Sunday 30 September 2012

When I think of Trillions, I think of Source Code Blocks

When the guys at MAYA talk/write about Trillions, they are thinking of information packages, like containers, tagged with a U-Form UUID and with liquid properties.

But for me, what I'm thinking of is Source Code Blocks (Methods, Classes, Modules, Assemblies) and what they do (parsers, filters, data transformation, data presentation, business-logic activities, workflows, user interfaces, etc.)

One of the problems we have with the 'software-driven applications' that we create every day is that after a while, there is nobody who really understands how the whole system actually behaves.

And the reason is simple: Too much Complexity.

Unless an application is built in Assembly, the code written by the programmers is executed against a number of abstraction layers, each with its own behaviour, reality and side-effects.

And since we currently don't have a way to model that behaviour, we end up with the current situation where we 'Code and Execute it to see what happens (i.e. see if it does what the programmer/manager/architect/buyer is thinking that it will do)'.

SAST technology and run-time-analysis are the key since we need to be able to model an application's behaviour and create rules that describe the expected (or not expected) traces, activities, practices, etc...

But for that we need to approach application behaviour analysis (which is what SAST is doing) in a different way.

We need to apply the Trillions concepts and look at a piece of software as something that has trillions of nodes (i.e. code blocks). And as the MAYA guys like to say, this has already been done by nature, we just need to apply the same concepts :)

Btw, I really like the idea of applying UUIDs to bits of code. This is one of the key missing pieces of the current Sandboxing puzzle and one of the ways we can scale.

Security implications of Markdown transformations

For the next version of O2 and TeamMentor I really would like to move to a Markdown world, where the content is stored as markdown and we use a C# markdown transformer to create the HTML.

At the moment there seem to be two good C# markdown APIs:
My questions are:
  • What are the security implications of these engines?
  • How good are they at handling malicious input?
  • Has there been a Threat-Model / Security review done?
  • Is XSS possible?
  • What other vulnerabilities exist?
  • How can they be used securely?
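The practical answer to 'how can they be used securely?' is that most markdown engines pass raw HTML through untouched, so the output of the transformer, not the markdown source, is what has to be checked before it reaches a browser. The following is an added example (not code from the post, from MarkdownSharp or from any other C# engine; the rendered sample HTML is constructed): a minimal allowlist sanitizer, written in Python for a self-contained run, that keeps only the tags and attributes an article legitimately needs, drops `<script>` content entirely, and rejects `href` values with unexpected schemes such as `javascript:`:

```python
"""Added example (not from the post): allowlist sanitizer for HTML produced by a
markdown engine. Run it after the markdown->HTML step, before serving the page."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags a markdown renderer legitimately emits for article content.
ALLOWED_TAGS = {"p", "br", "em", "strong", "code", "pre", "a", "ul", "ol", "li",
                "blockquote", "h1", "h2", "h3", "h4", "h5", "h6"}
# Attributes allowed per tag; everything else (style, on* handlers, id, ...) is dropped.
ALLOWED_ATTRS = {"a": {"href", "title"}}
# URL schemes allowed in href; scheme-less (relative) URLs are allowed too.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


def safe_url(url: str) -> bool:
    """Reject javascript:, data:, vbscript: and any other unexpected scheme.
    Tabs/newlines are removed first because browsers ignore them inside a URL,
    so 'java\\tscript:' would otherwise slip past a naive scheme check."""
    cleaned = "".join(ch for ch in url if ch not in "\t\r\n").strip()
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises the input keeping only allowlisted tags and attributes.
    Text inside DROP_CONTENT elements (script, style, ...) is discarded; text
    inside other unknown tags (e.g. <div>) is kept, the tag itself is not."""

    DROP_CONTENT = {"script", "style", "iframe", "object", "embed"}

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0  # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in self.DROP_CONTENT:
                self.skip_depth += 1
            return
        if tag in self.DROP_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not safe_url(value or ""):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in self.DROP_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape text nodes


def sanitize_html(rendered: str) -> str:
    """Sanitize the HTML string a markdown engine produced."""
    parser = AllowlistSanitizer()
    parser.feed(rendered)
    parser.close()
    return "".join(parser.out)


# Constructed sample of what a pass-through renderer emits for markdown that
# contains raw HTML, an event-handler attribute and a javascript: link.
RENDERED_SAMPLE = (
    '<p>Hello <strong>world</strong></p>'
    '<script>alert(1)</script>'
    '<p><img src=x onerror="alert(2)"></p>'
    '<p><a href="javascript:alert(3)" onclick="alert(4)">click</a></p>'
    '<p><a href="https://example.com" title="ok">fine</a></p>'
)

if __name__ == "__main__":
    print(sanitize_html(RENDERED_SAMPLE))
```

The same shape works with a C# engine: transform with the markdown API, then pass the result through an allowlist filter (HtmlAgilityPack, which is already in the O2 NuGet packages, can do the parsing) before the HTML is stored or served. The allowlist is deliberately tight; widen it only for tags you actually need, and never add `style`, `on*` attributes or unrestricted URL schemes.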

U-Forms and Information Liquidity

Here is a great presentation from Maya's Mickey McManus on Information Liquidity:


At the end of the presentation the idea of U-Forms is presented as the 'container' for information (more info here and here)

It looks like a U-Form is made of an ID and a set of attribute value pairs, which is a nice and simple set of pointers.



Batch PDF creation from OpenXml file (by O2 user)

Below is a certificate that I (and all attendees of OWASP AppSec in Greece earlier this year) received today.

What is cool about this PDF is that it was batch created by Sarah Baso using the O2 Platform and a variation of the O2 Script – Creating PDFs with OWASP AppSec Brazil Certificates

O2's C# REPL environment is a powerful scripting / automation engine, and Sarah is the one that maintains and customises her script :)

Saturday 29 September 2012

Providing licenses to security consultants

I still find it amazing that companies who create security products don't easily provide licenses to security consultants.

It should be obvious that security consultants are one of the target markets since they are the ones who are able to make the most use of the product and can show the clients how to get value from those products.

What should happen is that we (the consultants) should be the ones pushing companies away, saying 'not now ... maybe later'. Instead we have to beg for licenses so we can create PoCs or test their products.

Some companies even ask you to sign NDAs to test/evaluate their products, it's crazy.

The key concept is that it should be as easy as possible to access their technology and products, and of course, if the product is used in a commercial environment/engagement the correct license should be paid.

The problem is that most (sales teams) know that they will only get one sale! So they play the scarcity game and (almost) prevent full access to the technology.

What they should do is to play the Productivity/Empowerment game where the customer cannot live without it.

And a good example of the side effects of this strategy is the 'Product Engine Rules'. Most vendors treat their rules as a massive proprietary 'thing' that is not easy to share, maintain, customise or publish.

But what the customers really want, is what we did with TeamMentor: easy access to the application+content+source-code and an environment that is easy to install, deploy, duplicate and change

And I'm very happy to say that the feedback we're getting from customers on this level of openness is really good


Design for Fork and the liquidity of OpenSource/Git

If you are designing an application whose code you will share on GitHub (open source or not), the most important advice I can give you is to 'Design for Fork'.

What I mean is that the idea of 'creating a fork (or clone) and starting a new instance of the app' should not be something that is left to the Open Source Gods, as in '...hey the code is available so you can go out and run your own instance...'.

If your app is not 'Fork/Clone Friendly' then it will always be a pain to deploy and use, and you will be missing a very key mechanism to keep complexity at bay. Deployments should be measured in seconds/minutes and with only a couple of clicks required.

Maya talks about Information Liquidity in their Trillions concept, where information is supposed to flow like a liquid and be able to move over rough, uneven or new surfaces by being liquid. Note that although there is a common carrier in any liquid (water/H2O), there are lots of different types of liquids (i.e. information) that can be carried, packaged, exchanged, consumed, etc.

This liquidity is exactly what we should aim to get from Open Source or GitHub repositories. Its code AND content must be easily consumed, exchanged, manipulated, modified, etc.

For me, this concept is not something theoretical, it is something that I put into real practice while developing TeamMentor and the O2 Platform.

One of the areas of TeamMentor that I'm most proud of is how light the latest version is to install, deploy and set up (the only requirement is .NET 4.0 and in some cases IIS). There are no databases to install/configure, the source code is included with the deployment, the content/articles are all stored in XML files, and we use Git/GitHub not only for version control BUT as a distribution medium.

The idea of storing the content on the filesystem is very important since part of making your data liquid is to have NO database (as in MSSQL, MySql, NoDB, etc...).

My recommendation is to store the data on the file system (as files) and use Git (and GitHub) as your database. You will not create something more powerful and flexible than Git, and it is a very scalable and robust solution for content control.

O2 FluentSharp APIs at NuGet

To make it easier to consume and integrate the O2 Platform APIs with other tools, all the major components are now available via NuGet:

  • FluentSharp - CoreLib - FluentSharp is an API that dramatically simplifies the use of .NET Framework APIs. As an example, the reflection wrapper is probably one of the most powerful .NET Reflection APIs, since it provides (via user-friendly methods) full access to all .NET classes, methods, properties, fields and enums (regardless of their public/private status).
  • FluentSharp - BCL - This is the FluentSharp BCL which provides support for System.Forms and Web
  • FluentSharp - C# REPL - This is the FluentSharp REPL which provides a C# REPL environment (REPL is Read Eval Print Loop) which allows for real-time execution of complex C# code (and GUI manipulation)
  • FluentSharp - Roslyn - This is the FluentSharp Roslyn which exposes Roslyn (a managed C# compiler engine from Microsoft)
  • FluentSharp - NGit - This is the FluentSharp NGit which exposes NGit (a managed Git API)
  • O2.Platform - Misc Microsoft MPL Libraries - Misc MPL Libraries from CodePlex: HtmlAgilityPack, InputSimulator, Irony Parser, WCF Rest Start Kit, XObjects
For example, with these packages it is now super fast (and easy) to add a C# REPL to any .NET 3.5+ project

Note that you can now download and execute the O2 Platform as one stand-alone file from http://tiny.cc/O2Platform

In fact the stand-alone 'O2 Platform application' is basically the O2's C# REPL with the O2.Platform.Scripts

Test and Hack TeamMentor server with 3.2 RC5 code and SI library

Here is a test server with the latest build and SI Library: http://teammentor32.apphb.com (on AppHarbor's cloud)

There are tons of changes in this new 3.2 version and I've been working solidly on this release for the past 3 months. Some of the new features are REALLY cool and I will try to blog about them (especially the automation/backend features provided by using the latest version of the O2 FluentSharp APIs).

Tuesday 25 September 2012

IE's efforts to break the internet

Every time it takes me 5 minutes to install Chrome on a new VM/EC2 instance, it reminds me how much IE's UI and security settings are a case study of what not to do (and this was on IE9, so a recent version of IE).

What I don't understand is why the Google Chrome team doesn't give us a couple of direct download options (chrome.exe, chrome.exe.txt, chrome.exe.zip), so that it is even faster/easier to start using it.

It is amazing how IE went from being the best browser (and my preferred one) to the one I very rarely use. These days you run IE9 on a server and Bing and Google don't work, WTF!!! I understand the security issues, and I would be happy if it started some really low privilege process, but to break the internet!!! (I wonder how many websites work under IE Protected Mode.)

One of the best quotes I heard recently was "why does IE go out of its way to break the Internet?" :)

The only time I use IE these days is when I test TeamMentor against it, which is just another reminder of how much it sucks.

The way I look at it, every user has an emotional relationship with the tools/websites they use. The happier they are, the more forgiving of little things they are. But they will only be happy with it if that tool/website does add value and helps with what the user is trying to do.

Saturday 22 September 2012

Trillions from MAYA (see the video, buy the book)

The Trillions Video is one of the most important videos that I have seen over the last couple of years and one that gave me a nice warm feeling that I'm doing the right thing with my O2 Platform development strategy.

They have now released a book, Trillions: Thriving in the Emerging Information Ecology, which I have started to read (on the iPad's Kindle app) and if you want to understand what will happen next, you NEED to read it.

A key message in the video and book is that to deal with new paradigms and systems, we need completely new strategies, approaches, tools and ideas.

And that is exactly what I'm doing with the O2 Platform. Instead of doing what just about every other security tools vendor is doing (i.e. 'trying to create a 'blackbox' solution with some customisation features on top'), I'm creating an environment/platform where Scripting and Customisation are first-class citizens. In fact most of the O2 Platform is already 'scripts', and the expectation is that when facing the target application/website, the question is not 'do we really need to customise our technology/tools/approach?' but 'how fast can we customise our technology/tools/approach so that it actually represents reality?'.

It's the customisation-time-delta that matters, and of course that the faster that happens, the more we (Application Security Knowledge) will scale :)

Back to Trillions, I see Application Security (and its complexity) as they see Trillions. Each node (from source-code to app's behaviour) is something that needs to be analysed, modeled, managed, controlled and (sometimes) fixed.

In fact, a business model that has yet to take hold in our industry is 'Security Tools/Technologies/APIs Customisation Services' (with clients paying for it and service companies providing it).

Btw, MAYA (the company and its research) is simply amazing and their focus on Design is a great inspiration (what a great place to work that must be). Check out their other videos (http://vimeo.com/mayanmaya) and research (http://www.maya.com/practices/research).

Even their name is really powerful, since MAYA means Most Advanced Yet Acceptable.

Finally, if you want to explain what an API is to a non-developer audience, point them to MAYA's latest video on Containerization (I would love to have videos like this to explain how SAST, DAST and even O2 work :) )

O2's Findings Viewer on OSx viewing AppScan Source file

After O2 in OSx - Running TextBased C# REPL tool I was wondering if the O2's Findings Viewer Tool would also work on OSx, and I was pleasantly surprised when it did :)

Here is this tool in action showing the scan results of the SuperSecureBank application created by IBM's AppScan Source (OunceLab's engine).



O2 in OSx - Running TextBased C# REPL tool

So here it is, the first O2 C# REPL environment running natively on OSX  :)


You can download this 568k .NET 4.0 executable from Util - Text Based C# REPL v1.0.exe and it should work on your PC and Mac :)

As you can see in the screenshot above, to run it on the Mac you will need to have Mono installed (download it from here) and execute the exe using mono Util\ -\ Text\ Based\ C#\ REPL.exe or mono "Util - Text Based C# REPL.exe" (mono doesn't seem to register the *.exe extension).

Although there is no code-completion (the idea of this REPL is to keep it as simple as possible), a good number of the O2 FluentSharp APIs seem to be working ok.

For example, here is a script that downloads a new DLL (MarkdownSharp.dll) and consumes it:


There is also access to .NET's Lambda and Extension Methods:



Wednesday 19 September 2012

Stand-alone executable for O2 Platform

There is now a stand-alone executable for the O2 Platform (20MB) which has all the main dependencies and comes as 1 exe.

You can download it from: http://tiny.cc/O2Platform

Let me know if you have any issues running it

Note that this is not an installer, this exe file has all dependencies embedded and will extract them on first run.

You can put it in any folder (not the desktop, since you will get a number of O2 folders in there :) ) or drive, and it should just run.

Reply to 'I would like to help' request (with focus on SAST)

Here is the reply I sent today to a 'Hey, how can I help/join/participate in the O2 Platform' question:

Hey .... , I would love to have you help (or join) the O2 Platform project, there are a lot of areas that you can help :)

To start I would ask you to focus on your C# skills and get your head around O2's REPL scripting environment, VisualStudio Plug-In and Cat.NET integration. We can move on to the Eclipse Plug-in later on.

I really think that we can change/improve the way developers consume Security Knowledge, and since you understand SAST and 'Static Analysis Technology', you can help me in the development of the next version of the Cat.NET VisualStudio Extension (for example: adding Guis for the Rules, adding support for MVC Frameworks, add support for 'offline/out-of-process' scans (on same box or in the cloud), etc...)

Btw, have you seen/tried the real-time scanner PoCs? It is an amazing learning tool for security vulnerabilities

All O2 source code is here: https://github.com/o2platform and there are tons of articles and blog posts at: http://o2platform.wordpress.com . Yes O2 needs a new website with a much better structure :) , I have the o2-platform.com domain for that purpose

There is a mailing list at https://lists.owasp.org/mailman/listinfo/owasp-o2-platform, and although I'm thinking of moving it to Google Groups, that is the best place to ask questions (and meet the other O2 developers, collaborators and users).

Let me know where you would like to start,