Tuesday 15 March 2011

Working with SI on Team Mentor and OWASP projects

In a model very similar to the contracts I had previously with Ounce Labs and ABN AMRO, I recently signed a professional services contract with Security Innovation.

This is quite an exciting opportunity for me. Not only am I going to be working with great people, but the TeamMentor project has lots of potential and the SI guys seem very interested in O2.

Here are my areas of responsibilities (verbatim from my contract):
  • TeamMentor Product Development - Taking full responsibility for the TeamMentor product
  • TeamMentor Metrics - Understanding and visualizing how the product is currently used
  • SI Community outreach - Representing SI in the industry
    • Leadership of OWASP Projects: OWASP Exams, OWASP Certification, OWASP Academies, OWASP SDL Implementation project
    • Presentations at OWASP, developer conferences (TBD) or webcasts (TBD)
    • Blog and article creation
  • O2 Integration with SI Product and services - Introduce SI teams to O2 capabilities and features
An interesting note is that this is one of the first times that my OWASP involvement is directly mapped into one of my contracts.

My initial focus is going to be on the TeamMentor product, which should keep me busy for the first month(s).

What is also VERY interesting 'from the point of view of Application Security', is that I am now going to be directly involved and responsible for an application's security (so if you find a vulnerability in TeamMentor please email it to me ASAP :) ).

This relationship will also (occasionally) put me in a position where I am representing a 'vendor'. This is going to force me to be very disciplined in my OWASP relationships, and I will want to take this opportunity to clarify the 'OWASP-rules-of-engagement' between commercial parties and OWASP (something that today is a very fuzzy area).

Let me know what you think of this, and (since it will change quite a bit) keep an eye on TeamMentor :)

Monday 7 March 2011

O2 Script: DWR FunctionsViewer and Invoker

If you are using (or testing) DWR, you might find the O2 scripts I just published quite interesting and useful:
There are quite a number of powerful O2 techniques at play here. For example, note the use of the HtmlAgilityPack to quickly fetch the details of a web page's links, or the use of Jint (JavaScript interpreter for .NET) to access the AST of DWR's dynamically created JavaScript pages (which contain the details of the Java functions that can be invoked on the server).

Note: DWR is a Java/Javascript AJAX-powerhouse Web Remoting technology (see http://directwebremoting.org for more details)
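As an added example (not part of this post, and not the O2 scripts themselves, which are C# and use Jint), here is a small Python parser that does the FunctionsViewer half of the job: read a DWR interface stub and list the server-side Java methods it exposes, with their parameter counts and the servlet path. The stub is constructed for this example, modelled on the `dwr.engine._execute(...)` wrappers DWR writes into `/dwr/interface/<ScriptName>.js`; the class name, method names and `/app/dwr` path are made up, and the `call/plaincall/<Script>.<method>.dwr` URL shape is assumed from DWR's plain-text call convention.

```python
import re
from dataclasses import dataclass

# Constructed sample of a DWR-generated interface stub. The names and path are
# invented; the shape follows the wrappers DWR emits for each remoted method.
SAMPLE_STUB = """
if (UserService == null) var UserService = {};
UserService._path = '/app/dwr';

UserService.getUser = function(p0, callback) {
  dwr.engine._execute(UserService._path, 'UserService', 'getUser', p0, callback);
}

UserService.updateEmail = function(p0, p1, callback) {
  dwr.engine._execute(UserService._path, 'UserService', 'updateEmail', p0, p1, callback);
}

UserService.listAll = function(callback) {
  dwr.engine._execute(UserService._path, 'UserService', 'listAll', callback);
}

// DWR 3-style wrapper: parameters forwarded via 'arguments' (assumed format)
UserService.deleteUser = function(p0) {
  dwr.engine._execute(UserService._path, 'UserService', 'deleteUser', arguments);
}
"""


@dataclass(frozen=True)
class DwrFunction:
    script: str        # script name DWR maps to a Java class
    method: str        # remoted Java method name
    param_count: int   # server-side parameters (the JS callback excluded)
    path: str          # DWR servlet path the stub was configured with


# '<Script>._path = '/...'' gives the servlet path for that script object.
PATH_RE = re.compile(r"(\w+)\._path\s*=\s*'([^']*)'")
# '<Script>.<member> = function(<params>) { <body> }' for each wrapper.
STUB_RE = re.compile(r"(\w+)\.(\w+)\s*=\s*function\s*\(([^)]*)\)\s*\{([^}]*)\}", re.S)
# The _execute call carries the authoritative script and method names.
EXECUTE_RE = re.compile(r"_execute\(\s*\w+\._path\s*,\s*'([^']+)'\s*,\s*'([^']+)'")


def parse_dwr_stub(js: str) -> list[DwrFunction]:
    """Return every remoted method declared in a DWR interface stub."""
    paths = {m.group(1): m.group(2) for m in PATH_RE.finditer(js)}
    found = []
    for script_obj, _member, params, body in STUB_RE.findall(js):
        call = EXECUTE_RE.search(body)
        if not call:
            continue  # a plain helper, not a remoted method
        script, method = call.group(1), call.group(2)
        # DWR names positional parameters p0, p1, ...; the trailing callback
        # (or 'arguments' in the DWR 3 style) is not a server-side parameter.
        n = len(re.findall(r"\bp\d+\b", params))
        found.append(DwrFunction(script, method, n, paths.get(script_obj, "")))
    return found


def call_url(fn: DwrFunction) -> str:
    """Plain-text call endpoint DWR serves for a remoted method (assumed convention)."""
    return f"{fn.path}/call/plaincall/{fn.script}.{fn.method}.dwr"


def summarize(functions: list[DwrFunction]) -> list[str]:
    """One human-readable line per exposed method, e.g. for a tester's report."""
    return [
        f"{fn.script}.{fn.method}({', '.join(f'p{i}' for i in range(fn.param_count))})"
        f"  ->  {call_url(fn)}"
        for fn in functions
    ]


if __name__ == "__main__":
    for line in summarize(parse_dwr_stub(SAMPLE_STUB)):
        print(line)
```

The point for a tester is the same as in the O2 script: every wrapper in the stub is a Java method reachable directly from the browser, whatever the page's UI happens to call, so the list above is the server-side attack surface to check for authorization and input handling on each method. A real run would fetch the stub over HTTP instead of using the embedded sample.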