Sunday 28 February 2016

Thinking of writing a book called "Measuring Software Quality using Application Security"

This book will be based on the ideas I've been talking about in my "New Era of Software with modern Application Security" presentation.

The plan is to use my experience with Leanpub (where I have published 7 books), with the content being hosted on GitHub and published early and ofter.

Saturday 27 February 2016

Is Quality is a measure of how successful a product is in what it is SUPPOSED to do?

Here is a question I received on the concept "Application Security can be used to define and measure Quality" (slides here
Quality is a measure of how successful a product is in what it is SUPPOSED to do.

AppSec is a measure of how many and what things product does that it is NOT SUPPOSED to.

These two are not related. A startup may have a good quality product full of security holes, and a bank may have a highly secure product that is also of great quality.
I think that measuring Quality by only looking at the success rate of a product is a very narrow definition of Quality.

Friday 26 February 2016

Video for my LSCC presentation on: New Era of Software with modern Application Security

Skillsmatter has just published the video of the presentation I delivered last week at the LSSC (London Software Craftsmanship Community)

You can see it here:
https://skillsmatter.com/skillscasts/7582-new-era-of-software-with-modern-application-security

"New Era of Software with modern Application Security" updated presentation (v.0.6)

Here is the updated version of the talk I delivered last week at the LSCC (this time around delivered at the OWASP London Chapter)

There are a number of new slides, but it is still far from complete :)

Please take a look at the slides and let me know what you think of them? (and what can be improved for the next version)

Monday 22 February 2016

I'm delivering an Application Security Training in London on 3rd and 4th of March

This is an 100% customised course (to the participants) with as many practical examples as possible.

Here is the course description:

Friday 19 February 2016

V0.5 of "New Era of Software with modern Application Security" presentation

Here is my first pass at creating the "New Era of Software with modern Application Security" presentation, which I will deliver as a Keynote at the Codemotion Rome developer conference (March 19th)

This is the version that I presented yesterday at the London Software Craftsmanship Community event and its video is here

Interestingly, one of the concepts that I arrived at (when working on the slides) was that Application Security can be used to define and measure Quality.

This is something that I have been thinking about for a long time, and I'm starting to find a way to explain how I'm able to use Application Security to help developers to create better applications (with not only better security, but with better quality)

Please take a look at the slides and let me know what you think of them? (and what can be improved for the next version)

Friday 12 February 2016

Published update to my Practical Eclipse book

You can get the latest version from https://leanpub.com/Practical_Eclipse for FREE by choosing the $0 minimum price.

Here is the email I send to my readers:

Wednesday 10 February 2016

Speaking at LSCC (18th Feb) on "New Era of Software with modern Application Security"

In preparation to my CodeMotion keynote in March, next week I'm presenting a first version of it at LSCC (London Software Craftsmanship Community) which is also a developed focused audience.

You can register at https://skillsmatter.com/meetups/7845-lscc-talks-feb-2016

Here are the talk details:

Title: New Era of Software with modern Application Security

Description: This presentation will start with an overview of the current state of Application Insecurity (with practical examples). This will make the attendees think twice about what is about to happen to their applications. The solution is to leverage a new generation of application security thinking such as: TDD, Docker, Test Automation, Static Analysis, cleaver Fuzzing, JIRA Risk workflows, Kanban, micro web services visualization, and ELK. These practices will not only make applications/software more secure/resilient, but it allow them to be developed in a much more efficient, cheaper and productive way.

Bio:Dinis is focused on creating Application Security teams and providing Application Security assurance across the SDL (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by Applications developed internally, outsourced or purchased. He is also an active Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform.

Saturday 6 February 2016

Is Google a geopolitical threat to the UK? (i.e. what would happen if it pulled the plug on UK's traffic)

During one of the recent Application Security training courses I delivered recently, one interesting example I gave during a section on "Our dependencies on Technologies and Frameworks that we don't fully understand" was the concept of how much of a threat to the UK economy is Google?

For example if Twitter or Facebook were not available from the UK, I don't think the impact would be significant.

But if Google and all its services (search, mail, calendar, maps, geolocation, docs, spreadsheets,  contacts, Google ID) was suddenly not available, I bet that there would be a significant disruption to a LOT of individuals, business and government agencies.

There is a lot of talk in the UK about the Geopolitical threat of Russia (and its control on natural resources used by the UK), but I'm pretty sure Google can do more damage.

Of course that it would be economical/business suicidal for Google to do such a thing, but that doesn't make it less real or dangerous.

Friday 5 February 2016

Speaking at Codemotion Rome on "New Era of Software with modern Application Security"

Next march I'm going to be delivering the "New Era of Software with modern Application Security" keynote at Rome's Codemotion (17-19 March),

This is very exciting, since Codemotion is a developer focused conference, which is exactly the audience that we (AppSec) need to be talking to (and learning from).

The speaker line up is also pretty impressive (see more details here), so if you are around, this is a good conference to go to this year.

I still have quite a bit of work to do on my presentation and slides, but the key idea is to cover how a new generation of application security thinking (using TDD, Docker, Test Automation, Static Analysis, Fuzzing, JIRA Risk workflows, Kanban, micro web services visualization, ELK) not only makes apps more secure/resilient but it allows them to be developed in a much more efficient and productive way

Thursday 4 February 2016

Job post on "Application Security Manager" for The Hut Group (in Northwich, UK)

Here is a real cool opportunity to work for a company that is focused on Application Security and developing innovative solutions to embed Application Security into the SDL (disclamer: I'm currently contracting for them as interim 'Head of Application Security')

You can see full details at https://www.linkedin.com/jobs2/view/102336625 and here is the main description
We are looking for an individual to who can take a hands-on approach to build and run an industry leading application security team. The Application Security Manager will develop, implement and run a secure application development program, with supporting standards and processes, and formal methodologies where relevant. 
Securing our applications and customer data is critical to the success of our business. The Application Security Manager will be a security evangelist who can translate security concepts to technical and non-technical audiences, and will approach application security from the perspective of business risk. This person will be the leading authority for Application Security within the group.
In addition to being an AppSec expert, the key for this role is to have significant development experience/knowledge.

A large part of the work is in supporting the existing network of Security Champions and working with devs/architects on figuring out how to secure the wide variety of apps they are developing (see here and here for more details on what these Security Champions do)

You can apply for the job at that LinkedIn page, and let them know that you saw this on my blog :)

Wednesday 3 February 2016

First-Party-Only Cookies - nice solution to mitigate CSRF

Just saw https://tools.ietf.org/html/draft-west-first-party-cookies-01 which proposes

   This document updates RFC6265 by defining a "First-Party-Only"
   attribute which allows servers to assert that a cookie ought to be
   sent only in a "first-party" context.  This assertion allows user
   agents to mitigate the risk of cross-site request forgery attacks,
   and other related paths to cross-origin information leakage.

It looks really good, and it seems that Chrome 50 is going to support it https://www.chromestatus.com/features/4672634709082112

The current solution seems to be inspired by the SameDomain Cookie attribute as described at http://people.mozilla.org/~mgoodwin/SameDomain/samedomain-latest.txt

I actually prefer the SameDomain name to First-Party-Cookies :)

Reverse engineering recently patched Wordpress

On the topic of the recent Wordpress update (see https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release) I was asked an interesting question which was ‘how to test/exploit’ the patched vulnerabilities? (namely the SSRF one)

Since this seems to be an scenario where Wordpress has not released the details, one way to do it is to diff the current release with the previous one

Depending on the technology, this can be really hard (C++ patches requiring IDA Pro foo) or doable (.NET, Java, PHP)

Assuming that Wordpress is not distributed in compiled PHP (http://stackoverflow.com/questions/1408417/can-you-compile-php-code) this could be as simple as doing a file diff (it will depend on how many changes where made in the current release)

And how to perform this diff?

Use Git :)

Just:

  1. install previous version
  2. commit all files
  3. install upgrade (which in Wordpress can be done via the web interface)
  4. review changed files (it might be useful to commit files that clearly are not related to the issue)

Monday 1 February 2016

Come on Amazon, its time for 100% TLS (aka https)

On a thread about moving a site to 100% TLS (ie. SSL), which btw, is the right thing to do in 2016 if one wants to protect users from Man-in-the-middle attacks, I was asked this question:
I notice Amazon is not secure until you authenticate, then all pages become secure. This is an interesting approach. What do you think Dinis?
This really sucks!

Lots of eCommerce companies look at Amazon as the benchmark on what to do (and what risks to accept), so the fact that they don't support 100% TLS (as can see by googling amazon) is not helpful at all.

Here was my reply:
Well shame on Amazon for not also not doing 100% SSL 
That said, amazon has an amazing application security team (with https://firebounty.com/bug-bounty-program/16/amazon) and they have quite a lot of visibility into what is going on in their platform (namely on fraud and account hijack/abuses) 
Also, Amazon is getting there, for example note how if you start your amazon journey on https:// (in most cases) you still stay in SSL if you do some actions and go to checkout
Yes there are users that don't support TLS and in some cases there are a couple performance tweaks that will need to be done. But we shouldn't be downgrading the security of 99% of users due to a couple user's locations or browsers.

The ones to follow on this topic are ETSY (see https://codeascraft.com/2012/10/09/scaling-user-security) who did this change in Oct 2012