Archive for the ‘Uncategorized’ Category
That roasted lamb’s a delicacy
Its parents would have made it with love
Well, they made love, hence the meat
And that exotic sauce on ’em for your taste buds
The chef should have made it with love
Well, he made love, hence the sauce
Leveraging Open Source for Continuous Application Security at Agile Continuous Integration and Continuous Delivery environments
This post is an abstract of my submission to nullcon 2015.
With more and more web applications enabling us to converse, communicate, conspire, collaborate, contribute, capture, compute, credit, conjure, and even keep us content, more and more trivially exploitable vulnerabilities are left waiting to be exploited. Development teams, always confronted with deliverables and ever-faster looming deadlines, see penetration testers as blockers: when a developed application is penetrated and vulnerabilities are identified, the effort to fix them surges, whereas it would have been downright child’s play had those bugs been identified early in the development cycle, while the application’s features were being built and tested. As deployment dates near, most raised security bugs remain open; the critical and some lucky high risk bugs are fixed, but stakeholders accept medium and low risk bugs as technical debt, and our vulnerable application meets the world wild web.
The early feedback cycles introduced by Continuous Integration systems have shown that when software development teams are confronted with bugs and build failures, they step up with early fixes. In the same way, a system of Continuous Security aims at transparent security governance of application development, making security visible at all levels: development, quality, compliance. While ‘tools in the market can’t oust human intelligence at penetration tests’ stands as an immutable fact, ‘tools are used to automate and identify recurring and routine security bugs and to complement manual audits’ also holds true. Sure, there are security-aware development firms that use penetration testing tools as part of their development cycles. However, there has not been a rapid adoption of automated tools in rapid and agile application development processes. The likely reasons are cost, time, effort, lack of security awareness, fear of introducing more bugs while trying to fix an existing one, and the habit of responding to the latest threats instead of taking proactive measures. Even some of the free and open source offerings lack support, an active development community, documentation, usability, and scripting support.
Bugs are something that frightens every developer and tester. Working with development teams of various sizes, it is evident that the earlier bugs are identified, the easier they are to fix. While the proposed idea might look familiar, and some organizations may even have expensive tools deployed to identify bugs every night, no extra steps are taken to get a developer’s attention. Nothing is more embarrassing for a developer than to have broken a build and to be notified about the bugs. Getting a developer’s attention with build notifications and failures, getting the identified bugs fixed, and keeping the source control free of the common security vulnerabilities, at the cost of only free and open source software and with a generic, platform-agnostic approach, is what is different and innovative about this paper. The sample source that accompanies this abstract should also help security analysts and developers understand how Continuous Application Security can be done, and actually implement it for their web applications.
This paper proposes a generic framework/approach with open source options to integrate vulnerability analysis as a daily chore during web application development and maintenance. The fundamental idea is to integrate a custom pipeline build script, or the boilerplate code accompanying this paper, into the build system; the custom pipeline build script is henceforth referred to as the CPBS. Based on the vulnerabilities found, the CPBS updates the build system with success or failure. Conditional action is then taken to keep the newly checked-in code in the version control system or discard it (for a continuous integration setup), or to stop a production deployment (for a continuous deployment setup). The CPBS sequence follows this work-flow: start the security tool listening on a port; attempt a health check on the website URL and keep polling until the website services are up; exclude URLs that destroy active sessions; if a functional test suite is available, monitor and wait for the functional tests to complete; let the security tool analyze the traffic and sense vulnerabilities by passive scanning; start a webdriver script to create an active session for the application; apart from the URLs obtained while the functional tests were running, fire up the spiders to crawl for more resources; set the desired scan policies and start the scan; send a success or failure code based on the results.
Embracing automated functional tests within the Vulnerability Analysis process, handling authenticated resources and login protected websites, handling intensive client side scripts with JSON or single page web applications, handling CSRF tokens, handling iterative and incremental scans, false positive management, promoting security culture and governance in the organization, managing identified bugs in tracking systems, keeping the code in version control systems free of security bugs are some of the key areas of focus.
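The gating part of the CPBS work-flow above (health-check polling, excluding session-destroying URLs, suppressing reviewed false positives, and turning scan results into a build exit code) as an added example; this is not the paper's boilerplate, the tool-specific proxy/spider/scan calls are replaced by plain callables, and the alert format and sample results are constructed.

```python
"""CPBS-style build gate (added example, not the paper's accompanying code).
Tool-specific steps (start proxy, spider, active scan) are left to callables;
the alert dict format below is constructed for illustration."""
import re
import time

# URL patterns that would log the scanner out mid-scan if crawled (assumed).
SESSION_KILLERS = [re.compile(p, re.I)
                   for p in (r"/logout\b", r"/signout\b", r"[?&]action=logout")]

def wait_until_up(probe, attempts=30, delay=1.0, sleep=time.sleep):
    """Poll probe() until it returns True; False if the app never came up."""
    for _ in range(attempts):
        if probe():
            return True
        sleep(delay)
    return False

def crawlable(urls):
    """Drop URLs that would destroy the active session before scanning."""
    return [u for u in urls if not any(p.search(u) for p in SESSION_KILLERS)]

def gate_build(alerts, fail_on=("High",), false_positives=frozenset()):
    """Return (exit_code, summary); exit_code 1 fails the CI build.
    alerts: dicts with 'name', 'risk', 'url'. false_positives: {(name, url)}
    pairs a human has reviewed and accepted; medium/low findings are counted
    (technical debt) but do not fail the build unless listed in fail_on."""
    counts, blocking = {}, []
    for a in alerts:
        if (a["name"], a["url"]) in false_positives:
            counts["suppressed"] = counts.get("suppressed", 0) + 1
            continue
        counts[a["risk"]] = counts.get(a["risk"], 0) + 1
        if a["risk"] in fail_on:
            blocking.append(a)
    return (1 if blocking else 0), {"counts": counts, "blocking": blocking}

# Constructed sample results, shaped like what a DAST tool might report.
SAMPLE_ALERTS = [
    {"name": "Cross Site Scripting (Reflected)", "risk": "High", "url": "http://app.test/search?q=x"},
    {"name": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "http://app.test/"},
    {"name": "Cookie Without Secure Flag", "risk": "Low", "url": "http://app.test/login"},
    {"name": "SQL Injection", "risk": "High", "url": "http://app.test/report"},
]
ACCEPTED_FP = {("SQL Injection", "http://app.test/report")}  # reviewed, accepted

if __name__ == "__main__":
    code, summary = gate_build(SAMPLE_ALERTS, false_positives=ACCEPTED_FP)
    print("build", "FAILED" if code else "passed", summary["counts"])
    raise SystemExit(code)
```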
Process Explorer, the tool we’ve all come to love as “Task Manager on Steroids”, has been for many IT pros one of the essential tools in their troubleshooting toolkit. Process Explorer was originally released in 1998 under the name NTHandlEx. Here is a screenshot of version 1.22. Notice the lack of processes in Windows NT 4.0!
By version 2.01 it had been renamed to HandleEx and had added some more process properties and a kill feature.
It wasn’t until 16 June 2001, when Version 5.0 came out, that it got renamed to Process Explorer. (I was hoping to have a screenshot of this version as well but couldn’t find it anywhere…) In any case, as of May 2011 with version 14.12 the tool has come a long way to become one of the most advanced “task manager” tools available:
However an open source project has been working on a competing product since…
Continuing from Part 1 here http://chentiangemalc.wordpress.com/2011/06/13/process-explorer-vs-process-hackerpart-1-of-2/ we will now compare more advanced features of Process Explorer & Process Hacker.
Run As Options
Both Process Explorer and Process Hacker have “Run” options. Process Explorer has “Run” and “Run As Limited User”, while Process Hacker has “Run”, “Run As Limited User”, and “Run As”.
In both programs “Run As Limited User” will launch the process with “Low” integrity security level on Vista and higher.
However Process Hacker’s Run As is the most powerful with many special options…
User name can be any standard user name but also can include special accounts such as:
We can also select what “type”
Specific sessions can be targeted
as well as Desktops…
Finding Open Handles/DLLs
In Process Hacker this is found via the Hacker | Find Handles or DLLs menu option; in Process Explorer it is via Find | Find Handle or DLL.
The main difference here is…
I have been working on Dutch software for quite some time now. A few of those source code translation worries led me to write TranslateMaid for Visual Studio. However, on a day to day basis, we spend a lot of time on web pages and documents. http://translate.google.com/ is always open in one of our browser tabs.
All of a sudden one day, when we tried to translate Resterend budget per afdeling, what we got was Rest Fuck budget per department. See it for yourself below. I don’t really know where the Rest Fuck came from. Some developer put it in there, or the translation service was perplexed by itself.
However, the Microsoft Translator service was pretty ingenious in this case. It actually gave the correct translation.
You may also like Gimmick free Freebie from Microsoft Translator Preview service.
One of my colleagues called and told me that he had something with my name showing up on his “My Computer / Computer”. The moment I saw it, I was shocked. First things first, Google brought me to http://forum.vuze.com/thread.jspa?threadID=85963, to no avail.
When you have Vuze installed, it might show up in your Network or Computer as Vuze on <<computername>> under Media Devices. Who needs it? By the way, when you are using a torrent client on an intranet and you don’t want people to know that you are using a torrent client, guess what: Vuze shows up on other computers on the network, with your PC name.
Here’s how you disable it. In the Vuze menu at the top, Tools –> Options –> Plugins –> uncheck the azupnpav plugin. Hit save (I don’t know if hitting save is required). Restart Vuze.
So security is two different things: it’s a feeling, and it’s a reality. And they’re different. You could feel secure even if you’re not. And you can be secure even if you don’t feel it. Really, we have two separate concepts mapped onto the same word. …
…Every species does it. Imagine a rabbit in a field, eating grass, and the rabbit’s going to see a fox. That rabbit will make a security trade-off: "Should I stay, or should I flee?" And if you think about it, the rabbits that are good at making that trade-off will tend to live and reproduce, and the rabbits that are bad at it will get eaten or starve. So you’d think that us, as a successful species on the planet — you, me, everybody — would be really good at making these trade-offs. Yet it seems, again and again, that we’re hopelessly bad at it. And I think that’s a fundamentally interesting question. …
…We tend to exaggerate spectacular and rare risks and downplay common risks — so flying versus driving. The unknown is perceived to be riskier than the familiar. One example would be, people fear kidnapping by strangers when the data supports kidnapping by relatives is much more common. This is for children. Third, personified risks are perceived to be greater than anonymous risks — so Bin Laden is scarier because he has a name. And the fourth is people underestimate risks in situations they do control and overestimate them in situations they don’t control. So once you take up skydiving or smoking, you downplay the risks. If a risk is thrust upon you — terrorism was a good example — you’ll overplay it because you don’t feel like it’s in your control….
I was busy writing the TranslateMaid Addin for Visual Studio and learned so many things in so many ways. One of the many quirks I noticed with the Microsoft Translator Preview service was that when you send an XML element, or simply some text or character enclosed in < and > with some text or character following it, you get a freebie. And what’s that?
For instance, when you send <summary>a as the sourceText parameter to be translated, then the result you yield is <summary>a</summary>. And that’s the freebie.
If this was an expected behaviour, then there is a mistake. If this was a mistake, then there is a mistake in that mistake! I will explain why.
Try with <summary>a, <seealso>a, <returns>a, <Jey>a, <maran>a, <a>a, <sometext>a, and for almost everything it returns a free end tag. But when you pass <param>a or <input>a, you don’t get a freebie. There may be many more such examples.
In the samples below, %3C and %3E denote < and > when URL encoded.
and you don’t get the freebie for
You may also like Gimmick free Fuck from Google translate.