commercial links', but I think there is something special going on here.

Not only have I been able to release a commercial product under GitHub, I am able to blog about what I do every day and I'm creating a tool that will help to distribute security knowledge to a much wider audience.

Please have a go and let me know what you think :)

Btw, if you are going to InfoSec tomorrow, let's catch up (I will pop in to 44cafe in the afternoon)



Leak of TeamMentor Partner Program

After the Leaking TeamMentor's Pricing model post, here is where the thinking at SI is in terms of TeamMentor Partners (note that this is still a work in progress, but I think we have already nailed the key concepts)

The idea is to create a Security Innovation TeamMentor Partner Program aimed at Application Security Consultants (for example, security companies providing PenTesting/Code Review services, just like SI's team)

The terms of the program are:
  • Partner gets use of TeamMentor + SI Library for free in exchange for being a reference
    • Partner gets use of TeamMentor for delivering their assessment results to customers 
    • Partner can hyperlink into TeamMentor's SI Library articles in their assessment results
    • The results and hyperlinked articles (both SI Library and internally created) can be accessed indefinitely 
    • SI Library must NOT be made publicly available (i.e. on an TM instance with anonymous reading enabled)
    • TeamMentor with OWASP library (and Partner created content) can be provided and linked publicly
  • When delivering results, partner can grant access to their customer to the TeamMentor + SI library for 14 days
  • If Partner’s customer buys TeamMentor, Partner gets 10% referral fee as incentive 
    • Partner can become a TeamMentor reseller if they desire, with standard reseller terms and conditions (40% commission)
  • The Partner can change and customize TeamMentor's Interface/GUI, but not to the extent where the TeamMentor/SI brands are no longer present
    • If white-labeling of content is desired, a full TeamMentor License needs to be purchased
So if you look at TeamMentor's Pricing model, this is basically SI saying to its Partner: '...here is a 10k TeamMentor license, in exchange for your public use of it and exposure to your customers...'. Which sounds like a good win-win situation to me :)
 
For reference here is how TeamMentor is being sliced and sold
    0) Free. Get OWASP version for evaluation and non-commercial use (available at GitHub)
    1) Standard Sell. Pay for SI version
    2) Sell + Services. Pay for SI version + services to customize that version by selecting the exact content needed, whittling the library down to what's most relevant
    3) Sell + Extended Services. #3 + article creation/modification
So what do you think of this?

Does it make sense?

Anything that should be changed?

First you create Tests for WebServices, then you add the abuse/security cases

I'm currently working with Arvind (contracted by SI) on creating test cases for TeamMentor Webservices.

Since he is Linux/Python based, he can't reuse the C# test cases that I created a while back (see Testing TeamMentor 2.0 security using O2), which is not a problem since this will help to expand TeamMentor testability into the Linux/OS X world.

Why should a developer care about security training?

I was asked this question via SI (who have a bunch of application security focused CBT courses) and since Google was not able to find a good answer, here are my views on this.

Firstly I want to say that I have the utmost respect for developers who ship code (even before I became one). I have done a lot of developer training, and always took the view that blaming the developers for security problems was making the developers a scapegoat: there are far too many moving parts in the development of Secure Coding, and the developer is just one of them.

And although I argue that Secure coding (and Application Security) must be invisible to developers, it doesn't mean that developers should not be aware of it and should not learn about it.

They absolutely should, since just like Quality and Testing, security is the responsibility of everybody that writes code (see Security evolution into Engineering Productivity).

So why should a developer care about security training? Here are my top reasons:

  • Increase Knowledge
  • Learn new Tricks and Techniques
  • Improve Testing Skills
  • Improve Productivity
  • Improve Career
  • Have Fun
  • Learn the 'Application Security' language
  • Write more robust code
  • Write more secure code
Let's expand on these:

Increase Knowledge:  
The security field is filled with amazing techniques to break or protect an application's security.

I remember being massively impressed when I really figured out how Buffer Overflows, SQL Injection, XSS or CSP actually worked. There is so much to learn in this field and in a lot of cases we are really looking at pure knowledge.

Developers usually tend to have a focused approach to their learning paths, while security is more about the entire ecosystem, where the whole depends on the security of the parts (and how they interact).

Learn new Tricks and Techniques
This is something I can completely relate to, since I am a much better .NET/Web developer due to my security research.

I feel I have a 3D view of the CLR and Browser/HTTP/Server world, and when I have a problem my bag of tricks (even before O2) is enormous.

Improve Testing Skills
More and more Security is connected with Testing and UnitTests, and a lot of the code created by security analysis, can (and should) be reused in Testing.

One area that is often overlooked when talking about secure coding is the need to have tests that validate the assurance made: "...so this XYZ code is secure??? OK, prove it! OK... what about in 6 months' time, will it still be secure?"

Improve Productivity
The developers should pay very close attention to the tools and techniques used in the application security world, since they can help to solve a lot of problems and increase their productivity.

What I like the most about the Security evolution into Engineering Productivity concept is that it uses Testing/Security as a way to push Engineering excellence into an application (and improve the developer's productivity).

Improve Career
There is a MASSIVE career opportunity for the developers that are able to pick up application security skills. Not only will they become much better developers, they can also become the 'internal security expert', which is a role that needs to exist in all development teams.

They will also be able to join security teams or companies (who cannot find enough resources to hire), since it is much easier to teach a developer security than it is to teach development to a 'security professional'.

Have Fun
Both exploiting and fixing code is a lot of fun. There is a kind of wild-west/game environment, and when things work, the feeling is just amazing.

Why do you think that the application security field is made up of such a passionate crowd? For example, look at these 180 crazy ones from OWASP that went all the way to Portugal to work non-stop on Application Security issues.

Learn the 'Application Security' language
The Application Security field is really good at coming up with crazy names (XSS, CSRF/XSRF, Frame-jacking, SQLi, Off-by-One, AutoBinding/OverPosting, etc...), and it's always good to have an idea of what the other side is talking about (the same thing happens in reverse, and I would be wary of an 'application security expert' that doesn't know what TDD, Git or MVC is).

Write more robust code
The end result is that the new security techniques/knowledge will make the developers actually write more robust code, which will be tested much more thoroughly and be harder to break.

Write more secure code
And finally, what will also happen, is that we will end up with more secure code. A developer with Security Knowledge has a much better view of the side-effects of the code he/she is writing and is able to code in much stronger/safer paths.


... final comment: if it is mandated, make the most out of it....

Sometimes a developer will find themselves in a position where there is a mandate to take 'Security Training' and there is no way out. I would say that those developers should remember that 'in life you usually cannot change your tasks, but you can always change your attitude in executing those tasks'. Security training should be seen as an opportunity, and it's in the developer's best interest to make the most out of the investment made in his/her education.



I want a search engine for me and you

One of the key reasons I blog and tweet is so that I can find that information at a later date.

I'm talking to my 'future me' :)

Now if you add to this pile of data (blogs + tweets) my questions on forums (like StackExchange), replies to other mailing lists/blogs, GitHub commits/issues, edits on the OWASP Wiki, articles on TeamMentor, etc.... there is a lot of information to process.

The problem is that although all this information is public (and on the interweb), I don't have a good way to search it (in fact today, I don't even have a good way to find or visualize it).

So what I want is a way to search, index, massage, filter and complement this body of knowledge that I'm creating (in fact, if I could do that, it would even make more sense to spend time curating and adding metadata to it).

What would also be very useful would be to have similar access to other people I trust and follow, for example my Twitter following list, or even you (who are reading my blog and care about my ideas).

Anybody working on a similar concept?

Creative Market and themeforest

http://creativemarket.com is another interesting new market-based-website for design

They have released a number of free goods (as a preview before they launch) and they look really good (most files at the moment seem to be PSD (Photoshop) files).

One thing I'm not sure about is what type of license these files will be released under.

I have used ThemeForest a couple of times in the past, and this type of market can really make a difference in the quality of a website's design.

Also interesting are their gamification and viral attempts at spreading their site/concept:



No more PDFs with Security Findings

Just playing around with the 53 iPad app (http://www.fiftythree.com/) and it really looks like a great way to scribble down some notes and ideas.

First PoC of IronPython REPL Scripting Environment

Based on http://www.ironpython.net/ 2.7, I just created a PoC where I was able to host the IronPython engine inside O2, which meant that I was able to run native Python instructions and create a simple REPL scripting environment

This is what it looks like (You can see the source code that created this environment at the O2 blog: PoC of IronPython REPL Scripting Environment)



I knew that once O2 was updated to .Net 4.0 I would be able to do this, but it's great to see it in action.

Next step is to use the Microsoft.Dynamic and Microsoft.Scripting namespaces to create security-focused DSLs (Domain Specific Languages)

Sunday 22 April 2012

Security evolution into Engineering Productivity

I just started reading the 'How Google Tests Software' book and Patrick Copeland's Foreword really hit me.

He basically describes how Testing inside Google went from being a separate discipline (Testing vs Coding) to an integral part of the development process and eventually evolved into what is now called 'Engineering Productivity'.

And that is exactly what application security needs to do. We need to stop being a TAX and start delivering Engineering Productivity (which ironically is already happening today, since when you find good success stories in Application Security, you usually find a good Engineering Productivity story).

You can read Patrick's Foreword online at Safari and just replace Testing with Security.

Just like security is today, testing (at Google) was a separate discipline. With separate skill sets, objectives and focus.

A couple of key issues were:

  • the lack of development skills that Testers had, 
  • how good developers (in the testing team) would be absorbed by development teams 
  • how the existing testers were ok with the status quo
  • how non-integrated the whole process was
To see how much Google has evolved, read this job application for a Google 'Engineering Productivity Manager' and look at how many development skills they ask for.

Today we have the exact same issues in security. Most Security teams don't have strong development backgrounds and even when they do they have very little experience in actually writing real world applications (vs mini-tools and scripts).

Also today, a very large number of successful security teams are happy with being a 'badometer' and delivering PDF after PDF to their clients (vs delivering Tests and Automation of their knowledge/findings)

In a way, that is why the O2 Platform doesn't have more traction. There are not enough players that have the type of problem that the O2 Platform was designed to solve (for example, look at the latest http://googletesting.blogspot.co.uk entries; that is exactly the type of stuff that I do with O2. I guess to get the Googlers interested I also need to make O2 run in JavaScript and Python :) )

More and more I think that Application Security needs to align itself with Testing, since (as the 'How Google Tests Software' book shows) they are much more mature in figuring out how to bake their practice into the development lifecycle.

What is interesting is that Application Security does have a very special place in this ecosystem, since usually everybody else cares that 'THE Application Works', while the security camp is probably the only one that cares about 'HOW the Application works'.


So the challenge is how to transform our current Security Practices into an Engineering Productivity world.



GTAC 2011 - Google Test Automation Conference

Just found GTAC (http://www.gtac.biz/home) and it looks like there are a good number of talks that are really interesting.

Here is the Talks page http://www.gtac.biz/talks, which ironically crashes Chrome since it tries to load up a very large number of video players :)

The agenda is quite impressive http://www.gtac.biz/agenda and although there is only one security focused presentation ('How Hackers See Bugs' by Hugh Thompson) I bet security is covered by other presentations.

Look, for example, at how there are no OWASP references (including, I believe, project leaders). If OWASP wants to change application security, this is one of the places to be. That said, not all is lost, since I just noticed that Hugh Thompson did a presentation at OWASP MSP in March (http://hughthompsonowaspmsp.eventbrite.com, videos not online).

Saturday 21 April 2012

Freelance Brief - Improve cross browser CSS of main TeamMentor GUI


This is a brief for a freelancer who is an expert in browser compatibility issues

Problem: Improve the cross-browser CSS of the main TeamMentor GUI (as seen on https://owasp.teammentor.net/)
Deliverable: Patch for the https://github.com/TeamMentor-OWASP/Master repository
Budget: 100 USD
Apply at: https://www.elance.com/job/30027361/proposals


Technical details:


Currently there are subtle CSS differences between the multiple browsers and Operating Systems that need to be corrected.

The focus should be on the font family and sizes.

Here is the TeamMentor GUI showing https://owasp.teammentor.net/ on multiple browsers and Operating Systems:

Chrome and Firefox on Windows:






IE on Windows:






Safari and Chrome on OSX:



The brief is to provide a number of CSS fixes as patches (the first one to deliver gets the contract).

The source code is at https://github.com/TeamMentor-OWASP/Master and the live server is at https://owasp.teammentor.net/

Bonus Points: Figure out why the checkboxes of the Filters overflow in Chrome on OS X (see screenshot above)

Freelance Brief - Fix IE layout issue in TeamMentor Eval Page

This is a brief for a freelancer who is an expert in IE compatibility issues

Problem: Fix the IE 7,8,9 layout problem that happens in the http://docs.teammentor.net/xml/Eval and http://docs.teammentor.net/xml/Customer pages
Deliverable: Patch for https://github.com/TeamMentor/TeamMentor-Documentation repository
Budget: 100 USD
Apply at: https://www.elance.com/job/30027086/proposals


Technical details:


The 3.1 version of TeamMentor supports the creation and delivery of pure XML content. This technique is used to create a marketing page made of an XML file (http://docs.teammentor.net/xml/Eval) and an XSL file (http://docs.teammentor.net/xml/xslt_LandingPage_Variation_2). The http://docs.teammentor.net/xml/Customer XML page uses the same XSL.

The XML+XSL transformation into HTML happens on the client (i.e. the browser) and looks like this in Chrome/Firefox:


The problem is that it looks like this in IE (note how it is left-justified):


The brief is to provide an IE-specific patch for this problem (the first one to deliver gets the contract).


Bonus Points: Figure out why the '&amp; included inside the HTML Object tags' encoding is lost when editing the XSL via this TeamMentor Notepad interface: http://docs.teammentor.net/notepad/xslt_LandingPage_Variation_2

O2 REPL scripting video with Audio (consuming YouTube data)

This video shows the power of O2's REPL environment, for example to quickly create several GUIs to visualize the data received from YouTube.


As you may have noticed, this video contains audio (99% of the O2 videos created so far are silent). In this case I'm providing a running commentary of the creation of the list you can see in the 39 O2 Platform videos with 12k YouTube views post.


So here is a question for you: does the audio help you to understand better what is going on?


39 O2 Platform videos with 12k YouTube views

After uploading the O2 Installer video, I took a look at the O2 related video stats and was amazed to see that there were 20 subscribers and about 12,000 views of O2 related videos :)

Looking at the list of those videos, there are some really good gems in there, so for reference here they are:



If you want to see how I created this list, take a look at the first video or at O2 Script to get YouTube videos list

Friday 20 April 2012

Video of O2 Platform v4 Installer and quick demo of its scripting tools

Here is a video of how to install the latest (v4) version of the OWASP O2 Platform and a quick demo of some of O2's scripting tools. I bet most of you have never seen O2's Graph scripting environment :)


If you want to install O2 now, download or clone it from: https://github.com/o2platform/O2_Install

Here are a couple more details: Installer for O2 Platform v4.0 (first release) 

Video of TeamMentor.net in action

Using Camtasia today, I created a video of how to use the main TeamMentor GUI.

I was quite happy with the annotations added (TextBoxes and Balloons) :)



What do you think, do those annotations help?

On using Hashes as passwords (from client to server)

Following from the How to enforce password complexity on a Hash? post, here are some more thoughts on the use of a hash as password.

The key issue is that without SSL, there is no way we can really protect the user against somebody who is listening in (remember that the session ID is as good as a password).

In terms of the hash being the password (as it is with TeamMentor), if the hash is discovered, then it is as good as a password (although not usable via the GUI).

I quite like the fact that the server never knows the password (it only knows the hash, which is the password salted with the username). Also note that on the server side the hashes are stored by default in an XML file, since in a normal install there are no server-side secure storage capabilities.

The only attack I can see we might be able to mitigate is the reuse of stolen hashes. I.e. we could hash the current hash with the current sessionID on login, which would make it an 'only valid during this session' token, which in a way is probably as secure as we can get. Note that if the attacker is able to grab the hash via traffic sniffing, then he can also grab the session ID (which for that session is as good as a hash).

If we go down this route (hash+sessionId), there is still going to be one moment when the username+password hash will need to be sent to the server (the one with no sessionId salt). That moment is when an account is created (the server needs to have a 'clean hash' to compare with the hash+sessionID hash :) )

At the moment, TeamMentor's most secure login solution is the Windows/AD integration, which TeamMentor fully supports since 3.1.

Another option is adding OAuth support (it would be great to be able to use Twitter, Google or Facebook as an identity provider)
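Here is a small Python model of the scheme sketched above, added as an illustration (it is not TeamMentor's code): the client's 'clean hash' is the password salted with the username, the server stores only that hash, and at login the client re-hashes it with the session ID so that a proof captured on the wire is useless once the session changes. Function and class names are this example's own; a single SHA-256 mirrors the post's sketch, whereas a production system would use a slow password hash.

```python
import hashlib
import hmac
import secrets

# Constructed model of the login scheme described in the post.
# Names (clean_hash, session_proof, Server) are this example's own.


def clean_hash(username: str, password: str) -> str:
    """Client-side hash that acts as the password; the server never sees the password."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


def session_proof(pw_hash: str, session_id: str) -> str:
    """The post's mitigation: hash the clean hash with the current session ID."""
    return hashlib.sha256(f"{pw_hash}:{session_id}".encode()).hexdigest()


class Server:
    """Server side: keeps clean hashes (the post's XML file) and issued session IDs."""

    def __init__(self) -> None:
        self._users = {}       # username -> clean hash
        self._sessions = set()  # session IDs handed out to clients

    def create_account(self, username: str, pw_hash: str) -> None:
        # The one moment the clean hash must travel without a session salt.
        self._users[username] = pw_hash

    def new_session(self) -> str:
        sid = secrets.token_hex(16)
        self._sessions.add(sid)
        return sid

    def login(self, username: str, session_id: str, proof: str) -> bool:
        if session_id not in self._sessions or username not in self._users:
            return False
        expected = session_proof(self._users[username], session_id)
        # Constant-time comparison so the check itself leaks nothing.
        return hmac.compare_digest(expected, proof)


def demo() -> tuple:
    """Returns (login accepted in its own session, same proof replayed in another session)."""
    server = Server()
    pw_hash = clean_hash("tom", "correct horse battery staple")  # constructed sample
    server.create_account("tom", pw_hash)

    sid = server.new_session()
    proof = session_proof(pw_hash, sid)
    accepted = server.login("tom", sid, proof)

    # The same proof, seen on the wire, is worthless once the session changes.
    other_sid = server.new_session()
    replayed = server.login("tom", other_sid, proof)
    return accepted, replayed


if __name__ == "__main__":
    print(demo())  # (True, False)
```

As the post notes, this only blocks reuse across sessions; a sniffer who sees the proof also sees the session ID it is bound to.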

Note: On the topic of the multiple type of hashes, see this answer in the OWASP Security 101 list by Michael Coates

GMail new design sucks. Google please learn from Apple not Microsoft

So it looks like GMail finally pulled the plug on using the 'old' Gmail design and is now forcing the 'new' design onto its users.

The reason I don't like the new design is because I like the 'old' one, and don't want to learn the new UI concepts dreamed up by Google designers.

Every time I tried to use the new design I didn't like it. It didn't feel comfortable and the things that I wanted to do were not dramatically simpler (or even intuitive). I'm sure that if I spent time with it I might start using it better (or be able to rationalize better why it sucks), but I have other things to do with my life.

This is the mistake that Microsoft makes over and over. Why do I have to learn how to do the stuff I already knew how to do? And if you are going to change it, at least make it a massive difference (for the better), but in a lot of cases the number of steps is similar, only the path changes.

And this is where Apple (in most cases) gets it right. They are experts in making incremental changes that just feel 'right'

More and more I feel that it is important to have evolutionary changes (whose timeline can be moved back and forward), which btw,  is a sign of good engineering practices.

And it looks like I'm not the only one that feels like this:

  • http://heresthethingblog.com/2011/11/02/gmail-reader-mail/
  • http://groups.google.com/a/googleproductforums.com/forum/#!topic/gmail/MY0kVJ9ACak
  • http://heresthethingblog.com/2012/04/19/gmail-heres-chance-google/ 
From the last link it looks like the only short term solution is to use the even older html-only version :(

Any ideas on how to get the GMail back to its previous state?

In fact, why doesn't Google provide a Git like history so we can revert back to the versions we like :)

30/Apr Update: Here are a couple of solutions http://techably.com/make-gmail-older-look-permanent/4215/ (the bookmark one looks especially interesting)

Thursday 19 April 2012

Testing TeamMentor 2.0 security using O2

Here are a couple documents I created almost one year ago when I started looking at TeamMentor.

These are a great example of the type of testing and security analysis I can do with O2 and what I would call a 'first pass at an Authorization Security mapping'


Finally, here is a very cool PoC that I did that allowed me to deploy (via a new EC2 Image and remote O2 communications) a completely new server install of TeamMentor in a couple of minutes (note that this was before I discovered Git)

OWASP Project Reboot 2012 - Here is a better model

In the last ROI on OWASP investment on Projects (ie paying leaders) post I mentioned that we need a better model to empower OWASP leaders with the available funds (which seem to be at the moment about 100,000 USD)

My proposal / idea is to create an OWASP Project Sponsorship model based on the following simple rules:

  • OWASP makes available a budget for OWASP Projects (for example 100k)
  • OWASP leaders are free to use that money in any way they want, with only the following restrictions:
    • They can't pay other OWASP leaders or a company that an OWASP leader is directly connected to
    • For amounts less than $500 they add its description to the respective OWASP Wiki page 24h before they commit to make the expense
    • For amounts less than $5000 they add its description to the respective OWASP Wiki 7 days before they commit to make the expense
    • Each expense item is mapped to an individual OWASP leader, and multiple OWASP Leaders can work together.
    • Payments will be made by Alison on invoice submission (by PayPal or direct bank transfer)
  • After the budget is spent (or in 6 months time), OWASP will review the outcomes and see if these rules need to be changed
And that's it!

This will allow the OWASP leaders (of any type) to just get on with it and find the best ways to take OWASP projects to the next level.

After you read this idea, take a look at the current Project Reboot Proposal at the OWASP Wiki.

From my point of view, there are a number of problems with that proposal:
  • It allows the payment of OWASP leaders (see Why OWASP can't pay OWASP Leaders for a list of reasons why this is a bad idea)
  • It doesn't learn from the past and all the hard work that went into the OWASP Season of Code (SoC) concept - This proposal is basically OWASP SoC 2012, so at least reuse what has been done before: https://www.owasp.org/index.php/Category:OWASP_Season_of_Code
  • It puts the barrier of entry at OWASP Membership (which is a 50 USD registration) - I would put this barrier of entry at OWASP Leader level, since those are individuals that have earned OWASP's trust and have delivered (note that the issue of 'does an OWASP leader deserve to be an OWASP leader' is a separate thread)
  • There are a lot of pieces missing - If we are going down this path (which again is OWASP SoC 2012), then we will need to be as transparent and efficient as the last OWASP SoC. To get a better picture of what will need to be done, spend some time with the amazing pages that Paulo Coimbra (and the GPC) created at https://www.owasp.org/index.php/Category:OWASP_Season_of_Code (for example, a lesson learned from past SoCs is that all proposals must be submitted via the OWASP wiki)
  • There is no Project Manager - Investing in OWASP projects in this way is a full-time job. The first step should be to hire a project manager to work on this (one of the beauties of the model I propose above is that it is much lighter to implement, since there is a high degree of self control)
Finally, don't get me wrong! Investing in OWASP's projects is one of the most important things that OWASP needs to do, and if the Project Reboot Proposal is approved, we will be better off than we were before.

The reason for this post is that I just think there is a better and simpler way of doing it :)