Here is the second part of the presentation I delivered at the OWASP London Chapter event (29 Sep 2016)
A personal blog about: transforming Web Application Security into an 'Application Visibility' engine, the OWASP O2 Platform, Application/Data interoperability and a lot more
Friday, 30 September 2016
Presentation "NodeJS security - still unsafe at most speeds - v1.0"
Here is the first part of the presentation I delivered at the OWASP London Chapter event (29 Sep 2016)
Labels:
NodeJS,
OWASP,
Presentation
Sunday, 25 September 2016
Threat Model Community
(from Software Quality book)
There is currently (late 2016) space within the application security world to develop a community focused on Threat Modeling. Such a community would allow the many parties working on Threat Modeling to share information and give a voice to all the different stakeholders.
Labels:
Software Quality
Friday, 23 September 2016
The business model of selling a fork
(from Software Security Book)
An open-source-based business model that I really like is the idea that the company (or team) behind a particular open source project sells a fork of the master repository that is customised and/or maintained for a particular customer.
What that means is that the customer buys access to a fork from the authors of that particular code/repo/project.
That way the company developing the application has a direct connection with the client, and a regular revenue stream.
Labels:
Software Quality
AppSec should buy tools for developers
(from Software Quality book)
Inside a large organization, you will find teams where, for one reason or another, management hasn't seen investing in tools for developers as a priority.
This is a great opportunity to generate goodwill and positive working relationships with developers. If the AppSec team is able to actually find the budget for tools, it will help developers be more productive.
Two great examples are WallabyJS for JavaScript and NCrunch for .NET.
Labels:
Software Quality
Developers need data classification
(from Software Security Book)
Every type of data that exists in an organisation, especially the data that is consumed by applications, needs to have a Data Classification mapping.
Developers need to know if a particular piece of data is sensitive, and what value it holds for the business.
A good way to determine the expected level of confidentiality and integrity is to ask 'What would happen if a particular set of data were to be fully disclosed?' (for example, uploaded to PasteBin) or 'What would happen if some of the data was maliciously modified over a period of months?'.
Labels:
Software Quality
I Abuse the term ‘Unit Test’
(from Software Security Book)
For me a Unit Test is a test of a 'unit'. The only question is how big that 'unit' is.
If you go to the Wikipedia page for List of Unit Testing Frameworks you will see a large list of 'unit test' frameworks which range from traditional 'unit tests' (on an individual function or procedure) all the way to:
- integration tests,
- production tests,
- e2e tests (end-to-end)
- performance tests
- smoke tests, etc…
- (i.e. every type of automatable test).
Labels:
Software Quality
Putting Data in PasteBin
(from Software Quality book)
One of the best ways to make Developers, Architects and Managers understand the confidentiality of the data hosted by their application is to ask the question, 'Can we put all of the data in your database on PasteBin?' [^PasteBin]
That question makes all parties involved really think about what that database contains.
Ideally, the correct answer is yes, there is no problem. All that data could go to PasteBin because the data shouldn't mean anything by itself.
Labels:
Software Quality
Graduates to manage JIRA
(from Software Quality Book)
One of the challenges of the JIRA RISK workflow is managing and maintaining the open issues. This can be a considerable amount of work, especially when there are 200 or more issues.
Note that, in large organizations, the number of risks opened and managed should be above 500, which is not a lot, and is in fact the level at which visibility into existing risks really starts to happen.
The solution isn't to have fewer issues.
Labels:
Software Quality
Describe Risks as Features rather than as Wishes
(from Software Quality Book)
When opening a risk JIRA ticket, it is key to describe the exact current behaviour of that issue as a feature, rather than how you would like it to behave (i.e. your wish list).
For example:
- instead of saying 'application should encode XYZ value', say 'XYZ value is not encoded'
- instead of saying 'application shouldn't be vulnerable to XSS or SQL injection', say 'application is vulnerable to SQL injection'. In this case SQL Injection is a feature of the application: while the application allows SQL Injection, the application is working as designed (whether that was intended or not is a different story :) )
Labels:
Software Quality
Know what was not tested
(from Software Quality Book)
When you're reading an application security report (like a pentest), one of the most important questions that you should get an answer to is 'What tests did they run?'. This is especially important for the tests (i.e. exploits) they tried to run but were unsuccessful.
The report(s) will show what was successful, but that's only half (or potentially less than half) of what you want to know.
Labels:
Software Quality
Broken Tests Aren't The Problem
(from Software Quality Book)
It is quite worrying how often you hear complaints about test execution (for example, how slow the tests are or how hard they are to maintain).
These complaints can be so strong that they even call into question whether the tests are 'worth it' (i.e. that the cost of maintaining the tests is higher than their benefit).
This is very dangerous because it promotes the idea that it is OK not to test your code. And that is just crazy!
Labels:
Software Quality
Thursday, 22 September 2016
"Turning TDD upside down - For bugs, always start with a passing test" - v0.5 Sep 2016
Here is the presentation I delivered at LSCC (London Software Craftsmanship Community) on the 22nd Sep 2016
Title: Turning TDD upside down - For bugs, always start with a passing test
Description: The common TDD workflow is to write failing tests first. The problem with this approach is that it only works for a very specific scenario (when fixing bugs). This presentation presents a different workflow which makes the coding and testing of those tests much easier, faster, simpler, more secure and more thorough.
Labels:
Presentation,
Testing
Thursday, 30 June 2016
Using JIRA to manage RISKS - v1.0 - OWASP AppSec EU - June 2016
Here is the presentation I just delivered at OWASP's AppSec EU in Rome
Labels:
JIRA,
OWASP,
Presentation
Friday, 24 June 2016
Another 6 updates on Software Quality Book
Here are the Software Quality book sections recently updated
- Why this book
- Open Sourcing your Knowledge
- Data Integrity is much more dangerous than Data Confidentiality
- Measuring Software Quality Using Application Security
- Graduates to manage JIRA.
- Parking Ticket Karma and coding
Labels:
Software Quality
Thursday, 23 June 2016
40 technologies used on the 'Maturity Models' nodeJS application
I've been working on a Maturity Model application to help me manage a project where I'm doing a large BSIMM mapping exercise.
The tech stack is based on NodeJS + Angular, and it looks like this:
Tuesday, 21 June 2016
OWASP Mobile Top 10 2016 (Release candidate)
When looking at mobile application security, a great place to start is the OWASP Mobile Top 10 2016, which is currently in its release candidate state (the previous version can be found here).
When doing a Threat Model of a mobile application, in addition to the STRIDE questions, go through these 10 items and ask the questions:
Labels:
Mobile Security,
OWASP
Sunday, 19 June 2016
Working on major update of 'Practical Angular JS' book
(email I just sent to my Leanpub readers that chose to be contacted directly)
Thanks for being a reader of my Practical Angular JS book and allowing me to contact you directly with updates (you chose to share your email with me).
The first version of the book was mainly made of blog posts I published at blog.diniscruz.com, and it took me a while to figure out how to best complete the book.
Recently I started working on a project (creating Maturity Models mappings and visualisations for BSIMM) which I was able to open source. This project is a clean implementation of my ideas of how to code and test AngularJS, and once I had the first version of the app working, I realised that this was a perfect fit for this Practical Angular JS book.
My current plan is to split the book into two parts, where 'Part I' is the new content, and 'Part II' is the existing (published) content.
Thursday, 9 June 2016
Link to join OWASP Slack
If you want to participate in one of the multiple great AppSec channels at https://owasp.slack.com and don't have an account, please use this link:
http://owasp.herokuapp.com
(posting this as a blog post so that it is easy to find on Google)
Labels:
OWASP
Some draft content on JIRA RISK workflows

Here are some of the (very draft) chapters that I have written on this topic.
- JIRA issues
- Software Complexity
- Graduates to manage JIRA.
- DevOps
- Describe Risks as Features rather than as Wishes
- Legacy code
Let me know what you think of these concepts
Labels:
Software Quality
Sunday, 5 June 2016
6 sections added to Software Quality Book (on AppSec and Testing)
I have been slowly working on my Software Quality book (with tons of notes captured in small Moleskine notebooks and new audio recordings).
Here are the sections I worked on this week:
- Describe Risks as Features rather than as Wishes
- Protecting Legal and Compliance Text on Websites
- Application security teams need developers
- Buying tools for developers
- Putting Data in PasteBin
- Creating Small Tests
Please let me know what you think of them, and if you spot any issues or have comments to make, feel free to open an Issue or send a Pull Request
Labels:
Book,
Software Quality
Wednesday, 25 May 2016
Intro to O2 Platform
(here is an intro to the O2 Platform email that I wrote, which was bouncing off the recipient's email server due to '554 rejected due to spam URL in content')
The O2 Platform is all about automating and scripting. It's a platform/framework, which means that it helps to have a 'hard question' to start with.
Here are good places to start with the O2 Platform:
- Best version to download blog.diniscruz.com/2014/08/o2-platform-55-rc1-please-give-it-test.html (see links for documentation)
- Presentation www.slideshare.net/DinisCruz/owasp-o2-platform-november-2010
- Tons of videos: blog.diniscruz.com/2012/04/39-o2-platform-videos-with-12k-youtube.html
Labels:
O2 Platform
Wednesday, 18 May 2016
Threat Modeling Template and Concepts v0.6
Here is an updated version of Threat Model Template v0.5 and a new Threat Model Concepts page.
You can download the pdfs and draw.io files from this GitHub repo
Labels:
Threat Modeling
Tuesday, 17 May 2016
The BBC should open source most (if not all) of its developed technology
Following on the Recipe for disaster post on the topic of BBC to close recipes website as part of £15m savings, I wanted to put down this idea, which in my view, goes to the heart of the value that public entities (like the BBC, but also the NHS, public services, Non-profit orgs, charities, etc... ) should provide to society:
The BBC should open source most (if not all) of its developed technology
The BBC hires a large number of software/application teams (from Devs, to QA, to Designers, to Architects), which create a large body of code, that is in most cases behind closed doors and not available to the general public (namely other public or private organisations that would benefit from that code)
Labels:
BBC,
Open Source