Thursday 31 January 2013

OWASP Connector January 22, 2013

Here is OWASP Connector for January 22, 2013

Note the request for support for the GSD project which you can read about at OWASP GSD Project (GSD = Get Stuff Done) and Some ideas for OWASP GSD Project

OWASP Connector January 8, 2013

Here is the January 8th OWASP Connector (pretty cool ins't it?)

Great stuff from the OWASP's OpsTeam:

Wednesday 30 January 2013

Why Can't We Get Anything Done?

Here are '...16 rules that explain why, despite so much knowing, there's so little doing...'Why Can't We Get Anything Done?

I saw this from the latest Seth Godin's daily post which i get on email every day (subscription page is here)

HubSpot OAuth Implementation Plans

Following First PoC of TeamMentor integration with HubSpot here is the brief agreed with Justin (a developer I found in

HubSpot Integration Plan

Stats used to support OWASP Top 10 entries (next version must publish them)

Following from Should Mass Assignment be an OWASP Top 10 Vulnerability?, if I want to make the case for MA (Mass Assignment) to for example replace the A10 - nvalidated Redirects and Forwards,  I will need to provide data and analysis to justify it.

Unfortunately, for practical reasons, there is no published data to back up the current OWASP Top 10 entries.

Why NDAs have no place at OWASP

I was looking for a place to link why it is such a bad idea for OWASP to consider or accept the idea of signing NDA's with 3rd parties, and since I couldn't find it on the OWASP Wiki, I'm reposting here what I wrote in June 2011:

Apigee paid version has ‘PCI and HIPAA compliance’

I was looking at Apigee pricing

Live Meeting crash


Google/Trimble SketchUp looks really cool

Just read a review of Google SketchUp  which seems to be a pretty powerful 3D Auto-Cad-like tool to design buildings and shapes.

You can download it from here and there is a vibrant community around it here

This could be another way to get kids engaged in programming and coding :)

Saturday 26 January 2013

'Aaron's Army' and 'Aaron's suicide: System Contributed, Society Perpetuated'

Aaron's death should be a big wake up call for our industry. It is easy to forget that the crazy computer Laws our governments have published (including the UK's CMA) have real consequences.

Aaron's death for example :(  

Please read the Aaron's Army which is a Memorial for Aaron Swartz at the Internet Archive.

Jeremiah Grossman also posted an amazing (and personal) post which is also a must read
Aaron's suicide: System Contributed, Society Perpetuated

Contract work to help with OWASP Wiki edits

Here is an email I just sent to a couple contacts Samantha Groves (OWASP Project manager) gave me as resources I could use to make changes/edits to the OWASP wiki.

Feedback needed on 'Static Analysis Tool Evaluation Criteria'

Sherif Koussa is looking for feedback on the Static Analysis Tool Evaluation Criteria document he is working on.

This is a really important document/criteria which would help SAST users to know which is the best tool for their needs.

It looks good and I will try to read it in the next week or so.

There is a mailing list which you should join if interested in this topic.

Should Mass Assignment be an OWASP Top 10 Vulnerability?

I was just having a thread with Dave (who is working on the OWASP Top 10 2013) about the idea that Mass Assignment vulnerabilites should be part of the next OWASP top 10, and here is his view:

Asking the OWASP leaders to help with my request to help Ian

Just sent this request to the owasp-leaders list:

This is a weird request, but there has been some great developments around O2 and IBM which could be great for our industry, and really push this area of research to the next level.

tl;dr: if you complain about the fact that SAST tools like AppScan Source don't really 'work' in the real-world, and wish they could be more customisable, please send your support, ideas, thoughts and requests to

Please show Ian Spiro your support for his IBM AppScan research, ideas and energy

tl;dr: if you complain about the fact that SAST tools like AppScan Source don't really 'work' in the real-world, and wish they could be more customisable, please send your support, ideas, thoughts and requests to

Sometimes one has to go on the record and publicly support who deserves it.

Ian Spiro is one of them.

Friday 25 January 2013

GUI with WebStorm and JsTestDriver controlling 3 Hijacked Browser windows (Chrome, Firefox and IE)

Following from PoC - Selenium - Gui with 3 Hijacked Browser Windows and  Running JavaScript TestCase Unit Tests using JsTestDriver (in WebStorm)  here is a similar PoC, now with JsTestDriver controlling 3 Browsers in the same GUI:

Running JavaScript TestCase Unit Tests using JsTestDriver (in WebStorm)

As part of the process of adding more UnitTests to TeamMentor (while using WebStorm) I’m starting to convert some of QUnit Tests written a while back into JsUnitRunner (which I can execute directly from WebStorm’s IDE)

The process is quite easy since WebStorm already supports JsUnitRunner, which is explained in detail in this JetBrains JavaScript unit testing support blog post.

Wednesday 23 January 2013

Trying out SendGrid for cloud-based emailing (with nice intro video)

I need a solution to send emails (TeamCity build events, TeamMentor user’s activities, etc…),  which basically means that I need an SMTP server.

Looking around it looks like there are 4 solutions:

The power of Static Analysis to create solid code (in this case JSLint)

I just spent some time using JSLint inside WebStorm cleaning up and refactoring the TeamMentor’s GlobalVariables.js file, so that It shows the much desired green box (top right)

Can Git be used instead of Word's 'Track Changes'


Text changes are just a simplified version of source code :)

Here are a number of really amazing 'non-code' stuff that is happening with Git's content-versioning capabilities:

Great Visualization presentation and style from Hans Rosling

From Arvind's Fantastic data visualizations post, here are two TED videos that show Hans Roslin's brilliant way to present lots of data, using powerful visualization tools and animation:

OData ASP.NET Web API: An Mass Assignment vulnerability in the making?

When I saw Getting started with OData services in ASP.NET Web API (via reddit) :

Daniel Pradilla on 'Stop punishing your users and learn some design'

Daniel Pradilla has a great post on Stop punishing your users and learn some design which is also been discussed on reddit

Try F# online (using Silverlight)

Just noticed the which looks really good:

Why does YouTube still require Flash in Jan 2013!!!!

I thought flash was over and I find it ridiculous that I need to have it just to see a Video:

Downloading O2 Platform v4.5 and manually updating the scripts

Here is how to manually update the O2.Platform.Scripts if you are running the version available for download (vs from a GitHub clone)

You start by downloading the O2 Platform it from:

Tuesday 22 January 2013

PoC - Selenium - Gui with 3 Hijacked Browser Windows.h2

While working on TeamMentor’s browser automation using Selenium, I created a pretty cool PoC/Script where I was able to show natively the 3 main browsers (IE, Firefox and Chrome) in the same Application/GUI.

The O2 Platform script is called PoC - Selenium - Gui with 3 Hijacked Browser Windows.h2, and this is what it looks like when opened up:

TeamMentor’s Javascript-based Event Driven Architecture

Arvind is looking at TeamMentor’s Javascript (see Studying TM architecture) and he is trying to figure out how certain methods or WebServices are called. In this post I'm going to try to point him on the right direction and explain some of TeamMentor’s event-driven architecture.

TeamMentor’s GUI is 100% Html/Javascript based (i.e. with no asmx or other-type of server side dynamic code).

This means that the data shown in the GUI is all fetched via AJAX (using jQuery).

To see this in action, look at the some of the calls made during main page load.

Saturday 19 January 2013

Using TeamCity and NUnit to Start WebServer, Run Selenium Tests and Stop WebServer

Following the move to split the TeamMentor Brower automation tests into the UnitTests_WebAutomation repository, I just committed a bunch of git pushes (from here up to here) and customized a TeamCity project , so that TeamCity EC2 box will:

Is O2 like Humane Assessment?

Dennis Groves pointed me to saying “This looks a lot like the O2 Platformand I have to say that at first glance, yes, yes it does:

Talking a look at how AppScan Source creates WAFL files for ASP.NET ASMX WebServices

To try to understand how to improve AppScan’s Source support for ASP.NET based Frameworks (see Ian’s post Extending AppScan's Web Application Framework to support ASP.NET MVC) a good place to start is to look at how AppScan’s Source already does (a bit of) that for ASP.NET *.asmx based WebServices (where AppScan Source is able to successfully create Tainted Callbacks for methods tagged with the [WebMethod] attribute)

AppScan Source uses the powerful IBM research technology called F4F (Framework For Frameworks) which in practice is a bunch of *.jar files that create WAFL files.

Tuesday 15 January 2013

Using PostSharp to monitor WebServices Calls (deployed via TeamCity to Azure)

I just added PostSharp StarterEdition to TeamMentor

I’ve always been a fan of AoP / PostSharp, and as I need to add a number of method-driven-events-mapped-as-attributes, the time has come to use PostSharp (which is also much more mature than a couple years ago).

The registration, download and install was quite smooth

Monday 14 January 2013

Creating a Server-Side Google Analytics data submitter (in VisualStudio using C# REPL)

Following from Sending messages to TeamCity and UnitTest to check if the Google Analytics file has changed post, now that we have the ga.js hosted on TeamMentor’s code base (used to handle the original client side request), we need to add the ability to submit server-side data to Google Analytics (GA).

To do that we will need to replicate the client-site (JavaScript based) request sent to GA (Google Analytics) servers.

Sunday 13 January 2013

Asp.Net App_Code AppInitialize non-documented featured (invoked before Application_Start)

I was looking for a way to apply website specific customizations to TeamMentor (i.e. code that should be website specific, not TeamMentor.Corelib.dll specific).

The key requirements are that this code:
  • is executed as soon as possible (and only once), 
  • is not placed inside the Global.asax file and 
  • it can be used to apply targeted customization to the code in TeamMentor's CoreLib.dll 
I found exactly what I was looking for in the AppInitialize undocumented feature of Asp.Net.

Saturday 12 January 2013

OWASP Principles based on NHS?

For a while now, my view is that OWASP's Mission, Focus and Vision should just be: "WEB APPLICATION SECURITY"

That's it. OWASP's community and scope is so wide (a great thing) that trying to be even more specific will end up in a massive thread and unproductive discussion (where just about everybody will be a bit right about something)

Private threads are SO inefficient, Application Security Knowledge is available at the point of Need, and Password Hashes over SSL

On the topic of Can you put this on a Hyperlinkable location? I just wrote this on an (internal TM Dev) thread about Client Side Password Hashing:

The only thing wrong with this thread is that we are having this on a private channel. This means that:
  • all the efforts put in here will be eventually lost (into the email pit), 
  • we lose the ability to cross-reference (and re-read) the points made here in the future
  • we don't get to view/see/learn from other points of view/knowledge/experiences,
  • we don't expose the process/journey that we are taking (which is very valuable for somebody in the future faced with the same questions)

It is really painful how the current 'closed doors conversation' culture is so strong (even in a company as open and relaxed as SI)

My iPhone 5 was stolen yesterday

While I was at a local Starbucks on a conf call using Skype.

If I got the the sequence of events right:

Sending messages to TeamCity and UnitTest to check if the Google Analytics file has changed

Since it is a really bad idea for websites to load Javascript files from external domains, my objective is to host the Google Analytics ga.js file directly in TeamMentor’s Javascript folder (i.e. not load ga.js from Google's server (which btw, is what most websites do)).

The only potential side-effect of hosting this file natively, is if Google changes the content of the ga.js file (where we are would be using an out-of-date version that could cause problems in the way the data is processed by Google). So to handle that case, I’m going to write a unit test to compare the 'TeamMentor hosted version' with the version at (this UnitTest needs to also be executable from TeamCity)

Friday 11 January 2013

Using Selenium to Login using Multiple Browsers

Following from yesterday's posts:
Michael added IE support overnight, and here is a pretty cool PoC of running TeamMentor's Login UnitTest using 3 browsers (IE, Firefox and Chrome):

Is the TeamMentor Development/SDL team as good as it gets? (from a security point of view)

As we're having another internal (which should be public but is a topic for another post) debate/email-thread at SI/TM about the 'best way to handle user passwords/hashes', I was thinking "is this (TM SDL) as good as it gets?"

Here is what we have today (regarding TeamMentor's SDL and Team):

Thursday 10 January 2013

Writing custom C# scripts when Edit-and-Continue is not possible

Due to limitations of Edit-and-Continue, we can’t make code changes here:

OpenQA.Selenium.DriverServiceNotFoundException on Chrome

While trying to running a TeamMentor UnitTest in Chrome I got this error:

Coding Firefox in C# in real-time using Selenium's Firefox driver

The best way to write and debug Selenium Web Automation scripts is to be able to be able to write code snippets in real time (in a REPL)

This post will show how I just did that for the TeamMentor’s UnitTests environment that Michael Hidalgo is working on.

Dangerous bug between Git, GitHub and Windows (duplicate directories with different capitalization)

After doing this rename, here is what GitHub looks like:

Using VisualStudio C# REPL to quickly find issue

While refactoring a TeamMentor UnitTest, I hit on this error:

Just moved from MSTest to NUnit

Because although we did try to use MSTest for TeamMentor UnitTesting, it lacked a couple key features (namely the ability to define generic types in the Class Attribute).

Here is Michael’s commit that shows a simple NUnit test with multiple Browser invocations (note the TestFixture attributes):

GitHub is having some probs today

Here is what a GitHub Commit page looks like:

Nice way to give Feedback to Google

Ok, now this is quite cool (and I just used it to send a link of my last blog post to Google)

Choosing the 'Send feedback' link:

Blogger just changed the way it handles post edits (i.e. it changes the date now)

Blogger must have pushed an update that changed the date of an post everytime there is a minor edit on it.

This means that the couple (old) posts that I just changed a couple labels, have now the wrong date!!! 

Viewing an Azure WebSite IIS Logs

On Azure created websites, the main Azure UI provides some interesting stats:

Why does windows Azure need to '0wn' my GitHub Account?

While creating an Azure website (part of TeamMentor CI) I tried to connect Azure with GitHub and got this request:

On how to get paid to work on OWASP projects

Here is an old blog post (from May 2012) that I never got around to publish (got lost on the drafts folders), that provides more info on why OWASP cannot pay its leaders, and how to get paid to work on OWASP projects

Nice SI 2012 Q4 Newsletter

SI just published its 2012 Q4 AppSec Report newsletter which looks really good, and has a couple sections about TeamMentor :)

You can get the pdf from here or view it online here (or below)

IBM AppScan eval downloads - and what is the difference between Standard, Source, Enterprise and Dynamic?

If you go the IBM AppScan download page you can see four downloads:
  • IBM Security AppScan Standard V8.6 Evaluation Windows 
  • IBM Security AppScan Source for Analysis V8.6 Evaluation Multiplatform
  • IBM Security AppScan Enterprise Server V8.6 Evaluation Multiplatform
  • IBM Security AppScan Enterprise Dynamic Analysis Scanner V8.6 Evaluation

Wednesday 9 January 2013

First PoC of TeamMentor integration with HubSpot

Here is a Video that shows a PoC of consuming and manipulating HubSpot user database (called Contacts) natively from inside TeamMentor:

Tuesday 8 January 2013

Anonymous Vulnerability Reporting Service

Is there an Anonymous Vulnerability Reporting Service out there?

Basically one where it is possible to report a vulnerability on a website without worrying about the other side throwing a tantrum and accusing the messenger with 'malicious hacking'?

It is a sad state of our industry that this is needed, but with the current computer criminal laws making all internet users a potential criminal, it is too risky to put a carrer in a the hands of the company that created the vulnerable product or service.

Ideally this service would allow:

My focus, O2 as the Open Platform, why IBM needs open standards and O2+AppScan research project

Here is an email (with minor edits) that I wrote recently to an (retired) IBMer and Bill Cheswick an Network Security guru (where I tried to answer the questions: "What are you trying to do? What is O2? and how can O2 help IBM?")

Hi Bill

My focus is on Web Application Security, namely on how to create secure applications.

My key objectives are to:
  • enable developers to write secure code
  • enable buyers/users to make informed and risk-based 'application security' decisions
  • scale application security knowlege
In order to make this happen, I wrote an Open Platform (called the OWASP O2 Platform) which allows the creation of custom 'analysis engines'. These engines are created from security expert's knowledge/workflows and the output/capabilities of Application Security Tools (like the ones from IBM AppScan, HP Fortify, Veracode, CheckMarx, etc...). I am also the lead architect and developer of the TeamMentor product (from Security Innovation) which is aimed at providing hyperlinked Security Knowledge to developers (e.g. prescriptive guidance for developers mapped to corporate policies)

Monday 7 January 2013

Teaching kids how to code - UK's CodeClub

CodeClub looks like a great way to be involved in the UK in teaching kids how to program (which I believe to be very important).

The first lessons seem to use Scratch from MIT.

Interesting spam message

The key is in the link of the poster name (which points to a YouTube video trying to sell a product).

This is a good example of one of the current malicious business models: Web Traffic Generation

Friday 4 January 2013

Adding git support to IIS (maybe using Kudu?)

What is the best way to allow git publishing via an IIS site? Namely from a TeamCity build?

As nicely described on Deploying: Add Git support to your IIS server, maybe Kudo could be a good option (kudu is used by Windows Azure) - interesting tool and good site

We’re looking at a better way to manage the TM dev team and Michael suggested VersionOne which looks really interesting.

I also like the layout of its main page and the way the video clearly shows how the tool works (that kind of animation is really powerful)


Another feedback form that fails – this time from Telerik JustCode

I just uninstalled JustCode, was asked to provide feedback:

Thursday 3 January 2013

Can you put this on a Hyperlinkable location?

"Can you Hyperlink that?" is a question that over the years I have been asking more and more.

The idea is that if information is not in an Hyperlinkable location, then it can't be easily found (or indexed or refereed to).

if you make it easy people will buy it (vs 'steal it')

A while back (I think in early 2000) when I was more involved in the music industry I remember reading an amazing research paper that basically said: "...If the music industry, instead of fighting Napster, creates a solution where the normal user/consumer can easily buy music at a 'fair' price, then most users will do it..." (unfortunately I was not blogging back then, so I lost that link :(  )

Of course that this advise was not listened to and it took Steve Jobs to actually make it happen.

I think the time as come for OWASP to have its own secure browser(s)

The idea is to create a customised version of a popular browser (like Chrome or Firefox) that has been customised to be secure out-of-the-box.

It could even be something like but I want to leverage the trust-network that OWASP has (and its potential to peer-review) to create a piece of software that I actually trust (or that it can earn my trust with time)

2013 wish list and objectives

Happy new year. I’m just back from spending a week in the US where I actually didn’t touch my laptop (for work or coding) and was able to relax, read a number of books and spend a great time with family and friends.

On the way back I started writing on my (paper-based) molenskine notebook a bunch of ideas/concepts/plans (which should appear in future blog posts)

One of the things I wrote down was this (unedited and not-in-specific order) 2013 wish list and objectives: