Wednesday, 25 May 2016

Intro to O2 Plartform

(here is an intro to the O2 Platform email that I wrote, which was bouncing of the recipient email's server due to '554 rejected due to spam URL in content')

The O2 Platform is all about automating and scripting. It's a platform/framework which means that it helps to have a 'hard question' to start with.

Here are a good place to start with the O2 Platform:

Wednesday, 18 May 2016

Threat Modeling Template and Concepts v0.6

Here is an updated version of Threat Model Template v0.5  and a new Threat Model Concepts page.

You can download the pdfs and draw.io files from this GitHub repo

Tuesday, 17 May 2016

The BBC should open source most (if not all) of its developed technology

Following on the Recipe for disaster post on the topic of BBC to close recipes website as part of £15m savings, I wanted to put down this idea, which in my view, goes to the heart of the value that public entities (like the BBC, but also the NHS, public services, Non-profit orgs, charities, etc... ) should provide to society:

The BBC should open source most (if not all) of its developed technology 

The BBC hires a large number of software/application teams (from Devs, to QA, to Designers, to Architects), which create a large body of code, that is in most cases behind closed doors and not available to the general public (namely other public or private organisations that would benefit from that code)

Thursday, 12 May 2016

Looking for AppSec jobs? Here are some opportunities for you

The AppSec market is definitely getting hotter, and I'm getting more and more calls from recruiters.

The problem is that I'm too senior or expensive for most of them, so there is not much I can do to help. I also do a lot of AppSec training where I get asked a lot the question 'How do I get into AppSec?'

I've decided to try to connect these two worlds and see if we can get more AppSec roles filled up (specially by devs who want to move into AppSec).

I'm starting with job opportunities, but it would be interesting to also list professionals looking for a job.

You can find the page at http://blog.diniscruz.com/p/appsec-jobs.html (starting with two roles from The Hut Group)


Threat Model Template v0.5

Here is a an improved simple Threat Model template which contains info about STRIDE and DFD Elements (which is based on the diagram shown at Threat Model WebServices v0.2)

You can download both PDFs from here


Sunday, 8 May 2016

Threat Model WebServices v0.2

Here is an experiment in trying to create an Threat Model (A3 size) that can be easily consumed during the Threat Model session(s).

This diagram was created using https://www.draw.io/ which is pretty amazing (and allows team collaboration):


Friday, 6 May 2016

AppSec and Software Quality - Presentation v0.5

Here is a slimmed down version of the presentation I delivered in Italy last March.

This version does not contain the part that talks about the problem (i.e. the attacks and why you need to do Application Security)

The key idea that I defend is that we can use Application Security to define and measure Software Quality

Let me know what you think

Wednesday, 27 April 2016

BSIMM Questions for Teams v0.7 (with all consolidated team questions and maybe column)

Following from Updated version of BSIMM Questions for Teams (now will all activities mapped) here is an improved version with:

  • All team questions in one page
  • Added a Maybe column
  • Removed the 'If No, why not?' text from the last column
  • Added spaces to ask for Application name and Jira ID

The source file is available at GitHub

Tuesday, 26 April 2016

Updated version of BSIMM Questions for Teams (now will all activities mapped)

Following from First pass at BSIMM questions for teams here is an updated version of the questionnaire for developers.

It looks like this and it has 3 sections:


The source file is available at GitHub

Note: this is still a very first early draft of these mappings (with many changes expected in the next couple weeks).

First pass at BSIMM questions for teams

Here (also embedded below) is a mapping of several BSIMM activities and translating them into a questionnaire that can be easily filled in by developers, technical architects,  business owners and security champions (called satellites in BSIMM).

Note that not all activities are there. Some only made sense for SSG (Software Security Group) to answer, and I already knew the answer for others.

This is still a work in progress, and I'm not happy with the wording of some of the questions. But it is good enough to give a try and get feedback.

The objective is to create metrics about multiple development teams, so that a set of targets can be set (and an action plan created)

Sunday, 24 April 2016

Started working on new book "Measuring Software Quality using Application Security"

Over the 3 weeks I spent in the US (in an RV with family) I started working on a book based on the ideas shown at the "New Era of Software with modern Application Security" presentation (v1.0).

The current title is "Measuring Software Quality using Application Security" and it is going to be published at LeanPub: https://leanpub.com/Software_Quality

All content is hosted on the public GitHub repo
https://github.com/DinisCruz/Book_Software_Quality/tree/master/content, where you can also see a number of issues I plan to address (including areas for research)

I am currently in the brain dump stage of development, where I'm adding the content I want to talk about (in a kinda-structured way). The idea is to expand the bullet points into text and normalise the content in logical areas (some topics already have a first pass at expanding the ideas into final text).

Wednesday, 23 March 2016

When talking about Application Security and Software Quality, Pollution is a much better analogy than Technical Debt

One of the analogies that I make in my "New Era of Software with modern Application Security"  presentation is that Pollution is a much better way to describe quality (and security) issues (vs Technical Debt):

 


This analogy is inspired by David Rice's amazing keynote at OWASP AppSec USA 2010 "Upon the threshold of opportunity" (which you can see the video here)

David Rice is the author of the also amazing Geekonomics book, which really shows The Real Cost of Insecure Software

Unfortunately, David Rice after going to work for Apple, seems to have disappeared from the internet, which is a great loss for the world, since he was doing amazing research (of course that I'm sure he is doing great stuff for Apple, but it is a shame that we are not able to learn from him anymore)

David's http://blog.geekonomicsbook.com/ book site is down, but luckily the wayback machine was able to get a copy of the page with the abstract of this talk:

    In the 1960s, pollution in the United States reached a breaking point. Large corporations, by and large, had been unresponsive to environmental issues leaving the nation's skies filled with smog, rivers filled with sludge, forests defoliated by acid rain, and fresh water lakes declared "dead." The natural heritage of the nation was being destroyed by its industrial prosperity.

    The U.S. response was a series of less-than-satisfactory regulatory attempts to correct for substantial environmental damage. Faced with serious and costly legacy issues of industrialism however, many companies stonewalled and delayed for much of the 1980s and 1990s, emphasizing legal compliance and reactionary practices over real progress. The turn of the century ushered in a fresh perspective in corporate America, with companies like GE, DuPont, and Wal-Mart actively pursuing sustainability initiatives linked to corporate performance, transforming environmental crisis into financial opportunity. What happened?

    Within the story of the U.S. battle against environmental pollution lies key lessons for confronting the equivalent of pollution in cyberspace: software vulnerabilities. The toxic effluence of software vulnerabilities leave networks saturated with spam, computers clogged with malware, and servers defoliated of sensitive private data.

    To date, a series of less-than-satisfactory regulatory attempts – such as PCI, SOX, and data breach laws – have been enacted to address what appears to be widespread unresponsiveness to the substantial harm to the global digital eco-system caused by unrestricted vulnerability dumping. Faced with serious and costly legacy issues of poorly implemented software systems however, many companies continue to stonewall or delay security programs, emphasizing legal compliance and reactionary practices while demonstrating no real improvement. What would it take to change this, to turn the crisis of “pollution” in cyberspace into an opportunity?

    This keynote highlights a possible fresh perspective, putting software security into the context of social responsibility linked to corporate performance, illustrating how the software market - like corporate America - stands upon the threshold of its greatest opportunity.

Related posts:


Sunday, 20 March 2016

"New Era of Software with modern Application Security" presentation (v1.0)

This is the final slide deck of the "New Era of Software with modern Application Security" presentation I delivered at Codemotion Rome, which was a developer-focused conference (with 2000 tickets sold).

Description: "This presentation will start with an overview of the current state of Application Insecurity (with practical examples). This will make the attendees think twice about what is about to happen to their applications. The solution is to leverage a new generation of application security thinking such as: TDD, Docker, Test Automation, Static Analysis, cleaver Fuzzing, JIRA Risk workflows, Kanban, micro web services visualization, and ELK. These practices will not only make applications/software more secure/resilient, but it allow them to be developed in a much more efficient, cheaper and productive"

Friday, 4 March 2016

Simple Threat Model (template) - Good place to start

When teaching about Threat Models, the most common question I get is 'How do I start?'.

To make this process easier, I usually recommend to use the simple '1 page Threat Model' which you can see on the right ( download here)

The idea is to kickstart the process by mapping out the:

  1. Data Flow Diagrams (i.e app architecture)
  2. Entry Points (i.e Attack surface)
  3. Assets (i.e. what is valuable and needs to be protected)
  4. External Dependencies and Trust Levels
  5. Threats(edited)
Another great source of (first steps on Threat Modelling) resources are the Microsofts' At a Glance: Web Application Threat Modeling and OWASP's Application Threat Modeling pages 

Thursday, 3 March 2016

JIRA RISK workflow handling of 'Risk Fatigue'

On a email thread related to Updated JIRA RISK workflow (now with a 'Fixing' State), I received this great question:
I really like the idea of forcing someone to almost sign that they accept the risk. Forces them to really think about it.

One thing I'm curious about is whether there is such as thing as "risk fatigue" like you have "monitoring fatigue". So, the first few times you accept risk you do so with a heavy heart, but each time you do it and there are no perceived negative consequences, it gets a little easier. That is until the point when you're completely exposed and something bad does actually happen. Having said that, the alternative of not physically accepting the risk in some way is far worse IMO, and that by using something like Jira you can at least measure the ratio of fixed vs risk accepted over time. Hopefully it moves in the right direction!
And here is my answer:

Wednesday, 2 March 2016

Updated JIRA RISK workflow (now with a 'Fixing' State)

As an improvement of the workflow I showed at JIRA Workflows for handing AppSec RISKS here is a version that adds a 'Fixing' state between 'Allocated for Fix' and ‘Test Fix’.

The reason for this change, was to take into account projects (or components) that have a large number of open issues that want to be fixed (vs risks to be accepted).

Since we try to use an Kanban 'Work in Progress' model for the issues to fix (i.e. no more than 3 to 4 active items), this new state helps to keep a nice separation between the issues that:
  • need to be 'Risk Accepted' (i.e. there is no intention (or resources) to fix in the next couple months)
  • have been reviewed and are 'Allocated for Fix'
  • are currently being worked on (i.e. in a 'Fixing' state)

Tuesday, 1 March 2016

Sunday, 28 February 2016

Thinking of writing a book called "Measuring Software Quality using Application Security"

This book will be based on the ideas I've been talking about in my "New Era of Software with modern Application Security" presentation.

The plan is to use my experience with Leanpub (where I have published 7 books), with the content being hosted on GitHub and published early and ofter.

Saturday, 27 February 2016

Is Quality is a measure of how successful a product is in what it is SUPPOSED to do?

Here is a question I received on the concept "Application Security can be used to define and measure Quality" (slides here
Quality is a measure of how successful a product is in what it is SUPPOSED to do.

AppSec is a measure of how many and what things product does that it is NOT SUPPOSED to.

These two are not related. A startup may have a good quality product full of security holes, and a bank may have a highly secure product that is also of great quality.
I think that measuring Quality by only looking at the success rate of a product is a very narrow definition of Quality.

Friday, 26 February 2016

Video for my LSCC presentation on: New Era of Software with modern Application Security

Skillsmatter has just published the video of the presentation I delivered last week at the LSSC (London Software Craftsmanship Community)

You can see it here:
https://skillsmatter.com/skillscasts/7582-new-era-of-software-with-modern-application-security

"New Era of Software with modern Application Security" updated presentation (v.0.6)

Here is the updated version of the talk I delivered last week at the LSCC (this time around delivered at the OWASP London Chapter)

There are a number of new slides, but it is still far from complete :)

Please take a look at the slides and let me know what you think of them? (and what can be improved for the next version)

Monday, 22 February 2016

I'm delivering an Application Security Training in London on 3rd and 4th of March

This is an 100% customised course (to the participants) with as many practical examples as possible.

Here is the course description:

Friday, 19 February 2016

V0.5 of "New Era of Software with modern Application Security" presentation

Here is my first pass at creating the "New Era of Software with modern Application Security" presentation, which I will deliver as a Keynote at the Codemotion Rome developer conference (March 19th)

This is the version that I presented yesterday at the London Software Craftsmanship Community event and its video is here

Interestingly, one of the concepts that I arrived at (when working on the slides) was that Application Security can be used to define and measure Quality.

This is something that I have been thinking about for a long time, and I'm starting to find a way to explain how I'm able to use Application Security to help developers to create better applications (with not only better security, but with better quality)

Please take a look at the slides and let me know what you think of them? (and what can be improved for the next version)

Friday, 12 February 2016

Published update to my Practical Eclipse book

You can get the latest version from https://leanpub.com/Practical_Eclipse for FREE by choosing the $0 minimum price.

Here is the email I send to my readers:

Wednesday, 10 February 2016

Speaking at LSCC (18th Feb) on "New Era of Software with modern Application Security"

In preparation to my CodeMotion keynote in March, next week I'm presenting a first version of it at LSCC (London Software Craftsmanship Community) which is also a developed focused audience.

You can register at https://skillsmatter.com/meetups/7845-lscc-talks-feb-2016

Here are the talk details:

Title: New Era of Software with modern Application Security

Description: This presentation will start with an overview of the current state of Application Insecurity (with practical examples). This will make the attendees think twice about what is about to happen to their applications. The solution is to leverage a new generation of application security thinking such as: TDD, Docker, Test Automation, Static Analysis, cleaver Fuzzing, JIRA Risk workflows, Kanban, micro web services visualization, and ELK. These practices will not only make applications/software more secure/resilient, but it allow them to be developed in a much more efficient, cheaper and productive way.

Bio:Dinis is focused on creating Application Security teams and providing Application Security assurance across the SDL (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by Applications developed internally, outsourced or purchased. He is also an active Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform.