Sunday, 25 September 2016

Threat Model Community

(from Software Quality book)

There is currently (late 2016) space within the application security world to develop a community focused on Threat Modeling. Such a community would allow the many parties working on Threat Modeling to share information and provide a voice to all the different stakeholders.

Friday, 23 September 2016

The business model of selling a fork

(from Software Security Book)

An open source based business model that I really like is the idea that the company (or team) behind a particular open source project sells a fork of the master repository that is customised and/or maintained for a particular customer.

What that means is the customer buys access to a fork, from the authors of that particular code/repo/project.

That way the company developing the application has a direct connection with the client, and a regular revenue stream.

AppSec should buy tools for developers

(from Software Quality book)

This is a great opportunity to generate goodwill and positive working relationships with developers. If the AppSec team is able to actually find the budget for tools, it will help developers be more productive.

Two great examples are WallabyJS for JavaScript and NCrunch for .NET.

Inside a large organization, you will find teams where, for some reason or another, management has not seen investing in tools for developers as a priority.

Developers need data classification

(from Software Security Book)

Every type of data that exists in an organisation, especially the data that is consumed by applications, needs to have a Data Classification mapping.

Developers need to know if a particular piece of data is sensitive, and what value it holds for the business.

A good way to determine the expected level of confidentiality and integrity is to ask 'What would happen if a particular set of data were to be fully disclosed (for example uploaded to PasteBin)?' or 'What would happen if some of the data was maliciously modified over a period of months?'.

I Abuse the term ‘Unit Test’

(from Software Security Book)

For me a Unit Test is a test of a 'unit'. The only question is how big that 'unit' is.

If you go to the Wikipedia page for List of Unit Testing Frameworks you will see a large list of 'unit test' frameworks which range from traditional 'unit tests' (on an individual function or procedure) all the way to:
  • integration tests,
  • production tests,
  • e2e tests (end-to-end),
  • performance tests,
  • smoke tests, etc.
  • (i.e. every type of automatable test).

For me, if you can run it with a unit test framework, then it is a unit test.

Putting Data in PasteBin

(from Software Quality book)

One of the best ways to make Developers, Architects and Managers understand confidentiality of data hosted by their application, is to ask the question, 'Can we put all of the data on your database on PasteBin?' [^PasteBin]

That question makes all parties involved really think about what that database contains.

Ideally, the correct answer is 'yes, there is no problem': all that data could go to PasteBin because the data shouldn't mean anything by itself.

Graduates to manage JIRA

(from Software Quality Book)

One of the challenges of the JIRA RISK workflow is managing and maintaining the opened issues. This can be a considerable amount of work, especially when there are 200 or more issues.

Note that, in large organizations, the number of risks opened and managed should be above 500. That is not a lot, and in fact it is the level at which visibility into existing risks really starts to happen.

The solution isn't to have fewer issues.

Describe Risks as Features rather than as Wishes

(from Software Quality Book)

When opening up a risk JIRA ticket, it is key to describe the exact current behavior of that issue as a feature, rather than how you would like it to behave (i.e. your wish list).
For example:
  • instead of saying 'application should encode XYZ value', you should say 'XYZ value is not encoded'
  • don't say 'application shouldn't be vulnerable to XSS or SQL injection', say 'application is vulnerable to SQL injection'. In this case SQL Injection is a feature of the application, and while the application allows SQL Injection, the application is working as designed (whether that is intended or not is a different story :) )

Know what was not tested

(from Software Quality Book)

When you're reading an application security report (like a pentest), one of the most important questions that you should get an answer to is 'What tests did they run?'. This is especially important for the tests (i.e. exploits) they tried to run but were unsuccessful with.

The report(s) will show what was successful, but that's only half (or potentially less than half) of what you want to know.

Broken Tests Aren't The Problem

(from Software Quality Book)

It is quite worrying how many times you hear complaints about test execution (for example the speed of the tests or how hard they are to maintain).
These complaints can be so strong that they even question whether the tests are 'worth it' (i.e. that the costs of maintaining the tests outweigh their benefits).
This is very dangerous because it promotes the idea that it is OK not to test your code. And that is just crazy!

Thursday, 22 September 2016

"Turning TDD upside down - For bugs, always start with a passing test" - v0.5 Sep 2016

Here is the presentation I delivered at LSCC (London Software Craftsmanship Community) on the 22nd of September 2016.

Title: Turning TDD upside down - For bugs, always start with a passing test
Description: The common TDD workflow is to start by writing failing tests. The problem with this approach is that it only works for a very specific scenario (when fixing bugs). This presentation will present a different workflow which will make the coding and testing of those tests much easier, faster, simpler, more secure and more thorough.
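As an added example (not code from the presentation or from the books), here is the passing-test-first workflow for a bug, applied to the 'XYZ value is not encoded' wording from the risk-ticket section above: the renderer, the sample input and all function names are constructed for illustration.

```python
import html

# Constructed sample: a renderer with the defect that a risk ticket would
# describe as a feature: "name value is not HTML encoded".
def render_greeting_v1(name: str) -> str:
    return f"<p>Hello {name}</p>"

# The version the fix introduces: the same renderer, with the value encoded.
def render_greeting_v2(name: str) -> str:
    return f"<p>Hello {html.escape(name)}</p>"

# Constructed input containing markup; if it survives rendering unchanged,
# the value is not being encoded.
SAMPLE_NAME = "<b>Bob</b>"

def value_is_encoded(render) -> bool:
    """True when the markup in SAMPLE_NAME does not survive rendering."""
    return "<b>" not in render(SAMPLE_NAME)

# Step 1 (before the fix): a test that PASSES while the bug exists.
# Its name states the current behaviour, exactly as the ticket does, so it
# documents and reproduces the issue instead of being a wish.
def test_name_value_is_not_encoded():
    assert value_is_encoded(render_greeting_v1) is False

# Step 2 (after the fix): the same test, inverted, stays in the suite as the
# regression test for the ticket.
def test_name_value_is_encoded():
    assert value_is_encoded(render_greeting_v2) is True

def ticket_status(render) -> str:
    """Map the behaviour of a renderer to the state of its risk ticket."""
    return "fixed" if value_is_encoded(render) else "open: name value is not encoded"

if __name__ == "__main__":
    test_name_value_is_not_encoded()
    test_name_value_is_encoded()
    print(ticket_status(render_greeting_v1))  # open: name value is not encoded
    print(ticket_status(render_greeting_v2))  # fixed
```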

Thursday, 23 June 2016

40 technologies used on the 'Maturity Models' nodeJS application

I've been working on a Maturity Model application to help me manage a project where I'm doing a large BSIMM mapping exercise.

The tech stack is based on NodeJS + Angular, and it looks like this:

Tuesday, 21 June 2016

OWASP Mobile Top 10 2016 (Release candidate)

When looking at mobile application security, a great place to start is the OWASP Mobile Top 10 2016, which is currently in its release candidate state (the previous version can be found here).

When doing a Threat Model of a mobile application, in addition to the STRIDE questions, go through these 10 items and ask the questions:

Should dependencies be committed to main source-code repo?

What do you think?

Please cast your vote here

Sunday, 19 June 2016

Working on major update of 'Practical Angular JS' book

(email I just sent to my Leanpub readers that chose to be contacted directly)

Thanks for being a reader of my Practical Angular JS book and allowing me to contact you directly with updates (you chose to share your email with me).

The first version of the book was mainly made of blog posts I published at, and it took me a while to figure out how to best complete the book. 

Recently I started working on a project (creating Maturity Models mappings and visualisations for BSIMM) which I was able to open source. This project is a clean implementation of my ideas of how to code and test AngularJS, and once I had the first version of the app working, I realised that this was a perfect fit for this Practical Angular JS book.

My current plan is to split the book into two parts, where 'Part I' is the new content, and 'Part II' is the existing (published) content.

Thursday, 9 June 2016

Link to join OWASP Slack

If you want to participate in one of the multiple great AppSec channels at and don't have an account, please use this link:

(posting this as a blog post so that it is easy to find on Google)

Some draft content on JIRA RISK workflows

On the Software Quality book that I'm writing, I've started to map out the JIRA RISK workflows (as described in this previous blog post)

Here are some of the (very draft) chapters that I have written on this topic.

Let me know what you think of these concepts.

Sunday, 5 June 2016

6 sections added to Software Quality Book (on AppSec and Testing)

I have been slowly working on my Software Quality book (with tons of notes captured in small Moleskine notebooks and new audio recordings).

Here are the sections I worked on this week:

Please let me know what you think of them, and if you spot any issues or have comments to make, feel free to open an Issue or send a Pull Request

Wednesday, 25 May 2016

Intro to O2 Platform

(here is an intro to the O2 Platform email that I wrote, which was bouncing off the recipient's email server due to '554 rejected due to spam URL in content')

The O2 Platform is all about automating and scripting. It's a platform/framework which means that it helps to have a 'hard question' to start with.

Here is a good place to start with the O2 Platform:

Wednesday, 18 May 2016

Threat Modeling Template and Concepts v0.6

Here is an updated version of Threat Model Template v0.5 and a new Threat Model Concepts page.

You can download the pdfs and files from this GitHub repo

Tuesday, 17 May 2016

The BBC should open source most (if not all) of its developed technology

Following on the Recipe for disaster post on the topic of BBC to close recipes website as part of £15m savings, I wanted to put down this idea, which in my view, goes to the heart of the value that public entities (like the BBC, but also the NHS, public services, Non-profit orgs, charities, etc... ) should provide to society:

The BBC should open source most (if not all) of its developed technology 

The BBC hires a large number of software/application teams (from Devs, to QA, to Designers, to Architects), which create a large body of code that is in most cases behind closed doors and not available to the general public (namely other public or private organisations that would benefit from that code).

Thursday, 12 May 2016

Looking for AppSec jobs? Here are some opportunities for you

The AppSec market is definitely getting hotter, and I'm getting more and more calls from recruiters.

The problem is that I'm too senior or expensive for most of them, so there is not much I can do to help. I also do a lot of AppSec training, where I am often asked the question 'How do I get into AppSec?'

I've decided to try to connect these two worlds and see if we can get more AppSec roles filled (especially by devs who want to move into AppSec).

I'm starting with job opportunities, but it would be interesting to also list professionals looking for a job.

You can find the page at (starting with two roles from The Hut Group)

Threat Model Template v0.5

Here is an improved simple Threat Model template which contains info about STRIDE and DFD Elements (based on the diagram shown at Threat Model WebServices v0.2).

You can download both PDFs from here