Wednesday, 11 April 2012

Leaking TeamMentor's Pricing model

Last week I was with Ed Adams (Security Innovation CEO) while he was in the UK to meet some TeamMentor customers, and I commented how it really sucks when a tool vendor doesn't give you a straight answer when you ask them the simple question: '...so... how much does your tool cost?'

And they usually reply '...well, that depends on this, ... and on that,  ... and on how many users, .. blah ... blah... blah...  and if it is yellow, .. and on how much support is needed , blah.. blah... blah .. and if it needs to sign in tune ... blah... blah...blah...and if it actually needs to work ... blah ... blah...blah...'  (and after 5 minutes you still have no idea how much it costs)

I'm sure you have heard those lines before :)

It basically means that they are trying to figure out, before they give you a price: a) how big you are, and b) how much money you have to spend

This is just wrong!

Customers need to be treated with respect, and pricing must be clear, consistent and easy to understand.

So as Ed was agreeing with me, I gently noted that we didn't put our current pricing model for TeamMentor (TM) on the Security Innovation (SI) website :)

And please note, the SI team is really good! The politics level is very low, and they are a pleasure to work with. But when everybody is doing it (not disclosing prices) it is hard to be the first one.

So let me see if I can help :)

At the end of our conversation, I said "... you know Ed ... I really want to leak TeamMentor's pricing model ... and once it is out there ... it is out there ...." :)

And (actually not to my surprise, since Ed is really relaxed about these things), Ed just said "...ok, do it.."

So, here it is: (get ready for an anti-climax moment)

TeamMentor's pricing model is:
  • 40k USD - Unlimited (per business unit) TM Server installs + SI Library (with 4000 Articles) + dedicated GitHub Fork (which we will maintain)
  • 10k USD - 1x TM Server Licence + SI Library + dedicated GitHub Fork
  • 0k USD - 1x TM Server License + OWASP Library + shared GitHub download (this is our 'evaluation' version and comes with a 'not for commercial use' license)
There are a couple of TeamMentor-related services that we will be providing ('Policy document to TeamMentor Library' conversion, 'TeamMentor in the Cloud', TeamMentor customizations, etc...), and there is also a reseller agreement, with a 20% to 40% commission.

In a way, one of the value propositions of TeamMentor, is that it is more expensive to pay somebody to write 'specialized application security' content, than it is to buy TeamMentor's Library.

And that's it :)

Disclaimer: I did forward this email internally at SI (as a sign of respect and to make sure that I didn't get any details massively wrong), and apart from the strike-through 'a 20% to' (just above) there were no further changes. One comment that Adam (VP of Sales) made was "... well I do wish that they contact me directly if they want to talk about pricing..", so to make Adam happy, here are his contact details: ahoffman@securityinnovation.com +1 (978)337-1810

Autonomy, Mastery and Purpose


These are the 3 factors that lead to better performance & personal satisfaction, according to this great presentation from Daniel Pink (the animation on top of it is pure genius):

Drive: The surprising truth about what motivates us:


This presentation provides a lot of clues of why OWASP leaders/contributors work so hard and in fact why they love OWASP.

Basically OWASP gives them these 3 things: Autonomy, Mastery and Purpose :)

Here is the original presentation from Daniel Pink (which is 40m long):


UK's Government Digital Service Design Principles

This is simply amazing: https://www.gov.uk/designprinciples

These guys from the UK's Gov just released a set of 10 Design Principles which are absolutely spot on:

This is a roadmap for a lot of things; in fact, the more I look at it, the more I feel that this is the kind of focus that OWASP should have.

And so should the O2 Platform and TeamMentor

My favorite is #4: "Do the hard work to make it simple... Making something look simple is easy; making something simple to use is much harder — especially when the underlying systems are complex..."

Why OWASP can't pay OWASP Leaders

Since I was the one that created and executed (initially alone and then with Paulo) the only Seasons of Code that OWASP did (AoC 2006, SoC 2007, SoC 2008), I know first-hand what can be done, what works, what doesn't work and its side effects. In fact it was that experience that made me have such strong views on this topic.

There is a subtle but very key distinction that we need to make in this thread, and that is the issue of 'OWASP paying OWASP leaders'.

Hiring interns or other professionals to work on specific projects/tasks is fine (especially if they are doing what our OWASP leaders and contributors don't want to do). The main problem happens when OWASP leaders can be part of the pool that can be paid by OWASP (again, nothing wrong with them being paid by a 3rd party to work on an OWASP Project, like what already happens today).

So why is it very wrong to pay OWASP leaders to work on OWASP projects?

Tuesday, 10 April 2012

Project Management at OWASP

What OWASP needs ASAP is Project Management (the type Paulo was doing).

In fact, we don't need 1, we need 4 or 5 project managers....

But I will settle for one in the short term,

There is a HUGE amount of work that needs to be done by the OWASP operational machine, and THAT is where we (OWASP) need to be putting our resources (i.e. creating the 'OWASP Platform').

At the moment we (OWASP) can't even accept and guide projects that want to become OWASP projects!!! And let's not forget the 'huge' (i.e. none) support we give our current project leaders (Hey!.. I'm one of those OWASP Leaders that feels quite abandoned in a corner of the OWASP Projects landscape...)

Why large OWASP projects start to stall (and who should pay for the work)

A critical evolution-stage that is happening with a significant number of OWASP (and other FOSS) projects is the moment when the project grows so large that any key change requires a substantial amount of work.

Another problem is the fact that most successful projects are the result of only a small number of key contributors (also called the project leaders) who, after a significant personal time-commitment, move on to other projects/initiatives/ideas.

Most of our guides have that problem, so does WebGoat, WebScarab, ESAPI, O2, etc...

Want to work? I need resources ASAP for TeamMentor 3.1 release

With TeamMentor 3.1 entering its last push before general release, I have budget to add a couple of temporary resources to the team in order to make sure this release absolutely rocks!

Here are the current tasks for which I can hire you (or somebody you know) ASAP as a short-term contractor:

  • QA and Testing - test TM and provide feedback on any bugs (on previous and new features). Ability to write UnitTests is VERY important (on NUnit and/or QUnit)
  • Security review - do a security review on the new 3.1 features (btw, I want any findings as Unit Tests). See "...O2 in Seattle..." and "...Please Hack TeamMentor (beta)..." for more details
  • Library Creation and Content Review - go through the exercise of creating a bunch of new libraries (from existing TM content and from other sources), both using the previous and new editing modes. The objective is to make sure the workflow(s) are working 100%
  • TM Documentation - There is quite a lot to document, especially on the customization front (and I expect that whoever is involved in the tasks described above will also create TM Documentation articles)
In order to make this workable, I want to allocate these tasks in blocks of 500 USD a pop (i.e. a brief).

So your brief is to write your brief based on the tasks you want to do :)

Then send it to me, and if it looks good, you can start straight away (note that we want to release 3.1 in the next week(s)).

One caveat: if you have problems working with Git and GitHub, you probably are not a good fit (sorry about that).

Tip: The best way for you to get this gig is for you to go to this GitHub repository or to this one, create a clone (or Fork) and send me a patch :)

Testing inserting GISTs into this blog

This is just a little O2 script I wrote to split files by their extensions (in this case a 'backup' of OWASP's wiki files)


PoC of integrating TeamMentor with Checkmarx

Last week I did a pretty cool PoC where I integrated TeamMentor's Knowledge base with Checkmarx's SAST engine.

I used O2 to export the CWE data from the Checkmarx VistaDB into XML, and from XML into TeamMentor.

This is what the end result looked like (a pretty cool preview of what we will do next together):

Monday, 9 April 2012

Why ASP.NET MVC is 'insecure by design', just like Spring MVC (and why SAST can help)

In the recent "Secure coding (and Application Security) must be invisible to developers" post, Joshbw posted this great comment on the reasons why we end up with 'insecure by default' Frameworks:

'...On top of that the frameworks are being developed with the same mindset of all of the other products out there - "What makes the customer happy first, and then maybe if security doesn't interfere with that". A great example is that MVCs really should employ declarative binding rather than auto binding; it really is a marginal hit to development and ensures that the only fields that can be set are those explicitly exposed by the dev. Despite this problem being known for years even MS has taken the stance that devs should opt into declarative binding despite the fact that MVCs are default allow....'

Microsoft needs to adopt GIT/DVCS for its code downloads (Mdbg upgrade)

One of the hidden gems of the O2 Platform is the O2 Debugger Mdbg (created years ago), which is a very powerful GUI on top of the Microsoft Managed .NET Debugger (Mdbg) Sample application.

The version I used was the one that can be downloaded from the CLR Managed Debugger (mdbg) Sample (2006) and includes the source code of a managed version of a CLR Debugger.

There are really powerful features in this O2 module, and if you are struggling to debug a .NET app and need to gain programmatic control over CLR/IIS/ASP.NET, this is a great tool (I used it to find some really juicy vulnerabilities and even to patch/fix them dynamically (i.e. in real-time)).

As part of my upgrade of the O2 Platform to v4.0 of the .NET Framework, I recompiled the O2 Debugger Mdbg OK under 4.0, but at the moment it only works for 2.0 CLR assemblies.

Now the new version of the CLR Managed Debugger (mdbg) Sample 4.0 works with the 4.0 CLR, so all we need is to upgrade the O2 Debugger Mdbg, right?

Well, the problem is that I made a number of changes to the original mdbg sample, namely to introduce a number of hooks back to O2 and to make it work OK in O2's multi-threaded GUI.

So how do I merge this updated version of Mdbg, when I don't have a common Git history between its two versions (the one I used originally and the new one)?

Microsoft would make this process SO MUCH easier if they distributed their code samples using Git (or another DVCS).

So here is where things are (April 2012):

  • I downloaded the new version of CLR Managed Debugger (mdbg) Sample 4.0
  • I copied those files into the existing O2 Debugger Mdbg folder (this was not a merge, it was a copy with overwrite, which meant that I lost all changes made in the files overwritten)
  • tried to compile (didn't work)
  • created a new branch locally (and on GitHub) to hold the overwritten files, called Merge_With_v4
  • wrote this blog post :)
I don't have time at the moment to debug this, but if you want to help, then see if you can get it to work :)

Security Tool Vendors' "No need for Doctors" Analogy

I was trying to explain to a friend (from another industry) why Application Security tools don't really work (in 99% of cases) and why I had to build the O2 Platform (to make them work).

After a while I finally hit on an analogy that made perfect sense (and was easily understood).

Definition: By 'Application Security Tools' I mean a vendor that is selling a tool (or SaaS hosted solution) designed to help with a particular problem-area in the Application Security lifecycle, for example Blackbox and Whitebox tools (Pentesting and Code Analysis).


A Medical Analogy

For this analogy:
  • Application Security Tool = Medical Tool
  • Vulnerable Code = Heart Attack

What is happening is that we have companies creating/selling Medical Tools to detect Heart Attack problems, with the expectation that Specialized Doctors will NOT be needed to operate those products.

And here is the logic behind this:

  • The key problem is that 'Doctors don't scale'!
  • .... imagine if we have to build Hospitals in every city and put expensive Doctors inside them to operate these products!
  • ...that will never scale!
  • ...what we need is a product with ONE button that is simple to use
  • ... that is the only way it will scale
  • ... then we will be able to detect/fix millions of hearts
Of course, in the real world the medical products created by these companies don't really work (in 99% of cases), and since their customization capabilities are very low, the adoption rate of these products is very low.

There are four other facts that make it even worse:
  • The number of 'Heart Doctors' that work for the tool vendor is very low, and they have very little power in deciding what features are added to the next versions
  • The developers and product managers for these 'heart' products have very little medical knowledge and don't even use their product to check their own hearts
  • Independent 'Specialized Heart-Consulting companies' are viewed as a market to sell to and are usually asked to pay full price (which is wrong, since these are the channel to the real market, not the market)
  • The buying clients still have not realized what is going on, and have not yet started demanding (and paying) for tools that actually work (regardless of what is needed to get them to work)


Back to Application Security

I hope the analogy here is clear.

How many tools today are designed to be used by Application Security professionals? (just look at what the best security professionals use)

Yes, we still need the 'One button' style tools, but first we need our tools/SaaS services to work and to be customizable.

And it is these customizations that will create those 'one-button' solutions.



It's only you that wants this Dinis....

If there is one reply that really gets on my nerves when I talk about this to the Tool vendors, it is when they say:
  • ... well only you want to customize our engine/rules that way ...
  • ... that market doesn't exist, there are not enough users out there for those customization features...
Yep, I'm sure Steve Jobs heard a lot of people saying that '... there is no market for a phone like the one you want to build...' (even Ballmer laughed at the iPhone)





We need Security-focused SAST/Static-Analysis rules

While making the case that we need to bake security into Frameworks (in "Secure coding (and Application Security) must be invisible to developers") I mentioned that SAST rules are needed if we are to scale.

What I mean is that we need to codify (in a SAST rule) what the secure way and the insecure way of using a particular feature look like.

Spring and AutoBinding Vulnerabilities


It is all nice and good to say that Frameworks should be secure, but in the real world a very practical problem (that Framework developers have) in baking security by default into their Frameworks is the sheer number of user scenarios that they need to cover.

Take for example the Spring MVC Autobinding vulnerability (also called 'Mass Assignment' or 'OverPosting').

Ultimately, the AutoBinding capability of Spring (and just about every other MVC Framework) is a feature! It is loved by developers and one of the reasons for its success.

So saying to developers 'don't code using AutoBinding' is as stupid as telling an Internet user 'don't click on a link!'


On the other hand, this vulnerability can be devastating and I have found critical vulnerabilities caused by its misuse.

And here is the key concept. The problem is not in the AutoBinding capabilities; the problem is in its insecure use (like the examples in Spring Framework's sample applications JPetStore and JPetClinic, which are vulnerable to the Spring MVC Autobinding vulnerability).

The same can be said for HTML encoding, 'Secure Encoding' libraries (like AntiXSS, ESAPI), Authentication, etc..... (the key is how they are used)

Using SAST rules to handle the shades of grey


In most Frameworks, there is already a 'secure way' of using them, and an 'insecure way'.

The key is in identifying (via SAST rules) the code that creates security vulnerabilities, and in allowing developers/architects to customize those rules (or the engine that runs them) in order to take into account the target application's Architecture, Risks, Threats and Trust levels.

And sometimes the difference can be minor.

A security vulnerability might be created (or mitigated) via a simple:

  • config file setting,
  • method's attribute,
  • variable assignment,
  • if statement, 
  • etc...
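To show what 'codifying the secure and the insecure way' of using a feature looks like for the Spring MVC auto-binding case discussed above, here is an added example (not from the post, from Spring, or from any SAST product): a toy rule in JavaScript, run over constructed Java controller snippets, that flags a @ModelAttribute handler unless an @InitBinder limits the bindable fields with setAllowedFields()/setDisallowedFields(). The rule name and the sample class names are made up for the example.

```javascript
// Added example: a toy text-based SAST rule for one Spring MVC pattern.
// It is not part of the post or of any SAST product, and a real rule would
// work on a parsed AST rather than regular expressions.

// Constructed Java sources, written in the style of a Spring MVC controller.
const SAMPLE_SOURCES = {
  // Insecure use: every request parameter whose name matches a property of
  // Owner is bound, including properties the form never exposes.
  'OwnerController.java': `
    @Controller
    public class OwnerController {
      @RequestMapping(value = "/owners/new", method = RequestMethod.POST)
      public String processCreationForm(@ModelAttribute Owner owner, BindingResult result) {
        this.clinicService.saveOwner(owner);
        return "redirect:/owners/" + owner.getId();
      }
    }`,

  // Shade of grey: an @InitBinder is present, but it only registers an
  // editor and does not limit which fields can be bound.
  'DateEditorOwnerController.java': `
    @Controller
    public class DateEditorOwnerController {
      @InitBinder
      public void initBinder(WebDataBinder dataBinder) {
        dataBinder.registerCustomEditor(Date.class, new CustomDateEditor(dateFormat, false));
      }
      @RequestMapping(value = "/owners/new", method = RequestMethod.POST)
      public String processCreationForm(@ModelAttribute Owner owner, BindingResult result) {
        return "redirect:/owners/" + owner.getId();
      }
    }`,

  // Secure use: the same handler, but the binder only accepts the fields
  // the form is meant to expose. One extra method is the whole difference.
  'SafeOwnerController.java': `
    @Controller
    public class SafeOwnerController {
      @InitBinder
      public void initBinder(WebDataBinder dataBinder) {
        dataBinder.setAllowedFields("firstName", "lastName", "address", "city", "telephone");
      }
      @RequestMapping(value = "/owners/new", method = RequestMethod.POST)
      public String processCreationForm(@ModelAttribute Owner owner, BindingResult result) {
        this.clinicService.saveOwner(owner);
        return "redirect:/owners/" + owner.getId();
      }
    }`,
};

// A handler method whose parameter list contains a @ModelAttribute: this is
// where request parameters are auto-bound onto the model object.
const MODEL_BINDING_HANDLER = /(\w+)\s*\([^)]*?@ModelAttribute\b/g;
// The one-line difference between secure and insecure use.
const FIELD_RESTRICTION = /\.set(?:Allowed|Disallowed)Fields\s*\(/;

function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

// Rule SPRING-AUTOBIND-UNRESTRICTED (name made up for this example): flag
// each auto-binding handler in a controller that has no @InitBinder
// restricting the bindable fields.
function scanController(fileName, source) {
  const restricted = /@InitBinder\b/.test(source) && FIELD_RESTRICTION.test(source);
  if (restricted) return [];
  const findings = [];
  for (const match of source.matchAll(MODEL_BINDING_HANDLER)) {
    findings.push({
      rule: 'SPRING-AUTOBIND-UNRESTRICTED',
      file: fileName,
      line: lineOf(source, match.index),
      method: match[1],
      message: `@ModelAttribute auto-binding in ${match[1]}() with no setAllowedFields()/setDisallowedFields()`,
    });
  }
  return findings;
}

// Run the rule over every file and return the findings in file order.
function scanAll(sources) {
  return Object.entries(sources).flatMap(([name, src]) => scanController(name, src));
}

for (const f of scanAll(SAMPLE_SOURCES)) {
  console.log(`${f.file}:${f.line} ${f.rule} ${f.message}`);
}
```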

Secure coding (and Application Security) must be invisible to developers

At OWASP a while back we came up with the idea that '...Our [OWASP] mission is to make application security visible...', and for a while I used to believe in the idea that if only everybody had full visibility into 'Application Security' then we would solve the problem.

But after a while I started to realize that what we need to create for developers is for 'Application Security' / 'Secure Coding' to be INVISIBLE 99% of the time. It is only the decision makers (namely the buyers) that need visibility into an application's security state.

We will never get secure applications at a large scale if we require ALL developers (or even most) to be experts at security domains like Crypto, Authentication, Authorization, Input validation/sanitization, etc...

Sunday, 8 April 2012

We should teach our kids how to hack and give them passion for programming

(from my drafts folder) Here is a thread I had a while back on the topic of 'what to teach UK kids at school to get them motivated in development' (and ultimately in secure development)

My view is that we need to teach them 'how to hack' (in the true sense of the word and from the 'exploiting sites/vulnerabilities' point of view), since first we need to open their minds and get them passionate about programming.

My comments are the ones NOT in italic


>> I think that if you want to inspire a new generation into AppSec we should teach them how to hack & exploit vulnerabilities.

> This is decidedly A Bad Idea (TM). One must teach the correct way to do things. One does not use bad examples to teach good behaviour.

Since when is learning how to hack and exploit security issues a bad example?

It takes real skill, focus, determination, knowledge and passion to find and exploit those issues. It's much more like detective work.

The key problem is that it is very hard to visualize what you mean by 'good behaviour' until what you call 'bad behaviour' is understood.

> We are discussing what to do with an ICT curriculum in schools, when youth have little to no computer science or development background. They need to learn the correct thing first.

NO, absolutely not.

They need to learn passion and love and craftsmanship first.

Programming is an artistic endeavour, just like Maths (if you don't understand what I mean, I would point you to Paul Lockhart's "A Mathematician's Lament", which is amazing and clearly explains what Maths should be all about: http://www.maa.org/devlin/devlin_03_08.html )

In fact, we should be careful not to make the same mistakes (for programming and secure programming) that the Maths crowd did when they set up the current Maths curriculum.

> Only when they have a strong grounding in best practices (which themselves are the subject of some debate) is a comparison against broken software useful.

Skipping the fact that even professionals in the programming and AppSec industry still have not come up with definitions and standards of 'best practices', you can't teach by showing solutions. You teach (and learn effectively) by providing a 'problem scenario' (where security is just a component), and then letting the students find multiple ways to tackle it (with the teacher providing clues along the way).

> Consider spelling. One does not teach spelling by providing a long list of misspelled words to children who don't yet know how to spell.

sorry, but actually you do :)

I have a 6 and an 8 year old and just saw this happening in front of me. In the beginning the teachers are much more focused on getting the kid interested in reading books, and they are not that bothered if the kid reads the wrong word. The key is that the kid learns to like reading.

Correct spelling actually comes after reading, where once the kid starts to learn how to sound things out, he/she is taught the grammatical rules and eventually has spelling tests on blocks of words. Even then, the teachers will reward kids that make good efforts and write down a spelling that is phonetically equivalent.

For example, I have in front of me a drawing from my 6 years old where she has these words pointing to a picture:

  • iys
  • nows
  • grat
  • pursn 
can you guess what they mean? :)

> One teaches the correct spelling first. Once the foundations are well built, one might introduce incorrect examples as a means of testing or reinforcing the learning. But the most important thing to teach first is the right thing to do.

Ironically, what you describe is how a lot of computing and programming actually is taught today, and it clearly is not working.

Note that I had a LOT of teachers at university and college that used those techniques, and I learned more about computers trying to write C++ and Assembly to play tricks on my colleagues than I ever did via the 'building good foundations' way.

> Hacking and exploiting are cool in the way that graffiti and vandalism are cool.

That is your preconceived idea of hacking, and maybe this is where we have to part ways.

If you study history you will see that most computing advances were created by hacking activities, and reducing it to 'vandalism' is bringing down this conversation to a very low level.

You might as well say it is a 'terrorist activity' and remove any rationality from this thread.

> They are destructive activities that cannot, on their own, create something.

I believe in science they call this 'experimentation', 'validation' and 'peer-review'.

Again, if you think that only destructive actions come from hacking and security exploitation, then there is not a lot I can say that will change your mind.

> They certainly don't need to be taught to kids who don't yet know how to do good development.

I happen to think the exact opposite, so maybe it is better if we just agree to disagree :)

How to enforce password complexity on a Hash?

Humm, I'm thinking of ways to add password complexity to TeamMentor, and one interesting dilemma is that the current model is based on only hashes being used.

What happens is that we use a SHA256 JavaScript API to create a client-side hash (using the username+password), which is then stored on the server side in the user's XML file.

Since, when creating a new account or changing the password, the real password is never sent to the server, there is no way to check (on the server) how strong that password is :), right?

Maybe we could have a commonly-used-weak-passwords-mini-rainbow-table on the server to check those hashes against?

It looks like the only thing we can do is to have client-side GUI checks (i.e. 'password too small', 'you must write it in Klingon', etc...), which can be bypassed by using the public WebServices APIs (also used by the GUI).

Adding a delay to prevent brute force user and password attacks

One of the OWASP projects I really like is AppSensor and I'm trying to find a way to integrate its concepts into TeamMentor.

So to kickstart this process, I just added a small delay to the login check (see this commit for the details).

I was playing around with the timings and I felt that 500ms was a good amount.

1000ms (1s) felt too much of a delay, and was affecting the user experience.

In principle, this simple 500ms delay should make a difference to an attacker's ability to brute force TM account details (username and password).

Saturday, 7 April 2012

"OWASP O2 Platform - Automating Security Knowledge through Unit Tests" presentation

Also just uploaded to SpeakerDeck is the O2 Platform presentation I created in Nov 2010, and have presented many times before:



Humm, I think I should create another slide deck for O2 :) since a lot has changed in the last 18 months (although the key concepts are still there)

Note: Presentation hosted at SpeakerDeck

"Making Security Invisible by Becoming the Developer's Best Friends" presentation

I just uploaded my "Making Security Invisible by Becoming the Developer's Best Friends" presentation (Oct 2011  at OWASP AppSec Brazil) to SpeakerDeck and it looks really good :)

http://speakerdeck.com/u/diniscruz/p/making-security-invisible-by-becoming-the-developers-best-friends

I'm really liking SpeakerDeck, it just feels right :)


Traits of great developers (by Justin Searls)

Justin Searls' The Mythical Team-Month presentation is really spectacular, and inside it there is a section on observable traits of great developers.

Since I'm a developer (currently on the O2 Platform and TeamMentor), I wonder if I have these traits? And since I'm hiring, the question is how to identify them?

  • Empathetic: vigorously defends the interests of users by adopting their perspective
  • Analytical: breaks down large objectives, ideas, and problems into small manageable ones
  • Visionary: identifies a singular idea & fights for its simplicity, yet plans for growth
  • Scientific: methodically attacks problems, reducing paths of inquiry efficiently
  • Creative: dreams up new ideas & approaches, continuously and asynchronously
  • Professional: invests time in long-term effectiveness, maintainability of their work
  • Entrepreneurial: willfully kills projects that don't succeed before over-investing in them
  • Hungry: relentlessly improves, through learning, practising and sharing
Well, I'm not the one that should be evaluating my own performance (I think I do most of those :) ), but if you're a developer, this is really what adds value when creating applications.

Giving TeamMentor 3.1 a test-drive

After many months of hard-core development, here is the first beta release of TeamMentor 3.1, which I invite you all to give a test-drive.

You can get the latest version from https://github.com/TeamMentor/TeamMentor-Documentation (which is a clone of my main dev repository with a couple of extra libraries). These libraries are the ones we use at http://docs.teammentor.net, so you have with you the latest version of our documentation (which is not a lot, I know).

You should be able to run it locally using the 'Start teamMentor.bat' file, which will open up the default documentation site at http://127.0.0.1:12115/_Customizations/TM_Documentation/index.htm and you will have the normal TeamMentor GUI at http://127.0.0.1:12115/html_pages/Gui/TeamMentor.html (which is what you usually see when you go to https://teammentor.net or https://owasp.teammentor.net )

Here is a marketing page that we created (using TeamMentor) that aims to explain the first steps in a simple way: http://docs.teammentor.net/xml/Customer_Landing_Page (check out the xml to xsl transformation :) ). Here are a couple more variations of that page: http://docs.teammentor.net/xml/Customer_Landing_Page_v2 and http://docs.teammentor.net/xml/Test_Landing_Page


Update [16/Apr/2012]: the links above are not working any more, the latest versions of those are: http://docs.teammentor.net/xml/Eval and http://docs.teammentor.net/xml/Customer 

I'm also working on documenting the more advanced features of TeamMentor here: http://docs.teammentor.net/xsl/Table_of_Contents (which you will also be able to access locally here: http://127.0.0.1:12115/xsl/Table_of_Contents ). Btw, in the links above you can replace docs.teammentor.net with 127.0.0.1:12115.

There are two users set up:
  • admin : !!tmbeta
  • editor  : 123qwe
Let me know if you have any questions or issues.

Btw, I'm really proud of what TeamMentor has become, and there are some pretty powerful features in there (for example, check out the wikitext content creation workflow).

And GIT + GitHub absolutely ROCKS!!!! It is not easy to get your head around it, BUT it is a massive game changer, and I have development workflows today that I never thought possible (check out this really cool graph of the commits and branches of my main dev clone: https://github.com/DinisCruz/TeamMentor-3.0-Release/network).

Great description of why OWASP Summits are special

Abe (on the owasp-leaders list) just posted the text below in response to my "Summits must be part of OWASP's DNA" reply, and it provides one of the best descriptions of what makes OWASP Summits special and worthwhile doing (please read it).

If you've never been to one of our Summits, this is why they are so important and necessary (imagine what we could achieve with regular Summits).


Friday, 6 April 2012

Some proposed Visions for next OWASP Summit

Since Summits must be part of OWASP's DNA, and in case some of you are thinking of putting energy into creating the next OWASP Summit, I really think that the 'Summit Proposal' concept I detailed here is a good model.

Summits must be part of OWASP's DNA

The last OWASP Summit 2011 represents the best of what OWASP can do, and nothing we did that year came even close to generating so much work, energy, serendipity and connections (not projects, chapters or conferences).

What you had there was a week of massive collaboration, relationship creation, work, brainstorming and planning (just look at this amazing picture: Ofer, Carlos, Vlatko (can you feel the energy!!! :) ).


I want to vote for a Summit Team+Vision , NOT for a venue

I wrote the text below on 11/Mar/12 and sent it originally to the OWASP Summit 2013 mailing list (you can see some comments on it there), and with the recent "Cancellation of the OWASP Summit 2013" announcement I wanted to write a number of blog posts about OWASP Summits (so here is the first one).