Friday 14 December 2012

CI is the Key for Application Security SDL integration

The more time I spent with CI (namely with TeamCity) the more my instinct is saying ‘this is how we should be delivering and automating security knowledge!'.

OWASP project reboot spent funds (not a lot spent so far)

From Alison here are the latest numbers from the OWASP Project Reboot 2012 initiative:


Humm, from the numbers in there, it looks like only the CISO Guide spent some funds

TeamMentor global search, duplicate articles and a new ‘Any’ Library

In the 3.2 version of TeamMentor image
there is a Library per technology (.Net, Android, C++, iOS, Java, PHP) and type (CWE, PCI DSS Compliance):

Wednesday 12 December 2012

Rewiting Git History (locally and at GitHub)

When fixing the ASP.NET WCF REST help page ‘Memory gates checking’ error at AppHarbor

I ended up with a number of Git Commits: locally image 

ASP.NET WCF REST help page ‘Memory gates checking’ error at AppHarbor

Here is an weird one....

Just did an TeamMentor auto-deploy (via a GitHub push that triggered AppHarbor via a webhook) and the published site is running OK (on the deployed AppHarbor server) ....

Problem with Environment.SpecialFolder.ApplicationData in Azure

While I was testing the TeamCity auto deployment from Git to Azure, I hit on an weird bug where TeamMentor's website would look (and load) OK in AppHarbor, but would fail in Azure.

Stylizer - Real-time CSS Editing

The Stylizer looks really powerful for CSS editing and customization. I really liked it’s video page which provided a great overview (and learning environment) for Stylizer multiple features (it is a great way to quickly and effective present a product)

Monday 10 December 2012

Testing an WCF Rest Service directly and via a local instance created by WebServiceHost

Here is an example of a simple REST based WebService which is tested using 3 techniques:

  • IIS
  • Direct object creation
  • Locally hosted instance of the WCF service (using .Net's WebServiceHost class)


Windows Azure is what IIS 7.5 should be

The more I look at Windows Azure (while dealing with IIS deployment automation issues in TeamMentor) the more I fell that Windows Azure is what IIS 7.5 (or 8) should be.

What is really good about Windows Azure is its deployment and versioning capabilities (you can even deploy via git pushes these days). And apart from the webserver bit, most of IIS' Gui is focused on website deployment (which is what Azure does really well).

JustCode is following VisualStudio 2012 bad Design decisions

I’m trying to avoid using VisualStudio 2012 because not only I haven’t seen any feature that I need, its ‘lets remove all the color Design’ is just horrible.

And what is really annoying, is that VisualStudio 2012 (very bad) Design decision are then followed by VisualStudio extension vendors (like JustCode) who create a Gui that looks like this (in VS 2010):

Minimum required files to run git.exe on windows (for clone, push and pull)

I want to add native Git support to TeamMentor (and O2) and don't want to ship the entire git folder structure that is installed with msysgit

Some JustCode compilation issues (on .NET 4.0 dynamic keyword and method default parameters)

I’m giving JustCode another go and it doesn’t seem to like some .Net 4.0 features (which btw compile ok in VisualStudio):

Sunday 9 December 2012

Two great posts on Gamification

From TechCrunch’s Tadhg Kell here are two great articles that explain the Gamification concept really well:
His core idea is that Gamification boilds down one of to three things: validation, completion and prizes

Adding a C# REPL Script to Windows Live Writer

Let’s give Windows Live Writer 'Copy and Paste of images' feature a test-drive by documenting how to inject a C# REPL script into it

Software Labels – Jeff’s OWASP AppSecDC 2010 presentation (another dropped good idea)

An old idea from Jeff Williams (which is spot on) is the need to apply Labels to Software and Web Applications.

The concept is simple, but its implementation is really hard, because of the lack of quality standards/metrics in our industry

Signs of a well Designed Feature

A well Designed Feature (i.e. that works) is one that, for a particular task (like coping and pasting images on this blog) gives its user the feeling that:
  • initially the new workflow just seems simpler and a little bit faster (when compared with the preview one)
  • after a while, how it worked before goes kinda misty
  • but, if the previous one has to be used again, it will seem REAAALLLLY slow and cumbersome!
Of course that in reality, the change is never that big, but once the user feels/understands the new version, using the old one is just painful.

Why does trying some Windows Live Writer Plug-ins expose me the total system compromise

As you can see on the Trying a couple more Windows Live Code Formatters post, I tried a number of Live Writer Plug-ins before I found one that I liked.
But if you notice (just to try a couple plug-ins!) I had to install a bunch of MSIs and give them full access to my box! And after installing those plug-ins run with Full Trust (again being able to do whatever they want to any of my windows processes)
This is crazy, this is faith-based security.

Trying a couple more Windows Live Code Formatters

As you can see at the end of the  Failing to use Windows Live Writer 2011 (and going back to 2009) the highest ranking (and recommended by default) code formatting plug-in didn’t work. So let’s try  a couple more:

Failing to use Windows Live Writer 2011 (and going back to 2009)

As you can see at the end of Using Window Live Writer to write Blogger posts I originally started using the 2009 version, so I tried use the 2011 and it failed miserably because, Copy and Paste doesn’t work anymore!!!! This is crazy!! Why???

Using Window Live Writer to write Blogger posts

As per this @shanselman reply https://twitter.com/shanselman/status/277514388376784896 (following a question I asked @troyhunt) I’m giving Windows Live Writer 2009 a try, and it seems to support Blogger, and (more importantly  copy and past of images (with auto upload to Picassa) which is exactly what I wanted (see The 'Sync Design Problem' of adding images to this blog for a description of the problem I had)

Saturday 8 December 2012

Just Uninstalled ReSharper

The performance hit was just too much, and since I got a reply from JustCode I will give it another try

Thursday 6 December 2012

Just tried JustCode and its a shame they don't support ExtensionMethods

I just gave JustCode VisualStudio Extension a test drive (which amazingly still hasn't entered the SAST market) and although I really liked what I saw (and felt much better/faster than resharper) it had a critical problem, where it failed to recognise the FluentSharp's Extension Methods in TeamMentor:

What a 'salad of DLLs' are the ASP.NET MVC 4.0 template projects

I was taking a look at ASP.NET MVC 4.0 to see how easy it would be to use its routing engine for TeamMentor REST API, and its just ridiculous the sheer amount amount of dependencies that it required (as per the the test/template projects).

ASP.NET Support in SAST and IBM F4F

At the moment (Dec 2012) my understanding is that all SAST tools struggle to scan/understand ASP.NET MVC apps.

The only way to really support/understand/scan ASP.NET MVC is to map how that framework works/behaves (I don't think any SAST vendor/tool does that),  and as with any Framework, there is a lot to map:
  • The controllers (equivalent to WebService's methods, which need to be marked as Tainted-Sources/Callbacks)
  • The controller's authorization/authentication mappings (done using Attributes)
  • The Autobinded Models
  • The Views mappings (i..e what views are connected to what controllers)
  • The MVC Execution life cycle
  • The auto-encoding (or not) of view controls (and new display engines like razor)

How to use TeamMentor for training?

Another area that I really would like to see pushed is the idea/concept to use TeamMentor (TM) materials for training.

And by training I don't just mean class-room or ICT. A key element of TeamMentor is the idea that it is a 'Mentor'  And mentors are by definition teachers :)

So how can TM be used in short (and in bursts) training sessions? (or knowledge transfers)

Feedback on TeamMentor webcast (with Ideas to make TeamMentor better)

Danny Harris saw the 'Streamline the Fix' Webcast, liked what he saw, and sent us great feedback

Here is what he sent (unedited by me):

Simple, Unique, Valuable - Lenovo Design Principles

Just saw on BBC the Rory in China: Lenovo's quest to be cool article which has an interesting 2m interview with Yao Yingjia (Lenovo's Jonathan Ive) where he talks about his views on design (and how it is 24/7 frame-of-mind)

In there Yao talks about what he calls Lenovo's Design Principles which are: Simple, Unique and Valuable

These are pretty good concepts and I really liked the way Yao was talking about design.

I couldn't find a page about Lenovo's Design Principles (the top link was this post that links to a Fast Company article on  9 Principles For Great Branding By Design), so I guess Lenovo still has a bit to go in publishing their internal ideas and visions :)

That said, Lenovo's Design Blog seems like a good start

Wednesday 5 December 2012

O2 Light - Dual Scan and Code Fix Tag (2009)

Here is a PoC I wrote in 2009 (post OunceLabs IBM acquisition) of a mini tool (with drag-n-drop support) that:
  • Fired up scans of Ounce 6 and AppScan Developer (the two SAST engines that IBM had at the time)
  • Imported both set of scan Findings to O2
  • Created consolidated list of Findings (i.e. findings that existed in both sets of results)
  • Showed consolidated Findings to user (with ability to open them in Ounce 6)
As with the OunceLabs WebScan Module this O2 Light - Dual Scan and Code Fix Tag module (downloadable from here) doesn't build in VisualStudio anymore, but I was able to get a couple screenshots from VisualStudio's Control Designer.

OunceLabs WebScan Module (with 'Will It Scan' feature)

Back in the days (2008) I created a PoC for OunceLabs engine where it was possible to trigger scans via a website.

I found the files but there were a number of missing dependencies (like some JNBridge stuff which was shipped with last version of the OunceLabs product (pre IBM)).

So the best I can do is to open it in VisualStudio and show the aspx pages in design view.

Notes on JSP TLD injection

Another oldie pdf I found on my archive which contains some interesting notes on xss injection on JSPs TLDs (this is probably the smallest pdf I've posted here for a while).

What is interesting about the JSP TLD is that there are two parsing stages (which affect the payloads/exploits/vulnerability state)

IIS permission problem on TM deployment ('race condition' like)

We're having an 'interesting' IIS deployment problem in one of TeamMentor live servers (running IIS 7.5)

After installing an TM library (using the technique show in the Installing New Libraries via control panel video) I was faced with this:

Unedited TeamMentor 3.2 Feedback

Here is some nice feedback I received today from a fellow security consultant whom I showed TeamMentor via a join.me session (which works great for this kind of 'quick remote desktop sharing' sessions)

"...So my initial thoughts were why does not every software organization has a copy of this, it seems like a no brainer to me. I haven't spent much time with the product but here is what I like from what I saw this morning:

Comparing two GitHub Issues List

Is there a way to compare two GitHub Issues lists?

What I need is a programatic way to compare the items that exist in two GitHub repositories (repo A and repo B),  do a diff, and list the ones that don't exist in repo B (i.e. which ones were not copied from repo A to repo B)

Tuesday 4 December 2012

Implementing S4 - Source-code Security Scanning Services - v0.5.pdf (2008)

From the OunceLabs archives here is a document I wrote back in 2008 that provides a roadmap (and template) for companies (or team) that want to implement a S4 (Source-code Security Scanning Services)

I never finished this document, but there are lots of good (and battle-proven) ideas in there :)

Interesting Encoding problem with TeamMentor Japanese translation

Here an interesting prob I had to deal today with the first pass of TeamMentor's translation into Japanese.

The translation phase was quite sweet. We sent the TeamMentor Xml files file to the translation company, which they were able to plug into their system, and once completed, they send us back a zip with the translated xml files :)

That zip was then uploaded (via drag and drop) into a TM test server (see video of that workflow here) and it all worked .... except for the metadata and filters:

O2 Presentation - from Jan 2009

Here is a presentation I delivered about O2 to OunceLabs (before the acquisition).

It's pretty cool to see the position (for O2) I had back then, and how that is still very relevant today (it's a bit depressing that the industry has not moved much in the last 4 years)

F1 How To - Scanning HacmeBank WebServices v0.6 (from 2008)

Another one from the O2 Archives, here is a pdf (shown below) that I wrote in June 2008 that showed how to use F1 (what the O2 Platform used to be called before it was Open Sourced) to scan HacmeBank Website and WebServices

Check out the consolidated graphs that I was able to create at the time. Pretty cool way to visualize multiple traces in one graph :)

The 2nd part of the document, shows how F1 was used to auto-create-callbacks (i.e. tainted sources) in the OunceLabs engine (this feature has since been added to the latest version of IBM AppScan Source)

ASP.NET MVC – XSS and AutoBind Vulns in MVC Example app (from 2008)

Here is a old pdf that I wrote ages ago (Sep 2008) that documents a couple Spring MVC AutoBinding vulnerabilities (similar to the ones shown in Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform)

IBM AppScan Standard, Source and VisualStudio (in the same GUI/App)

Here are some cool screenshots sent to me by an O2 user, that used the technique shown in Using a .Net/CLR, a Java/JVM and a C++ Window in another process (to show consolidated security findings) to create a GUI, where windows from AppScan Standard (.Net app), AppScan Source (Java app) and VisualStudio (C++/.NET/WPF app) are shown side by-by-side (fully functional) in an external process.

Bellow you can see the four Windows in action:

  • Top Left: Findings TreeView from AppScan Standard (.Net)
  • Top Right: Code Editor from VisualStudio (C++/WPF)
  • Bottom Left: Trace View from AppScan Source (Java)
  • Bottom Right: Guidance from AppScan Standard (WebBrowser)

OWASP Press and using LeanPub with GitHub and DropBox

As mentioned on my 934 page eBook/PDF with this blog from LeanPub.com post, Dennis Groves has found a way to use GitHub with DropBox to manage the workflow of creating eBooks using LeanPub

This is really great stuff, and you can read the details at his  OWASP Press post.

Slides for 'Streamline the Fix' Webcast

Just posted on SlideShare the slides we are going to present later today at the Streamlining the Fix: Diminishing the Impact of Software Vulnerabilities with a Predictive Process Webcast (register here)

Monday 3 December 2012

TeamMentor Webcast I'm doing Tomorrow (on how to use TM to help fixing vulnerabilities)

If you want to take a look at TeamMentor, I'm doing a Webcast tomorrow (4th Dec 2012) on the topic Streamlining the Fix: Diminishing the Impact of Software Vulnerabilities with a Predictive Process

You can register here and let me know if there is a specific scenario you would like me to cover



When is the next OWASP Summit!!!!!

Looking at the OWASP Summit pictures reminded me of the amazing experience that the OWASP Summit 2011 was. There was so much positive energy in the air and we got much done (see the final report and the session's outcomes).

We need another one!!!!

Surely we can have one in 2013!

It's nice to get a compliment, and please go and HUG an FOSS project today

The thing about Open Source development is that there is this weird 'coding to the fog' situation where the number of feedback that is received is SO small that it takes a lot of 'self-motivation' to keep going (specially at a high speed/energy level).

For example, I received today this really nice comment from Steven regarding the talk I did last week  (where I presented a variation of Using a .Net/CLR, a Java/JVM and a C++ Window in another process (to show consolidated security findings) ):

...I was amazed by your work on O2, in fact so baffled I forgot to give you a standing ovation at the end of your talk at the OWASP Benelux days...

And it's nice to hear this ....  thanks Steven, it means a lot to me :)

OWASP Revenue Splits and the "Non-profits have a charter to be innovators"

Seth Godin recent post on Non-profits have a charter to be innovators is really spot-on, and very accurately describes the problem that (I believe) exits today at OWASP

When Seth mentions that non-profits usually say: '...We're doing important work. Our funders count on us to be reasonable and cautious and proven, because the work we're doing is too important to risk failure...',  he could be speaking on behalf of a number of OWASP Leaders, since I have heard many variations of that phrase at OWASP before (in fact you will see such variation later on this post)

Contrary to what a lot of OWASP core leaders (the ones that care and spend time on 'OWASP the entity') believe, OWASP doesn't have a lack of funds problem!

OWASP has a 'how to spend money' problem 

and a

'Not spending enough OWASP funds' problem!

Sunday 2 December 2012

I never liked the term 'Rugged Software', what about Robust/Resilient Software?

I still have not fully rationalised why I don't like (as security professional and as a developer) the term (and some parts of the concept) of the Rugged Software

Recently when talking about similar concepts (i.e. writing secure code/applications) I found myself talking about the need to create Robust/Resilient Applications.

Isn't Resilient Software a better term to describe applications/code that are able to correctly handle, mitigate and react to malicious behaviour/input?

Netflix “Resilience Engineering” FOSS Library and Security

Really powerful stuff (and to-read material):


934 page eBook/PDF with this blog from LeanPub.com

[UPDATE Mar/2014]: following what started with the post below, I have now published a book created at Leanpub on AngularJS. See Published Beta version of "Practical AngularJS" Book (in both digital and print format) for all the details



Dennis Groves called my attention to the really interesting/powerful online publishing leanpub.com website/service (which he is trying for publishing OWASP books).

I just tried with the content from this blog, and as a first pass, I'm quite impressed with the results.

To get the 934 page pdf (or EPUB/MOBI file) for this blog:

TeamMentor Pricing, Licensing and Partner program

Following questions received, here are the details about the current TeamMentor's pricing and partner program:

Mapping the relationships between: Principles, Guidelines, Checklists, How-Tos, etc...

From the (under construction) tm4tm site (TeamMentor for TeamMentor), here is a nice diagram (see below) that maps the relationships between the multiple types of TM articles/Guidances:


Would I recommend Checkmarx as a SAST engine?

I was asked this question twice in the last couple days, and my answer is YES!

Although CheckMarx is still not as open and easy to engage as I would like them to be, they are actually one of the best ones out there.

And there is one asset that CheckMarx SAST engine has that is REALLY GOOOOOOODDDDDDD!!!!

Their rules are written in C# and if you (like me) like to write custom rules, they have a nice REPL interface that can be used by power users (with access to a lot of the metadata and code-transformations created during the analysis phase)

I'm currently integrating TeamMentor with Checkmarx (for a joint customer) and I really like it. You can see our latest PoC at http://checkmarx.teammentor.net, which includes a view that shows a mapping between:

  • a security finding, 
  • it's CWE description
  • the TeamMentor landing page (for that finding)
  • the C# CheckMarx rule that triggered that finding

Saturday 1 December 2012

To research further: BeanShell, EasyHook, C# Cookbook and PhantomJS/CasperJS

From the O2 training class I delivered last week (and the research on Windows Messages) here are a couple interesting APIs/Tools to research further, and see if it is easy to add O2 support for them:



Eric Lippert joining Coverity

This is VERY interesting, since Eric is one of the C# Microsoft Gurus.

You can read his announcement on is his last MSDN post A new fabulous adventure and on his new blog

Good on Coverity for catching such good talent, and I wonder if they are (finally) going to enter the SAST space for C#/.Net

Using a .Net/CLR, a Java/JVM and a C++ Window in another process (to show consolidated security findings)

UPDATE (Jan/13): See PoC - Selenium - Gui with 3 Hijacked Browser Windows.h2 post for another powerful example of consuming Chrome (and IE and Firefox) window in another process


Here is the video presented at OWASP BeNeLux conference, which shows how I used the O2 Platform to create a consolidated view of 3 different window's processes (one from .Net/CLR, one from Java/JM and one from C++ applications). Note that these windows are hosted by a 4th (.Net) process and are fully functional.

The objective of this 'consolidated multi-process window view', is to give developers a really strong 'vulnerability fixing environment'.