Monday 30 September 2013

Java Tainted Strings

At AppSec EU Steven van der Baan approached me with the great idea of seeing if we could do an open source implementation of Java Tainted Strings.

The idea is to (somehow) add metadata to the java.lang.String object and allow an App (or APIs) to taint a string (i.e. mark it as 'potentially malicious') and to modify that App/API's behaviour based on tainted information (for example "don't execute an SQL statement if its sql command string is tainted")

There is still a lot of thinking that needs to happen on this idea, and we are currently in the 'pre PoC' stage.

Physical Books are the best technology for reading, and bookstores should 'give' an eBook with every physical book published

I just bought 5 books at a really nice book store in central London and it is amazing how:
  1. these bookstores are still afraid of the digital world 
  2. don't have the confidence to say: 
      "... If you buy a physical copy, we will give you (or sell for 10%) the eBook version. 

       ... the reason we 'give' you the eBook, is because the 'real' book is much better, but there are places were you might want to use the eBook.."
This is something that I already talked about it in my Why doesn't Waterstones (UK BookStore) also upsell kindle books? post (which has more ideas on what bookstores should do to provide a better service to readers).

Saturday 28 September 2013

Script to Git Clone 13 repositories in order to have all TeamMentor Libraries in one folder

Part of the push for the 3.4 release of TeamMentor, I wanted to have a copy of all TeamMentor libraries locally (there are 13 libraries on the 3.4 release).

Since O2 Platform’s FluentSharp has native Git support, I was able to do create the clones using this script (note how simple it is to create a clone from a GitHub repo):

Friday 27 September 2013

Using TeamMentor Checkmarx proxy to scan a vulnerable PHP application inside Eclipse

Michael Hidalgo has posted a really nice article which shows:

  • an PHP app, 
  • inside Eclipse,
  • scanned by Checkmark's SAST,
  • with security guidance provided by TeamMentor

Check it out at :

The Open Web Interface for .NET (OWIN) and Katana

Definitely need to take a look at this: (anybody used it?)

Here is its hello world example:

A quick skim of that article showed that they were inspired by Rack and Node.Js , which can't be a bad thing :)

Wednesday 25 September 2013

Should developers code naked once a week? (or in a mankini?)

That way developers (or managers) would have more 'empathy' with the 'naked' state of the applications they are developing and publishing :)

I got this idea, following from this comment/suggestion on Guidelines of OWASP:

Tuesday 24 September 2013

Reaching out to Developers, Aspect is doing it right with Contrast

UPDATE: I got the dates wrong when I posted this. The Contrast blog post and presentation are from 2012, it is the award that is from 2013:

In case you missed it OWASP's long time contributor Aspect Security were at Java One conference in presenting their (commercial) product Contrast.

I was not there, but from the noises I'm hearing it was quite a successull event, with lots of developers reached.

Here is a cool picture from their Contrast @ JavaOne post (which contains a link to their presentation (also embedded below));

Monday 23 September 2013

Chaos Computer Club breaks Apple TouchID (the bad idea that is fingerprint biometrics and 'its cool to hack Apple now')

Well it didn't took long: Chaos Computer Club breaks Apple TouchID

For me the key statement of that post is: "We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token"

I have to say that I have never been involved in designing or testing fingerprint biometrics, but I always had this voice in the back on my head saying "...humm... it really doesn't sound good the idea that the security ID cannot be changed, and once that ID is stored in digital format, there is nothing that can be done to prevent its reuse...."

OWASP Flight Booking using Amex and Project's Mini-Summit at OWASP AppSec USA 2013

I just booked my flight using the new OWASP 'Amex travel' partnership and it was a great experience

Guidelines of OWASP

OWASP got a great quote on this EU Regulations document which is aimed at laying down technical specifications for online collection systems pursuant to Regulation (EU) No 211/2011 of the European Parliament and of the Council on the citizens’ initiative)

Wednesday 18 September 2013

Video: Coding WebInspect in real-time to Inject Fortify Plugin Views

Here is a detailed video that shows the multiple steps required to inject windows originally hosted in Eclipse (Java process) into WebInspect (.NET process).

Of course that this workflow could be automated using a script, but I hope that the video below helps to explain how it is actually works, and how windows are hijacked from one process into another:

Two Videos showing TeamMentor Eclipse Plugin integration with Fortify Eclipse Plugin (as shown in HP Protect 2013 conference)

Here are main videos shown at the HP Protect 2013 conference.

This is our first working version of an TeamMentor Eclipse plug-in that is able to show security guidance natively on Eclipse.

Injecting Fortify Eclipse Plug-in Views into Notepad and WebInspect (and key difference between Fortify content and TeamMentor content)

Following from Opening up a native Chrome Browser window inside Eclipse (raw version) and Injecting HP Fortify Eclipse Plug-in Views into HP’s WebInspect UI  here are a couple more examples of how to reuse Fortify Eclipse Plug-in Views into other processes.

Example 1: WebInspect with Fortify and TeamMentor (inside Chrome)

Injecting HP Fortify Eclipse Plug-in Views into HP’s WebInspect UI

Using the O2’s Win32 Window Hijacking capabilities (see also Opening up a native Chrome Browser window inside Eclipse (raw version)) , here is a PoC on how to inject a couple Eclipse Views from the HP Fortify Eclipse plug-in (which is Java app running under an JVM) into the HP WebInspect UI (which is .NET app running under an CLR).

The power of this PoC is to show that we can have the best of both worlds and show security consultants and developers the best possible environment/UI for them to analyze, review and fix security vulnerabilities.

Opening up a native Chrome Browser window inside Eclipse (raw version)

On the Win32 Window’s Hijack theme, here is a raw version of how to show an actual Chrome browser window inside an Eclipse view (ie. a window from a C++ process inside a JVM-based Process).

Using the Groovy execution capabilities described in the Programming Eclipse in Real-Time (using an 'Groovy based' Eclipse Plug-in) post, in Eclipse, I start by creating an instance of a SWT panel and get its handle:

Using IKVM on a Apache Derby Database

After creating the .Net version of the Derby dlls using:

Saturday 14 September 2013

No more UFOs :)

Great post from Seth: Cell phone cameras repel UFOs which points to this XKCD cartoon:

On the topic of 'devices' being carried by everywhere, I wonder how long until we'll find out how easy it is (or not) for 3rd parties (NSA, criminals, etc...) to remotely enable a mobile/laptop microphone and push the captured data (in real-time or not) into an external location :)

Microsoft should sell Fully Patched Windows XP licenses (or open source it)

Microsoft should sell Windows XP because its newer operating systems should be so much better than Windows XP that its customers would be happy to buy the newer versions.

May the 'Farm' be with you - Grocery Store Wars (2005)

This is a funny video from 2005 which talks about a very important topic in a really cleaver way

Wednesday 11 September 2013

Running Groovy natively in .NET using IKVM

I’m really getting into Groovy (see also Programming Eclipse in Real-Time (using an 'Groovy based' Eclipse Plug-in)), but one problem is that Groovy runs natively on the JVM!

And although I could use Jni4Net to create a bridge between a JVM and the CLR, it would be much nicer if I could write Groovy scripts under the CLR (with live access the FluentSharp APIs and O2 created objects).

And by using IKVM I was able to do exactly that :)

I was able to convert the main Groovy jar JVM bytecode into .NET CLR bytecode, and evaluate Groovy scripts directly in C# (i.e. without a JVM loaded in the current process). For more O2 usage of the amazing IKVM API's see Util - O2 Java Tools (IKVM Based) v1.0 

Evaluating an Groovy script in .NET:

After created the groovy-all-2.1.6.dll .Net IKVM dll (see Appendix 1) Creating groovy-all-2.1.6.dll below), I was able to consume it (in O2’s C# REPL) like this:

Consuming password protected TeamMentor Articles using REST GET APIs (and creating mini-tool to view article's data)

As described by the TeamMentor’s CX integration requires TM instance that is serving the content to be open to anonymous access issue, there are times when programmatic access is needed to password protected TeamMentor articles.

Let’s take for example the Add Unique Tokens to HTTP Requests Using ESAPI article, which has the 7d647e95-e47f-42e3-bb84-fd0dd727245c GUID, and can be opened directly at (free account is needed to see that link)

Tuesday 10 September 2013

Example of using GitHub Pull Requests to merge changes made on Branches

After the fixes explained in the Git Flow - Moving patches from one Commit into another Commit  post and the reset of the TeamMentor 3.4 branch, Michael reapplied his other changes/fixes to the correct 3.4 commit, and I’m now in the process merging his Pull Requests into the 3.4_Release branch (and eventually into the master branch).

This post walks through my current workflow.

At the moment there are a number of Pull Requests to process:

Saturday 7 September 2013

Do you use the O2 Platform? (and O2 page at

I just updated the O2 Platform project page at OHLOH see and if you use it, please register your interest :)

Note that the stats only include the main O2 Platform code and the commits made to GitHub (the multiple O2 Forks and past SVN stats are not there)

Thursday 5 September 2013

Git Flow - Moving patches from one Commit into another Commit

This (longish) post will cover detailed git workflows and is part of the series of blog posts that show how we use the Git Flow workflow to manage TeamMentor's source code (you will also see practical applications of GitHub's powerful  of powerful features like Network Graphs and Pull Requests).

The key problem that we are going to solve, is the situation created by Michael Hidalgo’s TeamMentor fixes/commits/branches that were done against an commit (38bfcd54d8046372c0ace2409324ecc965761504) which was originally planed to be part of the next release, but we decided that the next 3.4 Release of TeamMentor will be based on the current 3.3.3 version (with is based on the earlier commit: b97a470ffa173d67a9c74373593eea03eb7a2da4).

The key reason is that he  38bfcd54d8046372c0ace2409324ecc965761504 commit (currently the parent of Michael’s fixes/branches) is not stable and is going now to be the basis of the 3.5_Release (this code contains a number of big changes which need more TLD and testing: native ASP.NET MVC routing, better Git support, native Markdown editor, depreciation of HTML WYSIWYG editor, and more)

In a nutshell, we need to re-apply Michael’s bug fixes to an earlier commit than the one used (i.e. backport those commits).