Tuesday, 9 December 2014

Node + Chrome TDD test environment (finally got it to work)

In the past 3 months I've spent countless hours (and a good number of weekends) trying to figure out a way to better TDD node and JS, and finally I got it to work:

Monday, 1 December 2014

Node-Webkit REPL with support for Chrome's WebDriver

I needed to write some Selenium WebDriver scripts and since I couldn't find a good REPL for it, I wrote this one in the last couple of days:

I'm actually really happy with how it turned out:

See https://github.com/o2platform/webkit-repl for the execution instructions, the code and more screenshots

This UI is based on https://github.com/rogerwang/node-webkit and the selenium/webdriver integration is provided by https://github.com/admc/wd

Sunday, 23 November 2014

Chrome OS is now running under a 64 bit CPU

While following the Node and NPM on Chromebook (Chrome OS) blog on how to set up Node, I had the same problem as some of the users that posted a comment. I was getting a 'cannot execute binary file' error when trying to run the downloaded binary files from Archlinux.

This can be confirmed by running uname -m (one of the ways to check whether a Linux OS is 32-bit or 64-bit), which should return x86_64.

This means that the links provided on that link should be changed from:

Running git, node, python, make and levelgraph on Chrome OS (inside a ChromeBook)

After creating the Chrome REPL extension, I was curious if it would run under Chrome OS and ChromeBook. To try it out, I was able to get my hands on a Dell ChromeBook 11, and it was nice to see that it worked perfectly.

While using the ChromeBook I was thinking that if I was able to run (tools like) git, node and LevelGraph (which is needed for my current dev focus at SI: TM_Graph_DB) I would have a really portable development environment (especially for running longish batches of Unit Tests).

After a bit of Linux fiddling, I was able to get it working and here is a screenshot of the final result:

Friday, 21 November 2014

Chrome REPL (first O2 Platform Chrome Extension)

I was doing some browser automation and it was driving me crazy that I was not able to easily write code directly on Chrome. Basically what I needed was a Chrome REPL, and since after looking for one, I couldn't find one that suited my needs, I decided to write one :)

It was quite easy to write (about 1 day's work) since Chrome is quite an easy platform to develop for.

You can get this extension from the Chrome Web Store or from the Chrome-REPL GitHub repo (you can install from the code if you enable 'developer mode')

Here is how to install it from the Web Store and run a couple of the provided test scripts

Saturday, 15 November 2014

Question about ESAPI for .NET

I was asked recently about 'ESAPI for .NET?' (by XXX, who is an SI customer) and here was my reply


Hi, unfortunately there isn't a simple answer/solution for your question

I would definitely not recommend using any of the ESAPI libraries, especially the .NET one, since that is not even in a workable state.

The best security controls out there are actually the Microsoft ones, which when used in secure ways, do provide a lot of security (for example Razor now encodes by default which does a lot to prevent XSS). On the topic of XSS, the Microsoft AntiXSS library is really good, and is now part of .NET 4.5.
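The reply above makes two points that are easy to get wrong in practice: output encoding must match the context the value is written into, and the AntiXSS encoder now ships inside .NET 4.5 (System.Web.Security.AntiXss.AntiXssEncoder, in System.Web.dll). The following is an added example, not code from the original post or from the O2 Platform: the 'before' builds markup by string concatenation, the 'after' encodes for HTML text and HTML attribute contexts and additionally checks the URL scheme, because attribute encoding alone does not turn a javascript: link into a harmless one. The sample inputs are constructed.

```csharp
using System;
using System.Web.Security.AntiXss;   // AntiXSS encoder as shipped in .NET 4.5 (reference System.Web.dll)

static class OutputEncodingDemo
{
    // 'Before': untrusted values concatenated straight into markup. Both the
    // user name and the URL can break out of the context they are written into.
    public static string RenderUnsafe(string userName, string userUrl)
    {
        return "<p>Hello " + userName + "</p>\n" +
               "<a href=\"" + userUrl + "\">profile</a>";
    }

    // 'After': each value is encoded for the exact context it lands in
    // (HTML text vs. HTML attribute). The URL scheme is validated first, since
    // HtmlAttributeEncode only prevents escaping the attribute, not a javascript: href.
    public static string RenderSafe(string userName, string userUrl)
    {
        string safeUrl = IsHttpUrl(userUrl) ? userUrl : "#";
        return "<p>Hello " + AntiXssEncoder.HtmlEncode(userName, false) + "</p>\n" +
               "<a href=\"" + AntiXssEncoder.HtmlAttributeEncode(safeUrl) + "\">profile</a>";
    }

    // Allow-list the scheme: only absolute http(s) URLs are accepted as link targets.
    static bool IsHttpUrl(string value)
    {
        Uri uri;
        return Uri.TryCreate(value, UriKind.Absolute, out uri)
            && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
    }

    static void Main()
    {
        // Constructed sample input: a script tag in the name and a javascript: URL.
        string name = "<script>alert(1)</script>";
        string url  = "javascript:alert(document.cookie)";

        Console.WriteLine("-- unsafe --");
        Console.WriteLine(RenderUnsafe(name, url));   // markup reaches the browser untouched
        Console.WriteLine("-- safe --");
        Console.WriteLine(RenderSafe(name, url));     // &lt;script&gt;... and href="#"
    }
}
```

In Razor the same distinction shows up as @Model.Name (encoded by default, as the reply says) versus @Html.Raw(Model.Name), which bypasses the encoder. An ASP.NET 4.5 application can also make AntiXssEncoder the default encoder for the whole runtime by setting encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" on the httpRuntime element in web.config.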

FluentNode API - please help

I've been working on a Fluent API for node which you can get from https://www.npmjs.org/package/fluentnode

It is basically a large number of JS prototype functions (written in coffee-script) which try to simplify node development, improve developer productivity and make the code more readable.

It's still early days, but there are already a good number of APIs in there (and all are covered by UnitTests)

I would love to get some feedback on the current APIs (and other APIs to add)

Reddit thread

Monday, 1 September 2014

O2Platform question on 'Interactive development with Visual Studio'

Here is a reply I posted today to the O2 Platform Mailing list regarding a question about 'How to use O2 inside VisualStudio and WPF support' (with lots of links to code samples and blog posts)

Hi Chris, I'm glad you found the O2 Platform, especially since it looks like it already has the main features you are looking for :)

The key concept used across the main O2 Platform (and FluentSharp) APIs is the REPL (Read Eval Print Loop), which should be very common to you (btw you can run .Net's version of Lisp via this O2 script : Util - Clojure-clr REPL (Lisp).h2 )

Saturday, 23 August 2014

Friday, 15 August 2014

OWASP O2 Platform 5.5 - RC1 , please give it a test drive

Just pushed to bintray the latest version of the O2 Platform (v5.5).

I'm calling it RC1 (Release Candidate 1) so that it can be given a good test drive before I update the main O2 Platform download and links.

This version is distributed as a zip, since there were a couple of issues with the auto-extraction of the stand-alone exe version (used in the 5.3 version).

So please download the 16 MB O2_Platform_5.5_RC1.zip, unzip it into a local folder, and execute the O2 Platform 5.5 - RC1.exe file:

Sunday, 10 August 2014

Just used bintray.com to publish a number of O2Platform/FluentSharp stand-alone exes

I just tried BinTray (see https://bintray.com/o2-platform) as a platform to host exe/binaries/release files, and I have to say that it was a great experience.

Ever since I added to the O2 Platform and FluentSharp the ability/feature to package O2/H2 scripts as stand-alone exes, I've been trying to find a nice place to host them (since there are dozens, if not hundreds, of mini-tools that I want to publish).

For a while I used DropBox, but not only was that not THAT practical, DropBox never gave me any stats. Even worse, DropBox started blocking the downloads (saying 'too much traffic on this account') but was not able to tell me which files were causing the problem!!

The good news is that BinTray.com seems to work perfectly for publishing these O2 Platform created tools.

To see this in action and download one or more of these tools, open https://bintray.com/o2-platform/O2-Tools

Extract from my SANS Interview on Application Security (in 2007)

While trying to find a link to the SANS What Works 2007 conference (where I presented Inconvenient Truth(s) on Application Security) I found this Interview on the Interweb which contains a number of responses that I want to capture on this blog. That page might disappear one day (just like the SANS conference page from 2007), and most comments are still relevant today (Oct 2014)

Here is an extract of the interview I did with Stephen Northcutt on June 11th 2007 (see full version here):

Inconvenient Truth(s) on Application Security (presented in 2007 and still relevant in 2014)

Here and embedded below is a presentation that I did in 2007 at a SANS conference when I was working for OunceLabs.

Here are the 13 Inconvenient Truth(s) mentioned in that presentation (I'm not sure if I should be encouraged that I made some good points, or depressed at how little progress we have made in Application Security over the past 7 years)
  • #1 There are no metrics!
  • #2 Global Warming ~ Software InSecurity
  • #3 Secure software doesn’t make business sense
  • #4 Our systems are safe today
  • #5 We will be doomed!
  • #6 The attacker's business model is still immature
  • #7 Physical Extremism doesn't scale (but Digital Extremism does)
  • #8 We need better engineering
  • #9 We need containment
  • #10 Open Source security is a myth
  • #11 Most Source Code must be disclosed
  • #12 Most IT Security products have negative ROI
  • #13 The 'digital Armageddon' will never happen

Can you spot the vulnerabilities? (6 code snippets in C# and Java)

I was cleaning up one of my laptops a bit and I found these 6 code snippets that (I think) we used for one of the conferences I participated in with SI (on some marketing materials with a question like 'Spot the vuln and get a free beer at our booth').

So ...  can you spot the 6 vulnerabilities on the code snippets below? (some of these are from HacmeBank v2):

Monday, 4 August 2014

The 4 components of the new TeamMentor 4.0 design (and IE support)

Thinking about the new TeamMentor 4.0 design from a technical, implementation and shipping point of view, there are 4 kinda-separate parts of the new design.

1) the 4.0 look and feel + basic use (simple navigation, basic search and article viewing)
2) the 4.0 'search driven functionality'
3) the 4.0 design with full article (and library / metadata) editing capabilities
4) the 4.0 design on TBot/Admin features

For the 1st one, we should aim to have a fully backwards-compatible version of TM. Note that this version would also be the 'TM Mobile' version (i.e. the default way to consume TM on a mobile, or in a small window space like what we get inside an IDE plugin; bootstrap has a 'responsive, mobile first fluid grid system' which makes this easier)

For the 2nd, this is where the main UE and UI thinking/experimentation needs to occur.

Search feedback loop and other TeamMentor 4.0 Search related topics

While thinking and researching how to do the search on TeamMentor 4.0 (next version of TM), the key workflows that I kept coming back to are:
  • need to have a feedback loop on the search results (this is really what makes Google Google), which can be captured: 
    • explicitly: via the user clicking on the + or - sign close to each search
    • implicitly: via detecting which search result the user clicks (and which rank that search result had)
    • by mapping: where the user (or TM admin/editor) is able to provide feedback on a particular search. For example saying that the search results for 'X' should be the search results for 'Y'
  • need to learn: this is connected to the feedback loop mentioned above and is based on the idea that the TM search results should become better with time
  • need to start collecting data as soon as possible (ideally leveraging the current hundreds or thousands of Application security searches SI employees already do every day)
  • need to explain how we calculated a particular search result (of course this needs to be hidden from normal users (unless they want to see it), but we really need to show TM Editors/Admins the logic behind the search formula (and data) used to create those results, and reach the conclusion that 'article X' should be shown before 'article Y' (or folder/view/category 'X' should be shown before folder/view/category 'Y')
  • Provide links to other search engines and application security websites (like google, StackOverflow, OWASP, Wikipedia, etc...). This would allow us to make the case 'first search in TM and then go into Google' (I think google used to do this with other search engines (in a long distant past)):
    • In fact, this could also allow us to 'fix' Google queries, since we could say "Hey you searched for XSS but what you probably want (from google) is 'How to fix XSS vulnerabilities in .NET'" (assuming we had detected that that user was looking at .NET results)
  • Provide recommended searches based on past searches: the typical "users that searched/bought this item also searched/bought these ones"
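To make the feedback-loop and 'explain the result' items above concrete, here is an added example (not TeamMentor code, and not the design the author ended up shipping) of a toy re-ranker: it combines a base text score with explicit +/- votes, implicit clicks weighted by the rank the result was clicked at, and query-to-query mappings, and it can produce the explanation string that TM Editors/Admins would see while normal users see only the ordered list. All article names, scores and weights are constructed for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// One ranked article plus the explanation of how its score was built.
public class RankedResult
{
    public string Article;
    public double Score;
    public string Why;
}

public class SearchFeedback
{
    // explicit feedback: net +/- votes, keyed by query then article
    readonly Dictionary<string, Dictionary<string, int>> votes = new Dictionary<string, Dictionary<string, int>>();
    // implicit feedback: the ranks at which an article was clicked for a query
    readonly Dictionary<string, Dictionary<string, List<int>>> clicks = new Dictionary<string, Dictionary<string, List<int>>>();
    // mapping feedback: results for query 'from' should be the results for query 'to'
    readonly Dictionary<string, string> queryMap = new Dictionary<string, string>();

    const double VoteWeight  = 0.5;   // constructed weights, tuned by eye for the demo
    const double ClickWeight = 0.25;

    public void Vote(string query, string article, int delta)
    {
        var perQuery = GetOrAdd(votes, Normalize(query));
        int current;
        perQuery.TryGetValue(article, out current);
        perQuery[article] = current + delta;
    }

    public void Click(string query, string article, int rank)   // rank is 1-based
    {
        GetOrAdd(GetOrAdd(clicks, Normalize(query)), article).Add(rank);
    }

    public void MapQuery(string from, string to) { queryMap[Normalize(from)] = Normalize(to); }

    // baseScores: whatever the text engine produced (constructed here); explain: editor/admin view.
    public List<RankedResult> Rank(string query, IDictionary<string, double> baseScores, bool explain)
    {
        string key = Resolve(query);
        var results = new List<RankedResult>();
        foreach (var kv in baseScores)
        {
            int netVotes = 0;
            Dictionary<string, int> v;
            if (votes.TryGetValue(key, out v)) v.TryGetValue(kv.Key, out netVotes);

            var ranks = new List<int>();
            Dictionary<string, List<int>> c;
            if (clicks.TryGetValue(key, out c) && c.ContainsKey(kv.Key)) ranks = c[kv.Key];

            // A click further down the list is stronger evidence the article was wanted
            // than a click on the top result, so the bonus grows with the clicked rank.
            double voteTerm  = VoteWeight * netVotes;
            double clickTerm = ranks.Sum(r => ClickWeight * Math.Log(1 + r));
            double score     = kv.Value + voteTerm + clickTerm;

            string why = !explain ? null : string.Format(
                "base {0:0.00} + votes {1:0.00} (net {2:+0;-0;0}) + clicks {3:0.00} ({4} clicks at ranks {5}){6}",
                kv.Value, voteTerm, netVotes, clickTerm, ranks.Count, string.Join(",", ranks),
                key == Normalize(query) ? "" : " [query mapped to '" + key + "']");
            results.Add(new RankedResult { Article = kv.Key, Score = score, Why = why });
        }
        return results.OrderByDescending(r => r.Score).ToList();
    }

    string Resolve(string query)
    {
        string key = Normalize(query);
        for (int hops = 0; hops < 8 && queryMap.ContainsKey(key); hops++) key = queryMap[key]; // hop limit guards against mapping loops
        return key;
    }

    static string Normalize(string query) { return query.Trim().ToLowerInvariant(); }

    static TValue GetOrAdd<TKey, TValue>(Dictionary<TKey, TValue> dict, TKey key) where TValue : new()
    {
        TValue value;
        if (!dict.TryGetValue(key, out value)) { value = new TValue(); dict[key] = value; }
        return value;
    }

    static void Main()
    {
        var feedback = new SearchFeedback();
        // constructed base scores from a text search for 'xss'
        var baseScores = new Dictionary<string, double>
        {
            { "XSS overview", 0.9 }, { "How to fix XSS in .NET", 0.7 }, { "SQL injection", 0.2 }
        };
        feedback.Click("xss", "How to fix XSS in .NET", 2);   // clicked twice from rank 2
        feedback.Click("xss", "How to fix XSS in .NET", 2);
        feedback.Vote("xss", "SQL injection", -1);            // explicit '-' from a user
        feedback.MapQuery("cross site scripting", "xss");     // editor: treat as the same search

        foreach (var r in feedback.Rank("cross site scripting", baseScores, explain: true))
            Console.WriteLine("{0:0.00}  {1}  <- {2}", r.Score, r.Article, r.Why);
        // 'How to fix XSS in .NET' (0.7 + 2 * 0.25 * ln 3 = 1.25) now ranks above 'XSS overview' (0.9)
    }
}
```

The explanation string is the 'need to explain how we calculated a particular search result' item: every term that moved an article is listed with the data behind it, so an editor can see why the implicit clicks outweighed the base score, and the same call with explain set to false gives normal users the plain ordering.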

Thursday, 31 July 2014

FluentSharp July 2014 Update - Better README.MD page, list of issues to help and NuGet Packages

I just cleaned up the main FluentSharp README.md file (with lots of info) and added a number of issues to:
Please take a look and see which ones you would like to solve :)

As you can see by the commit activity (graphs/contributors and commits/master) there have been quite a number of API updates and fixes (for example there is quite a lot of great new stuff on the WatiN IE Web Automation front, including native support for Cassini).

Although I have not created a separate O2 Platform exe release, you can already get all the APIs from the NuGet packages:

Friday, 18 July 2014

Wednesday, 16 July 2014

From NUnit AppDomain, accessing properties and invoking methods on 'Serializable MarshalByRefObject TeamMentor objects' (hosted on Cassini's AppDomain)

After How fast do the 'NUnit-Cassini-driven' tests execute (on a full TM instance) it was time to start accessing internal TeamMentor objects from the NUnit AppDomain.

The main change I did was to add the [Serializable] and the MarshalByRefObject to the TeamMentor (TM) objects that I want to consume (i.e. access data and invoke methods) from NUnit tests.

Here is an example of what it looks like in one of the main TM's data classes:

Tuesday, 15 July 2014

How fast do the 'NUnit-Cassini-driven' tests execute (on a full TM instance)

A question I received after posting The moment I was able to serialize objects across an ASP.NET AppDomain and an NUnit AppDomain was 'Ok, that is interesting, but how fast is it?'

That is actually one of the 'THE' key questions, since if we want to be able to create NUnit tests that use newly created Cassini-driven websites (i.e. a new Cassini server per test or test class) they have to be fast.

Ok, so how 'fast' is fast?

Well, in my book, that is either less than 1 second (for quick tests) or 10 seconds (for more complex setups).

More than that, and it is not practical to run those tests from NCrunch (or even manually via Resharper/NUnit-GUIs)

The good news is that (as you can see below), I was able to execute an 'NUnit-Cassini-driven' test in:
  • 6 sec: via NCrunch (consuming a TM instance with 0 libraries)
  • 7 sec: via ReSharper (consuming a TM instance with 3 libraries)

The moment I was able to serialize objects across an ASP.NET AppDomain and an NUnit AppDomain

As you can see at the end of How to debug a Cassini hosted website and the UnitTest that uses WatiN to automate that hosted website, although I was now able to start Cassini in the current NUnit process, I was still not able to have direct/native access to the running objects of that website.

Basically what I wanted was to be able to programmatically access the live TeamMentor (TM) objects from an NUnit test (note that both are running on separate AppDomains).

Not only would this make some of the tests I want to write possible, it would allow me to set up specific test environments much faster (for example cases when I need a number of users to already exist in TM).

The key problem is that after starting the 'TM website running inside Cassini, triggered from the NUnit test' I was left with two AppDomains:
  • The NUnit AppDomain running the NUnit Test and the Cassini Server
  • The Cassini AppDomain running the TM website

In practice what I wanted to do is to be able to access and edit one of the TM objects (for example TeamMentor.Schemas.TM_Config) from the NUnit test.

And that is exactly what I was able to do :)
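The two posts above (adding [Serializable] and MarshalByRefObject to the TM data classes, and accessing a live object such as TM_Config from the NUnit AppDomain) rest on one .NET remoting rule: a MarshalByRefObject stays in the AppDomain that created it and other domains hold a transparent proxy to it, while anything passed or returned by value must be [Serializable] and arrives as a copy. The following is an added example, not TeamMentor or FluentSharp code: TmConfigLike, HostEntryPoint and DomainReport are hypothetical names, and a plain second AppDomain stands in for the Cassini one.

```csharp
using System;
using System.Runtime.Remoting;

// Stands in for a TM data class such as TM_Config (hypothetical name). Deriving from
// MarshalByRefObject means the object never leaves the domain that created it; the
// test domain works through a proxy, so edits made there are visible on both sides.
public class TmConfigLike : MarshalByRefObject
{
    public string SiteName { get; set; }
    public int UserCount { get; set; }

    // Without this the proxy's lease expires after a few minutes of inactivity,
    // which surfaces as a RemotingException half-way through a long test run.
    public override object InitializeLifetimeService() { return null; }

    // Returned by value: the result type must be [Serializable] and is copied, not proxied.
    public DomainReport Report()
    {
        return new DomainReport { DomainName = AppDomain.CurrentDomain.FriendlyName, UserCount = UserCount };
    }
}

[Serializable]
public class DomainReport
{
    public string DomainName;
    public int UserCount;
}

// Created inside the 'website' domain; hands the live object out to the test domain.
public class HostEntryPoint : MarshalByRefObject
{
    readonly TmConfigLike config = new TmConfigLike { SiteName = "TeamMentor", UserCount = 0 };
    public TmConfigLike Config { get { return config; } }
}

public static class CrossDomainDemo
{
    public static void Main()
    {
        // Plays the role of the Cassini AppDomain; here it is just a second AppDomain.
        AppDomain siteDomain = AppDomain.CreateDomain("WebsiteLike");
        try
        {
            var entry = (HostEntryPoint)siteDomain.CreateInstanceAndUnwrap(
                typeof(HostEntryPoint).Assembly.FullName, typeof(HostEntryPoint).FullName);

            TmConfigLike config = entry.Config;                         // a proxy, not a copy
            Console.WriteLine(RemotingServices.IsTransparentProxy(config)); // True

            config.UserCount = 3;                                        // edited from the 'NUnit' domain...
            DomainReport report = entry.Config.Report();                 // ...and observed inside the 'website' domain
            Console.WriteLine(report.DomainName + ": " + report.UserCount); // WebsiteLike: 3
        }
        finally
        {
            AppDomain.Unload(siteDomain);
        }
    }
}
```

Two practical caveats: the assembly that defines these types has to be resolvable from both domains (for a real Cassini-hosted site that means the website's bin folder, which is why the change has to go into the TM classes themselves rather than into the test project), and a type that derives from MarshalByRefObject is always marshaled by reference, so the [Serializable] attribute matters for the value types that cross the boundary (here DomainReport), not for the proxied object.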

Friday, 11 July 2014

How to debug a Cassini hosted website and the UnitTest that uses WatiN to automate that hosted website

One of the cool new capabilities that I'm using when writing QA Automation scripts for the latest version of TeamMentor is https://www.nuget.org/packages/FluentSharp.CassiniDev, which allows the execution of an 'in memory' version of Cassini (hosting the full TeamMentor website) in the same process as the Unit Test driving the IE automation of the hosted website (using FluentSharp.WatiN)

In practice, what this means is that the UnitTests are being executed in the same process as the main TeamMentor Website. This is something that I have been wanting to have for ages, and the key capability I gained from it was the ability to debug both the live website and the UnitTest in the same session.

Let's see it in action.

Using WatiN and Embedded Cassini to run complex TeamMentor Automation (Create and Delete a Library)

Here is a QA Automation script I created today which performs a number of Integration Tests on the new version of TeamMentor.

These are the main moving parts (of the QA Environment and script):
  • Using an embedded WatiN IE window inside a WinForms window to drive Cassini hosting a .NET 4.5 website (this 'popupWindow' was actually opened from a UnitTest :) )
  • Driving the IE browser using a number of FluentSharp ExtensionMethods
  • A number of waits for links to exist (needed due to the Ajax nature of TeamMentor)
  • When needed, directly query javascript variables ('window.TM.WebServices.Data.AllLibraries.length') and invoke core TM Javascript APIs ('window.TM.Gui.LibraryTree.remove_Library_from_Database')
  • Use of Lambda methods to create a basic TM API (login, logout, open xyz page, trigger complex workflows, etc...)
Here is what this test QA environment looks like: