Thursday, 23 June 2016

40 technologies used on the 'Maturity Models' nodeJS application

I've been working on an Maturity Model application to help me manage a project where I'm doing an large BSIMM mapping exercise.

The tech stack is based on NodeJS + Angular, and it looks like this:

Tuesday, 21 June 2016

OWASP Mobile Top 10 2016 (Release candidate)

When looking a mobile applications security a great place to start is the OWASP Mobile Top 10 2016 which is currently in its release candidate state (previous version can be found here)

When doing a Threat Model of an mobile application, in addition to the STRIDE questions, go through these 10 items and ask the questions:

Should dependencies be committed to main source-code repo?

What do you think?

Please cast your vote here

Sunday, 19 June 2016

Working on major update of 'Practical Angular JS' book

(email I just sent to my Leanpub readers that chose to be contacted directly)

Thanks for being an reader of my Practical Angular JS book and allowing me to contact you directly with updates (you chose to share your email with me).

The first version of the book was mainly made of blog posts I published at, and it took me a while to figure out how to best complete the book. 

Recently I started working on an project (creating Maturity Models mappings and visualisations for BSIMM) which I was able to open source. This project is a clean implementation of my ideas of how to code and test AngularJS, and once I had the first version of the app working, I realised that this was a perfect first for this Practical Angular JS book.

My current plan is to split the book in to two parts, where 'Part I' is the new content, and 'Part II' is the existing (published content).

Thursday, 9 June 2016

Link to join OWASP Slack

If you want to participate in one of the multiple great AppSec channels at and don't have an account, please use this link:

(posting this a blog so that it is easy to find on Google)

Some draft content on JIRA RISK workflows

On the Software Quality book that I'm writing, I've started to map out the JIRA RISK workflows (as described in this previous blog post)

Here are some of the (very draft) chapters that I have written on this topic.

Let me know what you think of these concepts

Sunday, 5 June 2016

6 sections added to Software Quality Book (on AppSec and Testing)

I have been slowing working on my Software Quality book (with tons of notes captured on small Moleskine notebooks and new audio recordings).

Here are the sections I worked on this week:

Please let me know what you think of them, and if you spot any issues or have comments to make, feel free to open an Issue or send a Pull Request

Wednesday, 25 May 2016

Intro to O2 Plartform

(here is an intro to the O2 Platform email that I wrote, which was bouncing of the recipient email's server due to '554 rejected due to spam URL in content')

The O2 Platform is all about automating and scripting. It's a platform/framework which means that it helps to have a 'hard question' to start with.

Here are a good place to start with the O2 Platform:

Wednesday, 18 May 2016

Threat Modeling Template and Concepts v0.6

Here is an updated version of Threat Model Template v0.5  and a new Threat Model Concepts page.

You can download the pdfs and files from this GitHub repo

Tuesday, 17 May 2016

The BBC should open source most (if not all) of its developed technology

Following on the Recipe for disaster post on the topic of BBC to close recipes website as part of £15m savings, I wanted to put down this idea, which in my view, goes to the heart of the value that public entities (like the BBC, but also the NHS, public services, Non-profit orgs, charities, etc... ) should provide to society:

The BBC should open source most (if not all) of its developed technology 

The BBC hires a large number of software/application teams (from Devs, to QA, to Designers, to Architects), which create a large body of code, that is in most cases behind closed doors and not available to the general public (namely other public or private organisations that would benefit from that code)

Thursday, 12 May 2016

Looking for AppSec jobs? Here are some opportunities for you

The AppSec market is definitely getting hotter, and I'm getting more and more calls from recruiters.

The problem is that I'm too senior or expensive for most of them, so there is not much I can do to help. I also do a lot of AppSec training where I get asked a lot the question 'How do I get into AppSec?'

I've decided to try to connect these two worlds and see if we can get more AppSec roles filled up (specially by devs who want to move into AppSec).

I'm starting with job opportunities, but it would be interesting to also list professionals looking for a job.

You can find the page at (starting with two roles from The Hut Group)

Threat Model Template v0.5

Here is a an improved simple Threat Model template which contains info about STRIDE and DFD Elements (which is based on the diagram shown at Threat Model WebServices v0.2)

You can download both PDFs from here

Sunday, 8 May 2016

Threat Model WebServices v0.2

Here is an experiment in trying to create an Threat Model (A3 size) that can be easily consumed during the Threat Model session(s).

This diagram was created using which is pretty amazing (and allows team collaboration):

Friday, 6 May 2016

AppSec and Software Quality - Presentation v0.5

Here is a slimmed down version of the presentation I delivered in Italy last March.

This version does not contain the part that talks about the problem (i.e. the attacks and why you need to do Application Security)

The key idea that I defend is that we can use Application Security to define and measure Software Quality

Let me know what you think

Wednesday, 27 April 2016

BSIMM Questions for Teams v0.7 (with all consolidated team questions and maybe column)

Following from Updated version of BSIMM Questions for Teams (now will all activities mapped) here is an improved version with:

  • All team questions in one page
  • Added a Maybe column
  • Removed the 'If No, why not?' text from the last column
  • Added spaces to ask for Application name and Jira ID

The source file is available at GitHub

Tuesday, 26 April 2016

Updated version of BSIMM Questions for Teams (now will all activities mapped)

Following from First pass at BSIMM questions for teams here is an updated version of the questionnaire for developers.

It looks like this and it has 3 sections:

The source file is available at GitHub

Note: this is still a very first early draft of these mappings (with many changes expected in the next couple weeks).

First pass at BSIMM questions for teams

Here (also embedded below) is a mapping of several BSIMM activities and translating them into a questionnaire that can be easily filled in by developers, technical architects,  business owners and security champions (called satellites in BSIMM).

Note that not all activities are there. Some only made sense for SSG (Software Security Group) to answer, and I already knew the answer for others.

This is still a work in progress, and I'm not happy with the wording of some of the questions. But it is good enough to give a try and get feedback.

The objective is to create metrics about multiple development teams, so that a set of targets can be set (and an action plan created)

Sunday, 24 April 2016

Started working on new book "Measuring Software Quality using Application Security"

Over the 3 weeks I spent in the US (in an RV with family) I started working on a book based on the ideas shown at the "New Era of Software with modern Application Security" presentation (v1.0).

The current title is "Measuring Software Quality using Application Security" and it is going to be published at LeanPub:

All content is hosted on the public GitHub repo, where you can also see a number of issues I plan to address (including areas for research)

I am currently in the brain dump stage of development, where I'm adding the content I want to talk about (in a kinda-structured way). The idea is to expand the bullet points into text and normalise the content in logical areas (some topics already have a first pass at expanding the ideas into final text).

Wednesday, 23 March 2016

When talking about Application Security and Software Quality, Pollution is a much better analogy than Technical Debt

One of the analogies that I make in my "New Era of Software with modern Application Security"  presentation is that Pollution is a much better way to describe quality (and security) issues (vs Technical Debt):


This analogy is inspired by David Rice's amazing keynote at OWASP AppSec USA 2010 "Upon the threshold of opportunity" (which you can see the video here)

David Rice is the author of the also amazing Geekonomics book, which really shows The Real Cost of Insecure Software

Unfortunately, David Rice after going to work for Apple, seems to have disappeared from the internet, which is a great loss for the world, since he was doing amazing research (of course that I'm sure he is doing great stuff for Apple, but it is a shame that we are not able to learn from him anymore)

David's book site is down, but luckily the wayback machine was able to get a copy of the page with the abstract of this talk:

    In the 1960s, pollution in the United States reached a breaking point. Large corporations, by and large, had been unresponsive to environmental issues leaving the nation's skies filled with smog, rivers filled with sludge, forests defoliated by acid rain, and fresh water lakes declared "dead." The natural heritage of the nation was being destroyed by its industrial prosperity.

    The U.S. response was a series of less-than-satisfactory regulatory attempts to correct for substantial environmental damage. Faced with serious and costly legacy issues of industrialism however, many companies stonewalled and delayed for much of the 1980s and 1990s, emphasizing legal compliance and reactionary practices over real progress. The turn of the century ushered in a fresh perspective in corporate America, with companies like GE, DuPont, and Wal-Mart actively pursuing sustainability initiatives linked to corporate performance, transforming environmental crisis into financial opportunity. What happened?

    Within the story of the U.S. battle against environmental pollution lies key lessons for confronting the equivalent of pollution in cyberspace: software vulnerabilities. The toxic effluence of software vulnerabilities leave networks saturated with spam, computers clogged with malware, and servers defoliated of sensitive private data.

    To date, a series of less-than-satisfactory regulatory attempts – such as PCI, SOX, and data breach laws – have been enacted to address what appears to be widespread unresponsiveness to the substantial harm to the global digital eco-system caused by unrestricted vulnerability dumping. Faced with serious and costly legacy issues of poorly implemented software systems however, many companies continue to stonewall or delay security programs, emphasizing legal compliance and reactionary practices while demonstrating no real improvement. What would it take to change this, to turn the crisis of “pollution” in cyberspace into an opportunity?

    This keynote highlights a possible fresh perspective, putting software security into the context of social responsibility linked to corporate performance, illustrating how the software market - like corporate America - stands upon the threshold of its greatest opportunity.

Related posts:

Sunday, 20 March 2016

"New Era of Software with modern Application Security" presentation (v1.0)

This is the final slide deck of the "New Era of Software with modern Application Security" presentation I delivered at Codemotion Rome, which was a developer-focused conference (with 2000 tickets sold).

Description: "This presentation will start with an overview of the current state of Application Insecurity (with practical examples). This will make the attendees think twice about what is about to happen to their applications. The solution is to leverage a new generation of application security thinking such as: TDD, Docker, Test Automation, Static Analysis, cleaver Fuzzing, JIRA Risk workflows, Kanban, micro web services visualization, and ELK. These practices will not only make applications/software more secure/resilient, but it allow them to be developed in a much more efficient, cheaper and productive"

Friday, 4 March 2016

Simple Threat Model (template) - Good place to start

When teaching about Threat Models, the most common question I get is 'How do I start?'.

To make this process easier, I usually recommend to use the simple '1 page Threat Model' which you can see on the right ( download here)

The idea is to kickstart the process by mapping out the:

  1. Data Flow Diagrams (i.e app architecture)
  2. Entry Points (i.e Attack surface)
  3. Assets (i.e. what is valuable and needs to be protected)
  4. External Dependencies and Trust Levels
  5. Threats(edited)
Another great source of (first steps on Threat Modelling) resources are the Microsofts' At a Glance: Web Application Threat Modeling and OWASP's Application Threat Modeling pages 

Thursday, 3 March 2016

JIRA RISK workflow handling of 'Risk Fatigue'

On a email thread related to Updated JIRA RISK workflow (now with a 'Fixing' State), I received this great question:
I really like the idea of forcing someone to almost sign that they accept the risk. Forces them to really think about it.

One thing I'm curious about is whether there is such as thing as "risk fatigue" like you have "monitoring fatigue". So, the first few times you accept risk you do so with a heavy heart, but each time you do it and there are no perceived negative consequences, it gets a little easier. That is until the point when you're completely exposed and something bad does actually happen. Having said that, the alternative of not physically accepting the risk in some way is far worse IMO, and that by using something like Jira you can at least measure the ratio of fixed vs risk accepted over time. Hopefully it moves in the right direction!
And here is my answer:

Wednesday, 2 March 2016

Updated JIRA RISK workflow (now with a 'Fixing' State)

As an improvement of the workflow I showed at JIRA Workflows for handing AppSec RISKS here is a version that adds a 'Fixing' state between 'Allocated for Fix' and ‘Test Fix’.

The reason for this change, was to take into account projects (or components) that have a large number of open issues that want to be fixed (vs risks to be accepted).

Since we try to use an Kanban 'Work in Progress' model for the issues to fix (i.e. no more than 3 to 4 active items), this new state helps to keep a nice separation between the issues that:
  • need to be 'Risk Accepted' (i.e. there is no intention (or resources) to fix in the next couple months)
  • have been reviewed and are 'Allocated for Fix'
  • are currently being worked on (i.e. in a 'Fixing' state)