Saturday, 23 August 2014

Friday, 15 August 2014

OWASP O2 Platform 5.5 - RC1, please give it a test drive

Just pushed to bintray the latest version of the O2 Platform (v5.5).

I'm calling it RC1 (Release Candidate 1) so that it can be given a good test drive before I update the main O2 Platform download and links.

This version is distributed as a zip, since there were a couple of issues with the auto-extraction of the stand-alone exe version (used in the 5.3 version).

So please download the 16Mb zip, unzip it into a local folder, and execute the O2 Platform 5.5 - RC1.exe file:

Sunday, 10 August 2014

Just used BinTray to publish a number of O2Platform/FluentSharp stand-alone exes

I just tried BinTray as a platform to host exe/binaries/release files, and I have to say that it was a great experience.

Ever since I added to the O2 Platform and FluentSharp the ability/feature to package O2/H2 scripts as stand-alone exes, I've been trying to find a nice place to host them (since there are dozens, if not hundreds, of mini-tools that I want to publish).

For a while I used DropBox, but not only was that not THAT practical, DropBox never gave me any stats. Even worse, DropBox started blocking the downloads (saying 'too much traffic on this account') but was not able to tell me which files were causing the problem!!

The good news is that BinTray seems to work perfectly for publishing these O2 Platform created tools.

To see this in action and download one or more of these tools, open

Extract from my SANS Interview on Application Security (in 2007)

While trying to find a link to the SANS What Works 2007 conference (where I presented Inconvenient Truth(s) on Application Security) I found this interview on the Interweb, which contains a number of responses that I want to capture on this blog. That page might disappear one day (just like the SANS conference page from 2007), and most comments are still relevant today (Oct 2014).

Here is an extract of the interview I did with Stephen Northcutt on June 11th 2007 (see full version here):

Inconvenient Truth(s) on Application Security (presented in 2007 and still relevant in 2014)

Here and embedded below is a presentation that I did in 2007 at a SANS conference when I was working for OunceLabs.

Here are the 13 Inconvenient Truth(s) mentioned in that presentation (I'm not sure if I should be encouraged that I made some good points, or depressed by how little progress we have made in Application Security over the past 7 years):
  • #1 There are no metrics!
  • #2 Global Warming ~ Software InSecurity
  • #3 Secure software doesn’t make business sense
  • #4 Our systems are safe today
  • #5 We will be doomed!
  • #6 The attacker's business model is still immature
  • #7 Physical Extremism doesn't scale (but Digital Extremism does)
  • #8 We need better engineering
  • #9 We need containment
  • #10 Open Source security is a myth
  • #11 Most Source Code must be disclosed
  • #12 Most IT Security products have negative ROI
  • #13 The 'digital Armageddon' will never happen

Can you spot the vulnerabilities? (6 code snippets in C# and Java)

I was cleaning up one of my laptops a bit and I found these 6 code snippets that (I think) we used for one of the conferences I participated in with SI (on some marketing materials with a question like 'Spot the vuln and get a free beer at our booth').

So ... can you spot the 6 vulnerabilities in the code snippets below? (some of these are from HacmeBank v2):

Monday, 4 August 2014

The 4 components of the new TeamMentor 4.0 design (and IE support)

Thinking about the new TeamMentor 4.0 design from a technical, implementation and shipping point of view, there are 4 more-or-less separate parts of the new design:

1) the 4.0 look and feel + basic use (simple navigation, basic search and article viewing)
2) the 4.0 'search driven functionality'
3) the 4.0 design with full article (and library / metadata) editing capabilities
4) the 4.0 design on TBot/Admin features

For the 1st one, we should aim to have a fully backwards-compatible version of TM. Note that this version would also be the 'TM Mobile' version, i.e. the default way to consume TM on a mobile, or in a small window space like what we get inside an IDE plugin (bootstrap has a 'responsive, mobile first fluid grid system' which makes this easier).

For the 2nd, this is where the main UE and UI thinking/experimentation needs to occur.

Search feedback loop and other TeamMentor 4.0 Search related topics

While thinking and researching how to do the search on TeamMentor 4.0 (next version of TM), the key requirements that I kept coming back to are:
  • need to have a feedback loop on the search results (this is really what makes Google Google), which can be captured:
    • explicitly: via the user clicking on the + or - sign next to each search result
    • implicitly: via detecting which search result the user clicks (and which rank that result had)
    • by mapping: where the user (or TM admin/editor) is able to provide feedback on a particular search. For example saying that the search results for 'X' should be the search results for 'Y'
  • need to learn: this is connected to the feedback loop mentioned above and is based on the idea that the TM search results should become better with time
  • need to start collecting data as soon as possible (ideally leveraging the current hundreds or thousands of Application Security searches SI employees already do every day)
  • need to explain how we calculated a particular search result (of course this needs to be hidden from normal users (unless they want to see it), but we really need to show TM Editors/Admins the logic behind the search formula (and data) used to create those results and reach the conclusion that 'article X' should be shown before 'article Y' (or folder/view/category 'X' should be shown before folder/view/category 'Y'))
  • Provide links to other search engines and application security websites (like Google, StackOverflow, OWASP, Wikipedia, etc...). This would allow us to make the case 'first search in TM and then go into Google' (I think Google used to do this with other search engines (in a long distant past)):
    • In fact, this could also allow us to 'fix' Google queries, since we could say "Hey, you searched for XSS but what you probably want (from Google) is 'How to fix XSS vulnerabilities in .NET'" (assuming we had detected that that user was looking at .NET results)
  • Provide recommended searches based on past searches: the typical "users that searched/bought this item also searched/bought these ones"
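To make the requirements above concrete, here is an added example (not TeamMentor code, and not how TM 4.0 was actually built) of a tiny search scorer that captures the three feedback channels described (explicit +/- votes, implicit clicks weighted by the rank they were clicked at, and admin query mappings), exposes the per-result explanation only when asked for it, and derives "users who searched for X also searched for Y" from session co-occurrence. The corpus, the weights and the `click_weight` formula are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample corpus (article id -> title); not TeamMentor content.
ARTICLES = {
    "a1": "How to fix XSS vulnerabilities in .NET",
    "a2": "XSS overview and attack surface",
    "a3": "Input validation in Java web applications",
    "a4": "How to fix XSS vulnerabilities in Java",
}

# Assumed weights (tunable, not from the post).
EXPLICIT_WEIGHT = 1.0


def click_weight(rank):
    """A click further down the list is stronger evidence than a click on
    the top result, so deeper clicks earn a larger boost (assumed formula)."""
    return 1.0 + 0.25 * (rank - 1)


def tokens(text):
    return {t.strip(".,'\"").lower() for t in text.split()} - {""}


class FeedbackStore:
    """Collects the feedback channels described in the post."""

    def __init__(self):
        self.explicit = defaultdict(int)   # (query, article) -> net +/- votes
        self.clicks = defaultdict(list)    # (query, article) -> ranks clicked at
        self.mappings = {}                 # query -> query it should behave as
        self.sessions = []                 # lists of queries issued together

    def vote(self, query, article, up):
        self.explicit[(query.lower(), article)] += 1 if up else -1

    def click(self, query, article, rank):
        self.clicks[(query.lower(), article)].append(rank)

    def map_query(self, query, target):
        self.mappings[query.lower()] = target.lower()

    def record_session(self, queries):
        self.sessions.append([q.lower() for q in queries])


def resolve_query(query, store):
    """Follow admin mappings ('X should return the results for Y'), with a
    guard against mapping cycles."""
    q, seen = query.lower(), set()
    while q in store.mappings and q not in seen:
        seen.add(q)
        q = store.mappings[q]
    return q


def score(query, article, store):
    """Return (score, explanation): the breakdown an Editor/Admin would see."""
    text_hits = len(tokens(query) & tokens(ARTICLES[article]))
    explicit = store.explicit.get((query, article), 0) * EXPLICIT_WEIGHT
    implicit = sum(click_weight(r) for r in store.clicks.get((query, article), []))
    total = text_hits + explicit + implicit
    return total, {"text_hits": text_hits, "explicit": explicit, "implicit": implicit}


def search(query, store, explain=False):
    """Rank articles for a query. Only text matches are candidates; feedback
    then reorders them. The explanation is returned only on request so
    normal users never see it."""
    q = resolve_query(query, store)
    scored = [(aid, *score(q, aid, store)) for aid in ARTICLES]
    scored = [s for s in scored if s[2]["text_hits"] > 0]
    scored.sort(key=lambda s: (-s[1], s[0]))
    if explain:
        return scored
    return [aid for aid, _, _ in scored]


def related_queries(query, store):
    """'Users that searched for this also searched for...' via session co-occurrence."""
    q, counts = query.lower(), defaultdict(int)
    for session in store.sessions:
        if q in session:
            for other in set(session) - {q}:
                counts[other] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    store = FeedbackStore()
    print("before feedback:", search("xss", store))
    store.click("xss", "a4", 3)          # user scrolled past two results to pick a4
    store.vote("xss", "a2", up=False)    # user down-voted a2 for this query
    for aid, total, why in search("xss", store, explain=True):
        print(aid, total, why)
```

Run as-is to see the ranking shift after one deep click and one down-vote; the `explain=True` output is what the Editor/Admin view would expose, and `related_queries` is fed purely from recorded sessions, so collection can start before any ranking changes are switched on.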