Video on Creating stand-alone WinForms and H2 script

Michael asked me today how to create stand-alone WinForms via O2 scripts and what is an H2 file?

So, here is a video that provides the answers:

Basically to create an WinForms in an O2 Script all that is needed is to call the System.String 'popupWindow' extension method. For example:


The string is the form title, and the (optional parameters) are the Width and Height.

An H2 file is just an XML file with the serialization of an script (like the one above) which is registered to O2 so that when you double click on it, windows will invoke the O2 Platform with that file as a parameter.

When you do that, O2 will detect that there is an parameter and only execute that script, instead of loading up the main GUI (this is also how you can easily invoke O2 scripts from the command line)

Making Payments using Paypal at elance.com, why is it that hard!

So, I'm trying to set-up the payment workflow for the TeamMentor's elance.com contractors, and it is not going as smoothly as I would like.

• First Paypal doesn't seem to have a way to allow its own merchant accounts to make payments via Paypal  (I was set-up an account in SI's corporate account which only seems to give me access to take payments, not make them)
• Our solution was for me to create a personal paypal account, which is used to receive funds via paypal (who will change a commission!) from SI
• Ideally I should be able to use this account to make payments at elance, except that elance.com doesn't seem to allow making payments via paypal funds (only cards)

I sent this question to elance's support, so let's see what they say

How do I make a payment using Paypal's fund currently available in that Paypal account?

I don't want to use a Card, since this are funds from the company I'm working for and they have transferred funds to me (via paypal)

But when I go into paypal, I don't get the option to pay using available funds

I guess I might take a look at https://www.odesk.com/ to see if they can handle this problem. I like Elance, but this is a deal-breaker issue (also Elance's speed from the UK is a bit of an issue)

Why does DISQUS want to update my tweets?

So I was trying to add a comment into Stephen's blog, and to authenticate I chose twitter.

This is great since It gives me a way to prove my identity without creating yet another account .

But, when I am redirected to Twitter to authorize DISQUS, I get this:

WTF! Why do I need to give DISQUS access to update my profile and post tweets?

I don't want that , I just want to authenticate myself.

Now Google seems to do a much better job here, since it only asks for my email address to be validated:

Well at least that is what I hope that the OAuth permission shown above actually does! (I really don't want DISQUS to access my inbox and start writing emails for me)

This is a great example of empowering users to make security decisions. Which is this case Google gets a #pass and DISQUS a #fail

Using BDD-Security in TeamMentor

Following my discovery of BDD-Securty (see Using BDD-Security to test WebServices Authorization Rules? ) I was able to contract (via SI) some of Stephen's time to work on integrating his BDD-Security project with TeamMentor.

The brief (as you can see on Stephen's blog Brief: Testing TeamMentor with BDD Security) is to


... create a set of BDD-Security tests to test the Web Services behind TeamMentor.

The deliverables for the project will be:

1. An executable set of BDD-Security stories for a sample of 20 of TeamMentor’s web services
2. Integration of BDD-Security with the Jenkins CI server. The CI server should monitor github, and everytime a commit is made to TeamMentor- the security tests should be run and a report generated.
3. BDD-Security will run automated access control tests on the supported web services
4. BDD-Security will run automated security scanning using Burp on the supported web services.
5. A series of Blog posts describing the steps in the process.

This is a great step in creating a much more solid CI environment for TeamMentor

If you want to look/follow the code, the GitHub Repository is at:  https://github.com/stephendv/bdd-teammentor


This job is going to be managed via Elance, and you can see the proposal here: https://www.elance.com/j/testing-teammentor-bdd-security/30393016/ 

Two factor Identity protection at Elance.com

Elance.com (which I'm using for TeamMentor sub-contacting) has a couple interesting security features.

After login 

Note that the login has no apparent lockout, which is a good thing (i.e. it took me about 10 times to remember my pwd)

On new logins it asks for the answer to the favourite question:

Note that this 'extra step' doesn't show all the time. Here is their explanation for showing it:

The email and phone number need to be verified. 

For example this is what happens when I triggered the phone verification process:

SSL only experience

Even if login via http., the login is done over SSL which is preserved after login:

Its all about trust , threats and risk:

I really like their approach, since it is a good balance of security vs usability.

It also shows that security features are very closely connected with the trust level of the website, its threats and risk profile.

For example some of these would be over-the-top (in the current version) of TeamMentor 

Code Snippets in WordPress.com are driving me crazy (help and alternatives?)

I just created this RTF file to blog - adding OData to O2.rtf which provides a walk-through on adding OData support to O2.

My problem is that I don't have an easy way to convert the text and scripts from that RTF file into an Wordpress.com post, since the formatting/layout completely breaks! (even if coping and pasting from Notepad).

So here my question: what is the best place (blog engine) to write this type of articles (text + code snippets + images). I'm about to give up on Wordpress.com! 

Btw, if you know how to do this, then please help me in converting this RTF into a Wordpress.com post (that I could use in http://o2platform.wordpress.com). 

As you can see by the large number of posts with source-code samples (in http://o2platform.wordpress.com), I have done this conversion far to many times....and ... I'm really tempted to just add a couple features to TeamMentor and start doing this there :)

Documenting how to test WebServices using scripts - the story so far

Here is the chronological consolidation of the  efforts (by Arvind and me) to write a detailed story of the steps required to create a Security / QA test suite for TeamMentor

These are my posts with analysis of what is going on, key concepts, extra briefing notes, and links to relevant Arvind's posts:

• Testing TeamMentor 2.0 security using O2 
• First you create Tests for WebServices, then you add the abuse/security cases 
• A journey into testing WebServices in a developer friendly way
• If you not blowing up the database, you're not testing the whole app
• What is the formula for the WebServices Authentication mappings?
• Roadmap for Testing an WebService's Authorization Model 
• Creating a spreadsheet with WebService's Authorization Mappings
• Is there a spreadsheet/template for Mapping WebServices Authorization Rules?
• Using BDD-Security to test WebServices Authorization Rules?
• On Fuzzing WebServices
• ... to be continued...

These are Arvind's posts with his efforts, ideas, problems, solutions and scripts:

• Finding the WSDL and why should I automate?
• Finalizing my dev env – Python + Suds
• Authorization testing – the thought process…
• Why Unit tests?
• My first working..independent…unit tests :)
• Authorization testing…analysis logic added
• Unit Tests – Handling complex arguments with Suds
• Unit Tests – 38 methods done :)  
• ... to be continued...
  
  

I'm really happy with the way this is coming along, and I hope that it will help others when faced with the same challenges (i.e. adding security/qa tests to WebServices)

Using O2 with HacmeBank

Michael Hidalgo (from OWASP's Costa Rica Chapter) just wrote a great blog post on using O2 with Hacmebank: Starting with OWASP O2 Platform : a short step in a long journey

If you are trying to use O2, I strongly recommend that you read it since it shows nice step-by-step instructions on how to use O2 to login to HacmeBank.

What is even more interesting is that Michael, didn't actually use the HacmeBank scripts that already exist in O2 :)

And there is a LOT that can be done with O2 and Hacmebank:

TeamMentor Partner Program Update

Email Tom just sent to TeamMentor's Partners.

I really like the 'voice' of this email. Yes it is 'Marketing speak' (Tom is Director of Product Marketing), but as these type of messages go, I think its much more relaxed and low on the BS level :)

What do you think? am I to bias? is it OTT? is it OK?

Ping me with your views :)



-------------

Greetings Partners! As the TeamMentor Partner Program continues to grow rapidly, we want to provide you with a few resources to enhance your TeamMentor experience, get you comfortable using TeamMentor and get your customers to start using it. We've also tried to address questions we've heard from a few a few of you.

First off, TeamMentor V 3.1 is now generally available! The major improvements in V 3.1 focus on stability and usability for customers, with support for Active Directory and integration with additional Web Services API's. We've added a new content library featuring the CWE Top 25 Vulnerabilities consisting of 110 new articles and updated our PCI DSS Compliance library, both enhanced with prescriptive guidance for remediating software code. Full release notes are available here.

What does TeamMentor do?

TeamMentor helps bridge the gap between application security policies and secure development standards. By integrating prescriptive, technical security guidance with your security policies, TeamMentor is the perfect In-Practice companion to help reduce your application security risk profile.

Where can I find a TeamMentor use case?

Here, on the Security Innovation corporate site.

Or here, on the TeamMentor Evaluation Resource page, where you can also try the Web version or download and install to run locally from your machine. (contact us and we will set you up to run locally)

Or here, on our YouTube channel, where you can see a series of short features-focused and integration videos. (We'll be releasing new videos for you soon)

Where can I find comprehensive documentation?

Visit our TeamMentor documentation page.

Or take a look at our new series of 'How-It-Works' articles on TeamMentor, right in TeamMentor? Click here.

Are industry analysts talking about TeamMentor? (the answer is yes)

"Implementing an application security program requires identifying gaps in the organization — among security, operations, development and business units — and bridging them in a scalable way.  Sharing a knowledge base is a good way to keep the information flow going, even when the meetings are done." -- Wendy Nather, Research Director, Enterprise Security Practice, 451 Research

Where can I find blogs on TeamMentor?

Blog by Dinis Cruz (Dinis is the principal architect of TeamMentor)

The TeamMentor Development Blog

Tom Bain's blog (Interesting uses of TeamMentor for the non-technical user)

Follow TeamMentor on Twitter. @TeamMentor1

Where can I find marketing content?

Download our TeamMentor data sheet

Download our white paper to understand how mapping to the OWASP Top 10 and using TeamMentor to fix vulnerabilities help toward a comprehensive application security program.

Best regards,

Dinis Cruz, Principal Architect, Security Innovation

dcruz@securityinnovation.com

Tom Bain, Director, Product Marketing, Security Innovation

tbain@securityinnovation.com

What is TeamMentor Licensing model?

I got a couple questions recently on the licensing model of TeamMentor, so it's better if I answer it here.

TeamMentor has an 'interesting' license structure and deployment:

• The master version of TeamMentor's source code is published at GitHub, can be freely downloaded/cloned, AND is released under a soft 'not-for-commercial-use' license:
• this means that you can use TeamMentor as long as you don't sell it (the application) or use it commercially as a service
• note that any content created using TeamMentor is owned by the author (ie. you)
• just to be clear: THIS is the full application! Apart from specific customer customizations, this is the same code-base as the one used in the 'paid for version' (which is a Git Fork)
• There is no license restriction/controls, so we are trusting the community not to abuse it :)
  
• There is an 'TeamMentor+OWASP Library' version (see http://owasp.teammentor.net) ,which we call our 'evaluation version' and contains:
• a Git Fork of the full source code of TeamMentor (with the same soft 'not for commercial use' license)
• an TeamMentor Library (written by SI about the OWASP top 10) which is released under CreativeCommons
  
• There is paid version of 'TeamMentor + SI Library' which is the one with the 4000+ articles:
• the pricing model is here 
• you can see it in action here: http://teammentor.net
• most customers will get this version from a dedicated GitHub repository that we will create and maintain for them
  
• If you are security consultancy (providing security services to other companies), then you are what we call a 'Partner' and you can use TeamMentor for free internally and with your customers
• See TeamMentor for Security companies providing Application Security Services  and Details of TeamMentor Partner Program
  
• if you are a product company (and want to embed/consume TeamMentor's content), you are also what we call a 'Parter' and will be able to use its content for free in your product (we have agreed internally on similar rules-of-engagement as the one used for security consultants)
  

Bottom line, TeamMentor is NOT FOSS software, but its closer than most products out there.

Note that the center-of-gravity at SecurityInnovation (SI) is more aligned with Content than with Tools. For example see their 40+ elearning courses delivered under the TeamProfessor platform, which should explain why SI is comfortable with this model for TeamMentor.

TeamMentor Demo Script

Below is a document that Jason (from SecurityInnovation) wrote about how to present TeamMentor for potential customers.

It is a really nice overview of how TeamMentor works and how to present it.

Note that this was written from  SecurityInnovation's point of view. If you want to reuse this to present TeamMentor, you probably want you add your own magic sauce into it :). 

--------------------------------

Introduction


Start by explaining how TeamMentor fits into the three pillars of success:

1. Our goal is to help you reduce your application security risk
2. The best way to reduce application security risk is to use a secure software development lifecycle
3. The three pillars of success are:
• Standards. These are the architecture, coding and deployment standards that allow your teams to comply with your corporate security policies.
• Training. This is how you set the foundation of knowledge that your team needs in order to succeed.
• Assessment. Use assessments to check your teams compliance with your security policies. Based on the gaps you find you can update your standards and your training
4. TeamMentor is our solution of distributing secure development standards to your team and linking them to your security policies
5. TeamProfessor is our solution for education
6. We provide a set of assessment services to help you find and fix vulnerabilities in your code and gaps in your development processes.

Demo


Browse to http://teammentor.net

Log in:

• Username: Admin
• Password: ******

Explain what TeamMentor Is, and then flow the demo by the use cases first

• TeamMentor consist of a web application, back end and source content.
• The application allows you to use the content as is, customize it, or create your own.
• Customers use TeamMentor in several ways. The key use cases are
• A central place that allows easy access to the standards we talked about in a way that the information needed for a given task is easily accessible from the policy information to the technical information needed to implement the policy. Customer put their policies in TM and can link them to SI provided technical information, also customized for the environment.
• A reference for the technical information needed to remediate software vulnerabilities found by scanners and assessments. TM allows easy searching and filtering to find the specific information needed in the language being used
• A general reference for all SDLC secure application development best practices for all phases from design and architecture, through development, testing and deployment

Explain some TeamMentor facts:

• TeamMentor contains over 3000 articles covering a wide range of technologies and best practices
• We’ve broken them into a set of libraries based on technology areas such as .NET, Java, PHP, C++, etc.
• Show the libraries UI and expand the .NET 3.5 library:

• Explain how the libraries are organized into a library, folder, view structure
• Libraries contain folders to focus on various important areas
• Folders organize views
• Views organize articles
• Explain how the above structure makes it easy to organize policies and standards for easy access to what is needed at the time of use
• Show some examples
• Expand fundamentals of security and show how it collects articles for areas of security where mistakes are most often made
• Expand OWASP Top 10 and show how it organizes articles by the Top 10 most pervasive threats for web applications. Talk about how this includes best practice and remediation advice in detail
• Expand PCI DSS Compliance and show how it gives guidance on how to comply with each PCI requirement. Talk about how this can be integrated with corporate policies to ensure PCI compliance as part of practices OR can be used as is as the basis of a PCI app dev compliance.
• Expand Security Engineering and show how we have process guidance for each phase of the software development lifecycle
• Explain that we included top 5 vulnerabilities for thick client and web services to complement the more well known OWASP Top 10
• Security engineer should still be expanded so click on Test Activities and show the two guidance items in this view.

• Explain that guidelines represent prescriptive guidance, a standard you can use to guide you to do the right thing when trying to accomplish a task which can be linked to from policy or vulnerability reports
• Checklists are created for every guideline and they explain how to assess that the standard has been followed. We are strong believers in a checklist-based approach to assessments so we’ve created checklists in every area to help with   code review, pen test, process review, etc. Explain how checklists can be used to help ensure compliance to internal policies and external requirements
• Open the guideline and explain how the structure always shows What to do, why it matters, when to do it and then how to get it right.
• Explain that this is how we take policies to the next level. Policies explain only what to do, our guidance explain how to do it right for the specific technology and environment that is relevant for the developer
• Open the checklist item and explain how the structure always shows what to check for, why it matters, how to check and then if a problem is found, how to fix.
• Open the article in a new window by either double clicking the title in the list view or by clicking the expand icon in the preview panel
• Explain that articles can be edited by anyone with the proper permissions.
• Click the edit guidance item
  

• Show the editor and explain that you can modify the article title, attributes or content itself

• Close the window and return to the main UI.
• Mention that the entire library can be edited, click on the edit mode link to reveal this functionality
  

• Right click on the .net 3.5 library and show the menu that allows you to add views, folders, new items, or add and delete libraries themselves.

Frequently Asked Questions


Q: What are the install requirements?
A: TeamMentor is typically run on IIS, though you can run it locally on Cassinni as well. You don’t need a database server or any other services, IIS alone is enough. The articles are all stored on the file system in XML files. We did this not only for ease of deployment but also for performance reasons. SQL was used in TeamMentor v1 and v2 but it was overkill.

Q: What are the performance constraints of TeamMentor?
A: We’ve used TeamMentor with 5,000 articles in a library and it ran fine. We found that it works best, however, if you have 3,000 or less articles in a library this is one reason we broke our articles into multiple technology articles. All of our processing is done on the client, so that is why searching, filtering and viewing articles is so fast. On a slow connection you may see a delay when you first load TeamMentor. This is caused by the fact that we pre-fetch the TeamMentor libraries when you first open the application.

Q: How do we handle updates if we make changes to the libraries?
A: We will create a github fork for you and you can use that source control for all of your articles. When we have an update ready for you, we will perform a merge for you so that your changes are retained and you get the newest updates from us. If you cannot use github we will work with you on another solution.

Q: When will you have X technology covered in your libraries?
A: We base our roadmap on customer feedback such as yours. If you purchase and have a technology area that you want included in a future release, please let us know and we’ll make it a priority. We update TeamMentor every quarter with new content and application improvements.

Using BDD-Security to test WebServices Authorization Rules?

Stephen de Vries just pointed me to BDD-Security which looks pretty powerful (BDD is definitely something I want to get more into).

Here are a couple references for BDD-Security:

• Example of Matrices and BDD stories / scenarios - Access control should be enforced on the server side and should matche the authorisation model for this application
• Jenkins integration with BDD Security  
• Step 0: Running BDD Security before you build your web application 
• Tutorial  (checkout the Burp integration)
• Video of Example Run
• Two more videos ('Configuring BDD-Security to Login to an application', 'Scanning the application using Burp Suite')
• https://github.com/stephendv/bdd-security - el code

I'm in :)

... now let's make this work: what is the best way to integrate BDD-Security with a .NET app like TeamMentor? 

I see a couple things to figure out:

• Execute the BDD-Security tests outside Eclipse
• Write the stories in a .Net environment (like O2, VisualStudio, MonoDevelop, SharpDevelop, LinqPad, etc...)
• Find a way to convert the 'TeamMentor spreadsheet rules' into BDD security rules (in fact before we do that , we need to have working BDD tests for each of the WebServices (since most need state in order to even be executed))
• I wonder if I could use IKVM or Sharpen or other to be able to run BDD-Security natively in .NET? :)

The way I'm looking at this, we need:

• The official 'these are the business rules' mappings (in a consumable format like the spreadsheet below)
• The static analysis of the code that extracts the current behaviour from the code (which in TeamMentor are implemented as CAS Security Demands)
• The Dynamic invocation of the webservices methods (i.e. the attack surface)
• The analysis of all this data (with the blind spots being vulnerabilities)

Update: see Stephen's Response to using BDD Security to test WebServices

Related Posts:

• Documenting how to test WebServices using scripts - the story so far

Is there a spreadsheet/template for Mapping WebServices Authorization Rules?

What is the best way to map/document the Authorization Rules? (for example of WebServices)

I'm looking for a spreadsheet/template that allows the business-rules (i.e. 'who has access to what') to be mapped, visualized and analyzed.

I looked at owasp.org and this is what I found (did I missed something?)

• Guide to Authorization 
• Codereview-Authorization 
• Testing for Authorization 
• Reviewing Code for Authorization Issues 
• Cheat Sheets (no Authorization one)

Creating a spreadsheet with WebService's Authorization Mappings

As per the Roadmap for Testing an WebService's Authorization Model and What is the formula for the WebServices Authentication mappings?

One of the assets that we need is the official mapping of TeamMentor's WebServices Authorization Rules. This is the mapping according to the 'Business Logic', and must be independent from what actually is happening at the live website (and within the code).

Our current solution is to have a shared GoogleDoc spreadsheet which these mappings.

Here are two screenshots of what it looks like (see the spreadsheet is here)

These mappings represent what is expected to happen, so for example if one of the methods marked with NO (in light red) can be invoked by that type of user (like an Reader), then that is a vulnerability.

What is very powerful about this mapping, is that it allows us (on the security camp) to have a proper 'conversation' with the business owners and key developers/architects (and we will get a lot of kudos if we are the ones that created this (or enabled its creation))

Basically what we are asking them is: Tell me how you expect your app to behave, so that I can tell you what actually happens.

Although this is a great step forward, there is still a lot to do:

• Feed this data to a Dynamic or Static analysis script/tool (so that it takes into account the expected behaviour)
• Once we have results, create a diff view of this data
• Map this script with the actual WSDL so that any WSDL changes can be detected and fixed ASAP (for example when methods are added, edited or removed)
• Find a way to store and map this data over time

These mappings are the key to the discovery of security issues and (in their absence) to provide assurance to the business that the application is behaving the way it should.

The interesting question is: how is it possible to perform an Authorization security analysis without this information? :)

Roadmap for Testing an WebService's Authorization Model

Now that Arvind is asking THE real questions (see What is the formula for the WebServices Authentication mappings?) , it's time to define the roadmap.

Here is what I think needs to happen when testing and visualizing an application's Authorization Mode, in a WebServices driven application like TeamMentor:

• Create UnitTest that are able to invoke the WebServices methods with valid state: (i.e. be able to successfully invoke all methods)
• This is not just a case of having good enough data (which in a lot of cases is dynamic (i.e. Method B needs data retrieved via method A))
• ...one also needs to take into account the cases where the data will be destroyed or corrupted (remember that If you not blowing up the database, you're not testing the whole app )
• ..which means that the execution order is very important, since we will need to support a solid set-up,  tear-down and restore workflow 
• Invoke those methods with different users and roles:
• You will need at least two user accounts per different role, so that you can test what happens between user A and user B (of the same role) and user A and user C (with different roles)
• The data created needs to be exported into a format that can be consumed by a visualization script
• Analyse the Source-Code and extract the real formula: (using static analysis technology) 
• This should be in a format that can be cross-checked with the Web Method's tests
• There could also be a 'hard-coded' mapping file that defines what are the values that are currently accepted by the application's bussiness logic (think of this as a consumable version of the Application's technical-spec/architecture)
• Note that that sometimes we can already find Authorization vulnerabilities by reviewing these static mappings
• Cross-Check the Static Mappings with the Dynamically collected data
• First step is to make sure that the current code assumptions are actually happening in the real world (note that while the static analysis represents what the developers would like to happen, the dynamic analysis represents what actually happens!)
• Find blind spots and create ways to codify them
• Fuzz it!
• Using something like the FuzzDB, add abuse cases  (i.e. payloads on valid method's invocations) and check that the expected rules and mappings still apply (also keeping an eye for other weird behaviours and vulnerabilities)
• When vulnerabilities are found, integrate them with current bug tracking system
• In some cases each type of vuln will need to created (or updated) as an individual issue
• In other cases, we will need to consolidated them so that we don't create too many bugs
• We will also need go get a risk analysis from the application owner, since some vulnerabilities might be more dangerous than others
• Apply a fix and (quickly) confirm it via the created scripts
• Ensure the developer can invoke one (or all tests) from their IDE
• The scripts created must be able to reflect code fixes
• Integrate these tests into the build/release process
• So that they run whenever needed (every day, on git push, on release, etc...)
• Note that that the tests will need to be executed on the multiple development, QA and production environments (with an easy way to diff the results)
• Package visualization created and empower developers
• Make sure the developers can access the visualization/mappings created
• Hand-over and train developers in how to access, use and maintain those scripts, so that it is the developers (or QA's) responsibility to make sure they keep running and reflect code changes
• Create visualizations of data collected over time
• See this brilliant visualisation (circa 2008): Zoetrope: Interacting with the Ephemeral Web for an example of what we should be providing to management and developers :)

Now you might think that this is it and that we can stop here. The reality is that this workflow is still very inefficient, slow and hard to use by all relevant parties.

The way we should be creating these Authorization models, is by:

• Creating a DSL (Domain Specific Language) that represents the current Application Business Logic and its Authorization rules
• Getting the Application's business owner(s) to write the rules in the DSL language created (which they should understand and be comfortable with)
• Feed those rules to the Static and Dynamic analysis tools/scripts
• Analyse the data created and integrate the results into the SDL

Now THAT'S how Authorization models should be created, visualized, tested and enforced :)

Finally, for a great introduction to DSL and how to use it in C#, please take a look at this book: DSLs in Boo: Domain-Specific Languages in .NET (specially the chapter where the author talks about a Security-focused DSL)

Related Posts:

• Creating a spreadsheet with WebService's Authorization Mappings

Brilliant visualisation (circa 2008): Zoetrope: Interacting with the Ephemeral Web

This video (from 2008) is probably one of the most amazing visualizations of data that I've ever seen.

The toolkit that these guys have is out of this planet and it's crazy that this research project from Adobe seems to have been dropped (there are no other references to this project or technology since 2008)

What is the formula for the WebServices Authentication mappings?

ahh... that's THE Question :)

Arvind's journey stared with the need to First you create Tests for WebServices, then you add the abuse/security cases . He then started coding  Python scripts and Unit tests on his journey into testing WebServices in a developer friendly way with some interesting side effects: If you not blowing up the database, you're not testing the whole app.

After that he wrote:

• My first working..independent…unit tests :)
• Authorization testing…analysis logic added 
• Unit Tests – Handling complex arguments with Suds 

and then asked me the "...humm, where can I get the Authorization mappings? (so that I can check my results against them)"

I was waiting for this question because that is one of the signs that a security test is going on the right direction (btw, if you have commissioned a security assessment and did not get that question you should be worried! ).

Basically what he wants is a mapping of TeamMentor's Authorization Rules, namely which functions should be accessed by the multiple security roles (Anonymous, Reader, Editor and Admin).

And this 'simple question' just happens to be one that very few applications and developers have!  (tip: if you find the answer and share it with the developers, you will move from being a TAX into being a 'visualization engine')

Usually when we (the security guys) ask this question, we get some old document that explained what they where trying to do, or some guy with pen+whiteboard doing a big diagram :)

My view is that it is impossible to have any type of decent assurance that an application doesn't have authorization blind spots without these mappings. One important factor is that they (the mappings) need to be created in a consumable way, so that they can be verified via automated scripts like the ones Arvind is writing (or by 3rd party scanning tools/services)

So where are this mappings?

Well ...  they exist in the application's source code code and (sometimes) in its data (like config-files or database tables).

Here is another example of why automated tools will never be able to have good coverage until they are customized.

In the case of TeamMentor the formula is exclusively in the code, since it uses .NET CAS (CodeAccessSecurity) permissions to issue a Security Demand before security sensitive actions are performed.

What is going to happen next, is that I'm going to use O2's Static Analysis engine to parse the code and extract the current formula into a format that Arvind can consume it.

Related Posts:

• Roadmap for Testing an WebService's Authorization Model - detailed description of what needs to be done
• Testing TeamMentor 2.0 security using O2  - how I did this in the  2.0 version of TeamMentor

I'm looking for a C# Script that will find an open file handle in Windows

It's kinda crazy that in Windows 7, when I try to rename a folder I'm not told what process currently has an open handle to that folder (and is preventing the rename)

My current solution is to open SysInternals ProcessExplorer and do a search for that Handle via the folder anme (which is far to many steps and slow).

Now I know that this can be done in C# (via Com Interop) since I did it for Hackmebank (I bet nobody has found the vulnerability that that hack created :)  ).

But before I dig that code and reimplement it in O2, I was wondering if there is already a better solution out there :)

We're all mortals, so lets make the most of it

Just heard today that a very good friend lost her husband to a 5 year cancer battle :(

I can't image what she has been through and it does show how the lottery of live can sometimes be quite harsh.

It's in times like this that one really must think about what we are doing with our time and make sure that we are having a positive impact.

In a way that is what I like so much about OWASP. It is a great community, made of amazing people, and each one of us, can be proud of our contributions, since we are having a positive impact on the solution of a big problem.

I fell very fortunate that I am able to spend my time doing what I am really passionate about, so if you are currently  stuck in a job just because it 'pays well', or it is the 'right thing to do', get out of there.

Life's too short to spend it on things we don't believe and are not passionate about.

Lets make sure that we have a positive impact while we are still around

Real nice way to visualize 10 years of an company evolution

In http://blog.realexpayments.com/2011/07/12/breaking-up-is-hard-to-do/ Realex's Gary Conroy walks us through 10 years his company's structure.

It's interesting to see how security evolved, sometimes as a stand alone unit and other times inside another function.

What would be even more interesting would be to get a zoom on the Security activities/teams, namely:

• how it evolved over time
• what was the impact of 'external factors', like for example security incidents (with them or their competitors)
• what where its roles and responsibilities
• major success stories
• influence on the product and SDL 

Here is the presentation:

If information exists in the forest but it is not linkable, is it real?

I always had a 'just make it open' instinct but more and more I'm realizing that making information open and hyper-linkable is critical to help removing information-exchange speed-bumps and to promote collaboration.

This is also why I'm blogging so much, I'm trying to find a good way to capture the ideas, threads, deliverables, actions, etc.. that I do every day.

I'm also starting to think about where should the 'closed' lines be placed? Basically, what should be public and what should be private/protected. Isn't this what Privacy is all about?

On the topic of openness, Question: why shouldn't our emails be publicly.available, linkable and indexable?

Today, Google, most Governments and some other 'organizations' already have access to those emails, so why don't we just make it much more efficient and make 'most' of it public?

I said 'most' since there will be a couple emails that should be private. But those should be a minority. And by reducing the amount of 'closed' data, it would be much easier to protect it.

TeamMentor for Security companies providing Application Security Services

After the launch of the TeamMentor Partner Program, one of the common questions I'm receiving is 'Ok.. that sounds interesting..but how does it work?'

So if you are working for a company currently providing application security services (PenTesting, CodeReview, Threat Modelling, Architecture review, etc...) this post is for you.

From your point of view,  TeamMentor will provide:

1. Security-Focused Knowledge Base - to hyper-link your current reports
2. Customized Reporting - ability to deliver your reports via a web interface (with your brand and custom content)
3. New revenue streams - by selling TeamMentor and additional services to your clients

Lets take these in turn:

Security-Focused Knowledge Base

TeamMentor's Library is made of 4000+ articles with expert security guidance covering a wide range of Tecnologies, Phases, Types and Categories.

The key concept is that you shouldn't have to write detailed explanations about a particular security finding, how to fix it, or how it fits within the multiple SDL phases. TeamMentor should have those articles so you can just hyper-link to them from your reports.

Note that if the content that you want is not currently available in an TeamMentor Library, you can easily add it via the web interface (which provides full editing capabilities)

Customized Reporting

Once you are comfortable with TeamMentor's content and have a solid internal workflow, the next step is to start thinking about creating custom versions with your own branding and customer specific content (for example an TeamMentor How-to article with the code samples modified to reflect the application under test best-practices).

The TeamMentor interface is very flexible and all the content is exposed via a WebServices layer, so you can either use TeamMentor's main GUI, create your own, or just consume its data from an existing customer portal.

Note that you can also use TeamMentor to host your own (private) content which you will only share with some of your customers (for example a series of articles on Oracle security)

New Revenue Stream
Finally, for the cases where your customers want to start using TeamMentor internally, in addition to a commission that you will receive for each sale, there are additional services that you could provide (for example converting/mapping your customer's internal security policies or coding standards into an TeamMentor Library).

Submitting a request to the OWASP Platform

Here is a message from Sarah Baso on how to ask a question to them :)

The original question was about how to get OWASP support for participating in local events.

Don't copy and paste from Google, copy and paste from TeamMentor!

This is a simple concept that I find myself using when explaining what TeamMentor is and how it can be used.

Here is a very common web activity for developers: Do a google (or StackOverflow) search on a particular problem, find a solution that looks good, copy and paste the code sample into the current application and fiddle-with-it until it works.

The problem with this approach is that the code pasted might not be the most secure solution for the problem at hand (and the changes made, might make an secure code sample, into an insecure one).

So what we want is for the developers to copy and paste from TeamMentor (vs from Google)

The idea is that once the content has been customised to the target application, the developers can use it as their 'copy and paste' repository (since those code samples are basically an application's or company's coding guidelines)

Yes, the 'out-of-the-box' articles are good and will add a lot of value, but without customisation their are just a faster way of finding similar content in Google.

But once those articles reflect the target application's reality, its value dramatically increases, and finally will have a location where we can point developers for: focused, prescriptive, relevant and accurate security guidance.

Releasing a tool open source: how-to and what license?

I get this question quite a lot, so here is my view on this.

In terms of releasing a tool or code under an Free or Open Source license, once you have decided on the licence (see below), its best to just publish the code and go from there. Since I wouldn't expect a huge amount of traffic from day one, you will have time to get all the pieces working before any major announcement.

In terms of infrastructure I would put it on GitHub since it gives you most components you need (note that GitHub doesn't have mailing lists, so you can create one at Google Groups). Btw, if the project becomes really popular, your users will start using StackOverflow.

In term of license, I guess you need to decide if you want Control or Mass Adoption.

• The GPL will give you more control (with its viral behaviour forcing code disclosure, but preventing other cases from occurring)
  
• The Apache 2.0 license will give you more adoption since there are less limitations on its use (yes it might be used by a 'closed product' but if that grows market share, is that really a bad thing?)

My preferred license is the Apache 2.0 (which is what I use) since it is simple and allows for maximum use + distribution.

The key factor to understand is that the most powerful brand in an open source world belongs to the key driving forces and the developers of an project. 

So if you continue to be the most knowledgeable part of your ecosystem, then the bigger the usage, the bigger the opportunities.