Saturday, 25 May 2013

Creating website using GitHub Pages (with screenshots of all design options)

In order to set-up a site for the domain, I just used GitHub Pages to create and publish a brand new site.

This is what it looks like:

What do you think? 

Please see below the other design options and let me know if I made a mistake. Also if you want help in editing this site, ping me with your GitHub account, and I'll give you push access (or fork the repo and send me  pull requests)

Using FluentSharp API’s to refactor C# TreeView sample

While reading reddit’s r/csharp I saw the Can anyone help me answer a quick question about treeview? thread which asked this question:


Creating a GitHub Fork in order to commit changes to PartyCraft

After posting Minecraft In-Game C# REPL I was curious on how it worked, so I quickly created a local clone of the repo and opened up the main Solution file in VisualStudio 2010.

PartiCraft has a couple Submodules, so the VisualStudio load process had a couple missing projects.

The problem is that after updating the two required submodules, the project references/paths where still wrong.

The fixes where easy (path changes and re-adding the references) which when done allowed the C# based Minecraft server to fire up ok.

But this meant that my local clone was out of sync with GitHub, and since I din't have push privileges into the main PartyCraft repo, I needed to push my changes into my own fork.

Friday, 24 May 2013

Embedding O2 Platform Mailing list in this blog

While looking at the Google Groups options for the new O2 Platform mailing list I found an 'Embedding your Group' which I decided to try on this blog.

And the result is quite in interesting.

You can see it in action here (or by clicking on the O2 Platform Mailing List link above) and it looks like this:

Minecraft In-Game C# REPL

This is really cool, just saw on this reddit thread the video below which shows a REPL inside minecraft

This is part of C# Minecraft written in C#:

Should we use Bayesian or Neural Networks for SAST? yes, but not yet (we are not ready for it)

The super sharp OWASP Leader Johanna Curiel, while trying to get her head around the O2 Platform, asked me earlier today :
    in your research, have you try static code analysis using any form of artificial intelligence such as Bayesian or neural networks ?

    let know, while I was studying, I was researching this stuff. I just would like to hear from you if you had any experience with this
The short answer is NO, I have not really looked at Bayesien or Neural Networks for SAST (Static Analysis)

The longer answer is We Dont need it (yet), since there are many bigger limitations of the current SAST technology and tools, which we need to solve first before we look into that type of advanced analysis and techniques.

Thursday, 23 May 2013

Sarah Baso as OWASP Executive director, how it broke the model, structure and culture of OWASP employees

(note: I don't have a lot of time to write the detailed analysis that I wanted to do,  but as time is passing by, I wanted to go on the record with my thoughts of that happened. So think of this post as a brain dump of my views on this important topic for OWASP)

In April 8th the OWASP board announced that OWASP Creates Executive Director Position.

My view at the time (and still is) was that OWASP Executive Director Role (Not yet), specially because:
    What we need are another Kate, Sarah, Kelly or Samantha, they still work FAR too much for OWASP and my worry is that they will implode one day. Not sure that they need a boss to tell them what to do, if anything I would delegate to them the powers currently 'assigned' to the Executive Director.
What happened next surprised most OWASP leaders since a couple days later the OWASP board announced that Sarah Baso would become the new OWASP's New Executive Director

Why should a company open source one of their products? and what is the business case?

If you where asked by a friend to help him make the business case to open source a product created by his company, how would you answer?

The scenario is a company that has a couple products and fells that it is not able to spend significant time and resources in one of them.

My answer was to 'just do it and push the support + maintenance efforts to the community'

Here are some links to good articles on Open Source business models:

Trying Google Groups as the OWASP O2 Platform mailing list

This is something that some OWASP project leaders have talked/tested in the past, so to try it I moved the current mailman-based O2 list to the new Google Groups (which look much better than a couple years ago)

How TeamMentor creates SHA256+PBKDF2 password hashes and stores them in XML files

In the 3.3. version of TeamMentor there was a significant change in how the user's password hash is submitted and stored.

In version 3.2. we used a SHA256 hash of “username+password” (created either on the client (browser) or server) which was stored in the user’s xml file (which is a serialization of the in memory user-object).

Although we never stored the user’s password on disk (in fact in most cases we never even sent it to the server), due to advances in processing power and Credentials Brute Force Attacks, in 2013 that is not a secure way to store password anymore.

After some threads (see TM stores passwords insecurely issue), it was agreed that a solution based on PBKDF2 should be used.

Wednesday, 22 May 2013

Upgrading the 'TeamMentor View Library Links Status’ tool to 3.3

One of the tools I developed during the 3.2 release was a window's tool that allowed the analysis and mapping of broken links in an TeamMentor library.

This tool is similar to the one I showed in this video and is on the repository:

Tuesday, 21 May 2013

[Great post] Git: Who cares about branches? It’s all about collaboration and code reviews

This is a great explanation of the power of Git : Who cares about branches? It’s all about collaboration and code reviews

here is the author's TL;DR:

TL;DR: Using Git has made our team much better by removing barriers to collaboration and code reviews. Those are the real Git benefits, not specific features like fast branches.

I complete agree and it is the ability to easily review code (and send code back for rewrite during pull requests) that really makes git powerful :)

On this topic also read Great presentation on Git Branching (very similar to the model we are using in TeamMentor) 

Sorry about some of the recent reposts

I was just trying to see if I could get TweetFeed to pick them up (since it automatically pushes blog updates to twitter) but that wasn't working

The root cause was the failure of FeedBurner that happened on this blog

I'm stoping now since it is clearly not working (the save as draft and changing the post date, didn't work in blogger and

Offline copy of the entire gallery. What should I do with these 4.05 Gbs of amazing .Net Apps/APIs?

As you can read on the posts below, I was able to create an offline copy of the entire gallery (as of the 4th of May)

Downloading the entire NuGet package database

When I was having the serialization problems described in Saving the entire list of NuGet Packages I realized that adding a NuGet IPackage (retrieved from the GetPackages() method) to a SharePackageRepository will also download actual packages :)

Saving the entire list of NuGet Packages

Following from Retrieving NuGet package programatically using NuGet.exe classes (not command line), here is the script that downloads and saves the raw http responses (from the request used by the NuGet API to get them)

Retrieving NuGet package programatically using NuGet.exe classes (not command line)

Following from Consuming NuGet programmatically outside VisualStudio (downloading the list of packages) , here is how I was able to consume NuGet.exe directly and create a strongly-typed NuGet Packages object

I started by opening up NuGet.exe in ILSpy and see what it’s Main method is doing:

Consuming NuGet programmatically outside VisualStudio (downloading the list of packages)

I wanted to write an O2 Script today that consumed an NuGet package and was annoyed by the fact that there doesn’t seem to be an easy way to just download and consume the dlls directly (i.e. without VisualStudio).

I did a quick search and although it looks like I’m not the only one with this problem, since there isn’t an easy solution out there:
So the solution was to add support for it the O2 Platform :)

'How to start using the O2 Platform and its scripting capabilities?' (and how I used the O2 Platform to solve a hard integration problem in May 2013)

A question I get regularly is 'how to start using the O2 Platform and its scripting capabilities?' 

And although there are a large number of blog posts about O2 out there (see here and here) there isn't a good number of 'where do I start' and 'how is O2 used in the real world' examples (hint: I could do with some help on the O2 Documentation :)  )

So to help answering this question, I just posted (grab a coffee first) Using AST to programatically create a Proxy class for a WSDL webservice (in this case HacmeBank and Checkmarx ASMX) which contains links to a series of blog posts that explains how I used O2 this past week to solve a hard problem and create a nice innovative solution.

For your convenience here are the links:

(grab a coffee first) Using AST to programatically create a Proxy class for a WSDL webservice (in this case HacmeBank and Checkmarx ASMX)

For this past week I worked on a way to intercept and change data returned from an C# ASMX web service (exposed via a WSDL)

After trying multiple options (including PostSharp), I found a way to:

Programatically use AST C# generation (from ICSharpCode.NRefactory and O2 Platform's FluentSharp.REPL APIs) to:

  • create a 'proxy' C# of  an ASMX with the same exposed web methods as the original one
  • by default the new proxy ASMX WebService will call the original WebService's method (think class A implements class B, with all methods in class A calling the base method from class B)
  • make it easy to extend the new ASMX WebService  C# code and change the data sent/received from/to the original WebService's methods.

While I was working on the solution, I created a number of (long) blog posts that explains in detail all the steps I took to create the 'proxy' C# of  an ASMX.

Here are they, ordered by creation date (so if you want to see the final result, look at the last one)

Using WebServices Proxy Wrapper to replace Checkmarx’s CWE Guidance with TeamMentor’s Articles

After Creating a WebServices Proxy Wrapper for Checkmarx’s CxWebService its time to replace the existing guidance with TeamMentor’s articles.

We start with a folder containing the CxWebService.asmx

Creating a WebServices Proxy Wrapper for Checkmarx’s CxWebService

Now that we have the an API to create proxies (see Creating an API to create the WebServices Proxy Wrapper classes/asmx files) its time to create the proxy I really need, which is the Checkmarx webservice responsible for (amongst other things) returning security guidance (see Adding O2's CSharp REPL to the Checkmarx main WebService for more details)

Currently I have the latest version of Checkmarx installed on my dev box, which uses the UltraDev web server:

Running the Asmx WebServices WebMethod invocation wrapper on a local WebServer (i.e Hacmebank UserManagement.asmx)

After the Creating an Lambda Method that creates an Asmx WebServices WebMethod invocation wrapper post, the next step is run the proxy class as a local webservice and consume it from HacmeBank.

Following from the code sample in the last blog post, I did a bit of refactoring so that the both files (the original WSDL C# file and the wrapper file) are saved on the same local folder.

Also the CSharp generation is now on a separate lambda method:

Releasing HotFix 1 for TeamMentor 3.3 (using Git to deploy updates to live servers)

This is how I updated the 3.3 version of TeamMentor to 3.3.1, which contained a fix for the Password expiry cannot be set from the main TM GUI issue

Since we are now using the Vincent Driessen GitFlow branching model (see also these Git-Flow scripts and this great presentation), after the issue 437 was reported+prioritised, all development happened on a Feature Branch called HotFix_3_3_1 (which was created from a Pull Request from Ian's own 437-Password-Expiry dev branch).

Once TM's QA (ie. Roman) was happy with the patch, it was time to push it to the first batch of TM production servers (my responsibility was to update the server, while Roman updated the , and the rest will be updated by Michael K + Michael H). Technically I did a pull from those servers :)

Here are my steps:

My Current Loans on Kyva (May 2013)

I just updated my Kyva page which is a great way to help out a bit:

I'm part of the team OWASP ( and it is great to see that together we already funded $37,250 :). Thanks to James Mcgovern for pushing the OWASP community to participate.

Here are my current loans:

Friday, 17 May 2013

The post that broke Feedburner

Here is something weird, I was noticing that some of my recent posts were not having the normal traffic and after digging a little bit I found that the last post on the xml feed:

Responding to Andrew's O2 Platform feedback on the OWASP Leaders list

Here is my answers to OWASP's Andrew van der Stock on this feedback on the O2 Platform. My answers contains good info on my approach to O2 Platform's community and development.

Andrew's words are in italic below

----------------- (start) -----------------

(changing the title to reflect the new thread on the O2 Platform)

Hey Andrew, thanks a lot for your feedback, and please see my comments below

On 16 May 2013 13:41, vanderaj vanderaj <> wrote:

I know what you mean about the lack of O2 feedback. So I'm going to
give you a tiny bit, and hopefully it will help rather than hinder the

PDF with (draft) Exam of OWASP Top10 questions

On the topic of exams and certificates, JBI Training wants to offer their clients some kind of certificates, so I'm helping them to figure out how to do it.

The first step was to have something to ping JBI's developer community with (i.e former students) so I pointed Nigel Laurens to the OWASP Exams project and he created this pdf (embedded bellow) to kickstart things.

Where Is .NET Headed? and the cost for Microsoft of ignoring the O2 Platform

Here is good post from Scott Allen on the topic Where Is .NET Headed?

I agree with Scoot that the .Net community is not as healthy as it could be, and that Microsoft should Open Source .NET (see some of the comments)

Of course that I'm biased, but I think that the fact that Microsoft (and the .NET community) keeps ignoring all the .Net innovation and ideas that I have been publishing on the O2 Platform (see all these blog posts) speaks volumes for the lack of adoption of new ideas.

For example, at the moment the O2 C# REPL and the FluentSharp APIs, actually allow faster and more efficient development than VisualStudio (you can also use O2+FluentSharp inside VisualStudio)

Yes, I know that I don't play Microsoft's game of singing NDAs and be part of their MVPs club, but that is no reason to ignore what is going on.

And yes there are still tons of usability problems in the current version of the O2 Platform (not that VisualStudio can really claim that mantra), BUT, the point of innovation is that it is rough around the edges.

Offline backup of DropBox data, is it possible?

Ideally I would like to buy the DVDs (or other storage medium) with all my data.

I just asked this on DropBox contact us form :

Thursday, 16 May 2013

First execution of ESAPI.jar Encoder methods from O2's C# REPL

Last month (when I was preparing to do the OWASP AppSensor and O2 Platform at Security B-Sides London workshop with colin), I achieved something that I have been trying to do for a while:

Use the O2 Platform's C# REPL environment to programatically access (in real time) the ESAPI jar apis and methods. (see prob described at the end of Loading OWASP ESAPI jar and its dependencies from C# (using jni4net) for my last attempt)

And I'm happy to say that 'consuming the ESAPI jar from .Net', is exactly what I was able to achieve last month :)

I was also able to consume AppSensor's jar directly from a .NET app (in that case TeamMentor) and I have a lot more blog posts to write up on that topic.

This current post,  is the one I wrote at the time of the breakthrough (last month), which got stuck in the drafts folder and remained unpublished (until now)


Question on

I just heard good things about this community (specially on great book reviews and knowledge sharing)

Are you there?

If so, is it any good?

It looks like a closed community, so I'm curious on what is on the other side :)

Creating an API to create the WebServices Proxy Wrapper classes/asmx files

Following from Running the Asmx WebServices WebMethod invocation wrapper on a local WebServer (i.e Hacmebank UserManagement.asmx) the next step is to wrap this code in an easy to consume API.

So let’s open the O2 Development Environment tool (available from the main O2 platform menu)

Creating an Lambda Method that creates an Asmx WebServices WebMethod invocation wrapper

After the Using AST to programmatically create an Asmx WebServices WebMethod invocation wrapper post, the next step is to create an API that helps in the creation of such ‘WebServices proxies’

Using the same technique described on the Creating a REPL editor that is linked to a Code editor post , here is a first code snippet with:
  • An WSDL generated C# file is loaded and assigned into the object fileAst
  • The type/class with the base class of System.Web.Services.Protocols.SoapHttpClientProtocol was assigned to the object wsClass
  • The Login WebService’s WebMethod was assigned to the object loginMethod
  • A new Ast Type (based on name of the wsClass) was added to the compilationUnit object, and assigned to the object wrapperType
  • The loginMethod was added to the wrapperType object
  • The CSharp representation of the compilationUnit object was created and showed in the codeEditor (with *.cs syntax colouring)

Using AST to programmatically create an Asmx WebServices WebMethod invocation wrapper (for HacmeBank)

Following the Creating a REPL editor that is linked to a Code editor and a Using AST technology (from ICSharpCode.NRefactory) to script the creation of a C# file  posts, here is how use AST technology to create a wrapper for HacmeBank web services:

Using AST technology (from ICSharpCode.NRefactory) to script the creation of a C# file (using O2's C# REPL editor)

Sometimes the best/only way to create a script is to codify it (i.e with another script).

In this post I’m going to show how the O2’s FluentSharp APIs can be used to create valid C# code that can then be compiled and executed.

There is already a huge amount of C# AST APIs and extension methods in the FluentSharp.REPL which we will use to dynamically create a C# script (i.e. we are going to create an AST object which will then create a C# source code file)

Here are some of the APIs we are going to use:

Creating a REPL editor that is linked to a Code editor (with detailed step-by-step description of how I use O2 to 'evolve an C# UI via quick REPL')

Today I needed to script the creation of a C# script needed a C# REPL that was linked into a Code Editor (to make code development faster).

Since there wasn’t such script in the O2.Platform.Scripts library, I quickly created one.

This post shows how I created this script

Adding O2's CSharp REPL to the Checkmarx main WebService

I’m working on the integration of TeamMentor with Checkmarx and needed to have some control on how the data the WebServices returns.

The previous version of this integration made direct changes to the Checkmarx content database, but this time around that will not work, since for example CheckMarx maps it’s guidance to CWE_ID and we want to map the guidance to the Checkmarx’ Query_ID (TeamMentor has technology/application specific guidance, so we can show an SQL Injection article for Java and a different article for .NET (both have the same CWE_ID, but have different Query_ID)

Initially I was going to use PostSharp to add the TM specific code ‘on top’ of Checkmarx dlls, but since in effect this would mean the modification of CheckMarx dlls (to insert PostSharp aspects), I went for an hook on Http Pipeline instead :)

Wednesday, 15 May 2013

Implementing a Simple SSO solution for TeamMentor (based on long MD5 shared key)

For one of the 3rd party apps we are integrating TM with (lets call it app XYZ),  there is a requirement to have the users from those websites to be able to automatically login into TeamMentor (TM).

Note that the solution I implemented is based on a variation of that 3rd party application SSO solution, which allows the login into their application using this worklow:
  • There is a SharedKey between both services (TM and XYZ)
  • TM redirects to XYZ with a special token which is made of MD5 of 'SharedKey +email' and the actual email. This is a GET request that looks like: /sso?requestToken=[md5({SharedKey}+{email})]&email={email}
  • XYZ app checks that the email value received matches the MD5 provided in the requestToken value, and if it does, and it is a valid user in their system, XYZ will redirect to TM with an unique token called responseToken
  • the TM server should reply back to XYZ server with an MD5 of the  responseToken + SharedKey. This is a GET request that looks lke: /sso?confirmToken=[md5(responseToken +SharedKey)] 
  • if confirmToken is good, then the user will be logged in into XYZ system

Monday, 13 May 2013

On John Wilander....

John asked me this today via linkedIn to write a recommendation for him:
    Dear Dinis, 
    As I wrote on the leaders list I'm no longer co-leader of OWASP Sweden as of this week's chapter meeting in Stockholm. Hopefully you can help to briefly summarize/recommend my OWASP work 2007 till now.

    Thanks in advance!

    -John Wilander

Which of course I was happy to do.

Friday, 3 May 2013

Fixing bug in TBot user editor via Git merge of fix developed on another repo's branch

Here is an example of how I just created a HotFix branch to address an issue we want to push to our live servers asap, and how the fix was developed by Ian in one of this dev branches.

First I created HotFix Branch at a (freshly baked) local clone of the TeamMentor/Dev repository:

Decrypting AES strings sent from server to an 'client-side browser based' Flash swf (using Javascript and C#)

So I was looking at this Flash-based website which used a really good security measure: it encrypted all GET and POST data using AES. 

This creates a ‘couple’ probs when testing/understanding how the app works, since we can’t easily see what is being sent to/from the server (by/to the flash swf running in the browser).

Ironically, because it is hard to see and change these values, apps that protect the client/server traffic this way usually have tons of server-side vulnerabilities, since it is easy to assume (by the devs and QA) that those values will never be changed (and it also makes it very hard to do any testing outside what the normal UI allows).

For example if we look at the login sequence, we will see that when the user submits its login details (entered via the Flash GUI), there is a request to /post.ashx that looks like this:

TraceGL (and the failure of the OpenSource commercial model)

After seeing on reddit (I think) a thread about TraceGL, I decided to try it on TM SSO integration I’m working on (where I really need to take a look at what is happening with a website’s javascript traffic).

Thursday, 2 May 2013

Great presentation on Git Branching (very similar to the model we are using in TeamMentor)

Just saw this presentation on Git Branching (embedded below) which is really close to the model we are currently using to manage TeamMentor's app development.

I really agree with just about everything Lemi Ergin says and this is a great description of the power of Git for branching

AzureGate - how Azure's 'subscription upgrade' crazy mode caused us to stop using Azure for VM Hosting (and Git+GitHub saved the day)

Late last night all the main TM hosted sites went down!

The reason is Azure's crazy 'subscription expired' workflow which  you can read what other Azure users had to say about it when I happened to them on and Microsoft's view on it (note how the crowd in the comments are not happy with it)

Below is the email I sent internally at SI, with my debrief on what happened:

Still trying to find a way to get in trouble at SI :)

Humm, even with my constant leak of internal threads, push TeamMentor deadlines/releases (just to squeeze in features that I really believe are important for SI/TM) and a really strong push to 'open anything that moves' at SI, I still get this quote from Ed Adams (answering a question from an ex-boss of mine)

Ex-boss question: how is that "Crazy cowboy" doing at SI? 

(Crazy Cowboy = me)

Ed's answer: "...he's not crazy and he's no cowboy. he's a developer with seemingly boundless passion and energy who pushes us on the topic of openess beyond our comfort zone.... but we find our comfort zone ever expanding with his influence..."

I guess I need to try harder :)

(btw: if you are curious about SI's work environment take a look at Question about SI's level of openness and empowerment)

Wednesday, 1 May 2013

Example of two TeamMentor sites using the same GitHub Content Library

Now that we TeamMentor 3.3. is able to automatically commit, pull and push from live GitHub repositories, we are able to support quite interesting set-up and workflows.

For example at the moment there are two live TM4TM sites:
Both are configured to consume data from the repository: