Friday, 2 May 2014

Some hacking for the weekend (with an AppSensor and O2 Platform flavour)

(originally posted to the OWASP leaders list)
---------- ---------- ---------- ---------- ---------- ---------- ---------- 

As you can see on Please hack TeamMentor 3.4.1 (learn, maybe be paid or even get a job) I'm inviting the world to hack the app I'm been working for the past years.

You can either do a pure black-box (on https://tm-appsensor.azurewebsites.net ) or look at the source code (clone from https://github.com/TeamMentor/Dev and run locally or in Azure (only needs .NET 4.0, no DB install required) 

There is quite a lot of OWASP influence in this release of TeamMentor, from the O2 Platform FluentSharp libraries (which make me a lot more productive as a developer), to the AppSensor-like features (see below) and the multiple OWASP-inspired coding strategies used to keep the app secure (look for example at the ASMX and WCF security tests or the .NET Security Demands).

What is really cool and I'm very excited about, is the first pass at adding AppSensor capabilities to this app. 

Like I mentioned many times when talking about AppSensor, my main issue with the original model was that it pushed apps to add too much behaviour to the application in order be 'Appsensor-ready' (which could affect the application's performance/behaviour).  My preferred approach (which I've implemented now) is to first really improve the ability of an application to 'report and visualise' what is going on. This is done by pushing that info to 'somewhere' outside the app, then start thinking about how to detect malicious activity (from the point of view of that app) and finally what should be done about it.

For the real-time data distribution (user activities, debug logs and request urls) I used Firebase mapped to an AngularJS UI, which really rocks (the firebase 'websockets content push' fells like magic). You can read most details about it in the 7 posts at http://blog.diniscruz.com/search/label/Firebase and if you want to see it action, create an account and let me know (i'll give you admin access to that Azure box if you promise to behave :)  )

So have a go, and please share that blog post (and the server details) to others who you think might be interested (note that the last guy who reported a bunch of security issues with TM got a job out of it).

The other area that I'm really interested in, is to have a couple threads on important security topics like: Data Encoding, Authentication, Authorisation, OWASP Top 10 issues, Application self-defence, Unit-Test driven development (with a security focus), Continuous Integration/Deployment (with security embedded in it) and static-code/dynamic analysis of multi-tier webservices+jquery based apps like this.

Those are all things I worry daily, and as you can see, SI (Security Innovation) is pretty good sport at having this type of open discussion about their product (which has its code available in a public GitHub repository (it's not Open Source, but at least the code is all there)).

A lot of the times we (the AppSec guys/gals) are accused of talking in vacuum or providing security guidance on demo/simple apps. OK, here is a real-world app, with real-world complexity and compromises. Ideally OWASP should be able to help developers like me and protect these apps users.

I know that sometimes it feels that OWASP is stuck and doesn't really connect with developers, but I have to say that as a developer I benefit tremendously from the knowledge shared by OWASP (for example the cheat-sheets), its projects (for example AppSensor or ESAPI (from which I took the 'concepts' not the code)) and chapters/conferences.

Thanks

Post a Comment