Here is an email I wrote today for a security group I belong to here in the UK, which is made up of amazing security guys, whom most of the application tool vendors don't think exist. I have lost count of how many times I have asked a tool vendor for a particular feature or API just to be told '...you know, that is a great idea, but there is no market for it...'
So here it is, for the market that doesn't exist (which I think most of you who read my blog fit into), a 'very politically incorrect' description of what I have been doing for the past 12 months:
<start-----------------------------------------------------------------------------------------------
Disclaimer: there is some commercial content in this email, so for the really allergic types, please stop reading now.
For the past year, I have been working on the TeamMentor product from Security Innovation (which some of you might remember from the amazing 'let's hook everything that moves and fuzz it' tool called Holodeck, which is now available for download since SI is not actively working on it).
TeamMentor started its life as Microsoft's GuidanceExplorer (still available for download at CodePlex) and SI took it, webified it and added a lot more content (the original version was very .NET focused). TeamMentor is basically a really nice security guidance creation and distribution engine, which comes with a 3000+ item library of content covering a wide range of languages and content (you can try it at http://teammentor.net with the user ... and password .... )
For the past year I have actually been a 'real-world developer' and basically re-wrote that product (about 3 times) in order to make it very flexible, customizable and usable.
Now some of you have worked for product companies, and know how paranoid most execs are (for example where potential customers have to sign NDAs to even try a product!). What has been very cool at Security Innovation (SI) is that since their center of gravity is very much in eLearning/CBT and consulting services, they have been very relaxed about my ideas about how TeamMentor should be created, distributed and sold.
What this means is that I can share with you guys what I have been doing, which hopefully some of you will be able to use:
- Starting with the good bits: you can download the full version of TeamMentor's engine with a test library from GitHub: https://github.com/TeamMentor-OWASP/Master. You can also get my latest development branch from https://github.com/DinisCruz/TeamMentor-3.0-Release (while there, check out this cool GitHub graph of commits https://github.com/DinisCruz/TeamMentor-3.0-Release/network (man, git has changed my life!!! ))
- Note that although that version is on GitHub, it is not Open Source. It is under a 'not for commercial use' license, which for you guys means, '... don't use it in a way that Google finds it...' :)
- That said, the OWASP Library XML articles are released under Creative Commons (https://github.com/TeamMentor/OWASP_Library)
- This is one of the coolest parts of SI: they really allowed this product (which they have been investing in for a couple of years now) to be released without ANY licensing restrictions :)
- My logic, as the one who would have to code them, was: 'well, the guys who will bypass the licence will always be able to do it, so why make our and our customers' lives harder.'
- If you want another version of TM to play with (to see for example how it can be customized) you can download it from https://github.com/TeamMentor/TeamMentor-Documentation, which is the one used at the main documentation site (https://docs.teammentor.net), at the TeamMentor Technology pages ( http://docs.teammentor.net/xsl/Table_of_Contents) and the Customer Eval (http://docs.teammentor.net/xml/Eval - check out the XML+XSL transformation on that one)
- If you want to have a go and find vulnerabilities in it, I (as the main developer) actively encourage you to do so:
- "...O2 in Seattle..." and "...Please Hack TeamMentor (beta)..."
- Want to work? I need resources ASAP for the TeamMentor 3.1 release (I cannot pay your 'stratospheric rates', but if you are looking to make a couple of squid on the side (or know a good developer who wants to get into AppSec) this is a good chance)
- I also think that this is a great opportunity to talk about the security activities/issues of a real-world app, since the code is completely available and the SI guys are more than happy for these conversations to happen in public, for example
- For the Python coders amongst you, here is how we are creating a WebServices fuzz infrastructure: First you create Tests for WebServices, then you add the abuse/security cases
- Remember how I talked many times about codifying an application's security authorization model in O2? Well, take a look at these documents to see how I did that in my early days of coding TeamMentor: Testing TeamMentor 2.0 security using O2
- I'm also happy to say that SI is providing one of the most 'security consultant' friendly licenses and models that I have seen in our industry. Ok, this is not on their website, but I have been leaking how it works on my blog :)
- Btw, have I said how much I love Git and GitHub? I have been using it non-stop and it's a massive game changer!!
- For example GitHub is TeamMentor's native file system and content version control (TM articles are in XML files)
- GitHub is TeamMentor's client distribution model (i.e. the customers get their own GitHub repository, which we use to push new versions, and (if they have pushed back their local changes) we do the merges for them). Now how cool is that :)
- Oh yeah, and I also used O2's .NET APIs under the hood, namely the FluentSharp API (https://github.com/o2platform/O2.FluentSharp), which really makes the .NET APIs SO MUCH more usable :)
- O2 also allows me to easily manipulate TM's content. For example, here are a couple of videos of a static analysis engine integration: PoC of integrating TeamMentor with Checkmarx
- Finally, since I am an active user of this product, there are a number of features in there that I'm sure only you guys (and girls) will appreciate: online editing of backend code, drag n' drop upload of files, web based Git support, JavaScript invocation of webservices, in-browser Firebug Lite, QUnit tests, fuzzing engines, etc...
So yeah, sorry about the 'commercial links' but I think there is something special going on here.
Not only have I been able to release a commercial product under GitHub, I am able to blog about what I do every day and I'm creating a tool that will help to distribute security knowledge to a much wider audience.
Please have a go and let me know what you think :)
Btw, if you are going to InfoSec tomorrow, let's catch up (I will pop in to 44cafe in the afternoon).
-----------------------------------------end>