Wednesday, 27 November 2013

TeamMentor Plugin and Builder v1.5.6 (Source Code and Eclipse Update site)

TLDR: open Eclipse and install the plugin from: http://eclipse-plugin-builder.azurewebsites.net

I just updated the TeamMentor_Eclipse_Plugin repo with the latest version of this plugin (take a look at the develop branch which is in sync with the develop branch in my dev fork).

This code is now Open Source (see SI Open Sources the Eclipse Plugin-development toolkit that I developed for TeamMentor) so feel free to take a look, fork it and figure out how to use it.

Executing two H2 scripts after compiling them

Sometimes you want to reuse a script that already exists, for example to have multiple copies of it running at the same time (great for fuzzing or load testing).

Here is a simple example (from the TeamMentor UnitTest/Tools collection) that does exactly that:

Util - Browse TeamMentor Libraries.h2

Here is another simple tool that allows for a quick browse of TeamMentor Articles (download exe from: Util - Browse TeamMentor Libraries v1.0.exe )

The objective of this tool is to show how to mass consume TeamMentor Articles (if you look at the code you will notice that all metadata is downloaded locally, so that after an initial delay all navigation happens in real time, with the articles being downloaded on demand).

Note that there is a more advanced version of this tool (called Library Manager), but for local access and quick views of TeamMentor Libraries, this is quite a nice tool:

No OWASP app on the OSX AppStore (Nov 2013)

Definitely a missed opportunity here :)

What types of App should exist?

At least we should have a couple that expose OWASP materials (books, wiki pages), projects and events.

I will be a happy guy when this page doesn't look like this:

Monday, 25 November 2013

Script to create stats from TeamMentor Libraries

While creating a better tool to manage the new 'TeamMentor Researcher Programme' (more details later today), I am updating the https://github.com/TeamMentor/UnitTests/ scripts to the latest version of TeamMentor (3.4) and FluentSharp Apis (5.3).

Amongst the scripts/apis I'm fixing there is the Calculate TM article totals.h2 which I created a while back when we needed to know the size of TeamMentor articles for translation (btw, if you speak Japanese, there is a version of TM in your language almost done).

Here are the stats of the current version of TM:

Sunday, 24 November 2013

SI Open Sources the Eclipse Plugin-development toolkit that I developed for TeamMentor

For the past couple of months I have been working on an Eclipse plug-in for TeamMentor (see Programming Eclipse in Real-Time (using a 'Groovy based' Eclipse Plug-in), Opening up a native Chrome Browser window inside Eclipse (raw version), Injecting HP Fortify Eclipse Plug-in Views into HP's WebInspect UI and Two Videos showing TeamMentor Eclipse Plugin integration with Fortify Eclipse Plugin (as shown in HP Protect 2013 conference)).

I had a number of culture shocks coming from a C#/VisualStudio/O2Platform/REPL world into a Java/Eclipse one. The biggest one by far was the loss of the 'semi-real-time' code execution that I have in Windows/C#. I used the O2 Platform REPL (and the Resharper+NCrunch VS plugins) to have a proper TDD development mode (i.e. high effectiveness and productivity), and in the Eclipse world (especially in plugin development) I had a 10 to 30 sec delay before seeing the result of any code or UnitTest execution! (which is 95% slower than what I was used to)

So, as I guess it is typical of me, I didn't just create an Eclipse Plugin. I created an 'Eclipse Plugin to create/develop Eclipse Plugins' (think of it as a 'Groovy based Eclipse Plugin where the Groovy scripts have access to the Eclipse Objects of the Eclipse instance running those Groovy scripts' :)

4 Million USD to build a secure Operating System to run Secure websites?

Is that too expensive or a great investment?

Well ... I met a great friend at AppSec USA who already built a secure OS (based on Open Source technology) years ago in a company that failed (i.e. went bust at great personal cost). He is one of the cleverest guys I know, and he and his team built (at the time) an OS that powered a very high-profile and targeted website that was NOT compromised.

The only catch is that their previous effort was done under a 'closed software' platform, and my view is that such a creation needs to be done under an Open Source model. This would allow the code to be peer reviewed and checked. Just like crypto, a secure OS needs to have the highest degree of assurance.

And since we can't really have a 'Secure Website' without a 'Secure OS', I'm sure we will see multiple 'Secure OSes' in the future. My only doubt is whether my friend's creation will be one of them.

So how did I get to the 4 Million USD value?

Friday, 22 November 2013

Just disabled AdSense for this blog

I was curious how it was going to work out, but never really liked the idea of exposing readers to ads.

And since I want to move into a static based blog as soon as possible (maybe something like docpad), it was just a matter of time.

Friday, 15 November 2013

I'm doing the 'Survival of the Fittest' (please sponsor if you can)

Sarah and I have been offered last minute places to take part in a race called 'Survival of the Fittest', to raise money for the Philippines.

We have decided to go for it with very little preparation because we are raising money for a really important Philippines charity and the disaster relief fund. Splitting the funds 50/50.

If you haven't already made a donation to the disaster appeal then please consider sponsoring us.

The charity already sponsors some of the poorest children in Manila, and they are now suffering from the recent typhoon.

Friday, 8 November 2013

Presenting at OWASP Turkey Chapter on Sat 10th of November (on Secure Continuous Delivery)

If you happen to be in Turkey this weekend, there is a great OWASP event happening tomorrow, where I'm also presenting on "Secure Continuous Delivery: Developer’s Immediate Connection to What They’re Creating".

This is basically going to be a review of the O2 Platform and development work I have been doing for the past years (namely in trying to automate application security knowledge).

Wednesday, 6 November 2013

Video for: "Using the O2 Platform to Automate Application Security Knowledge and Workflows"

As per a request from Samantha and Kate, I did an OWASP webcast on Nov 6th about the O2 Platform, and here is its video:

Tuesday, 5 November 2013

Updating my bio description (as of Nov 2013), now more 'developer focused'

My current bio is quite a bit out of date and it looked like this:
    Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development. For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as an independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is also an active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences. At OWASP, Dinis is the leader of the OWASP O2 Platform project.
This was used in a number of places I presented recently (for example http://appsecusa2013.sched.org/speaker/dinis.cruz) and it is not an accurate representation of what I'm currently focused on.

Thursday, 3 October 2013

Syncing all releases to the same commit and Tag (for TeamMentor v3.4)

This is a bit of housekeeping; as you can see from the Fixing the Merge conflict caused by one extra commit on TeamMentor master and Git Flow - Moving patches from one Commit into another Commit posts, not doing this has already caused us some pain in the past.

So after some pushes and pulls (of both commits and tags) I now have the main TeamMentor repos all synchronised at the 72ca4b5d3322901266ca294678cbe15aa343a4b3 commit:

Enabling GitHub Two Factor Authentication

Inspired by Google’s Two Factor Authentication workflow, last month GitHub did the same thing.

I just enabled it, and I strongly recommend that you do it too.

As per the instructions in GitHub's Two-factor Authentication post, the first step is to go to https://github.com/settings/admin and click on the 'Set up two-factor authentication' button:

Wednesday, 2 October 2013

The Projects Summit 2013 is happening: GET INVOLVED!!!!

Here is the announcement email from Samantha Groves sent to the OWASP Leaders list:

Fixing the Merge conflict caused by one extra commit on TeamMentor master

On the 3.4 Release of TeamMentor (which was the first release where we really used Git Flow for development; see this great presentation on the Git Branching Model) we ended up with a situation where the commit that was the parent of all feature/fix branches was off by one from the master of the TeamMentor/Master repository (we also had to do a bunch of back-porting of fixes into that commit; see the Git Flow - Moving patches from one Commit into another Commit post).

In practice this means that the TeamMentor/Master graph currently looks like this:

Monday, 30 September 2013

Java Tainted Strings

At AppSec EU Steven van der Baan approached me with the great idea of seeing if we could do an open source implementation of Java Tainted Strings.

The idea is to (somehow) add metadata to the java.lang.String object and allow an App (or APIs) to taint a string (i.e. mark it as 'potentially malicious') and to modify that App/API's behaviour based on the taint information (for example "don't execute an SQL statement if its SQL command string is tainted").

There is still a lot of thinking that needs to happen on this idea, and we are currently in the 'pre PoC' stage.
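To make the idea concrete, here is an added sketch (not the PoC Steven and I are working on, and not part of the original post) of the wrapper-based variant: since java.lang.String is final, the taint bit lives on a wrapper, taint propagates through concatenation, and the SQL sink refuses any command text that carries it. The class and method names are my own.

```java
import java.util.Objects;

public final class TaintedStringDemo {

    /** Wrapper carrying the taint bit; java.lang.String is final, so the metadata lives here. */
    static final class TaintedString {
        private final String value;
        private final boolean tainted;

        private TaintedString(String value, boolean tainted) {
            this.value = Objects.requireNonNull(value);
            this.tainted = tainted;
        }
        /** A literal written by the developer: trusted. */
        static TaintedString trusted(String s) { return new TaintedString(s, false); }
        /** Data that crossed a trust boundary (request parameter, header, file): tainted. */
        static TaintedString untrusted(String s) { return new TaintedString(s, true); }
        /** Taint propagates: the result is tainted if either operand is. */
        TaintedString concat(TaintedString other) {
            return new TaintedString(value + other.value, tainted || other.tainted);
        }
        boolean isTainted() { return tainted; }
        String unwrap() { return value; }
    }

    static final class TaintedSqlException extends RuntimeException {
        TaintedSqlException(String msg) { super(msg); }
    }

    /** Stand-in for a JDBC execute(): the sink refuses any command text that carries taint. */
    static String executeSql(TaintedString sql) {
        if (sql.isTainted()) {
            throw new TaintedSqlException("refusing tainted SQL: " + sql.unwrap());
        }
        return "executed: " + sql.unwrap();
    }

    public static void main(String[] args) {
        // Constructed sample: an id that arrived from a request parameter.
        TaintedString userId = TaintedString.untrusted("42 OR 1=1");
        TaintedString query = TaintedString.trusted("SELECT * FROM users WHERE id = ").concat(userId);
        try {
            executeSql(query);                                   // blocked: taint reached the sink
        } catch (TaintedSqlException e) {
            System.out.println(e.getMessage());
        }
        System.out.println(executeSql(TaintedString.trusted("SELECT 1")));  // allowed: no taint
    }
}
```

The interesting work the post alludes to is getting this behaviour onto String itself (and through every JDK API that builds strings) rather than onto a wrapper callers have to opt into.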

Physical Books are the best technology for reading, and bookstores should 'give' an eBook with every physical book published

I just bought 5 books at a really nice book store in central London and it is amazing how:
  1. these bookstores are still afraid of the digital world
  2. they don't have the confidence to say:
      "... If you buy a physical copy, we will give you (or sell for 10%) the eBook version.

       ... the reason we 'give' you the eBook is because the 'real' book is much better, but there are places where you might want to use the eBook..."
This is something that I already talked about in my Why doesn't Waterstones (UK BookStore) also upsell kindle books? post (which has more ideas on what bookstores should do to provide a better service to readers).

Saturday, 28 September 2013

Script to Git Clone 13 repositories in order to have all TeamMentor Libraries in one folder

As part of the push for the 3.4 release of TeamMentor, I wanted to have a copy of all TeamMentor libraries locally (there are 13 libraries in the 3.4 release).

Since O2 Platform's FluentSharp has native Git support, I was able to create the clones using this script (note how simple it is to create a clone from a GitHub repo):

Friday, 27 September 2013

Using TeamMentor Checkmarx proxy to scan a vulnerable PHP application inside Eclipse

Michael Hidalgo has posted a really nice article which shows:

  • a PHP app,
  • inside Eclipse,
  • scanned by Checkmarx's SAST,
  • with security guidance provided by TeamMentor

Check it out at: http://blog.michaelhidalgo.info/2013/09/using-teammentor-checkmarx-proxy-to.html

The Open Web Interface for .NET (OWIN) and Katana

Definitely need to take a look at this: http://www.asp.net/aspnet/overview/owin-and-katana/an-overview-of-project-katana (anybody used it?)

Here is its hello world example:


A quick skim of that article showed that they were inspired by Rack and Node.js, which can't be a bad thing :)

Wednesday, 25 September 2013

Should developers code naked once a week? (or in a mankini?)

That way developers (or managers) would have more 'empathy' with the 'naked' state of the applications they are developing and publishing :)

I got this idea, following from this comment/suggestion on Guidelines of OWASP:

Tuesday, 24 September 2013

Reaching out to Developers, Aspect is doing it right with Contrast

UPDATE: I got the dates wrong when I posted this. The Contrast blog post and presentation are from 2012, it is the award that is from 2013:


In case you missed it, OWASP's long time contributor Aspect Security were at the JavaOne conference presenting their (commercial) product Contrast.

I was not there, but from the noises I'm hearing it was quite a successful event, with lots of developers reached.

Here is a cool picture from their Contrast @ JavaOne post (which contains a link to their presentation (also embedded below)):

Monday, 23 September 2013

Chaos Computer Club breaks Apple TouchID (the bad idea that is fingerprint biometrics and 'its cool to hack Apple now')

Well it didn't take long: Chaos Computer Club breaks Apple TouchID

For me the key statement of that post is: "We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token"

I have to say that I have never been involved in designing or testing fingerprint biometrics, but I always had this voice in the back of my head saying "...humm... it really doesn't sound good, the idea that the security ID cannot be changed, and once that ID is stored in digital format, there is nothing that can be done to prevent its reuse...."

OWASP Flight Booking using Amex and Project's Mini-Summit at OWASP AppSec USA 2013

I just booked my flight using the new OWASP 'Amex travel' partnership and it was a great experience