Tuesday, 21 April 2015

Secure coding in a SCRUM cloud (for UK Azure User Group)

Next Monday (27th of April) I'm presenting at the UK Azure User Group in London on the topic of: Secure coding in a SCRUM cloud

You can see what I presented last time (July 2013) in the Research on Azure WebSite security: Process Execution (cmd.exe, git.exe, node.exe, xyz.exe) and Folder Browsing (outside azure root) post

This time around I'm going to focus more on secure coding, real-time unit test execution, continuous deployment, static analysis, and real-time code scanning (for example Real-Time Vulnerability Feedback in VisualStudio)

Hopefully I will also have a new version of the O2 Platform to show :)

If you are around London (from 7 till 10), please join us.

You can RSVP at: http://www.meetup.com/UKAzureUserGroup/events/220849015/

Tuesday, 14 April 2015

London Hack the Curriculum - focused on the Key Stage 3 Computing curriculum (11-13 year old kids)

Check this out, https://www.eventbrite.co.uk/e/hack-the-curriculum-and-include-birthday-celebration-tickets-15351043384

This looks like a really interesting event, and a great way to help shape the next generation of coders :)

I'm planning to attend, so if you have any good ideas on how we (OWASP or AppSec industry) can help, let me know and I'll relay those ideas

Sunday, 8 February 2015

On the current OWASP Project Summit efforts (in Feb 2015)

It's really hard to create an OWASP Project Summit with the current model (with little funding, with no dedicated team, attached to a conference, etc.)

The formula that worked in the past was to start with a set budget (let's say 50k to 100k) and:
  • use those funds to make sure the key players (in this case project leaders and 'new players') are going to attend (by offering to cover all travel and accommodation expenses, while asking them if they can get their employer to pay instead)
  • hire a dedicated summit team (for that period)
  • secure a dedicated venue and summit resources
  • generate a huge amount of energy about the summit sessions (starting by inventing all sorts of sessions, until the real sessions become solid)
  • cast a very wide net of 'invitations to attend the summit' (with the vision that 'the summit is THE place to be, where all the key players will be in the same location, and where REAL work can be done')

Saturday, 24 January 2015

Real-Time code coverage in NodeJS app using Atom

Here is my current dev environment in the Atom editor, where I am able to have quasi-real-time (i.e. in about 1s to 2s) feedback on the tests executed and their code coverage

For example, here is what I see when there is a test failing:
  • note the red dots on the left (after line 44)
  • note the error message on the right (where '1.2' is not '1.3')
  • code coverage is at 92.50%

Sunday, 18 January 2015

Does your team have a Security Champion? If not, get this Mug and Library

If your dev team doesn't have an assigned security team champion, get one of these Mugs :)

Basically, that 'Security Expert' Mug should represent the fact that, at the moment, when a developer has an Application Security question he might as well ask the dude on that Mug for help :)

I also like that it reinforces the idea that, for most developer teams, just having somebody assigned to application security is already a massive step forward!!

Saturday, 17 January 2015

Thinking and coding in Graphs, some screenshots of last 6 months

In the past 6 months I have been working on TeamMentor 4.0 (new version), which is based on a graph database and written in node.

I was cleaning up my desktop today and found the images below, which represent the multiple experiments I have been doing with ways to visualise the content data we have.

This is quite a raw dump, but if you would like some descriptions of what each one means (and believe me, each one has a nice story behind it), let me know and I'll write more about them

Sunday, 11 January 2015

So why can't I in 2015 write a post in Blogger using Markdown (and paste screenshots)

I just wrote this [Atom Editor] How to run tests from a loaded package using GitHub's Issue UI, and it was a great writing experience (and a real-time preview like Discourse's would have made it even better)

But I can't post it here!!! Because Blogger does not support markdown!!!

Talk about not keeping up with the pace of innovation

What this really means is that I'm getting closer and closer to moving this blog to another platform (the question is which one?)

Thursday, 8 January 2015

FluentSharp, FluentNode or NWR need your help

If you are into C#, take on an issue from https://github.com/o2platform/FluentSharp/issues

If you are into NodeJS, take on an issue from https://github.com/o2platform/FluentNode/issues

If you are into Chrome or Selenium, take on an issue from https://github.com/O2Platform/nwr/issues

Thanks :)

Achieving 98% Code Coverage, by running mocha Web Automation Tests in Chrome (from WebStorm)

Here is what the highly productive Node + Chrome TDD test environment (that I use every day) looks like when executing the TM_4_0_QA UI Automation tests

This is the setup that allows me to have 98% to 100% code coverage (see The quest for 100% Code Coverage, the 96cc idea and 'apps with low CC must be insure' for more details)

The Chrome window on the right is powered by O2 Platform's NWR project

The use of WebStorm is not required for the tests to run, since the same result can be achieved by running npm test from the console.

Video: Running mocha Web Automation Tests in Chrome (from WebStorm)

Thursday, 1 January 2015

The quest for 100% Code Coverage, the 96cc idea and 'apps with low CC must be insure'

I've spent the last day improving the UnitTest coverage of TM_4_0_Design and, since this codebase has been developed with a nice TDD workflow, after a bit of code-cleanup and refactoring I was able to achieve 100% Code Coverage :)

Saturday, 27 December 2014

Updated FluentNode's description (now aligned with Functional Programming)

You can see it at https://github.com/o2platform/FluentNode and it looks like this:

There is also a new documentation site at http://o2platform.com/fluentnode

Please take these for a test drive and let me know what you think of it

Tuesday, 9 December 2014

Node + Chrome TDD test environment (finally got it to work)

In the past 3 months I've spent countless hours (and a good number of weekends) trying to figure out a better way to TDD node and JS, and I finally got it to work:

Monday, 1 December 2014

Node-Webkit REPL with support for Chrome's WebDriver

I needed to write some Selenium WebDriver scripts and, since I couldn't find a good REPL for it, I wrote this one in the last couple of days:

I'm actually really happy with how it turned out:

See https://github.com/o2platform/webkit-repl for the execution instructions, the code and more screenshots

This UI is based on https://github.com/rogerwang/node-webkit and the selenium/webdriver integration is provided by https://github.com/admc/wd

Sunday, 23 November 2014

Chrome OS is now running under a 64 bit CPU

While following the Node and NPM on Chromebook (Chrome OS) blog post on how to set up Node, I had the same problem as some of the users that posted a comment: I was getting a 'cannot execute binary file' error when trying to run the binary files downloaded from Archlinux.

This can be confirmed by running uname -m (one of the ways to check whether a Linux OS is 32-bit or 64-bit), which should return x86_64.

This means that the links provided in that post should be changed from:

Running git, node, python, make and levelgraph on Chrome OS (inside a ChromeBook)

After creating the Chrome REPL extension, I was curious if it would run under Chrome OS on a ChromeBook. To try it out, I was able to get my hands on a Dell ChromeBook 11, and it was nice to see that it worked perfectly.

While using the ChromeBook I was thinking that if I was able to run (tools like) git, node and LevelGraph (which is needed for my current dev focus at SI: TM_Graph_DB) I would have a really portable development environment (especially for running longish batches of Unit Tests).

After a bit of Linux fiddling, I was able to get it working, and here is a screenshot of the final result:

Friday, 21 November 2014

Chrome REPL (first O2 Platform Chrome Extension)

I was doing some browser automation and it was driving me crazy that I was not able to easily write code directly in Chrome. Basically, what I needed was a Chrome REPL and, since after looking for one I couldn't find one that suited my needs, I decided to write one :)

It was quite easy to write (about 1 day's work) since Chrome is quite an easy platform to develop for.

You can get this extension from the Chrome Web Store or from the Chrome-REPL Github repo (you can install from the code if you enable 'developer mode')

Here is how to install it from the Web Store and run a couple of the provided test scripts

Saturday, 15 November 2014

Question about ESAPI for .NET

I was asked recently about 'ESAPI for .NET?' (by XXX, who is an SI customer) and here was my reply
Hi, unfortunately there isn't a simple answer/solution for your question

I would definitely not recommend using any of the ESAPI libraries, especially the .NET one, since that is not even in a workable state.

The best security controls out there are actually the Microsoft ones, which when used in secure ways, do provide a lot of security (for example Razor now encodes by default which does a lot to prevent XSS). On the topic of XSS, the Microsoft AntiXSS library is really good, and is now part of .NET 4.5.

FluentNode API - please help

I've been working on a Fluent API for node which you can get from https://www.npmjs.org/package/fluentnode

It is basically a large number of JS prototype functions (written in coffee-script) which try to simplify node development, improve developer productivity and make the code more readable.

It's still early days, but there are already a good number of APIs in there (and all are covered by UnitTests)

I would love to get some feedback on the current APIs (and other APIs to add)

Reddit thread

Monday, 1 September 2014

O2Platform question on 'Interactive development with Visual Studio'

Here is a reply I posted today to the O2 Platform Mailing list regarding a question about 'How to use O2 inside VisualStudio and WPF support' (with lots of links to code samples and blog posts)

Hi Chris, I'm glad you found the O2 Platform, especially since it looks like it already has the main features you are looking for :)

The key concept used across the main O2 Platform (and FluentSharp) APIs is the REPL (Read Eval Print Loop), which should be very common to you (btw you can run .Net's version of Lisp via this O2 script: Util - Clojure-clr REPL (Lisp).h2)

Saturday, 23 August 2014

Friday, 15 August 2014

OWASP O2 Platform 5.5 - RC1, please give it a test drive

Just pushed to bintray the latest version of the O2 Platform (v5.5).

I'm calling it RC1 (Release Candidate 1) so that it can be given a good test drive before I update the main O2 Platform download and links.

This version is distributed as a zip, since there were a couple of issues with the auto-extraction of the stand-alone exe version (used in the 5.3 version).

So please download the 16Mb O2_Platform_5.5_RC1.zip, unzip it into a local folder, and execute the O2 Platform 5.5 - RC1.exe file:

Sunday, 10 August 2014

Just used bintray.com to publish a number of O2Platform/FluentSharp stand-alone exes

I just tried BinTray (see https://bintray.com/o2-platform) as a platform to host exe/binaries/release files, and I have to say that it was a great experience.

Ever since I added to the O2 Platform and FluentSharp the ability/feature to package O2/H2 scripts as stand-alone exes, I've been trying to find a nice place to host them (since there are dozens, if not hundreds, of mini-tools that I want to publish).

For a while I used DropBox, but not only was that not THAT practical, DropBox also never gave me any stats. Even worse, DropBox started blocking the downloads (saying 'too much traffic on this account') but was not able to tell me which files were causing the problem!!

The good news is that BinTray.com seems to work perfectly for publishing these O2 Platform created tools.

To see this in action and download one or more of these tools, open https://bintray.com/o2-platform/O2-Tools

Extract from my SANS Interview on Application Security (in 2007)

While trying to find a link to the SANS What Works 2007 conference (where I presented Inconvenient Truth(s) on Application Security) I found this Interview on the Interweb, which contains a number of responses that I want to capture on this blog. That page might disappear one day (just like the SANS conference page from 2007), and most comments are still relevant today (Oct 2014)

Here is an extract of the interview I did with Stephen Northcutt on June 11th 2007 (see full version here):