Wednesday, 28 January 2015

beta.teammentor.net just went live .. so hack it :)

Below is the email that Roman just sent to everybody at SI about the new Beta version of TeamMentor (still a lot to do before it is shippable, but already shows where we're going with it)

As before (see Please hack TeamMentor 3.4.1 (learn, maybe be paid or even get a job)) if you want to have a go and hack it (i.e. find vulnerabilities) please go for it!

If you find anything, since this is still not released (and in production), feel free to open it directly at https://github.com/TeamMentor/TM_4_0_Design/issues

Take a look at the TM Security page which documents all that we currently know about the security of this app (including known security issues that we want to fix before going live)

I'm especially interested if you can find an XSS on this app, which would be quite a feat, since this application is done in pure HTML with no JavaScript :)

Saturday, 24 January 2015

Real-Time code coverage in NodeJS app using Atom

Here is my current dev environment on Atom's Editor where I am able to have quasi-real-time (i.e. in about 1s to 2s) feedback on the test executed and its code coverage

For example here is what I see when there is a test failing:
  • note the red dots on the left (after line 44)
  • note the error message on the right (where '1.2' is not '1.3')
  • code coverage is at 92.50%

Sunday, 18 January 2015

Does your team have a Security Champion? If not, get this Mug and Library

If your dev team doesn't have an assigned security team champion, get one of these Mugs :)



Basically that 'Security Expert' Mug should represent the fact that at the moment when a developer has an Application Security question, he might as well ask the dude on that Mug for help :)

I also like that it reinforces the idea that, for most developer teams, just having somebody assigned to application security is already a massive step forward!!

Saturday, 17 January 2015

Thinking and coding in Graphs, some screenshots of last 6 months

In the past 6 months I have been working on TeamMentor 4.0 (new version) which is based on a graph database and written in node.

I was cleaning up my desktop today and found the images below which represent the multiple experiments I have been doing in ways to visualise the content data we have.

This is quite a raw dump, but if you would like some descriptions about what each one means (and believe me, each one has a nice story behind it), let me know and I'll write more about them


Sunday, 11 January 2015

So why can't I in 2015 write a post in Blogger using Markdown (and paste screenshots)

I just wrote this [Atom Editor] How to run tests from a loaded package using GitHub's Issue UI, and it was a great writing experience (and a real-time preview like Discourse's would have made it even better)

But I can't post it here!!! Because Blogger does not support markdown!!!

Talk about not keeping up the pace of innovation

What this really means is that I'm getting closer and closer to moving this blog into another platform (the question is which one?)

Thursday, 8 January 2015

FluentSharp, FluentNode or NWR needs your help

If you are into C# take on an issue from https://github.com/o2platform/FluentSharp/issues

If you are into NodeJS take on an issue from https://github.com/o2platform/FluentNode/issues

If you are into Chrome or Selenium take on an issue from https://github.com/O2Platform/nwr/issues

Thanks :)

Achieving 98% Code Coverage, by running mocha Web Automation Tests in Chrome (from WebStorm)

Here is what the highly productive Node + Chrome TDD test environment (that I use every day) looks like when executing the TM_4_0_QA UI Automation tests

This is the setup that allows me to have 98% to 100% code coverage (see The quest for 100% Code Coverage, the 96cc idea and 'apps with low CC must be insure' for more details)

The Chrome window on the right is powered by O2 Platform's NWR project

The use of WebStorm is not required for the tests to run, since the same result can be achieved by running npm test from the console.

Video: Running mocha Web Automation Tests in Chrome (from WebStorm)

Thursday, 1 January 2015

The quest for 100% Code Coverage, the 96cc idea and 'apps with low CC must be insure'

I've spent the last day improving the UnitTest coverage of TM_4_0_Design and, since this codebase has been developed with a nice TDD workflow, after a bit of code-cleanup and refactoring I was able to achieve 100% Code Coverage :)


Saturday, 27 December 2014

Updated FluentNode's description (now aligned with Functional Programming)

You can see it at https://github.com/o2platform/FluentNode and it looks like this:


There is also a new documentation site at http://o2platform.com/fluentnode

Please take these for a test drive and let me know what you think of it

Tuesday, 9 December 2014

Node + Chrome TDD test environment (finally got it to work)

In the past 3 months I've spent countless hours (and a good number of weekends) trying to figure out a way to better TDD node and JS, and finally I got it to work:


Monday, 1 December 2014

Node-Webkit REPL with support for Chrome's WebDriver

I needed to write some Selenium WebDriver scripts and since I couldn't find a good REPL for it, I wrote this one in the last couple of days:

I'm actually really happy with how it turned out:


See https://github.com/o2platform/webkit-repl for the execution instructions, the code and more screenshots

This UI is based on https://github.com/rogerwang/node-webkit and the selenium/webdriver integration is provided by https://github.com/admc/wd

Sunday, 23 November 2014

Chrome OS is now running under a 64 bit CPU

While following the Node and NPM on Chromebook (Chrome OS) blog on how to set up Node, I had the same problem as some of the users that posted a comment. I was getting a 'cannot execute binary file' error when trying to run the downloaded binary files from Archlinux.

This can be confirmed by running uname -m (one of the ways to check whether a Linux OS is 32-bit or 64-bit), which should return x86_64.
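The 'cannot execute binary file' error above is what a word-size mismatch looks like: a binary built for one ELF class being launched on a host of the other. The following is an added example (not code from the Chromebook blog referenced above, and not part of this post) that performs the same check in Node, the runtime being installed: it reads the ELF identification bytes of a binary and compares the declared class with the host architecture that Node reports through process.arch (the same fact uname -m gives from the shell). The function names and the sample headers are my own constructions.

```javascript
// Added example: verify a downloaded ELF binary's word size against the host
// before running it. Function names are assumptions; sample headers are constructed.

const ELF_MAGIC = Buffer.from([0x7f, 0x45, 0x4c, 0x46]); // 0x7f 'E' 'L' 'F'

// Returns 32 or 64 for a valid ELF header, or null if the bytes are not ELF.
// Byte 4 of e_ident (EI_CLASS) is 1 for ELFCLASS32 and 2 for ELFCLASS64.
function elfWordSize(bytes) {
  if (bytes.length < 5 || !bytes.subarray(0, 4).equals(ELF_MAGIC)) return null;
  if (bytes[4] === 1) return 32;
  if (bytes[4] === 2) return 64;
  return null;
}

// Map Node's process.arch names to a word size; 'x64' is what uname -m reports as x86_64.
function hostWordSize(arch) {
  const sizes = { x64: 64, arm64: 64, ppc64: 64, s390x: 64, ia32: 32, arm: 32 };
  return sizes[arch] || null;
}

// Decide whether the binary's class matches the host; explain the failure otherwise.
function checkBinary(headerBytes, hostArch) {
  const binary = elfWordSize(headerBytes);
  const host = hostWordSize(hostArch);
  if (binary === null) return { ok: false, reason: 'not an ELF executable' };
  if (host === null) return { ok: false, reason: 'unknown host arch ' + hostArch };
  if (binary !== host) {
    return { ok: false, reason: binary + '-bit binary on a ' + host + '-bit host' };
  }
  return { ok: true, reason: binary + '-bit binary matches host' };
}

// Constructed sample headers (the 16-byte e_ident prefix only): a 64-bit and a 32-bit ELF.
const HEADER_64 = Buffer.from([0x7f, 0x45, 0x4c, 0x46, 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
const HEADER_32 = Buffer.from([0x7f, 0x45, 0x4c, 0x46, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0]);

// On a real file you would read its first 16 bytes with fs.readSync and pass them here.
console.log(checkBinary(HEADER_64, process.arch));
console.log(checkBinary(HEADER_32, process.arch));
```

On an x86_64 Chromebook the first call reports a match and the second reports '32-bit binary on a 64-bit host', which is the situation that produced the error in the post; the check costs one 16-byte read and avoids an opaque failure from the loader.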

This means that the links provided on that link should be changed from:

Running git, node, python,make and levelgraph on Chrome OS (inside a ChromeBook)

After creating the Chrome REPL extension, I was curious if it would run under Chrome OS and ChromeBook. To try it out, I was able to get my hands on a Dell ChromeBook 11, and it was nice to see that it worked perfectly.

While using the ChromeBook I was thinking that if I was able to run (tools like) git, node and LevelGraph (which is needed for my current dev focus at SI: TM_Graph_DB) I would have a really portable development environment (especially for running longish batches of Unit Tests).

After a bit of Linux fiddling, I was able to get it working and here is a screenshot of the final result:

Friday, 21 November 2014

Chrome REPL (first O2 Platform Chrome Extension)

I was doing some browser automation and it was driving me crazy that I was not able to easily write code directly in Chrome. Basically what I needed was a Chrome REPL, and since, after looking for one, I couldn't find one that suited my needs, I decided to write one :)

It was quite easy to write (about 1 day's work) since Chrome is quite an easy platform to develop for.

You can get this extension from the Chrome Web Store or from the Chrome-REPL Github repo (you can install from the code if you enable 'developer mode')

Here is how to install it from the Web Store and run a couple of the provided test scripts

Saturday, 15 November 2014

Question about ESAPI for .NET

I was asked recently about 'ESAPI for .NET?' (by XXX, who is an SI customer) and here was my reply

---------

Hi, unfortunately there isn't a simple answer/solution for your question

I would definitely not recommend using any of the ESAPI libraries, especially the .NET one, since that is not even in a workable state.

The best security controls out there are actually the Microsoft ones, which when used in secure ways, do provide a lot of security (for example Razor now encodes by default which does a lot to prevent XSS). On the topic of XSS, the Microsoft AntiXSS library is really good, and is now part of .NET 4.5.
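Two posts on this page touch the same control: the TeamMentor beta post invites readers to look for XSS in an app that is "pure HTML with no JavaScript", and the reply above credits Razor with encoding by default. Whether or not a page ships client-side script, the thing a reviewer checks is how server-rendered output treats untrusted values. The block below is an added example written for this page; it is not TeamMentor's code and not Microsoft's Razor or AntiXSS library. It shows the "encode by default, opt out explicitly" model in Node: a tagged template that HTML-encodes every interpolated value unless it is wrapped in an explicit raw() marker, next to the plain string concatenation that a reviewer would flag. The names html, raw, RawHtml, renderProfileUnsafe and renderProfile are my own, and the probe input is constructed.

```javascript
// Added example (not the project's or any library's code): encode-by-default
// server-side HTML rendering, with the unsafe concatenation form beside it.
// All identifiers here are assumptions chosen for the illustration.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that let text escape an HTML text node or a
// double/single-quoted attribute value.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Marker for markup that is already safe (pre-encoded or trusted) and must
// not be encoded a second time. Using a distinct class keeps the opt-out
// visible at every call site, the way an explicit "raw" helper does.
class RawHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}
function raw(markup) { return new RawHtml(markup); }

// Tagged template: every ${} interpolation is encoded unless it is a RawHtml.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((value, i) => {
    out += value instanceof RawHtml ? value.markup : htmlEncode(value);
    out += strings[i + 1];
  });
  return out;
}

// The form a reviewer flags: the value lands in the page exactly as received,
// so a page with no client-side script of its own still executes whatever the
// attacker supplied. Kept here only to contrast with renderProfile below.
function renderProfileUnsafe(displayName) {
  return '<p>Hello, ' + displayName + '!</p>';
}

// The encode-by-default form: same output shape, but the value is encoded.
function renderProfile(displayName) {
  return html`<p>Hello, ${displayName}!</p>`;
}

// Constructed sample input: the standard probe string used in a review.
const PROBE = '<script>alert(1)</script>';

console.log(renderProfileUnsafe(PROBE)); // markup passes through untouched
console.log(renderProfile(PROBE));       // markup is rendered as text
```

The design point is that the safe path is the default and the unsafe path has a name that shows up in code review; grepping for raw( finds every place where encoding was switched off, which is the same review step the reply suggests for Razor's default encoding.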

FluentNode API - please help

I've been working on a Fluent API for node which you can get from https://www.npmjs.org/package/fluentnode

It is basically a large number of JS prototype functions (written in coffee-script) which try to simplify node development, improve developer productivity and make the code more readable.

It's still early days, but there are already a good number of APIs in there (and all are covered by UnitTests)

I would love to get some feedback on the current APIs (and other APIs to add)

Reddit thread
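The post describes FluentNode as a set of JS prototype functions that make code read more fluently. The block below is an added example, not FluentNode's own code, that shows the pattern along with the one property a reviewer checks when a library extends built-in prototypes: a method added by plain assignment is enumerable, so it shows up in for...in loops and in naive object copies, and a plain assignment will silently replace a built-in of the same name. Defining the method with Object.defineProperty keeps it non-enumerable, and refusing to overwrite an existing property protects the built-ins. The names extend, contains, starts, firstOrNull and enumerableKeysOf are assumptions for this illustration.

```javascript
// Added example (not FluentNode's code): the prototype-extension pattern a
// fluent helper library relies on, done so the helpers are non-enumerable and
// never replace an existing method. Identifiers are assumptions.

// Attach fn to proto under name; returns false (and changes nothing) if proto
// already has an own property with that name, so built-ins are never clobbered.
function extend(proto, name, fn) {
  if (Object.prototype.hasOwnProperty.call(proto, name)) return false;
  Object.defineProperty(proto, name, {
    value: fn,
    writable: true,
    configurable: true,
    enumerable: false, // invisible to for...in and Object.keys
  });
  return true;
}

// A few helpers in the fluent style: read left to right, one call per idea.
extend(String.prototype, 'contains', function (text) { return this.indexOf(text) !== -1; });
extend(String.prototype, 'starts', function (text) { return this.indexOf(text) === 0; });
extend(Array.prototype, 'firstOrNull', function () { return this.length ? this[0] : null; });

// Collect the keys a for...in over the value would visit. For an array this
// must be only the indices; an enumerable helper on Array.prototype would
// appear here and break any code that iterates arrays with for...in.
function enumerableKeysOf(value) {
  const keys = [];
  for (const key in value) keys.push(key);
  return keys;
}

// Usage on constructed input
function demo() {
  return {
    contains: 'hello world'.contains('world'),   // true
    starts: 'fluent'.starts('flu'),              // true
    first: [3, 4].firstOrNull(),                 // 3
    empty: [].firstOrNull(),                     // null
    keys: enumerableKeysOf([10, 20]),            // ['0', '1']
    clobbered: extend(String.prototype, 'includes', () => true), // false: built-in kept
  };
}

console.log(demo());
```

The refusal to overwrite is the part that matters when several libraries extend the same prototypes: the first definition wins, and a later one fails loudly at load time (the false return) rather than changing behaviour somewhere far from the call.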

Monday, 1 September 2014

O2Platform question on 'Interactive development with Visual Studio'

Here is a reply I posted today to the O2 Platform Mailing list regarding a question about 'How to use O2 inside VisualStudio and WPF support' (with lots of links to code samples and blog posts)



Hi Chris, I'm glad you found the O2 Platform, especially since it looks like it already has the main features you are looking for :)

The key concept used across the main O2 Platform (and FluentSharp) APIs is the REPL (Read Eval Print Loop), which should be very common to you (btw you can run .Net's version of Lisp via this O2 script : Util - Clojure-clr REPL (Lisp).h2 )

Friday, 15 August 2014

OWASP O2 Platform 5.5 - RC1 , please give it a test drive

Just pushed to bintray the latest version of the O2 Platform (v5.5).

I'm calling it RC1 (Release Candidate 1) so that it can be given a good test drive before I update the main O2 Platform download and links.

This version is distributed as a zip, since there were a couple of issues with the auto-extraction of the stand-alone exe version (used in the 5.3 version).

So please download the 16Mb O2_Platform_5.5_RC1.zip, unzip it into a local folder, and execute the O2 Platform 5.5 - RC1.exe file:

Sunday, 10 August 2014

Just used bintray.com to publish a number of O2Platform/FluentSharp stand-alone exes

I just tried BinTray (see https://bintray.com/o2-platform) as a platform to host exe/binaries/release files, and I have to say that it was a great experience.

Ever since I added to the O2 Platform and FluentSharp the ability/feature to package O2/H2 scripts as stand-alone exes, I've been trying to find a nice place to host them (since there are dozens, if not hundreds, of mini-tools that I want to publish).

For a while I used DropBox, but not only was that not THAT practical, DropBox never gave me any stats. Even worse, DropBox started blocking the downloads (saying 'too much traffic on this account') but was not able to tell me which files were causing the problem!!

The good news is that BinTray.com seems to work perfectly for publishing these O2 Platform created tools.

To see this in action and download one or more of these tools, open https://bintray.com/o2-platform/O2-Tools

Extract from my SANS Interview on Application Security (in 2007)

While trying to find a link to the SANS What Works 2007 conference (where I presented Inconvenient Truth(s) on Application Security) I found this Interview on the Interweb which contains a number of responses that I want to capture on this blog. That page might disappear one day (just like the SANS conference page from 2007), and most comments are still relevant today (Oct 2014)

Here is an extract of the interview I did with Stephen Northcutt on June 11th, 2007 (see full version here):

Inconvenient Truth(s) on Application Security (presented in 2007 and still relevant in 2014)

Here and embedded below is a presentation that I did in 2007 at a SANS conference when I was working for OunceLabs.

Here are the 13 Inconvenient Truth(s) mentioned in that presentation (I'm not sure if I should be encouraged that I made some good points, or depressed at how little progress we have made in Application Security over the past 7 years)
  • #1 There are no metrics!
  • #2 Global Warming ~ Software InSecurity
  • #3 Secure software doesn’t make business sense
  • #4 Our systems are safe today
  • #5 We will be doomed!
  • #6 The attacker's business model is still immature
  • #7 Physical Extremism doesn't scale (but Digital Extremism does)
  • #8 We need better engineering
  • #9 We need containment
  • #10 Open Source security is a myth
  • #11 Most Source Code must be disclosed
  • #12 Most IT Security products have negative ROI
  • #13 The 'digital Armageddon' will never happen

Can you spot the vulnerabilities? (6 code snippets in C# and Java)

I was cleaning up one of my laptops a bit and I found these 6 code snippets that (I think) we used for one of the conferences I participated in with SI (on some marketing materials with a question like 'Spot the vuln and get a free beer at our booth').

So ...  can you spot the 6 vulnerabilities on the code snippets below? (some of these are from HacmeBank v2):