Thursday 31 May 2012

Video: Injecting compiled C# script into a Managed Process (using Snoop API)

Following from O2 Script to Inject Snoop into process with WPF control, here is the next step, where I was able to inject an O2-compiled dll into another .NET process.

Here is the video showing this in action (the script is already on O2's GitHub repository)




Video: O2 Script to Inject Snoop into process with WPF control

Here is an example of using the O2 Platform to consume other tools' capabilities.

In this case we are going to use the powerful Snoop API to visualize and manipulate the WPF controls hosted on another process.

Snoop is very powerful and it uses a pretty sweet remote process injection to do its trick. The O2 Script you can see below directly invokes the process injection sequence (after starting a process with a WPF control).

Here is a video that shows this in action:


And here is the script:
This next video was created when trying to use Snoop to find VisualStudio's TextEditor WPF control (see Snoop Tips & Tricks #1: Ctrl-Shift Mouse Over for a much faster way to find a WPF child control):




Wednesday 30 May 2012

Video: Injecting TeamMentor into Cat.Net running inside VisualStudio

Here is a pretty cool PoC where I used the O2 VisualStudio 2010 APIs to inject TeamMentor into Cat.NET.

To replicate this you will need:



Here is a video that shows the install process in action, and the extra functionality added to Cat.Net


Superhydrophobic Technology

This is one of the most amazing pieces of technology that I have seen in a while. These guys basically have invented a way to repel any liquid.

Here are the videos where I originally saw this technology




This technology is developed by http://www.neverwet.com who seem to be ready to launch a couple products based on it.

Tuesday 29 May 2012

Video: Running Chrome Natively in O2 and VisualStudio



UPDATE (Jan/13): See PoC - Selenium - Gui with 3 Hijacked Browser Windows.h2 post for a much better and powerful way to consume Chrome (and IE and Firefox) in another process




Following from Run Chrome inside O2  and Installing and running CefSharp (C# Chrome with WPF Browser) here is the full implementation of running Chrome as a Native C# WinForms and WPF control.

This is pretty powerful since Chrome is FAST. I also like the fact that I can easily embed Chrome in WinForm or WPF control with a couple lines. (take a look at these scripts)

Here is a video showing the PoCs in action (with the examples using WPF doing a 360 rotation, because they can :) )


Monday 28 May 2012

Video: NodeJS O2 REPL environment (using node.exe)

NodeJS is pretty amazing: I was able to get the node.exe (from here) and run its REPL environment with only that exe (no other installation or dependencies needed!).

Since it was that easy, I added NodeJS support to the O2 Platform and created a couple REPL editor environments which make it easy to consume NodeJS.

Here is a video of these new O2 Scripts (note how easy it was to create a NodeJS webserver :)



Some NodeJS references:

On Fuzzing WebServices

Since Arvind is now ready to start Fuzzing TeamMentor (see Fuzzing TM Webservices…fuzzing anything..?), here are a couple pointers on how to approach it.

Fuzzing is the art of sending unexpected stuff to an application and analysing its result. This is a very important part of making an app resilient since it (the app) should be able to handle unexpected/crazy inputs.

In my view there are 3 key elements that need to be in place when doing a fuzzing session:

  • Execution environment
  • Fuzz payloads/state
  • Fuzz targets/analysis

Let's look at each one in turn:

1) Execution environment: 


Before starting a fuzzing session one must create an environment that will allow us to create automated fuzz sessions. Here are some of the components needed (in this case slightly tweaked for fuzzing TM web-services):

  • Automatically create a clean testing environment/target (with clean database and some test content)
  • Detect when the database has been corrupted, and trigger a rebuild (which in TM means recreating the XML files and/or source-code files)
  • Ability to invoke the target WebServices (which is the Python API that Arvind has been creating)
  • (ideally) Ability to run multiple instances of the target server at the same time (to allow multi-thread requests)
  • Ability to detect abnormal behaviour on the application: weird responses, requests that take too long, large server CPU spikes, non-expected file access (maybe outside the TM directory)
  • Ability to detect when/if the server crashes (ideally running the target app under a debugger)
  • Speed-up or slow-down requests in order to find the maximum request load supported by the server (if you are running a fuzzing session locally you should be able to create more requests than the server can handle)

2) Fuzz payloads/state:


In terms of Fuzzing Payloads a great place to start is the FuzzDB which is a good base line for fuzzing strings to send to an application.

Once we have a way to consume these payloads, the key is to adjust them to the target methods, especially the ones that require some state (i.e. we need to provide some valid data or the payload never reaches the app).

So yes, some customisations will be needed on a per WebService method basis, since that is the only way to ensure maximum coverage.

Also very important is to look at the state/data returned from the WebService (with special attention being placed on cases where a payload sent to WebMethod A is returned from a normal request sent to WebMethod B).

Lack of 'understanding state' is the single reason why fuzzing is very hard. But without it we are just doing a  'fuzz-everything-that-moves' strategy (which sometimes works).

Finally, one must differentiate Infrastructure fuzzing vs Application Fuzzing (although both are very important). Infrastructure fuzzing is when one fuzzes the underlying services like ASP.NET (in TM's case). This type of test should be done once, and its results taken into consideration (for example fuzzing "GUID values on a method that expects a GUID" or "payloads on Headers" only really needs to be done once)

3) Fuzz targets/analysis:


When fuzzing one must have very specific targets and analysis in mind. 

For example here are a couple Fuzzing Targets:
  • Fuzz all WebService's methods with a small subset of crazy payloads (XSS/SQLi strings, large strings, negative numbers, large numbers, non-ASCII chars, weird Unicode chars, etc...)
  • Fuzz all WebService's methods with valid state and all strings replaced with:
    • XSS Payloads
    • SQLi Payloads
    • Directory traversal payloads
  • Fuzz all WebService's methods with valid state and all GUID replaced with
    • Random GUIDS
    • Valid GUIDs that should not be accepted (for example an existing FolderID used on CreateFolder)
  • Fuzz Authentication methods for authentication specific issues (for example brute force account/passwords attacks)
  • Fuzz content creation methods for XSS data injection
  • Fuzz methods used by multiple users (for example an editor and admin) and see if payloads injected by an editor are shown to admins
  • Fuzz methods in random invocation sequence (to try to detect weird race-conditions created by a particular test sequence)
  • After creating a mapping of what methods can be invoked by what users (a very specific type of fuzzing)
    • Fuzz the methods that should not be accessed by a particular user to see if there are blind spots that (due to a bug/vulnerability) enable that execution to occur
  • Create requests that can be 'consumed' by 3rd party scanners (like Zap, Burp, Netsparker, AppScan, etc...) and:
    • trigger those tests
    • consume its results
  • Fuzz the Fuzz results
    • There will be cases where the fuzz targets will be the fuzz results of previous sessions
These tests will generate a LOT of data, which needs to be:
  • Normalised (with similar responses reported as one)
  • Stored (as raw as possible) to allow later analysis
  • Analysed, taking into account:
    • the expected result for the fuzzed method
    • the type of test being performed
  • Reported (in an easy to consume and replicate format)

It is important to restate that each type of target requires a different type of analysis, taking into account what is being tested and (more importantly) what the expected method invocation result is.

Another very important concept is the need to have a fully automated fuzzing environment. This should be a 'fuzz-and-forget' world where the fuzz tests are executed without any human intervention (don't forget to add a 'stop' button :)  )

Although this sounds like a lot, the harder part is to create the environment required to execute the first couple Fuzzing Targets (as described above). Once that is done, the rest are variations.

Finally, always keep in mind that the objective is to create something that can be added to build environment so that these tests can be executed automatically (with any new 'findings/fixes' reported to the developers)
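As an added example (not code from this post, nor Arvind's Python API), here are the three elements above in one small Python harness run against a constructed in-memory stand-in for a TM-style web service: timing and crash detection with automatic rebuild (execution environment), FuzzDB-style payloads applied with valid state and tracked across methods (payloads/state), and per-target checks plus response normalisation (targets/analysis). The service, its two built-in defects, the method names and the payload list are all assumptions constructed for the demo.

```python
import html
import re
import time
import uuid
from collections import defaultdict

# Constructed sample payloads in the spirit of FuzzDB (not the real FuzzDB lists):
# XSS, SQLi, directory traversal, a large string, a negative number, odd Unicode.
PAYLOADS = ["<script>alert(1)</script>", "' OR 1=1--", "../../etc/passwd",
            "A" * 5000, "-1", "\u202e\ufeff"]
SLOW_THRESHOLD = 0.02   # seconds; slower responses are reported as abnormal
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")


class FakeLibraryService:
    """Constructed in-memory stand-in for the target (not TeamMentor's real API).
    Two defects are built in on purpose so the harness has something to report:
    GetFolder echoes stored names unescaped, DeleteFolder raises on unknown ids."""

    def __init__(self):
        self.rebuilds = 0
        self.rebuild()

    def rebuild(self):  # execution environment: clean library with seed content
        self.folders = {}
        self.seed_id = self.CreateFolder("Principles")
        self.rebuilds += 1

    def CreateFolder(self, name):
        folder_id = str(uuid.uuid4())
        self.folders[folder_id] = name          # stored without any validation
        return folder_id

    def GetFolder(self, folder_id):
        return "<title>%s</title>" % self.folders.get(folder_id, "")

    def RenameFolder(self, folder_id, name):
        if folder_id not in self.folders:
            return "error: no such folder"
        if len(name) > 1000:
            time.sleep(SLOW_THRESHOLD * 3)      # simulated pathological slow path
        self.folders[folder_id] = name
        return "ok"

    def DeleteFolder(self, folder_id):
        del self.folders[folder_id]             # KeyError on an unknown GUID
        return "deleted"


def invoke(service, method, *args):
    """Time every call, turn crashes into observations, rebuild after a crash."""
    start = time.perf_counter()
    try:
        response, outcome = str(getattr(service, method)(*args)), "response"
    except Exception as exc:
        response, outcome = "%s: %s" % (type(exc).__name__, exc), "crash"
    elapsed = time.perf_counter() - start
    if outcome == "crash":
        service.rebuild()
    elif elapsed > SLOW_THRESHOLD:
        outcome = "slow"
    return outcome, response


def normalise(response):
    """Collapse similar responses into one bucket: mask GUIDs and long repeats."""
    text = GUID_RE.sub("<GUID>", response)
    return re.sub(r"(.)\1{20,}", r"\1<REPEATED>", text)[:80]


def run_session():
    """Return findings, normalised response buckets and the rebuild count."""
    service = FakeLibraryService()
    findings, buckets = [], defaultdict(int)    # (kind, method, payload), bucket -> count

    def record(outcome, method, payload, response):
        buckets[normalise(response)] += 1
        if outcome in ("crash", "slow"):
            findings.append((outcome, method, payload))

    # Target: valid state, every string argument replaced with a payload.
    for payload in PAYLOADS:
        outcome, folder_id = invoke(service, "CreateFolder", payload)
        record(outcome, "CreateFolder", payload, folder_id)
        outcome, resp = invoke(service, "RenameFolder", service.seed_id, payload)
        record(outcome, "RenameFolder", payload, resp)
        # State check: a payload sent to CreateFolder that comes back unescaped
        # from a normal GetFolder request is the cross-method case to look for.
        outcome, resp = invoke(service, "GetFolder", folder_id)
        record(outcome, "GetFolder", payload, resp)
        if payload in resp and html.escape(payload) != payload:
            findings.append(("reflected", "CreateFolder->GetFolder", payload))

    # Infrastructure-style target, run once: every GUID replaced with a random one.
    for method, extra in (("GetFolder", ()), ("RenameFolder", ("x",)), ("DeleteFolder", ())):
        random_id = str(uuid.uuid4())
        outcome, resp = invoke(service, method, random_id, *extra)
        record(outcome, method, random_id, resp)

    return {"findings": findings, "buckets": dict(buckets), "rebuilds": service.rebuilds}
```

Against the stub this reports two unescaped reflections, one slow response and one crash (with the target rebuilt once after it), while the 21 raw responses collapse into 11 normalised buckets.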

Reddit
If you have comments or ideas about this post, please add them to this reddit discussion



Friday 25 May 2012

Video: Installing and running CefSharp (C# Chrome with WPF Browser)



UPDATE (Jan/13): See PoC - Selenium - Gui with 3 Hijacked Browser Windows.h2 post for a much better and powerful way to consume Chrome (and IE and Firefox) in another process




After we were able to Run Chrome inside O2, here is O2's native support for the CefSharp API (note that the first time that API is used, the install files will be downloaded and unzipped locally; if 7zip is not installed locally, it will also be downloaded and installed).

Here is the video that shows the CefSharp (C# Chrome) WPF and Windows Browser Controls in action:




Chrome about:about (list of internal pages)

Just found this cool way to access a lot of Chrome's internal information.

Just open: about:about or chrome://about

Here are some examples of these extra pages:

Losing my mojo with Wordpress.com (they're not getting the basics right)

So I've been using wordpress.com for a while to host O2's blog, but it has become more and more painful to use.

It crashes, doesn't load fast, html formatting goes all wild, there is too much stuff going on ... (it's faster to use Blogger than wordpress!!!)

Unfortunately it's another good example of a product/service that keeps adding new features and losing sight of its core functions (i.e. writing a blog).

One key objective of adding new features is to make things simpler to use (or keep them as simple as they were before).

I'm really close to start looking at alternatives and maybe even trying to move that blog into a TeamMentor based site!

Thursday 24 May 2012

Video: Installing O2's VisualStudio 2010 Add-In

Here is a video that shows the steps required to install O2's Visual Studio 2010 Add-in (also described in this post Running O2 REPL Script environment inside Visual Studio 2010)


Video: Under the hood of O2's REPL Script Environment

Here is a video that shows what happens under the hood when you write an O2 Script.

The concept is quite simple: Grab the code in the Editor and insert it inside a full blown C# method inside a class (using comments to indicate extra using and dll references).

This way we have the best of both worlds. Full C# 4.0 coding capabilities (like the new Dynamic objects) in a much nicer/simpler REPL scripting environment.

Here is a video that shows this in action:



Video: O2's DWR support (and two-way Javascript manipulation)

This is an oldie, but I was talking with an O2 user about O2's ability to send and receive data from Javascript (via the IE object), and this DWR is a great example of that.

Note how in the video the data sent to the DWR test server is manipulated (on the client side) by the Javascript (shown on the left) that is injected into the browser:


Wednesday 23 May 2012

C# Dynamic capabilities (using ExpandoObject)

This is reallllllllllyyyyyyyyyyyy cool+powerful!


What you have here is the dynamic creation (a-la-python) of a variable and a method.

Humm... this opens up a HUGE amount of very interesting scripting capabilities, namely the ability to dramatically simplify the scripting of certain APIs :).

Some references:

Here is the code as a Gist:

Running Chrome inside O2



UPDATE (Jan/13): See PoC - Selenium - Gui with 3 Hijacked Browser Windows.h2 post for a much better and powerful way to consume Chrome (and IE and Firefox) in another process




Here is something that I have been wanting to do for quite a while.

Using the compiled dlls from https://github.com/chillitom/CefSharp/ (which is a wrapper on top of http://code.google.com/p/chromiumembedded/), here is Chrome running inside O2


And here is the code that made this happen:

Wednesday 16 May 2012

Video: O2 Platform - Using FuzzDB on AltoroMutual for XSS and SQLi (with screenshot after payload)

Here is a video that shows a couple of O2 Scripts in action:
  • View FuzzDB XSS Payloads (after a first-time-run installation)
  • Fuzz AltoroMutual site with FuzzDB SQLi payloads, taking a screenshot after each request and colour coding the vulnerable status
  • Fuzz AltoroMutual site with  FuzzDB XSS payloads, taking a screenshot after each request and colour coding the vulnerable status



Saturday 12 May 2012

CS-Script - The C# Script Engine

CS-Script looks very similar to the O2 Scripting Environment.

Here is a Code Project article that provides more info on CS-Script: http://www.codeproject.com/Articles/8656/C-Script-The-Missing-Puzzle-Piece

Code Project is a great reference, and I really like how they allow tools to write technical articles in there. Maybe it is time to write a couple O2 articles and put them in there :)

UPDATE: if you are interested in C# Scripting environments, take a look at O2's C# REPL Script Environment 

Installing WiX Toolset

Just downloaded WiX RC0 from CodePlex which has now a new Metro GUI (I can see how they are trying to simplify the Install GUI)

The screenshot below is what happens after we click on the middle panel (which used to say 'Install') and wait for the progress bar (created inside that 'Install' Panel) to reach 100%



Although it looks good, when making something simple, one has to be careful not to lose too much context.

For example, upon clicking on the install panel/button, there was a big pause where I was confused about what was going on. And once it was completed there was no clue where the files were installed to! :)

I think the installed WiX files are now at C:\Program Files\WiX Toolset v3.6,  but that is a calculated guess since this GUI doesn't give me that information (or am I missing something obvious?)

Also on that folder, there doesn't seem to be any samples, which makes it a bit hard to see how WiX works, since I have never used WiX before.

Any tips on using WiX?

Glimpse : Amazing way to visualize asp.net mvc

Glimpse is a really powerful ASP.NET Server/Browser tool with very powerful features like ASP.NET MVC Route Debugging , Tracing in MVV, Ajax Support and extensibility

I have a bunch of places I would like to use Glimpse, but first I need to give it a test drive :)

Meanwhile, here is Glimpse in action:

Javascript Visualization tools/APIs

Here are a couple good resources for Javascript Visualization:

Some ideas for OWASP GSD Project

When I started talking about the OWASP GSD Project (GSD = Get Stuff Done) with fellow OWASP leaders, one of the questions I received was 'Ok so where will the money be used?'

The concept of GSD is to empower the OWASP Leaders to spend on OWASP projects, so in a way the 'what would it be used for' will be defined by them (the OWASP Leaders).

If you are an OWASP Leader, you are the one that will be empowered to spend GSD funds, so look in the mirror and ask yourself the question 'Where would I spend funds on OWASP Projects' :) .

OWASP GSD Project (GSD = Get Stuff Done)

Yesterday I started the OWASP GSD Project, based on:
The Project's main page is at: https://www.owasp.org/index.php/OWASP_GSD_Project  and below (end of this post) you will find a copy and paste of today's version of this project page (which is the first pass at defining what the GSD is)

What is OWASP?: OWASP is a Community (passionate about Application Security)

One of the interesting things about defining OWASP's mission is that I don't think the OWASP community can even agree on the 'definition of 'mission', never mind what that actual 'mission' should be.

Since OWASP is such a widely dispersed worldwide group of people with massively disparate interests, ideas, beliefs, focus, values, etc... it is just about impossible to agree on a strategic 'mission'.

There was an attempt a while back to create a vision for OWASP (with mission, values, purpose, objectives....) which didn't really work, and currently we have a fuzzier definition of what OWASP is on the OWASP About page.

The problem I have with the current lack of definition of 'what is OWASP' is that we don't have a good way to measure our success or failure, i.e. our progress.

So here is what I think OWASP is (you can call it its 'mission + vision + purpose'):

OWASP is a Community (passionate about Application Security) 

There are two key concepts in that definition:

1) OWASP is a community - At the core, this is what OWASP is. We are a massive social movement who is able to motivate a huge amount of people to dedicate their most valuable asset (time) for OWASP related activities

2) Passionate about Application Security - What is always striking about OWASP contributors is how passionate they are about Application Security. They really care about this stuff and spend countless efforts in trying to make it better (each in their own focused area).

And this is as far as we can define OWASP at a higher level. Everything else is a specific implementation/focus around this (basically, if something XYZ is about Application Security and it is a 'Community' activity, then that is part of the OWASP ecosystem)

And the reason why I think it is very important to put 'OWASP is a Community' at the heart of OWASP, is because it will give us a north when reviewing what is currently happening and what 'should' be happening that isn't.

I would say that every action that happens at OWASP that promotes community and creates connections between A and B, is something worthwhile doing. And when those connections are not happening, efforts should be made.

The reality is that creating, fostering and maintaining communities, is something that is very hard.

It is also something that doesn't happen by default since there are a lot of tasks (and jobs) that need to be done in order to allow a community to thrive and work.

And here is where the OWASP employees (and the 'OWASP Platform') come into play.

That team of professional individuals is there to make the 'Community' part of OWASP work.

And the simple question "will this help OWASP's Community" should be used when faced with a financial, political or implementation decision.

OWASP is at a massive cross-road, where tough decisions need to be made and massive amounts of energy are needed in order to keep OWASP relevant and productive.

My hope is that this a simple idea (OWASP is a Community (passionate about Application Security) )  will allow those decisions to be made.

And the power of OWASP doesn't come from the Board or any other political structure. The power of OWASP comes from its community, i.e. you.

So next time, somebody asks you 'What is OWASP?'

Just say: OWASP is a Community (passionate about Application Security) 

Friday 11 May 2012

To read: ENISA on 'National Cyber Security Strategies'

On May 08, 2012 ENISA published a National Cyber Security Strategies paper which reviews the current status of cyber security strategies.

Here is their description:
"..The paper includes a short analysis of the current status of cyber security strategies within the European Union and elsewhere. It also identifies common themes and differences, and concludes with a series of observations and recommendations. The paper is based on the preliminary findings and analysis from an ENISA project that is working to develop a Good Practice Guide on how to develop, implement and maintain a national cyber security strategy. The Good Practice Guide is intended to be a useful tool and practical advice for those responsible and involved in cyber security strategies...."

Here is the PDF, any comments?

Btw, I had a quick look and found no reference to OWASP, shouldn't we be involved here? Or does Cyber-Security have nothing to do with Application Security?

Wednesday 9 May 2012

Video shown to Barcelona Team before the 2009 final

This is a great example of how to generate motivational energy before a big event:



Streaming RemoteDesktops via images

Bob Craven posted a series of blogs in 2009 that provide a very nice solution for streaming RemoteDesktops (and probably applications).

Here is how he does it:

  • take fast screenshots of the desktop
  • figure out what part of the image changed (when compared with the previous one)
  • share that image via WCF
  • push that info to clients
He has a PoC using both a Windows app and ASP.NET app (yes, streaming over the web :) )
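As an added example (not Bob Craven's code), here is the 'what part of the image changed' step in Python on constructed frames: the desktop is split into fixed-size tiles, only the tiles that differ from the previous frame are produced, and the client patches its last known frame with them. The WCF sharing and push steps are left out; the frame layout (lists of rows of pixel values) is an assumption for the demo.

```python
def dirty_tiles(previous, current, tile=4):
    """Compare two equally sized frames (lists of rows of pixel values) and
    return only the tiles that changed, as (x, y, rows) triples. That list is
    what would be shared with clients instead of the full frame."""
    height, width = len(current), len(current[0])
    changed = []
    for y in range(0, height, tile):
        for x in range(0, width, tile):
            rows_now = [row[x:x + tile] for row in current[y:y + tile]]
            rows_before = [row[x:x + tile] for row in previous[y:y + tile]]
            if rows_now != rows_before:
                changed.append((x, y, rows_now))
    return changed


def apply_tiles(frame, tiles):
    """Client side: patch the last known frame with the received tiles and
    return the reconstructed frame (the input frame is left untouched)."""
    result = [list(row) for row in frame]
    for x, y, rows in tiles:
        for dy, row in enumerate(rows):
            result[y + dy][x:x + len(row)] = row
    return result


def make_frame(width, height, fill=0):
    """Constructed blank 'screenshot' of the given size."""
    return [[fill] * width for _ in range(height)]


def demo():
    """Constructed 8x8 desktop where a 2x2 cursor appears across a tile
    boundary: only two of the four tiles change, and the client's patched
    frame must equal the new frame exactly."""
    before = make_frame(8, 8)
    after = make_frame(8, 8)
    for y in (1, 2):
        for x in (3, 4):
            after[y][x] = 255
    tiles = dirty_tiles(before, after)
    return tiles, apply_tiles(before, tiles) == after
```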

Here are his amazing posts on this topic:


Note: on the topic of remote access this VNC# client library seems quite powerful

JustCode, anybody using it?

Just saw http://www.telerik.com/products/justcode.aspx and it looks like an interesting alternative to Resharper. I stopped using Resharper due to its performance (it was slowing down VisualStudio quite a lot).

I wonder if JustCode is better?

Anybody using it?

What about its code analysis capabilities? Any security rules in there?

Btw, I'm still amazed that these tools (code analysis and productivity) have not entered the SAST (Static Application Security Testing) market.

They clearly have all the artefacts/code-representations required to find security vulnerabilities via taint-flow analysis (and their GUIs/Workflows are so much more 'developer friendly')

Visualizing TeamMentor Link's structure (with Graphs)

Here is one of my TeamMentor related tasks for this week:

1) Find a big data visualizer/manager and make a prototype. Scenarios:
  • Show me structure of the library (directed graph, start from principles policies, filter external out) and let me manipulate the relationships.
  • Show me everything from this article (click on an associated article and you can move to that one) and let me add links to other articles and external links.
  • Show me external links that are broken.
Basically what we are trying to solve is how to visualize (and eventually manipulate) the links/connections between the multiple articles.

Tuesday 8 May 2012

Video on Creating stand-alone WinForms and H2 script

Michael asked me today how to create stand-alone WinForms via O2 scripts and what is an H2 file?

So, here is a video that provides the answers:


Basically, to create a WinForm in an O2 Script all that is needed is to call the System.String 'popupWindow' extension method. For example:


The string is the form title, and the (optional parameters) are the Width and Height.

An H2 file is just an XML file with the serialization of a script (like the one above) which is registered to O2 so that when you double click on it, Windows will invoke the O2 Platform with that file as a parameter.

When you do that, O2 will detect that there is a parameter and only execute that script, instead of loading up the main GUI (this is also how you can easily invoke O2 scripts from the command line)

Making Payments using Paypal at elance.com, why is it that hard!

So, I'm trying to set-up the payment workflow for the TeamMentor's elance.com contractors, and it is not going as smoothly as I would like.

  • First Paypal doesn't seem to have a way to allow its own merchant accounts to make payments via Paypal (I was set up with an account in SI's corporate account which only seems to give me access to take payments, not make them)
  • Our solution was for me to create a personal paypal account, which is used to receive funds via paypal (who will charge a commission!) from SI
  • Ideally I should be able to use this account to make payments at elance, except that elance.com doesn't seem to allow making payments via paypal funds (only cards)

I sent this question to elance's support, so let's see what they say

How do I make a payment using Paypal's fund currently available in that Paypal account?

I don't want to use a Card, since these are funds from the company I'm working for and they have transferred funds to me (via paypal)

But when I go into paypal, I don't get the option to pay using available funds

I guess I might take a look at https://www.odesk.com/ to see if they can handle this problem. I like Elance, but this is a deal-breaker issue (also Elance's speed from the UK is a bit of an issue)

Why does DISQUS want to update my tweets?

So I was trying to add a comment into Stephen's blog, and to authenticate I chose twitter.

This is great since it gives me a way to prove my identity without creating yet another account.

But, when I am redirected to Twitter to authorize DISQUS, I get this:


WTF! Why do I need to give DISQUS access to update my profile and post tweets?

I don't want that, I just want to authenticate myself.

Now Google seems to do a much better job here, since it only asks for my email address to be validated:

Well at least that is what I hope that the OAuth permission shown above actually does! (I really don't want DISQUS to access my inbox and start writing emails for me)

This is a great example of empowering users to make security decisions. In this case Google gets a #pass and DISQUS a #fail

Using BDD-Security in TeamMentor

Following my discovery of BDD-Security (see Using BDD-Security to test WebServices Authorization Rules?) I was able to contract (via SI) some of Stephen's time to work on integrating his BDD-Security project with TeamMentor.

The brief (as you can see on Stephen's blog Brief: Testing TeamMentor with BDD Security) is to


... create a set of BDD-Security tests to test the Web Services behind TeamMentor.

The deliverables for the project will be:

  1. An executable set of BDD-Security stories for a sample of 20 of TeamMentor’s web services
  2. Integration of BDD-Security with the Jenkins CI server. The CI server should monitor github, and every time a commit is made to TeamMentor the security tests should be run and a report generated.
  3. BDD-Security will run automated access control tests on the supported web services
  4. BDD-Security will run automated security scanning using Burp on the supported web services.
  5. A series of Blog posts describing the steps in the process.
This is a great step in creating a much more solid CI environment for TeamMentor

If you want to look/follow the code, the GitHub Repository is at:  https://github.com/stephendv/bdd-teammentor


This job is going to be managed via Elance, and you can see the proposal here: https://www.elance.com/j/testing-teammentor-bdd-security/30393016/ 

Two factor Identity protection at Elance.com

Elance.com (which I'm using for TeamMentor sub-contracting) has a couple interesting security features.

After login 

Note that the login has no apparent lockout, which is a good thing (i.e. it took me about 10 times to remember my pwd)

On new logins it asks for the answer to the favourite question:


Note that this 'extra step' doesn't show all the time. Here is their explanation for showing it:



The email and phone number need to be verified. 

For example this is what happens when I triggered the phone verification process:


SSL only experience
Even if you log in via http, the login is done over SSL, which is preserved after login:


It's all about trust, threats and risk:
I really like their approach, since it is a good balance of security vs usability.

It also shows that security features are very closely connected with the trust level of the website, its threats and risk profile.

For example some of these would be over-the-top for the current version of TeamMentor

Code Snippets in WordPress.com are driving me crazy (help and alternatives?)

I just created this RTF file to blog - adding OData to O2.rtf which provides a walk-through on adding OData support to O2.

My problem is that I don't have an easy way to convert the text and scripts from that RTF file into a Wordpress.com post, since the formatting/layout completely breaks! (even if copying and pasting from Notepad).

So here is my question: what is the best place (blog engine) to write this type of article (text + code snippets + images)? I'm about to give up on Wordpress.com!

Btw, if you know how to do this, then please help me in converting this RTF into a Wordpress.com post (that I could use in http://o2platform.wordpress.com). 

As you can see by the large number of posts with source-code samples (in http://o2platform.wordpress.com), I have done this conversion far too many times....and ... I'm really tempted to just add a couple features to TeamMentor and start doing this there :)

Monday 7 May 2012

Documenting how to test WebServices using scripts - the story so far

Here is the chronological consolidation of the  efforts (by Arvind and me) to write a detailed story of the steps required to create a Security / QA test suite for TeamMentor

These are my posts with analysis of what is going on, key concepts, extra briefing notes, and links to Arvind's relevant posts:

These are Arvind's posts with his efforts, ideas, problems, solutions and scripts:

Sunday 6 May 2012

Using O2 with HacmeBank

Michael Hidalgo (from OWASP's Costa Rica Chapter) just wrote a great blog post on using O2 with Hacmebank: Starting with OWASP O2 Platform : a short step in a long journey

If you are trying to use O2, I strongly recommend that you read it since it shows nice step-by-step instructions on how to use O2 to login to HacmeBank.

What is even more interesting is that Michael didn't actually use the HacmeBank scripts that already exist in O2 :)

And there is a LOT that can be done with O2 and Hacmebank:

Friday 4 May 2012

TeamMentor Partner Program Update

Email Tom just sent to TeamMentor's Partners.

I really like the 'voice' of this email. Yes it is 'Marketing speak' (Tom is Director of Product Marketing), but as these types of messages go, I think it's much more relaxed and low on the BS level :)

What do you think? Am I too biased? Is it OTT? Is it OK?

Ping me with your views :)



-------------

Greetings Partners! As the TeamMentor Partner Program continues to grow rapidly, we want to provide you with a few resources to enhance your TeamMentor experience, get you comfortable using TeamMentor and get your customers to start using it. We've also tried to address questions we've heard from a few of you.

First off, TeamMentor V 3.1 is now generally available! The major improvements in V 3.1 focus on stability and usability for customers, with support for Active Directory and integration with additional Web Services API's. We've added a new content library featuring the CWE Top 25 Vulnerabilities consisting of 110 new articles and updated our PCI DSS Compliance library, both enhanced with prescriptive guidance for remediating software code. Full release notes are available here.

What does TeamMentor do?
TeamMentor helps bridge the gap between application security policies and secure development standards. By integrating prescriptive, technical security guidance with your security policies, TeamMentor is the perfect In-Practice companion to help reduce your application security risk profile.

Where can I find a TeamMentor use case?
Or here, on the TeamMentor Evaluation Resource page, where you can also try the Web version or download and install to run locally from your machine. (contact us and we will set you up to run locally)
Or here, on our YouTube channel, where you can see a series of short features-focused and integration videos. (We'll be releasing new videos for you soon)

Where can I find comprehensive documentation?
Or take a look at our new series of 'How-It-Works' articles on TeamMentor, right in TeamMentor? Click here.

Are industry analysts talking about TeamMentor? (the answer is yes)
"Implementing an application security program requires identifying gaps in the organization — among security, operations, development and business units — and bridging them in a scalable way.  Sharing a knowledge base is a good way to keep the information flow going, even when the meetings are done." -- Wendy Nather, Research Director, Enterprise Security Practice, 451 Research

Where can I find blogs on TeamMentor?
Blog by Dinis Cruz (Dinis is the principal architect of TeamMentor)
Tom Bain's blog (Interesting uses of TeamMentor for the non-technical user)
Follow TeamMentor on Twitter. @TeamMentor1

Where can I find marketing content?
Download our white paper to understand how mapping to the OWASP Top 10 and using TeamMentor to fix vulnerabilities help toward a comprehensive application security program.

Best regards,
Dinis Cruz, Principal Architect, Security Innovation

Tom Bain, Director, Product Marketing, Security Innovation


What is TeamMentor's licensing model?

I got a couple of questions recently on the licensing model of TeamMentor, so it's better if I answer them here.

TeamMentor has an 'interesting' license structure and deployment:

  • The master version of TeamMentor's source code is published at GitHub, can be freely downloaded/cloned, AND is released under a soft 'not-for-commercial-use' license:
    • this means that you can use TeamMentor as long as you don't sell it (the application) or use it commercially as a service
    • note that any content created using TeamMentor is owned by the author (ie. you)
    • just to be clear: THIS is the full application! Apart from specific customer customizations, this is the same code-base as the one used in the 'paid for version' (which is a Git Fork)
    • There is no license restriction/controls, so we are trusting the community not to abuse it :)
  • There is a 'TeamMentor+OWASP Library' version (see http://owasp.teammentor.net), which we call our 'evaluation version' and contains:
    • a Git Fork of the full source code of TeamMentor (with the same soft 'not for commercial use' license)
    • a TeamMentor Library (written by SI about the OWASP Top 10) which is released under Creative Commons
  • There is a paid version of 'TeamMentor + SI Library', which is the one with the 4000+ articles:
    • if you are a security consultancy (providing security services to other companies), then you are what we call a 'Partner' and you can use TeamMentor for free internally and with your customers
    • if you are a product company (and want to embed/consume TeamMentor's content), you are also what we call a 'Partner' and will be able to use its content for free in your product (we have agreed internally on similar rules-of-engagement as the ones used for security consultants)
Bottom line, TeamMentor is NOT FOSS software, but it's closer than most products out there.

Note that the centre of gravity at SecurityInnovation (SI) is more aligned with content than with tools. For example, see their 40+ e-learning courses delivered on the TeamProfessor platform, which should explain why SI is comfortable with this model for TeamMentor.

TeamMentor Demo Script

Below is a document that Jason (from SecurityInnovation) wrote about how to present TeamMentor for potential customers.

It is a really nice overview of how TeamMentor works and how to present it.

Note that this was written from SecurityInnovation's point of view. If you want to reuse this to present TeamMentor, you probably want to add your own magic sauce into it :)

--------------------------------

Introduction


Start by explaining how TeamMentor fits into the three pillars of success:

  1. Our goal is to help you reduce your application security risk
  2. The best way to reduce application security risk is to use a secure software development lifecycle
  3. The three pillars of success are:
    • Standards. These are the architecture, coding and deployment standards that allow your teams to comply with your corporate security policies.
    • Training. This is how you set the foundation of knowledge that your team needs in order to succeed.
    • Assessment. Use assessments to check your teams' compliance with your security policies. Based on the gaps you find, you can update your standards and your training.
  4. TeamMentor is our solution for distributing secure development standards to your team and linking them to your security policies
  5. TeamProfessor is our solution for education
  6. We provide a set of assessment services to help you find and fix vulnerabilities in your code and gaps in your development processes.

Demo


Browse to http://teammentor.net

Log in:

  • Username: Admin
  • Password: ******

Explain what TeamMentor Is, and then flow the demo by the use cases first
  • TeamMentor consists of a web application, back end and source content.
  • The application allows you to use the content as is, customize it, or create your own.
  • Customers use TeamMentor in several ways. The key use cases are
    • A central place that allows easy access to the standards we talked about, in a way that the information needed for a given task is easily accessible, from the policy information to the technical information needed to implement the policy. Customers put their policies in TM and can link them to SI-provided technical information, also customized for the environment.
    • A reference for the technical information needed to remediate software vulnerabilities found by scanners and assessments. TM allows easy searching and filtering to find the specific information needed in the language being used
    • A general reference for all SDLC secure application development best practices for all phases from design and architecture, through development, testing and deployment

Explain some TeamMentor facts:



  • TeamMentor contains over 3000 articles covering a wide range of technologies and best practices
  • We’ve broken them into a set of libraries based on technology areas such as .NET, Java, PHP, C++, etc.
  • Show the libraries UI and expand the .NET 3.5 library:
  • Explain how the libraries are organized into a library, folder, view structure
    • Libraries contain folders to focus on various important areas
    • Folders organize views
    • Views organize articles
  • Explain how the above structure makes it easy to organize policies and standards for easy access to what is needed at the time of use
  • Show some examples
    • Expand fundamentals of security and show how it collects articles for areas of security where mistakes are most often made
    • Expand OWASP Top 10 and show how it organizes articles by the Top 10 most pervasive threats for web applications. Talk about how this includes best practice and remediation advice in detail
    • Expand PCI DSS Compliance and show how it gives guidance on how to comply with each PCI requirement. Talk about how this can be integrated with corporate policies to ensure PCI compliance as part of practices OR can be used as is as the basis of a PCI app dev compliance.
    • Expand Security Engineering and show how we have process guidance for each phase of the software development lifecycle
    • Explain that we included top 5 vulnerabilities for thick client and web services to complement the more well known OWASP Top 10
  • Security Engineering should still be expanded, so click on Test Activities and show the two guidance items in this view.
  • Explain that guidelines represent prescriptive guidance, a standard you can use to guide you to do the right thing when trying to accomplish a task which can be linked to from policy or vulnerability reports
  • Checklists are created for every guideline and they explain how to assess that the standard has been followed. We are strong believers in a checklist-based approach to assessments, so we’ve created checklists in every area to help with code review, pen test, process review, etc. Explain how checklists can be used to help ensure compliance with internal policies and external requirements
  • Open the guideline and explain how the structure always shows What to do, why it matters, when to do it and then how to get it right.
  • Explain that this is how we take policies to the next level. Policies explain only what to do, our guidance explain how to do it right for the specific technology and environment that is relevant for the developer
  • Open the checklist item and explain how the structure always shows what to check for, why it matters, how to check and then if a problem is found, how to fix.
  • Open the article in a new window by either double clicking the title in the list view or by clicking the expand icon in the preview panel
  • Explain that articles can be edited by anyone with the proper permissions.
  • Click the edit guidance item
  • Show the editor and explain that you can modify the article title, attributes or content itself

  • Close the window and return to the main UI.
  • Mention that the entire library can be edited, click on the edit mode link to reveal this functionality
  • Right click on the .net 3.5 library and show the menu that allows you to add views, folders, new items, or add and delete libraries themselves.

Frequently Asked Questions


Q: What are the install requirements?
A: TeamMentor is typically run on IIS, though you can run it locally on Cassini as well. You don’t need a database server or any other services; IIS alone is enough. The articles are all stored on the file system in XML files. We did this not only for ease of deployment but also for performance reasons. SQL was used in TeamMentor v1 and v2 but it was overkill.

Q: What are the performance constraints of TeamMentor?
A: We’ve used TeamMentor with 5,000 articles in a library and it ran fine. We found that it works best, however, if you have 3,000 or fewer articles in a library; this is one reason we broke our articles into multiple technology libraries. All of our processing is done on the client, so that is why searching, filtering and viewing articles is so fast. On a slow connection you may see a delay when you first load TeamMentor. This is caused by the fact that we pre-fetch the TeamMentor libraries when you first open the application.

Q: How do we handle updates if we make changes to the libraries?
A: We will create a GitHub fork for you and you can use that source control for all of your articles. When we have an update ready for you, we will perform a merge for you so that your changes are retained and you get the newest updates from us. If you cannot use GitHub we will work with you on another solution.

Q: When will you have X technology covered in your libraries?
A: We base our roadmap on customer feedback such as yours. If you purchase and have a technology area that you want included in a future release, please let us know and we’ll make it a priority. We update TeamMentor every quarter with new content and application improvements.

Using BDD-Security to test WebServices Authorization Rules?

Stephen de Vries just pointed me to BDD-Security, which looks pretty powerful (BDD is definitely something I want to get more into).

Here are a couple references for BDD-Security:



I'm in :)

... now let's make this work: what is the best way to integrate BDD-Security with a .NET app like TeamMentor? 

I see a couple things to figure out:
  • Execute the BDD-Security tests outside Eclipse
  • Write the stories in a .Net environment (like O2, VisualStudio, MonoDevelop, SharpDevelop, LinqPad, etc...)
  • Find a way to convert the 'TeamMentor spreadsheet rules' into BDD security rules (in fact, before we do that, we need to have working BDD tests for each of the WebServices, since most need state in order to even be executed)
  • I wonder if I could use IKVM or Sharpen or other to be able to run BDD-Security natively in .NET? :)
The way I'm looking at this, we need:
  • The official 'these are the business rules' mappings (in a consumable format like the spreadsheet below)
  • The static analysis of the code that extracts the current behaviour from the code (which in TeamMentor are implemented as CAS Security Demands)
  • The Dynamic invocation of the webservices methods (i.e. the attack surface)
  • The analysis of all this data (with the blind spots being vulnerabilities)
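To make the last two bullets concrete, here is an added example (my illustration for this post, not code from BDD-Security, TeamMentor or O2) of the 'diff the rules against the attack surface' step. The 'spreadsheet rules' are modelled as an expected role-by-method matrix, the web service is a constructed in-process stand-in whose `demand` decorator plays the role of the declarative security demands mentioned above, and every (role, method) pair is invoked dynamically so observed behaviour can be compared with the rules. The method names, roles, sample arguments and the two planted defects are all made up for the example; it is in Python so it runs stand-alone, while the real target would be a .NET service.

```python
import functools
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the 'business rules spreadsheet':
# method -> role -> is the call expected to be allowed?
EXPECTED: Dict[str, Dict[str, bool]] = {
    "GetArticle":    {"Anonymous": True,  "Reader": True,  "Editor": True,  "Admin": True},
    "EditArticle":   {"Anonymous": False, "Reader": False, "Editor": True,  "Admin": True},
    "DeleteLibrary": {"Anonymous": False, "Reader": False, "Editor": False, "Admin": True},
    "CreateUser":    {"Anonymous": False, "Reader": False, "Editor": False, "Admin": True},
}


class AccessDenied(Exception):
    """Raised by the stand-in service when a demand is not satisfied."""


def demand(*allowed_roles: str) -> Callable:
    """Hypothetical decorator standing in for a per-method security demand."""
    def wrap(fn: Callable) -> Callable:
        @functools.wraps(fn)
        def checked(role: str, *args):
            if role not in allowed_roles:
                raise AccessDenied(f"{fn.__name__}: role {role} not permitted")
            return fn(role, *args)
        return checked
    return wrap


# Constructed service under test. Two defects are planted on purpose:
# EditArticle carries no demand at all, and DeleteLibrary's demand lists nobody.
# ExportAll is exposed but has no row in the rules matrix.
@demand("Anonymous", "Reader", "Editor", "Admin")
def GetArticle(role: str, article_id: str) -> dict:
    return {"id": article_id}


def EditArticle(role: str, article_id: str, body: str) -> bool:
    return True


@demand()
def DeleteLibrary(role: str, name: str) -> bool:
    return True


@demand("Admin")
def CreateUser(role: str, name: str) -> str:
    return name


@demand("Admin")
def ExportAll(role: str) -> list:
    return []


SERVICE: Dict[str, Callable] = {
    f.__name__: f for f in (GetArticle, EditArticle, DeleteLibrary, CreateUser, ExportAll)
}
# Constructed sample arguments so every method can actually be invoked.
SAMPLE_ARGS: Dict[str, Tuple] = {
    "GetArticle": ("a1",), "EditArticle": ("a1", "new text"),
    "DeleteLibrary": ("NET35",), "CreateUser": ("bob",), "ExportAll": (),
}


@dataclass(frozen=True)
class Finding:
    method: str
    role: str
    expected: bool
    actual: bool

    @property
    def kind(self) -> str:
        # Access granted that the rules forbid is the security finding; access
        # denied that the rules allow is a functional break, and either way the
        # rules and the code have drifted apart.
        return "VULN" if self.actual and not self.expected else "BROKEN"

    def story(self) -> str:
        """Render the expected rule as a BDD-style scenario line."""
        outcome = "granted" if self.expected else "denied"
        return f"Given a {self.role} user, when they call {self.method}, then access is {outcome}"


def observe(service: Dict[str, Callable], method: str, role: str) -> bool:
    """Dynamic invocation: True if the call was accepted, False if denied."""
    try:
        service[method](role, *SAMPLE_ARGS[method])
        return True
    except AccessDenied:
        return False


def check_matrix(expected: Dict[str, Dict[str, bool]],
                 service: Dict[str, Callable]) -> Tuple[List[Finding], List[str]]:
    """Diff the rules matrix against observed behaviour for every (method, role)."""
    findings = [Finding(m, r, allowed, observe(service, m, r))
                for m, rules in expected.items()
                for r, allowed in rules.items()
                if observe(service, m, r) != allowed]
    # Methods in the attack surface with no row in the rules are untested by
    # definition: those are the blind spots to go and look at first.
    uncovered = sorted(set(service) - set(expected))
    return findings, uncovered


if __name__ == "__main__":
    found, uncovered = check_matrix(EXPECTED, SERVICE)
    for f in found:
        print(f"[{f.kind}] {f.story()} (observed: {'granted' if f.actual else 'denied'})")
    print("Exposed but not in the rules:", uncovered)
```

Against the constructed service this reports two VULN findings (EditArticle is callable as Anonymous and Reader), one BROKEN finding (Admin cannot DeleteLibrary) and ExportAll as uncovered attack surface. Against a real service the `observe` function would be replaced by an authenticated call per role, which is exactly where the 'most need state in order to even be executed' problem above bites.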
Related Posts: