[Owasp-appsensor-project] Some hacking for the weekend (with an AppSensor and O2 Platform flavour)

John Melton jtmelton at gmail.com
Sun May 4 01:25:06 UTC 2014


Dinis,
Very cool - thanks for sharing. This will help shape some of the ideas
going into V2. Very nice work.

Thanks,
John


On Fri, May 2, 2014 at 6:08 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:

> Hi AppSensor list
>
> I sent the email below to the OWASP leaders list. Since all of you are
> interested in AppSensor and security, here is a copy for the ones who
> didn't receive it.
>
> ---------- ---------- ---------- ---------- ---------- ----------
> ----------
>
> As you can see on Please hack TeamMentor 3.4.1 (learn, maybe be paid or
> even get a job)<http://blog.diniscruz.com/2014/05/please-hack-teammentor-341-learn-maybe.html> I'm
> inviting the world to hack the app I've been working on for the past years.
>
> You can either do a pure black-box (on
> https://tm-appsensor.azurewebsites.net ) or look at the source code
> (clone from https://github.com/TeamMentor/Dev and run locally or in Azure
> (only needs .NET 4.0, no DB install required)).
>
> There is quite a lot of OWASP influence in this release of TeamMentor,
> from the O2 Platform FluentSharp libraries (which make me a lot more
> productive as a developer), to the AppSensor-like features (see below) and
> the multiple OWASP-inspired coding strategies used to keep the app secure
> (look for example at the ASMX and WCF security tests or the .NET Security
> Demands).
>
> What is really cool and I'm very excited about, is the first pass at
> adding AppSensor capabilities to this app.
>
> Like I mentioned many times when talking about AppSensor, my main issue
> with the original model was that it pushed apps to add too much behaviour
> to the application in order to be 'AppSensor-ready' (which could affect the
> application's performance/behaviour).  My preferred approach (which I've
> implemented now) is to first really improve the ability of an application
> to 'report and visualise' what is going on. This is done by pushing that
> info to 'somewhere' outside the app, then start thinking about how to
> detect malicious activity (from the point of view of that app) and finally
> what should be done about it.
>
> For the real-time data distribution (user activities, debug logs and
> request urls) I used Firebase mapped to an AngularJS UI, which really rocks
> (the Firebase 'websockets content push' feels like magic). You can read
> most details about it in the 7 posts at
> http://blog.diniscruz.com/search/label/Firebase and if you want to see it
> in action, create an account and let me know (I'll give you admin access to
> that Azure box if you promise to behave :)  )
>
> So have a go, and please share that blog post (and the server details) to
> others who you think might be interested (note that the last guy who
> reported a bunch of security issues with TM got a job out of it).
>
> The other area that I'm really interested in, is to have a couple of threads
> on important security topics like: Data Encoding, Authentication,
> Authorisation, OWASP Top 10 issues, Application self-defence, Unit-Test
> driven development (with a security focus), Continuous
> Integration/Deployment (with security embedded in it) and
> static-code/dynamic analysis of multi-tier webservices+jQuery based apps
> like this.
>
> Those are all things I worry about daily, and as you can see, SI (Security
> Innovation) is a pretty good sport about having this type of open discussion
> about their product (which has its code available in a public GitHub
> repository (it's not Open Source, but at least the code is all there)).
>
> A lot of the time we (the appsec guys/gals) are accused of talking in a
> vacuum or providing security guidance on demo/simple apps. OK, here is a
> real-world app, with real-world complexity and compromises. Ideally OWASP
> should be able to help developers like me and protect these apps' users.
>
> I know that sometimes it feels that OWASP is stuck and doesn't really
> connect with developers, but I have to say that as a developer I benefit
> tremendously from the knowledge shared by OWASP (for example the
> cheat-sheets), its projects (for example AppSensor or ESAPI (from which I
> took the 'concepts' not the code)) and chapters/conferences.
>
> Thanks
>
> Dinis
>
>
>
>
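The "report first, then detect outside the app" design that Dinis describes above (the application only pushes user activity, debug logs and request URLs to an external store; detection and response live elsewhere) can be sketched in a few dozen lines. The following is an added, self-contained example written for this page; it is not TeamMentor's or the AppSensor project's code. The `EventSink` class stands in for the external store (Firebase in the mail), the event kinds, thresholds and the sample activity in `demo()` are all constructed, and the 60-second sliding window is an assumption.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, asdict
import json


@dataclass(frozen=True)
class Event:
    kind: str    # "auth_failure", "not_found", "request", "debug", ... (constructed names)
    user: str    # account or session identifier
    detail: str  # request URL, log message, etc.
    ts: float    # event time in seconds, supplied by the caller so the demo is deterministic


class EventSink:
    """Stand-in for the external store (Firebase in the mail). It only holds
    serialised events; a real transport would push them out of process."""

    def __init__(self):
        self.buffer = []

    def publish(self, ev):
        self.buffer.append(json.dumps(asdict(ev)))

    def drain(self):
        items, self.buffer = self.buffer, []
        return [Event(**json.loads(raw)) for raw in items]


class Reporter:
    """The only AppSensor-related code that lives inside the application:
    it reports what happened and never decides what to do about it."""

    def __init__(self, sink):
        self.sink = sink

    def report(self, kind, user, detail, ts):
        self.sink.publish(Event(kind, user, detail, ts))


class Detector:
    """Runs outside the app. Counts watched event kinds per user inside a
    sliding window and raises an alert once a threshold is crossed."""

    WATCHED = {"auth_failure": 5, "not_found": 20}  # kind -> threshold (constructed values)

    def __init__(self, window_s=60.0):
        self.window_s = window_s
        self.history = defaultdict(deque)  # (kind, user) -> recent timestamps
        self.alerts = []

    def consume(self, sink):
        for ev in sink.drain():
            threshold = self.WATCHED.get(ev.kind)
            if threshold is None:
                continue  # request/debug events are kept for visualisation only
            q = self.history[(ev.kind, ev.user)]
            q.append(ev.ts)
            while q and ev.ts - q[0] > self.window_s:
                q.popleft()  # forget events that fell out of the window
            if len(q) >= threshold:
                self.alerts.append({"kind": ev.kind, "user": ev.user,
                                    "count": len(q), "at": ev.ts})
                q.clear()  # one alert per burst, not one per extra event
        return list(self.alerts)


def demo():
    """Constructed activity: one account failing login six times in six
    seconds, another failing three times spread over forty minutes."""
    sink = EventSink()
    app = Reporter(sink)
    for i in range(6):
        app.report("auth_failure", "mallory", "/login", ts=1000.0 + i)
    for i in range(3):
        app.report("auth_failure", "alice", "/login", ts=1000.0 + i * 1200)
    app.report("request", "alice", "/home", ts=5000.0)
    return Detector().consume(sink)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The point of the split is the one the mail makes: the `Reporter` adds almost nothing to the application's code path (serialise and publish), while thresholds, windows and the eventual response can be tuned or replaced in the `Detector` without touching or redeploying the app. Running `demo()` yields a single alert for the burst of failed logins and none for the slow, spread-out failures.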