CI is the Key for Application Security SDL integration

The more time I spent with CI (namely with TeamCity) the more my instinct is saying ‘this is how we should be delivering and automating security knowledge!'.

OWASP project reboot spent funds (not a lot spent so far)

From Alison here are the latest numbers from the OWASP Project Reboot 2012 initiative:

• Project reboot funds/expenses in a Google Spreadsheet

Humm, from the numbers in there, it looks like only the CISO Guide spent some funds

TeamMentor global search, duplicate articles and a new ‘Any’ Library

In the 3.2 version of TeamMentor 
there is a Library per technology (.Net, Android, C++, iOS, Java, PHP) and type (CWE, PCI DSS Compliance):

Rewiting Git History (locally and at GitHub)

When fixing the ASP.NET WCF REST help page ‘Memory gates checking’ error at AppHarbor, 

I ended up with a number of Git Commits: locally  

ASP.NET WCF REST help page ‘Memory gates checking’ error at AppHarbor

Here is an weird one....

Just did an TeamMentor auto-deploy (via a GitHub push that triggered AppHarbor via a webhook) and the published site is running OK (on the deployed AppHarbor server) ....

Problem with Environment.SpecialFolder.ApplicationData in Azure

While I was testing the TeamCity auto deployment from Git to Azure, I hit on an weird bug where TeamMentor's website would look (and load) OK in AppHarbor, but would fail in Azure.

Stylizer - Real-time CSS Editing

The Stylizer looks really powerful for CSS editing and customization. I really liked it’s video page which provided a great overview (and learning environment) for Stylizer multiple features (it is a great way to quickly and effective present a product)

Testing an WCF Rest Service directly and via a local instance created by WebServiceHost

Here is an example of a simple REST based WebService which is tested using 3 techniques:

• IIS
• Direct object creation
• Locally hosted instance of the WCF service (using .Net's WebServiceHost class)

Windows Azure is what IIS 7.5 should be

The more I look at Windows Azure (while dealing with IIS deployment automation issues in TeamMentor) the more I fell that Windows Azure is what IIS 7.5 (or 8) should be.

What is really good about Windows Azure is its deployment and versioning capabilities (you can even deploy via git pushes these days). And apart from the webserver bit, most of IIS' Gui is focused on website deployment (which is what Azure does really well).

JustCode is following VisualStudio 2012 bad Design decisions

I’m trying to avoid using VisualStudio 2012 because not only I haven’t seen any feature that I need, its ‘lets remove all the color Design’ is just horrible.

And what is really annoying, is that VisualStudio 2012 (very bad) Design decision are then followed by VisualStudio extension vendors (like JustCode) who create a Gui that looks like this (in VS 2010):

Minimum required files to run git.exe on windows (for clone, push and pull)

I want to add native Git support to TeamMentor (and O2) and don't want to ship the entire git folder structure that is installed with msysgit

Some JustCode compilation issues (on .NET 4.0 dynamic keyword and method default parameters)

I’m giving JustCode another go and it doesn’t seem to like some .Net 4.0 features (which btw compile ok in VisualStudio):

Two great posts on Gamification

From TechCrunch’s Tadhg Kell here are two great articles that explain the Gamification concept really well:

• Everything You’ll Ever Need To Know About Gamification
• Real Gamification Mechanics Require Simplicity And, Yes, Game Designers Can Do It

His core idea is that Gamification boilds down one of to three things: validation, completion and prizes

Adding a C# REPL Script to Windows Live Writer

Let’s give Windows Live Writer 'Copy and Paste of images' feature a test-drive by documenting how to inject a C# REPL script into it

Software Labels – Jeff’s OWASP AppSecDC 2010 presentation (another dropped good idea)

An old idea from Jeff Williams (which is spot on) is the need to apply Labels to Software and Web Applications.

The concept is simple, but its implementation is really hard, because of the lack of quality standards/metrics in our industry

Signs of a well Designed Feature

A well Designed Feature (i.e. that works) is one that, for a particular task (like coping and pasting images on this blog) gives its user the feeling that:

• initially the new workflow just seems simpler and a little bit faster (when compared with the preview one)
• after a while, how it worked before goes kinda misty
• but, if the previous one has to be used again, it will seem REAAALLLLY slow and cumbersome!

Of course that in reality, the change is never that big, but once the user feels/understands the new version, using the old one is just painful.

Why does trying some Windows Live Writer Plug-ins expose me the total system compromise

As you can see on the Trying a couple more Windows Live Code Formatters post, I tried a number of Live Writer Plug-ins before I found one that I liked.
But if you notice (just to try a couple plug-ins!) I had to install a bunch of MSIs and give them full access to my box! And after installing those plug-ins run with Full Trust (again being able to do whatever they want to any of my windows processes)
This is crazy, this is faith-based security.

Trying a couple more Windows Live Code Formatters

As you can see at the end of the  Failing to use Windows Live Writer 2011 (and going back to 2009) the highest ranking (and recommended by default) code formatting plug-in didn’t work. So let’s try  a couple more:

Failing to use Windows Live Writer 2011 (and going back to 2009)

As you can see at the end of Using Window Live Writer to write Blogger posts I originally started using the 2009 version, so I tried use the 2011 and it failed miserably because, Copy and Paste doesn’t work anymore!!!! This is crazy!! Why???

Using Window Live Writer to write Blogger posts

As per this @shanselman reply https://twitter.com/shanselman/status/277514388376784896 (following a question I asked @troyhunt) I’m giving Windows Live Writer 2009 a try, and it seems to support Blogger, and (more importantly  copy and past of images (with auto upload to Picassa) which is exactly what I wanted (see The 'Sync Design Problem' of adding images to this blog for a description of the problem I had)

Just Uninstalled ReSharper

The performance hit was just too much, and since I got a reply from JustCode I will give it another try

TeamCity reference Links

Here are a number of links collected during my first use of TeamCity for CI:

Using TeamCity to build on Git Commit, deploy to AppHarbor and open browser

I just gave TeamCity a test drive and I really LIKED it :)

Just tried JustCode and its a shame they don't support ExtensionMethods

I just gave JustCode VisualStudio Extension a test drive (which amazingly still hasn't entered the SAST market) and although I really liked what I saw (and felt much better/faster than resharper) it had a critical problem, where it failed to recognise the FluentSharp's Extension Methods in TeamMentor:

What a 'salad of DLLs' are the ASP.NET MVC 4.0 template projects

I was taking a look at ASP.NET MVC 4.0 to see how easy it would be to use its routing engine for TeamMentor REST API, and its just ridiculous the sheer amount amount of dependencies that it required (as per the the test/template projects).