Wednesday 27 November 2013

TeamMentor Plugin and Builder v1.5.6 (Source Code and Eclipse Update site)

TLDR: open Eclipse and install the plugin from: http://eclipse-plugin-builder.azurewebsites.net

I just updated the TeamMentor_Eclipse_Plugin repo with the latest version of this plugin (take a look at the develop branch which is in sync with the develop branch in my dev fork).

This code is now Open Source (see SI Open Sources the Eclipse Plugin-development toolkit that I developed for TeamMentor), so feel free to take a look, fork it and figure out how to use it.

Executing two H2 scripts after compiling them

Sometimes you want to reuse a script that already exists, for example to have multiple copies of it running at the same time (great for fuzzing or load testing).

Here is a simple example (from the TeamMentor UnitTest/Tools collection) that does exactly that:

Util - Browse TeamMentor Libraries.h2

Here is another simple tool that allows for a quick browse of TeamMentor Articles (download exe from: Util - Browse TeamMentor Libraries v1.0.exe )

The objective of this tool is to show how to mass-consume TeamMentor Articles. If you look at the code you will notice that all metadata is downloaded locally, so that after an initial delay all navigation happens in real time (with the articles being downloaded on demand).

Note that there is a more advanced version of this tool (called Library Manager), but for local access and quick views of TeamMentor Libraries, this is quite a nice tool:

No OWASP app on the OSX AppStore (Nov 2013)

Definitely a missed opportunity here :)

What types of App should exist?

At least we should have a couple that expose OWASP materials (books, wiki pages), projects and events.

I will be a happy guy when this page doesn't look like this:

Monday 25 November 2013

Script to create stats from TeamMentor Libraries

While creating a better tool to manage the new 'TeamMentor Researcher Programme' (more details later today), I am updating the https://github.com/TeamMentor/UnitTests/ scripts to the latest versions of TeamMentor (3.4) and the FluentSharp APIs (5.3).

Amongst the scripts/APIs I'm fixing there is Calculate TM article totals.h2, which I created a while back when we needed to know the size of TeamMentor articles for translation (btw, if you speak Japanese, a version of TM in your language is almost done).

Here are the stats of the current version of TM:

Sunday 24 November 2013

SI Open Sources the Eclipse Plugin-development toolkit that I developed for TeamMentor

For the past couple of months I have been working on an Eclipse plug-in for TeamMentor (see Programming Eclipse in Real-Time (using an 'Groovy based' Eclipse Plug-in), Opening up a native Chrome Browser window inside Eclipse (raw version), Injecting HP Fortify Eclipse Plug-in Views into HP’s WebInspect UI and Two Videos showing TeamMentor Eclipse Plugin integration with Fortify Eclipse Plugin (as shown in HP Protect 2013 conference)).

I had a number of culture shocks coming from a C#/VisualStudio/O2Platform/REPL world into a Java/Eclipse one. The biggest one by far was the loss of the 'semi-real-time' code execution that I have in Windows/C#. I used the O2 Platform REPL (and the Resharper+NCrunch VS plugins) to have a proper TDD development mode (i.e. high effectiveness and productivity), and in the Eclipse world (especially in plugin development) I had a 10 to 30 sec delay before seeing the result of any code or UnitTest execution! (which is 95% slower than what I was used to)

So, as I guess is typical of me, I didn't just create an Eclipse Plugin. I created an 'Eclipse Plugin to create/develop Eclipse Plugins' (think of it as a 'Groovy-based Eclipse Plugin where the Groovy scripts have access to the Eclipse Objects of the Eclipse instance running those Groovy scripts') :)

4 Million USD to build a secure Operating System to run Secure websites?

Is that too expensive or a great investment?

Well ... I met a great friend at AppSec USA who already built a secure OS (based on Open Source technology) years ago, in a company that failed (i.e. went bust at great personal cost). He is one of the cleverest guys I know, and he and his team built (at the time) an OS that powered a very high-profile and targeted website that was NOT compromised.

The only catch is that their previous effort was done under a 'closed software' platform, and my view is that such a creation needs to be done under an Open Source model. This would allow the code to be peer reviewed and checked. Just like crypto, a secure OS needs to have the highest degree of assurance.

And since we can't really have a 'Secure Website' without a 'Secure OS', I'm sure we will see multiple 'Secure OSes' in the future. My only doubt is whether my friend's creation will be one of them.

So how did I get to the 4 Million USD value?

Friday 22 November 2013

Just disabled AdSense for this blog

I was curious about how it was going to work out, but never really liked the idea of exposing readers to ads.

And since I want to move to a static-site blog as soon as possible (maybe something like docpad), it was just a matter of time.

Friday 15 November 2013

I'm doing the 'Survival of the Fittest' (please sponsor if you can)

Sarah and I have been offered last-minute places to take part in a race called 'Survival of the Fittest', to raise money for the Philippines.

We have decided to go for it with very little preparation because we are raising money for a really important Philippines charity and the disaster relief fund, splitting the funds 50/50.

If you haven't already made a donation to the disaster appeal then please consider sponsoring us.

The charity already sponsors some of the poorest children in Manila, and they are now suffering from the recent typhoon.

Friday 8 November 2013

Presenting at OWASP Turkey Chapter on Sat 10th of November (on Secure Continuous Delivery)

If you happen to be in Turkey this weekend, there is a great OWASP event happening tomorrow, where I'm also presenting on "Secure Continuous Delivery: Developer’s Immediate Connection to What They’re Creating".

This is basically going to be a review of the O2 Platform and development work I have been doing for the past years (namely in trying to automate application security knowledge).

Wednesday 6 November 2013

Video for: "Using the O2 Platform to Automate Application Security Knowledge and Workflows"

As per a request from Samantha and Kate, I did an OWASP webcast on Nov 6th about the O2 Platform, and here is its video:

Tuesday 5 November 2013

Updating my bio description (as of Nov 2013), now more 'developer focused'

My current bio is quite a bit out of date and it looked like this:
    Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development. For the past years Dinis has focused on the field of Static Source Code analysis; from May 2007 to Dec 2009 he worked as an independent consultant for Ounce Labs (bought by IBM in July 2009) where, during active security engagements using Ounce's technology, he developed the Open Source codebase which is now the foundation of the OWASP O2 Platform. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is also an active trainer on .Net security, having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences. At OWASP, Dinis is the leader of the OWASP O2 Platform project.
This was used in a number of places I presented recently (for example http://appsecusa2013.sched.org/speaker/dinis.cruz) and it is not an accurate representation of what I'm currently focused on.