Sunday 28 April 2013

SC Magazine Interview: “A lack of security development and technology transparency harms users” and the “Building a bank as fast as a restaurant” analogy

While at InfoSec last week I did an interview for SC Magazine UK that came out quite well (it’s good not to be misquoted :) ).

You can read it at

The RaspberryPi index (similar to the Big Mac Index)

The other day I was thinking about the loss of local industry that has happened in Europe (and lots of other countries) and I realised that what we need is the RaspberryPI Index, which would work in a similar way to the Big Mac Index.

The RaspberryPI Index would be the "cost of producing a RaspberryPI compatible device in a particular country or region".

This would be a great measure of how much technological industry would exist in a particular country (and help to find the gaps in the market/production-chain).

What is Brand (in pictures)

Here are two amazing images that really show what a brand is:

Friday 26 April 2013

Practical Example of using Web CSharpREPL in TeamMentor’s development/customizations

Kofi asked me a couple days ago for practical examples of using the CSharpRepl that is included in TeamMentor’s Admin pages.

Well here is one.

I am currently writing a couple customizations for a TeamMentor client which are deployed/applied via the (new to 3.3.) UserData WebRoot_Files folder.

Monday 22 April 2013

Setting up Ian’s CI Development Environment (for TeamMentor)

Now that Ian (and Kofi) have pushed a couple commits (to his fork of TeamMentor) it's time to set up Ian's CI dev environment, so that his commits can be automatically tested and viewed on a live instance of TeamMentor.

First thing to do is to go to Azure and create a website to hold Ian’s Fork

Creating TM4TP (TeamMentor for TeamProfessor)

Following the success of using TeamMentor to document the technical aspects of TeamMentor (which is what we call TM4TM and can be seen at, I’ve just set-up an equivalent site for TeamProfessor (SI’s eLearning courses) which you can see at the QA site (note that in a couple days this site will be at

Sunday 21 April 2013

Voice of reason – Bruce on the Boston Marathon bombs

I really respect Bruce Schneier since he is usually one of the few 'voices of reason' when the whole ‘terrorist and fear’ factor is being played by the media.

See his really good article The Boston Marathon Bombing: Keep Calm and Carry On and one of the respective Reddit threads

One issue we have in the Web Application Security industry space, is how the real agenda (i.e. 'we should be writing secure code') is being hijacked by the ‘cyber terror’ brigade (which is only selling FUD and a couple products/services they happen to provide)

Saturday 20 April 2013

TeamMentor 3.3 is now live on a number of SI managed sites

After many months of development, the 3.3. version of TeamMentor (soon to be ‘officially launched’) is now live on a number of sites:

How to restart an IIS Worker Process programmatically (i.e. shutdown the current ASP.NET Domain)

There are cases in TeamMentor’s live sites where we need to do a soft ‘reboot’ to the live website.

Although there is no public ASP.NET method to do that, a quick call (using reflection) to the HttpRuntime.ShutdownAppDomain (private static) method will do the trick.

In TeamMentor, this is provided via the Admin_Restart() method


which is a REST call:


On Open Communication (and the default ‘private’ email mode)

Here is Kofi's great comment about TM’s Open Communication model (after reading this post) and on the default behavior to use email (even when there are no privacy concerns)

Friday 19 April 2013

Is RNGCryptoServiceProvider 'fast enough' to create a GUID (and using O2’s C# REPL to quickly test some C# code (i.e. s)

Earlier today Kofi (TM Dev) asked me if we could use the .NET's RNGCryptoServiceProvider (see Generating Cryptographically Secure Random Numbers) to create GUIDs:

Question about SI's level of openness and empowerment

I was asked today this question
    "Hi Dinis, just been looking at your blog. I saw the following quote "So if you are looking for a job to work on an spectacularly amazing project, lead by a crazy dude (me), for a company with a great culture of openness + empowerment, this is your opportunity." Can you elaborate a bit on the openness and empowerment?"
And here is my unedited answer:

Decoding an URL using O2 Platform C# REPL

Sometimes the O2 Platform helps me in the smallest of ways.

After my Windows VM was forcibly rebooted by Windows Update, I was faced with the pain of recovering Chrome’s open windows due to:
  • When I opened Chrome I was not logged in to Starbucks
  • Starbucks redirects to their login, while keeping the previous address as a URL-encoded GET parameter
  • The redirect doesn’t work if you are already logged in

Finding a html link with no ID in the middle of a web page using WatiN (via IE objects and jQuery)

When coding web automation scripts, a common problem is that the target HTML element that we want to access doesn't have any id or attribute that we can use to map it.

This post shows a number of examples of how to find those HTML elements using O2 Platform’s WatiN/IE extension methods.

OWASP AppSensor and O2 Platform at Security B-Sides London

(reblogging Colin’s post about this event :) )

Next week me and Colin Watson will be running an OWASP AppSensor and OWASP O2 Platform workshop at Security B-Sides London 2013.

We will be demonstrating and helping attendees of the workshop specify, define and implement application-specific attack detection and real-time response. Our agenda is:
  • OWASP AppSensor concept
  • Attack detection exercise
  • Real world implementation (using O2 Platform and TeamMentor)
  • Alternative deployment models
We'll be using paper-based materials and real code demonstrations (in .Net, Java and PHP), so just bring your brains along.

The workshop is being run from 14:00 to 15:30 hrs on Wednesday April 24th 2013 and can be booked on arrival at the event. It is available on a first come, first served basis.

Security B-Sides London is a community-driven free event but requires registration, but due to overwhelming demand there is a waiting list.

We hope to see you there.

Thursday 18 April 2013

O2 Platform 5.1.1 version with all dll references included

A common issue that happens when running the default O2 Platform exe/gui from a corporate network is that some ‘on-demand dependency downloads’ fail due to restrictions imposed by the network’s web proxy.

So if you have this issue, try downloading the O2_Platform v5.1.1 [with extra References].zip which is 23Mbs

WinForms WebBrowser running inside a WPF Host (controlled by a WinForms TreeView)

Here is an example of how to use FluentSharp’s WPF/WinForms Extension Methods to host the WinForms WebBrowser Control (IE based) inside the WPF Graph element.

Tuesday 16 April 2013

Using CSharpRepl to batch change TeamMentor’s users email and settings

While deploying the 3.3. version of TeamMentor into the multiple servers we maintain, there are a number of edge cases that are usually a pain to deal with, but now that TM has the ability to run C# scripts directly on a server, I can codify the transformations required :)

The two problems I’m going to deal with here are:
  • Batch setting the email based on the username
  • Batch setting the Account expiry date (based on a search)
Note that in both cases I’m going to first do the changes into a locally hosted version of TM that is consuming the respective UserData GitHub repo (and if anything goes wrong, I’m a git stash or git reset away from a clean start).

Why doesn't Waterstones (UK BookStore) also upsell kindle books?

Today I bought a book for my Mum in a local Waterstones and they didn’t even have the option or service to upsell a digital copy of that book!

If they had an offer like “25% extra and you also get a kindle version” I would have bought it, because I also want to read that book (and they sell Kindles in that store!!!).

No wonder they are struggling (see Waterstones boss pledges to revive company's fortunes after a £37m loss), and although Waterstones’ management wants to blame Amazon (see Amazon is 'destroying Britain's book industry', claims Waterstones chief), they keep failing to adapt to the new digital world.

Saturday 13 April 2013

Is Google+ a step too far? Why Google should care about our Privacy (not try to erode it) and SAST to the rescue!

On the issue of Google+ being a step too far in its 'connecting the dots capabilities' and 'exposure of personal information', I wrote the text below in an amazing (internal to SI) thread about this topic (again it pains me that such great wisdom is going to be lost forever in the email's black hole)

If you ever doubt that OWASP needs more Project Managers/Resources

Like Samantha Groves:

The problem with SSL is not performance, it's management

In a chat with Michael Hidalgo about SSL, he mentioned the posts Overclocking SSL (from Google), Dispelling the New SSL Myth (from F5) and Still not computationally expensive (Google guy responding to F5).

Is Git a Single point of failure for TeamMentor?

Danny is getting into Git and just asked me this:

“is it possible for Git to be a single point of failure for TM? If Git went down or offline, wouldn’t that be a problem?”

The short answer is “NO, in fact Git is a distributed point of success for TM”

Let's start with the differences between Git and GitHub.

Think of Git as a ‘file-based database of multiple versions of a particular file, with one version shown in the file system’, i.e. ‘Git’ is the .git folder and a checked-out version of the files (in the file system)

Think of GitHub as a ‘web based location to store and share the .git folder’

Wednesday 10 April 2013

What the move from HTML to WikiText looks like (in GitHub)

Copy and paste of HTML is such a mess (even today in 2013).

I just converted a couple (converted from Word doc) TM articles from HTML into WikiText and it is shocking the difference in the amount of code (and complexity)

Linus’ gift to the world will be Git not Linux (and what about an OS built on top of a hash-driven file system?)

I know it is a big claim, but I think that Linus Torvalds will be more famous for creating Git than for his work on Linux.

Linux is a great example of OpenSource development and a good OS. Its impact is mainly technical and behind the scenes.

Git is a hash-based file system with built-in version control. Its impact is not only technical but social.

The more I use Git, the more I appreciate its beauty, simplicity and ability to scale while handling complex workflows.

Changing a User’s ExpiryDate from GitHub hosted file

For the cases where TeamMentor UserData is loaded from a GitHub repository, it is possible to change/manage user data directly from GitHub’s web GUI (or from a local clone of that repository).

Let’s take for example Danny’s account, which is expired at the moment (today is 4/10/2013):

AppScan Enterprise & Selenium (can you help?)

Earlier today I received this question:

"I've been looking for a way to integrate Appscan Enterprise with Selenium and noted some blog posts of yours that show integration with Appscan for various purposes.

I would like to know if you have any ideas on how it may be possible to glue together Selenium & Appscan.  I'm wishing there was a way to port Selenium to Manual Explore."

to which I replied:

Tuesday 9 April 2013

O2 Platform Fork of ManagedSpy

A while back I was trying O2Platform’s process hooking techniques and created a fork of the ManagedSpy tool which you can find at

Here are a number of PDFs that show the changes I made to the original code and how I used the FluentSharp APIs to simplify its code:

OWASP Executive Director Role (Not yet)

Following the announcement sent today to the owasp-leaders list (see below), I replied with my view that OWASP doesn't need this role today:

I think it is great that a decision to add another resource to OWASP super OpsTeam (the employees) was made, but as I said many times before I don't think that OWASP needs a CEO/ Executive-Director today.

For the record, I DO think that one day OWASP will need such position, but not today. At the moment, my view is that we should be adding resources to help our Projects or in managing the website content.

Friday 5 April 2013

Using SendGrid to send emails (with TM email logging and offline detection)

Roman just opened up the Emails are not sent consistently when they should be sent issue which I believe is caused by the fact that his test box went offline in the middle of his QA tests.

At the moment, before TeamMentor sends an email there is a check to see if the current server is offline (as shown below, the offline check is done after adding the email message to a temp Sent_EmailMessages variable, which is the one used in the TBot's View Email Messages page):

Creating QA versions of TeamMentor UserData repository, and using branches to show/test the multiple config options

Now that a number of TeamMentor settings can be configured from the UserData repositories, we need a way to test and document what can be done.

Let’s start by creating a public GitHub repository ( to hold the multiple examples/tests:

Running Customized C# code loaded from TeamMentor’s UserData repository

A really powerful feature of TeamMentor 3.3. is its ability to run CSharp Scripts included in the mapped UserData repository (script execution is powered by O2 Platform's FluentSharp APIs).

This blog post shows how it works

Thursday 4 April 2013

No SSL on Azure WebSites (maybe in May 2013?), and why SSL deployments are so hard

As with the dozen comments in the SSL and Windows Azure Web Sites thread, at SI we are also in the same situation, where we want to host a couple TeamMentor sites on Azure, but can’t do it properly without SSL.


Git pulling a TeamMentor Library and renaming it

Here is an example of how to use the new TM 3.3 capabilities to load libraries from GitHub and to rename them.

Let’s start with a version of TM that looks like this:

Tuesday 2 April 2013

To Read: A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications

This looks like a promising way to deal with CSRF:

A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications (PDF)

Proposal: Remove all commercial/non-OWASP logos from

Following the recent threads about the commercialization of OWASP, I think the time has come for a simple move, that will be a little bit painful, but will clear the water and send a nice big message of what OWASP stands for.

Remove all commercial/non-owasp-projects logos from

HubSpot current.js code includes jQuery in it

Although I’m using Angular.js on the HubSpot TBot page (see Submitting TM users to HubSpot via TBOT interface (using Angular JS) ) I’m still more comfortable/knowledgeable in jQuery, so I decided to use it to populate the HubSpot fields.

So my first action was to load jQuery at the top of the TBot page:

Pushing TBot RazorSharp page change to GitHub and Live QA server

Now that some of TeamMentor’s TBot pages are controlled via the user data repository, this post shows how a change to one of the TBot RazorSharp scripts is propagated from the local dev box into a live QA server.

Monday 1 April 2013

Submitting TM users to HubSpot via TBOT interface (using Angular JS)

Following the need to submit TM new users to HubSpot, I just created a TBot razor page (TM admin script) that uses Angular JS to get data about a particular user and populates a form that can then be submitted to HubSpot.

Here is what the Form looks like for the admin user (value provided on the url):