Saturday, 25 May 2013

Creating o2platform.com website using GitHub Pages (with screenshots of all design options)

In order to set up a site for the http://o2platform.com domain, I just used GitHub Pages to create and publish a brand new site.

This is what it looks like:


What do you think? 

Please see below the other design options and let me know if I made a mistake. Also, if you want help in editing this site, ping me with your GitHub account and I'll give you push access (or fork the o2platform.github.com repo and send me pull requests).

Using FluentSharp APIs to refactor C# TreeView sample

While reading reddit's r/csharp I saw the "Can anyone help me answer a quick question about treeview?" thread, which asked this question:



Creating a GitHub Fork in order to commit changes to PartyCraft

After posting Minecraft In-Game C# REPL I was curious about how it worked, so I quickly created a local clone of the https://github.com/SirCmpwn/PartyCraft repo and opened up the main Solution file in VisualStudio 2010.

PartyCraft has a couple of submodules, so the VisualStudio load process had a couple of missing projects.

The problem is that after updating the two required submodules, the project references/paths were still wrong.

The fixes were easy (path changes and re-adding the references), and once done they allowed the C# based Minecraft server to fire up OK.

But this meant that my local clone was out of sync with GitHub, and since I didn't have push privileges into the main PartyCraft repo, I needed to push my changes into my own fork.

Friday, 24 May 2013

Embedding O2 Platform Mailing list in this blog

While looking at the Google Groups options for the new O2 Platform mailing list I found an 'Embedding your Group' option, which I decided to try on this blog.

And the result is quite interesting.

You can see it in action here (or by clicking on the O2 Platform Mailing List link above) and it looks like this:

Minecraft In-Game C# REPL

This is really cool: I just saw on this reddit thread the video below, which shows a REPL inside Minecraft.

This is part of a Minecraft server written in C#:


Should we use Bayesian or Neural Networks for SAST? yes, but not yet (we are not ready for it)

The super sharp OWASP Leader Johanna Curiel, while trying to get her head around the O2 Platform, asked me earlier today:
    in your research, have you tried static code analysis using any form of artificial intelligence such as Bayesian or neural networks?

    let me know; while I was studying, I was researching this stuff. I just would like to hear from you if you had any experience with this
The short answer is NO, I have not really looked at Bayesian or Neural Networks for SAST (Static Analysis).

The longer answer is that we don't need it (yet), since there are many bigger limitations of the current SAST technology and tools which we need to solve first before we look into that type of advanced analysis and techniques.

Thursday, 23 May 2013

Sarah Baso as OWASP Executive director, how it broke the model, structure and culture of OWASP employees

(note: I don't have a lot of time to write the detailed analysis that I wanted to do, but as time is passing by, I wanted to go on the record with my thoughts on what happened. So think of this post as a brain dump of my views on this important topic for OWASP)

On April 8th the OWASP board announced that OWASP Creates Executive Director Position.

My view at the time (and still is) was 'OWASP Executive Director Role (Not yet)', especially because:
    What we need are another Kate, Sarah, Kelly or Samantha, they still work FAR too much for OWASP and my worry is that they will implode one day. Not sure that they need a boss to tell them what to do, if anything I would delegate to them the powers currently 'assigned' to the Executive Director.
What happened next surprised most OWASP leaders, since a couple of days later the OWASP board announced that Sarah Baso would become OWASP's new Executive Director.

Why should a company open source one of their products? and what is the business case?

If you were asked by a friend to help him make the business case to open source a product created by his company, how would you answer?

The scenario is a company that has a couple of products and feels that it is not able to spend significant time and resources on one of them.

My answer was to 'just do it and push the support + maintenance efforts to the community'

Here are some links to good articles on Open Source business models:

Trying Google Groups as the OWASP O2 Platform mailing list

This is something that some OWASP project leaders have talked about/tested in the past, so to try it I moved the current mailman-based O2 list to the new Google Groups (which looks much better than a couple of years ago).

How TeamMentor creates SHA256+PBKDF2 password hashes and stores them in XML files

In version 3.3 of TeamMentor there was a significant change in how the user's password hash is submitted and stored.

In version 3.2, we used a SHA256 hash of "username+password" (created either on the client (browser) or on the server), which was stored in the user's XML file (a serialization of the in-memory user object).

Although we never stored the user's password on disk (in fact, in most cases we never even sent it to the server), due to advances in processing power and credential brute-force attacks, in 2013 that is no longer a secure way to store passwords.

After some threads (see the "TM stores passwords insecurely" issue), it was agreed that a solution based on PBKDF2 should be used.
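To make the 3.2 versus 3.3 difference concrete, here is an added C# example (not TeamMentor's own code) of the PBKDF2 scheme described above: a per-user random salt and an iteration count are stored beside the PBKDF2-HMAC-SHA256 output, the record is round-tripped through XmlSerializer the way a user XML file would be, and verification uses a constant-time comparison. The TMUser class, the field names, the 16-byte salt, the 32-byte output and the 100,000 iteration count are all assumptions chosen for illustration; the code targets .NET Core 2.1 or later, where Rfc2898DeriveBytes accepts a HashAlgorithmName and CryptographicOperations.FixedTimeEquals exists. The legacy unsalted hash is included only for contrast.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Xml.Serialization;

// Hypothetical, trimmed-down user record: the real TeamMentor user object has more fields.
public class TMUser
{
    public string UserName { get; set; }
    public string PasswordSalt { get; set; }   // base64, unique per user
    public string PasswordHash { get; set; }   // base64, PBKDF2-HMAC-SHA256 output
    public int Iterations { get; set; }        // stored next to the hash so it can be raised later
}

public static class PasswordHasher
{
    const int SaltBytes = 16;
    const int HashBytes = 32;
    const int DefaultIterations = 100000;      // illustrative; tune so one derivation costs ~100 ms on the server

    // 3.2-era scheme, shown only for contrast: an unsalted SHA256 of "username+password" is fast
    // to brute force and lets identical credentials produce identical hashes across installations.
    public static string LegacyHash(string userName, string password)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(userName + password)));
    }

    // 3.3-style record: fresh random salt, work factor stored with the hash.
    public static TMUser Create(string userName, string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        return new TMUser
        {
            UserName = userName,
            PasswordSalt = Convert.ToBase64String(salt),
            Iterations = DefaultIterations,
            PasswordHash = Convert.ToBase64String(Derive(password, salt, DefaultIterations))
        };
    }

    // Re-derives with the stored salt and iteration count; compares in constant time.
    public static bool Verify(TMUser user, string password)
    {
        var salt = Convert.FromBase64String(user.PasswordSalt);
        var expected = Convert.FromBase64String(user.PasswordHash);
        var actual = Derive(password, salt, user.Iterations);
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }

    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }
}

// Serialization to/from the per-user XML file.
public static class UserXmlStore
{
    static readonly XmlSerializer Serializer = new XmlSerializer(typeof(TMUser));

    public static string ToXml(TMUser user)
    {
        using (var writer = new StringWriter())
        {
            Serializer.Serialize(writer, user);
            return writer.ToString();
        }
    }

    public static TMUser FromXml(string xml)
    {
        using (var reader = new StringReader(xml))
            return (TMUser)Serializer.Deserialize(reader);
    }
}

class Demo
{
    static void Main()
    {
        var user = PasswordHasher.Create("alice", "correct horse battery staple");
        var xml = UserXmlStore.ToXml(user);   // this is what would be written to the user's XML file
        Console.WriteLine(xml);

        var loaded = UserXmlStore.FromXml(xml);
        Console.WriteLine(PasswordHasher.Verify(loaded, "correct horse battery staple"));
        Console.WriteLine(PasswordHasher.Verify(loaded, "wrong password"));
    }
}
```

Storing the iteration count with each record is what makes the work factor upgradable: on a successful login the server can re-hash with a higher count and rewrite the XML file, without ever needing the plaintext outside that request.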

Wednesday, 22 May 2013

Upgrading the 'TeamMentor View Library Links Status’ tool to 3.3

One of the tools I developed during the 3.2 release was a Windows tool that allowed the analysis and mapping of broken links in a TeamMentor library.

This tool is similar to the one I showed in this video and is on the https://github.com/TeamMentor/UnitTests repository:

Tuesday, 21 May 2013

[Great post] Git: Who cares about branches? It’s all about collaboration and code reviews

This is a great explanation of the power of Git: Who cares about branches? It's all about collaboration and code reviews

Here is the author's TL;DR:

TL;DR: Using Git has made our team much better by removing barriers to collaboration and code reviews. Those are the real Git benefits, not specific features like fast branches.

I completely agree, and it is the ability to easily review code (and send code back for a rewrite during pull requests) that really makes git powerful :)

On this topic, also read Great presentation on Git Branching (very similar to the model we are using in TeamMentor).

Sorry about some of the recent reposts

I was just trying to see if I could get TwitterFeed to pick them up (since it automatically pushes blog updates to Twitter), but that wasn't working.

The root cause was the FeedBurner failure that happened on this blog.

I'm stopping now since it is clearly not working (saving as draft and changing the post date didn't work in Blogger and http://twitterfeed.com).

Offline copy of the entire NuGet.org gallery. What should I do with these 4.05 GB of amazing .Net Apps/APIs?

As you can read in the posts below, I was able to create an offline copy of the entire http://nuget.org/ gallery (as of the 4th of May).

Downloading the entire NuGet package database

When I was having the serialization problems described in Saving the entire list of NuGet Packages, I realized that adding a NuGet IPackage (retrieved from the GetPackages() method) to a SharePackageRepository will also download the actual packages :)

Saving the entire list of NuGet Packages

Following from Retrieving NuGet packages programmatically using NuGet.exe classes (not command line), here is the script that downloads and saves the raw HTTP responses (from the requests the NuGet API uses to get them).

Retrieving NuGet packages programmatically using NuGet.exe classes (not command line)

Following from Consuming NuGet programmatically outside VisualStudio (downloading the list of packages), here is how I was able to consume NuGet.exe directly and create a strongly-typed NuGet Packages object.

I started by opening up NuGet.exe in ILSpy to see what its Main method is doing:

Consuming NuGet programmatically outside VisualStudio (downloading the list of packages)

I wanted to write an O2 Script today that consumed a NuGet package, and was annoyed by the fact that there doesn't seem to be an easy way to just download and consume the DLLs directly (i.e. without VisualStudio).

I did a quick search, and although it looks like I'm not the only one with this problem, there isn't an easy solution out there:

So the solution was to add support for it to the O2 Platform :)
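The four NuGet posts above (consuming the feed outside VisualStudio, using the classes inside NuGet.exe, saving the package list, and downloading the packages themselves) all rest on the same small API surface, so here is one added C# example (not the O2 Platform's script) that walks it end to end: open the gallery as an IPackageRepository, enumerate GetPackages() as an IQueryable, install each package into a local folder through PackageManager, and record a SHA-256 of every downloaded .nupkg so the offline copy can later be checked for tampering. It assumes a reference to the NuGet.Core 2.x assembly (the classes NuGet.exe is built on), the v2 OData feed URL and the mirror folder path are assumptions, and the Take(50) is only there to keep a test run short.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using NuGet;   // assumption: NuGet.Core 2.x, the library NuGet.exe itself is built on

class NuGetOfflineMirror
{
    // Assumed values: the v2 OData feed and a local folder for the offline copy.
    const string FeedUrl = "https://www.nuget.org/api/v2";
    const string MirrorDir = @"C:\nuget-mirror";

    static void Main()
    {
        Directory.CreateDirectory(MirrorDir);

        // Same repository abstraction NuGet.exe uses; the URL decides whether it is remote or local.
        IPackageRepository remote = PackageRepositoryFactory.Default.CreateRepository(FeedUrl);
        var manager = new PackageManager(remote, MirrorDir);

        // GetPackages() is an IQueryable over the OData feed, so Where/OrderBy/Take run server-side.
        var latest = remote.GetPackages()
                           .Where(p => p.IsLatestVersion)
                           .OrderBy(p => p.Id)
                           .Take(50)   // remove Take() to walk the whole gallery
                           .ToList();

        // Installing an IPackage into the local PackageManager is what triggers the .nupkg download.
        using (var manifest = new StreamWriter(Path.Combine(MirrorDir, "manifest.txt")))
        {
            foreach (var package in latest)
            {
                manager.InstallPackage(package, ignoreDependencies: true, allowPrereleaseVersions: false);
                manifest.WriteLine("{0} {1} sha256={2}", package.Id, package.Version, Sha256Hex(package));
                Console.WriteLine("mirrored {0} {1}", package.Id, package.Version);
            }
        }
    }

    // Hash of the package bytes as received; compare against this before consuming the mirror later.
    static string Sha256Hex(IPackage package)
    {
        using (var sha = SHA256.Create())
        using (var stream = package.GetStream())
            return BitConverter.ToString(sha.ComputeHash(stream)).Replace("-", "").ToLowerInvariant();
    }
}
```

The manifest is the part worth keeping alongside the 4 GB: an offline copy of a public gallery is only as trustworthy as your ability to show that the DLLs you later load are the ones you downloaded, and a per-package hash recorded at mirror time is the cheapest way to get that.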

'How to start using the O2 Platform and its scripting capabilities?' (and how I used the O2 Platform to solve a hard integration problem in May 2013)

A question I get regularly is 'how to start using the O2 Platform and its scripting capabilities?' 

And although there are a large number of blog posts about O2 out there (see here and here), there isn't a good number of 'where do I start' and 'how is O2 used in the real world' examples (hint: I could do with some help on the O2 Documentation :) )

So to help answer this question, I just posted (grab a coffee first) Using AST to programmatically create a Proxy class for a WSDL webservice (in this case HacmeBank and Checkmarx ASMX), which contains links to a series of blog posts that explain how I used O2 this past week to solve a hard problem and create a nice innovative solution.

For your convenience here are the links:

(grab a coffee first) Using AST to programmatically create a Proxy class for a WSDL webservice (in this case HacmeBank and Checkmarx ASMX)

For this past week I worked on a way to intercept and change data returned from a C# ASMX web service (exposed via a WSDL).

After trying multiple options (including PostSharp), I found a way to:

Programmatically use AST C# generation (from ICSharpCode.NRefactory and the O2 Platform's FluentSharp.REPL APIs) to:

  • create a 'proxy' C# class of an ASMX with the same exposed web methods as the original one
  • by default, have the new proxy ASMX WebService call the original WebService's method (think class A implements class B, with all methods in class A calling the base method from class B)
  • make it easy to extend the new ASMX WebService C# code and change the data sent/received from/to the original WebService's methods.

While I was working on the solution, I created a number of (long) blog posts that explain in detail all the steps I took to create the 'proxy' C# class of an ASMX.

Here they are, ordered by creation date (so if you want to see the final result, look at the last one):