Thursday 8 November 2012

FLOSSHack TeamMentor and the 'sausage making process' that is software/application development

OWASP's FLOSSHack events are a really powerful initiative.

"...Free/Libre Open Source Software Hacking (FLOSSHack) events are designed to bring together individuals interested in learning more about application security with open source projects and organizations in need of low cost or pro bono security auditing. FLOSSHack provides a friendly, but mildly competitive, workshop environment in which participants learn about and search for vulnerabilities in selected software. In turn, selected open source projects and qualified non-profit organizations benefit from additional quality assurance and security guidance...." 

See FLOSSHack_One for the details (and vulnerabilities discovered) of the first event.

OWASP's FLOSSHack is one of those 'magical' spaces where the OWASP community and its projects can come together and add a lot of value.

In fact, I remember the idea of doing something like this at the last Summit(s), but we couldn't find a FLOSS or commercial vendor that wanted to 'play the game' :)

And, just for the record, I will be happy to help if an OWASP chapter (or University) wants to do a similar FLOSSHack on TeamMentor.

Although TeamMentor (TM) is not OpenSource, it is very close, since the source code is available and SI allowed me to 'open it' as much as (if not more than) other OpenSource projects (note that TeamMentor uses O2 Platform's FluentSharp APIs, and there have been significant changes/features in the latest version of O2 which are a direct consequence of my TeamMentor development activities (for example the O2 VisualStudio Extension or the Real-Time Vulnerability Feedback in VisualStudio PoC)).

I'm quite proud of the level of openness that TM has, and I hope that other commercial tools follow these ideas/activities. Here are a couple of blog posts I wrote about TM's Security:

Note that we really embraced Git and GitHub as part of TeamMentor's development and workflow:

My objective is to create a super secure+powerful application, with maximum visibility+openness, while creating documentation on how it happened (which you can see in the current blog posts).

I think that TeamMentor is a good case study for the challenges of writing secure code, since it is a real-world app, with real-world complexity, real-world legacy stuff and real-world security compromises. This is a great learning opportunity to look at the 'sausage making process' that is software/application development (with a bunch of .Net, Asmx, jQuery, Javascript, and xml files which can be easily deployed to the 'cloud'). We always talk about how OWASP needs to engage with developers, work with them, help them to secure the app.... well, here is a good opportunity to do just that.

I want/need help in securing TeamMentor, and it's not an easy task :)

One area that I really want to move to next is the implementation of AppSensor-like capabilities, so that malicious activities can be detected and mitigated.

Oh, and I could really do with a good layer of .NET ESAPI controls/capabilities :)