[Owasp-appsensor-project] Some hacking for the weekend (with an AppSensor and O2 Platform flavour)

Dinis Cruz dinis.cruz at owasp.org
Fri May 2 22:08:28 UTC 2014


Hi AppSensor list

I sent the email below to the OWASP leaders list. Since all of you are
interested in AppSensor and security, here is a copy for the ones who
didn't receive it.

---------- ---------- ---------- ---------- ---------- ---------- ----------

As you can see on "Please hack TeamMentor 3.4.1 (learn, maybe be paid or
even get a job)" <http://blog.diniscruz.com/2014/05/please-hack-teammentor-341-learn-maybe.html>
I'm inviting the world to hack the app I've been working on for the past years.

You can either do a pure black-box (on
https://tm-appsensor.azurewebsites.net ) or look at the source code (clone
from https://github.com/TeamMentor/Dev and run locally or in Azure; it only
needs .NET 4.0, no DB install required).

There is quite a lot of OWASP influence in this release of TeamMentor, from
the O2 Platform FluentSharp libraries (which make me a lot more productive
as a developer), to the AppSensor-like features (see below) and the
multiple OWASP-inspired coding strategies used to keep the app secure (look
for example at the ASMX and WCF security tests or the .NET Security
Demands).

What is really cool and I'm very excited about, is the first pass at adding
AppSensor capabilities to this app.

Like I mentioned many times when talking about AppSensor, my main issue
with the original model was that it pushed apps to add too much behaviour
to the application in order to be 'AppSensor-ready' (which could affect the
application's performance/behaviour). My preferred approach (which I've
implemented now) is to first really improve the ability of an application
to 'report and visualise' what is going on. This is done by pushing that
info to 'somewhere' outside the app, then start thinking about how to
detect malicious activity (from the point of view of that app) and finally
what should be done about it.

For the real-time data distribution (user activities, debug logs and
request urls) I used Firebase mapped to an AngularJS UI, which really rocks
(the Firebase 'websockets content push' feels like magic). You can read
most details about it in the 7 posts at
http://blog.diniscruz.com/search/label/Firebase and if you want to see it in
action, create an account and let me know (I'll give you admin access to
that Azure box if you promise to behave :)  )

So have a go, and please share that blog post (and the server details) to
others who you think might be interested (note that the last guy who
reported a bunch of security issues with TM got a job out of it).

The other area that I'm really interested in is to have a couple of threads
on important security topics like: Data Encoding, Authentication,
Authorisation, OWASP Top 10 issues, Application self-defence, Unit-Test
driven development (with a security focus), Continuous
Integration/Deployment (with security embedded in it) and
static-code/dynamic analysis of multi-tier webservices+jQuery based apps
like this.

Those are all things I worry about daily, and as you can see, SI (Security
Innovation) is a pretty good sport at having this type of open discussion
about their product (which has its code available in a public GitHub
repository (it's not Open Source, but at least the code is all there)).

A lot of the time we (the appsec guys/gals) are accused of talking in a
vacuum or providing security guidance on demo/simple apps. OK, here is a
real-world app, with real-world complexity and compromises. Ideally OWASP
should be able to help developers like me and protect these apps' users.

I know that sometimes it feels that OWASP is stuck and doesn't really
connect with developers, but I have to say that as a developer I benefit
tremendously from the knowledge shared by OWASP (for example the
cheat-sheets), its projects (for example AppSensor or ESAPI (from which I
took the 'concepts' not the code)) and chapters/conferences.

Thanks

Dinis
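The "report first, detect second" split described in the email, as an added example that is not part of the original post or of TeamMentor's code: the in-app hook only records activity and pushes it to an external sink (a plain list stands in for the Firebase push; that is an assumption), and the AppSensor-style detection runs out-of-band over the exported stream, so the application's request path carries no detection logic.

```python
import collections
import json
import time
from dataclasses import dataclass, asdict

@dataclass
class ActivityEvent:
    ts: float      # unix seconds
    kind: str      # "login_failed", "login_ok", "request", ...
    user: str
    detail: str

class ActivityReporter:
    """In-app hook: record what happened and push it outside the app.
    `sink` is a constructed stand-in for the external store (assumption)."""
    def __init__(self, sink):
        self.sink = sink

    def report(self, kind, user, detail, ts=None):
        event = ActivityEvent(ts if ts is not None else time.time(), kind, user, detail)
        self.sink.append(json.dumps(asdict(event)))  # wire format: one JSON object per line
        return event

def detect_login_bursts(lines, threshold=3, window=60.0):
    """Out-of-band detector: flag a user whose failed logins within `window`
    seconds reach `threshold`. Operates on the exported stream only."""
    recent = collections.defaultdict(collections.deque)
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev["kind"] != "login_failed":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) == threshold:                  # alert once when the threshold is hit
            alerts.append((ev["user"], ev["ts"]))
    return alerts

def demo():
    sink = []  # constructed: stands in for the external (Firebase-like) store
    rep = ActivityReporter(sink)
    t0 = 1_000_000.0
    rep.report("login_failed", "alice", "bad password", t0)
    rep.report("login_failed", "alice", "bad password", t0 + 10)
    rep.report("login_ok", "bob", "", t0 + 15)
    rep.report("login_failed", "alice", "bad password", t0 + 20)
    rep.report("login_failed", "carol", "bad password", t0 + 30)
    rep.report("login_failed", "carol", "bad password", t0 + 200)  # outside window
    return detect_login_bursts(sink)
```

Because detection reads the exported lines rather than in-process state, the same stream can feed a visualisation UI and any number of detectors without touching the application again.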