Archive | Practical Software Security

The Curious Case of Insecure Software : Who Are The Hackers

13 Sep

I am going to start publishing early drafts of some material for the book in the hope of feedback, criticism or maybe even words of encouragement. The book's introduction is currently called “The Curious Case of Insecure Software” and has five sub-sections (all subject to change of course). It's targeting 20,000 words or around 50 pages.

  • Introduction
  • A Brief History of Information & Computer Security (a timeline)
  • Who Are The Hackers
  • The Economics of Insecure Software
  • A Call To Action
The Who Are The Hackers section sets out to describe the threat sources to developers so they understand what hackers will do to insecure software. In this section I cover six groups:
  • Hacktivists
  • Computer Criminals
  • Terrorists
  • Industrial Espionage
  • Insiders
  • Security Vigilantes
The draft text for the Hacktivists can be found below.

Who Are the Hackers?

Whether you get your news from the Internet, the television, newspapers or the local water-cooler, it’s hard to imagine anyone who hasn’t heard stories of the chaos caused by computer hackers. When talking about hackers I am of course referring to the type of person generally considered to be ‘bad’, but the term hacker has several meanings. Internet Request For Comments (RFC) 1392, published by the Internet Engineering Task Force in 1983, defines a glossary of computing terms in which it lists the term hacker:

A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular.  The term is often misused in a pejorative context, where “cracker” would be the correct term.  See also: cracker.

The same document defines a cracker as:

A cracker is an individual who attempts to access computer systems without authorization.  These individuals are often malicious, as opposed to hackers, and have many means at their disposal for breaking into a system. 

Technically I should probably use the term crackers to describe ‘bad’ hackers, but the term hacker is so pervasive in modern vocabulary that I am going to use it casually throughout this book. That might upset the purists, who I am sure will point out that the world's most famous hacker today is in fact Mark Zuckerberg, but I don’t think it’s important to obsess over titles. What is important is understanding who the hackers are, what motivates them and how they do what they do. While it is true that few people have the ability to influence their adversaries and change their behavior, understanding them allows you to be prepared and to design systems that are resistant to their ‘modus operandi’.

The US National Institute of Standards and Technology publishes the Risk Management Guide for Information Technology Systems (SP 800-30), which provides an excellent taxonomy of hackers that has worked well for me in many situations. I have extended it here to include a group of people that I feel can’t, or at least shouldn’t, be ignored, whom I call Security Vigilantes. As we will see they have a different profile from the other groups but can inflict an equally negative impact on a business. In the following sections we will explore each group, diving beneath the surface of who they are, what motivates them and how they typically operate. For each group I will highlight a case study to make it real.

The groups are:

  • Hacktivists
  • Computer Criminals
  • Terrorists
  • Industrial Espionage
  • Insiders
  • Security Vigilantes

Hacktivists

It seems fitting that the first group we examine is probably the closest to the classical definition of a hacker. The term Hacktivists describes a group of people who are motivated by ego and rebellion and who generally unite behind political ideologies. Those ideologies were traditionally focused on free speech, freedom of information and human rights, but in recent years have been driven by a backlash against the problems in the world's financial systems. The term hacktivist was first coined in 1996 by a person with the online handle “Omega”, a member of the hacktivist group the Cult of the Dead Cow. Based in rural Texas, the Cult of the Dead Cow or ‘cDc’ were themselves active in releasing tools used to bypass Windows security and in politically motivated campaigns against China. In my college days I confess to having played harmless havoc with some of my fellow students using a cDc tool called Back Orifice or BO. BO was essentially a remote control agent that, when installed on a Windows computer, allowed the human controller to issue commands as if they were sitting at the keyboard. Early in the morning on the way back from drunken nights in the student bar I used to backdoor machines in the college lab environment, hide in the corner and amuse myself opening and closing the CD tray or logging the keystrokes of innocent victims working late into the night on their dissertations. BO could be used to stop and start Windows processes, redirect TCP/IP and do many more malicious things than my innocent fun, and can be considered an early example of what we have now come to know as botnets!

While the Cult of the Dead Cow were revered in their day, their prevalence and impact has been surpassed en masse by a modern hacktivist group calling themselves Anonymous. Anonymous have become such a force to be reckoned with that books have been written about them, documentaries made about them, and Google returns news about them as the first hit for an Internet search for the term Anonymous. The prowess of a number one search ranking on Google is however nothing compared to the impact they have had on the world. Anonymous are believed to have originated in 2003 from the image board 4chan and polarize the Internet, with some calling them modern day Robin Hoods and others labeling them pure criminals. To understand Anonymous is probably to understand the cosmos of how users form social relationships on the Internet, but it's certainly fair to say that Anonymous aren’t like groups we have seen before. Anonymous can’t really be described as a group in the traditional sense; it’s a flock, a loose collective, or perhaps better described as a concept. There is no membership: if you want to be a part of Anonymous you are simply considered a member by your desire; there is no joining per se. There is no leadership, although there is believed to be a high council that makes decisions.

Anonymous generally rally against Internet censorship and Internet surveillance but have engaged in campaigns against governments and the Church of Scientology, and on behalf of the Lesbian, Gay, Bisexual and Transsexual communities. In an interview called The Face of Anonymous on the Internet radio show “Search Engine” they described themselves in the following way:

We [Anonymous] just happen to be a group of people on the internet who need—just kind of an outlet to do as we wish, that we wouldn’t be able to do in regular society. …That’s more or less the point of it. Do as you wish. … There’s a common phrase: ‘we are doing it for the lulz.’ 

The lulz moniker, a corruption of the Internet acronym LOL (Laugh Out Loud) coined on Encyclopedia Dramatica, has become a calling card in online postings, and whether you despise or secretly approve of Anonymous it is hard not to snigger at some of the college humor used in their messages. Humorous or not, Anonymous and their offshoots like the LulzSec group that splintered off in 2010 are very serious. When Aaron Barr, the CEO of computer security company HBGary, claimed to have infiltrated Anonymous and threatened to identify a member called Commander X as a San Francisco gardener, HBGary found 70,000 of their corporate emails dumped unceremoniously online along with their entire company document repository. They even took over Aaron Barr’s Twitter account, published his home address and social security number, and published a report implicating HBGary in a plot to take down the Wikileaks site. For a computer security company, being hacked and humiliated in public is the biggest black eye you can get. I hope the majority of readers of this book are not security companies and therefore you may not be able to directly relate to the HBGary saga. Kicking the hornets' nest, after all, is rarely good business unless it is your business, but hopefully most readers will relate to what happened to Sony.

Sony started to catch the attention of activists when one of their music divisions decided to add additional copy protection measures to compact discs as early as 2005. Sony BMG added software called Extended Copy Protection (XCP) and MediaMax CD-3 to around 100 music titles; it installed automatically when the CD was played on Windows operating systems. Not only was the software itself considered to be a rootkit that circumvented the way the Windows kernel enforced security, it also contained critical vulnerabilities that allowed malware and viruses to attack the system. Sony had effectively silently installed a vulnerable backdoor for the bad guys to use on their legitimate customers' machines. On the 4th of April 2011 Anonymous put Sony on notice:

Dear Greedy Motherfuckers SONY,

Congratulations! You are now receiving the attention of Anonymous. Your recent legal actions against fellow internet citizens, GeoHot and Graf_Chokolo have been deemed an unforgivable offense against free speech and internet freedom, primary sources of free lulz (and you know how we feel about lulz.)

You have abused the judicial system in an attempt to censor information about how your products work. You have victimized your own customers merely for possessing and sharing  information, and continue to target those who seek this information. In doing so you have violated the privacy of thousands of innocent people who only sought the free distribution of information. Your suppression of this information is motivated by corporate greed and the desire for complete control over the actions of individuals who purchase and use your products, at least when those actions threaten to undermine the corrupt stranglehold you seek to maintain over copywrong, oops, “copyright”.

Your corrupt business practices are indicative of a corporate philosophy that would deny consumers the right to use products they have paid for, and rightfully own, in the manner of their choosing. Perhaps you should alert your customers to the fact that they are apparently only renting your products? In light of this assault on both rights and free expression, Anonymous, the notoriously handsome rulers of the internet, would like to inform you that you have only been “renting” your web domains. Having trodden upon Anonymous’ rights, you must now be trodden on.

If you disagree with the disciplinary actions against your private parts domains, then we trust you can also understand our motivations for these actions. You own your domains. You paid for them with your own money. Now Anonymous is attacking your private property because we disagree with your actions. And that seems, dare we say it, “wrong.” Sound familiar?

Let Anonymous teach you a few important lessons that your mother forgot:

1. Don’t do it to someone else if you don’t want it to be done to you.

2. Information is free.

3. We own this. Forever.

As for the “judges” and complicit legal entities who have enabled these cowards: You are no better than SONY itself in our eyes and remain guilty of undermining the well-being of the populace and subverting your judicial mandate.

We are Anonymous.

We are Legion.

We do not Forgive.

We do not Forget.

Expect us.

Immediately Sony started experiencing Distributed Denial of Service (DDoS) attacks on the Sony PlayStation Network, where malicious users flooded the system with seemingly legitimate traffic that saturated the system's capacity to serve its legitimate users. Later in this book we'll explain why application level denial of service attacks are a complicated problem to deal with effectively and describe approaches to creating DDoS resistance in your systems. On April 26th Sony took the PlayStation Network offline amid rumors of piracy, but within days it emerged that a major hack had occurred and 77 million names, addresses, email addresses, birth dates, usernames and passwords, profile data and credit cards had been stolen. Sony publicly blamed Anonymous, who denied the breach. Within 24 hours Sony customers were complaining online of credit card fraud and very publicly blaming Sony. On April 27th staff from the Sony Online Entertainment division were actively informing people that “We have been conducting a thorough investigation and, to the best of our knowledge, no customer personal information got out to any unauthorized person or persons”, but a week later it was a very different story when it was reported that 25 million customer dates of birth, email addresses and phone numbers, 13,000 credit card records and 10,000 direct debit banking records had been stolen.

The Sony PlayStation Network and Online Entertainment businesses were offline for 24 days, and on May 24th Sony posted a loss of $3.1 BN for the year 2011, citing the earthquake and the PlayStation Network failure. In their statement Sony made a provision of $171M for the associated costs of dealing with the PlayStation breach, and if you think that's bad, things weren’t over yet. Regional sites and Sony divisions were being hacked on a seemingly daily basis, and then on June 2nd over 1,000,000 users' passwords, email addresses, dates of birth and more were stolen from the Sony Pictures systems. The attackers had used a SQL Injection vulnerability, something we'll cover in detail later in the book. LulzSec published the following statement online:

“Our goal here is not to come across as master hackers, hence what we’re about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks? What’s worse is that every bit of data we took wasn’t encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it’s just a matter of taking it. This is disgraceful and insecure: they were asking for it.”

In the time that has passed since the initial assaults over the summer of 2011 Sony has continued to be under constant attacks across many areas of their business; more user accounts have been compromised, hackers have posted fake celebrity stories on Sony entertainment web sites and stolen intellectual property. Legal class actions by Sony customers are in full flow.

As you can see from the actions of one hacktivist group against one company's systems, the impact can be dramatic. Hacktivists use a range of techniques, from social engineering to simple and sophisticated technical attacks, to get their message across however they can.

</end of draft>

I will post the drafts for the other groups (Computer Criminals, Terrorists, Industrial Espionage, Insiders & Security Vigilantes) in the coming week, but as always feedback is appreciated.

Help Needed : Information & Computer Security Timeline

13 Sep

I need your help. In the introduction section of my book “Practical Software Security” I am creating a timeline of important information & computer security events. It is not designed to be a definitive list but to provide an interesting timeline of important milestones for the readers (who will hopefully be mainly developers). I have compiled my first draft below, but I know it’s missing important events and milestones, so I need your help. Focusing on the last 20 years, tell me what's missing! When did we see the first commercial code scanning tools, when did we see the first WAF, when were important books written or speeches made? I promise to list in print the name of everyone who provides an event or milestone that is used.

Feedback via blog comments, email (mark at curphey dot com) and Twitter (@curphey)

Please help, what's missing?

——–start of draft ———

A Brief History of Information & Computer Security

When I was at college one of my professors, Dieter Gollmann, used to start his lecture series about operating system security with a phrase that I remember to this day: “To understand operating system security we have to first go back to when Unix was first created and understand it”. This book is about how to create secure software today, but a brief review of milestone events in the history of protecting information and computer security helps provide context that this is not a new problem. Unlike Dieter I am going to start a long time before 1969.

This timeline is available as an interactive timeline online at <Insert URL when done>

1500 BC : The first signs of cryptography are thought to date back to Mesopotamia when a clay tablet is believed to have contained an encrypted recipe for the glaze used in pottery.

700 BC : A Scytale device was used by the Spartan military to protect communications during battles using a cylinder and a strip of parchment on which the message was written. There are modern theories that the Scytale was actually used to provide message authentication and not message protection.

600 − 500 BC : Hebrew scholars use a substitution cipher called the Atbash cipher to protect religious texts.

100 BC – 40 AD : The Roman Emperor Julius Caesar used a substitution cipher in military communications. You often find children's toys using a Caesar cipher today!

800 AD : Al-Kindi, an Arab mathematician, wrote the book Risalah fi Istikhraj al-Mu’amma, which translated into English is the Manuscript for the Deciphering of Cryptographic Messages.

1939 − 1945 AD : The Enigma Machine plays a significant role in the Second World War with Alan Turing and the code-breaking team decrypting Nazi messages at Bletchley Park in the UK.

1947 AD : Rear Admiral Grace Hopper discovers a moth in the back of a computer and the term computer bug is coined.

1969 AD : Ken Thompson and engineers at AT&T Bell Labs create Unix, and ARPANET, widely credited as the early Internet, is developed.

1972 AD : John Draper discovers that the toy whistle in Cap’N’Crunch breakfast cereal emits the same 2600 Hz frequency used by long distance trunk lines and creates the first “blue box” or phone phreaking system. In the same year Steve Wozniak of Apple fame creates his own blue box and sells it to his fellow Berkeley students.

1983 AD : The movie WarGames is released, in which a young hacker accesses a government computer system to play war simulations and causes a national nuclear missile scare, nearly starting World War III.

1986 AD : Robert Schifreen becomes the first person charged and convicted in the UK for hacking, after accessing the Telecom accounts of Prince Philip.

1988 AD : Robert Morris Jr. unleashes a worm that crashes 6,000 computers on the ARPANET. Morris becomes the first person charged and convicted under the US Computer Fraud and Misuse Act, receiving three years in jail.

1986 AD : Clifford Stoll publishes The Cuckoo's Egg, a first-hand account of how he chased a hacker through the Lawrence Livermore systems in 1986.

1990 AD : The British Computer Misuse Act is passed.

1992 AD : The Sneakers movie is released.

1994 AD : Russian hackers siphon $10M from Citibank accounts and transfer it to accounts all over the world. The ringleader Vladimir Levin is extradited to the US and sentenced to three years in jail. [Funny side-story: John Austin set up the Computer Crime Unit at Scotland Yard and was the first Chair of the Interpol Computer Crime Committee. John was my computer crime lecturer at college and used to tell a funny story as part of his lecture on the Citibank case. During the extradition process Levin claimed he spoke no English, presumably as a defense against evidence of transfers being made in English. When John handed Levin over to the Americans, Levin turned to John and swore at him in perfect English!]

1995 AD : The Net and Hackers movies are released as computer security gets the attention of Hollywood.

1996 AD : The Computer Emergency Response Team (CERT) at Carnegie Mellon advises (CA-1996-06) that a sample CGI program installed with the Apache web server allows attackers to gain remote access. The US Department of Justice, Air Force and CIA sites are all defaced.

1998 AD : The L0pht testifies in front of congress on “Weak Computer Security in Government”. [Chris Wysopal (Weld Pond) is now the CTO of application security company Veracode.] Rain Forest Puppy first describes the SQL Injection vulnerability in Phrack Magazine.

2000 AD : CERT publishes the first advisory for Cross Site Scripting (XSS) in CERT 2000-02.

2001 AD : The Open Web Application Security Project is formed in response to sensational vendor claims and misinformation.

2002 AD : After commercial pressure Bill Gates sends a company-wide memo to all employees at MSFT instructing the entire company to immediately stop what they are doing and focus on security issues. The Department of Homeland Security, responsible for protecting critical national infrastructure, is formed.

2003 AD : The hacktivist group Anonymous are formed.

2007 AD : Estonia is knocked off the Internet after DDoS attacks cripple national infrastructure. The attacks are believed to have originated from Russia, in retaliation for the removal of a Soviet era Second World War statue.

2010 AD : Google reveals that attackers in China have stolen intellectual property in operations that have come to be known as Operation Aurora. A worm called Stuxnet is discovered that targets SCADA (Supervisory Control and Data Acquisition) systems used in industrial control and is believed to have been specifically created to target the Iranian nuclear industry.

2011 AD : Sony becomes the victim of hacktivists and the PlayStation Network is offline for 24 days. Sony estimates the breach will cost $171M to remediate.


[CHANGELOG]

– Added PCI Security Council formation in 2006 (Curphey)

– Added Writing Secure Code Book in 2001 (Curphey)

– Added Building Secure Software Book in 2001 (Curphey)


Is Threat Modeling Overrated?

19 Mar

A few weeks ago I posted “Is Threat Modeling Overrated? I think so….” on Twitter. It was piggybacking on this blog post, and my bait was a combination of a few glasses of red wine (aka “Dutch courage”) and less than 140 chars of expressiveness, but I have come to think that, despite the potential high value in analyzing an application's architecture from a security viewpoint, threat modeling as generally practiced is not delivering on its potential.

[For full disclosure, I owned the engineering of one of Microsoft's threat modeling tools, called TAM, while I was there. I will talk about tools later, but the short story is that many people have seen the MSFT org charts (which are very accurate) and, despite lots of feedback to me and my personal belief that TAM was a superior tool, I deprecated it to avoid the continued bun-fight and make it easier for customers to get behind a common message from MSFT. I was also involved in writing and reviewing the Threat Modeling Developer Guidance in 2005.]

Let me be crystal clear up-front: I think looking at a system's software architecture up front (reviewing the design, user stories & specs and visual models (whiteboard, napkins etc.), talking to the architects and developers, and so on) can be one of the highest value (low effort, high reward) security assessment activities that anyone can do. Pound for pound I reckon it’s right up there with anything, period. It is of course a totally different beast of an assessment technique that doesn’t replace static or dynamic analysis or pen testing, but in the past I have been involved in assessment projects where we were quickly able to determine that we could shut down a service or lock out users, or determine that the system wasn’t doing I/O validation and so was highly likely to have a lot of related issues. The issues identified typically don’t require proof, or to be exhaustively pin-pointed, for the development team to go back to the drawing board and redesign or re-implement.

So if this type of analysis is such a high value exercise then where does Threat Modeling break down?

  • Why Just Threats?
  • Models That Aren’t Really Models
  • Retrofitting Analysis
  • Tools

Why Just Threats?

I openly confess I have a very limited personal interest in what seems like an ongoing and never-ending debate about “what is risk?”. The GRC / compliance market surge of a few years ago just sucked any interest right out of me, but it makes common sense (to me at least) that if we are looking to determine the potential security posture of a software design then you have to ground your analysis in more than just threats. Now I am about to enter the slippery slope of taxonomy and definition, but Risk is a function of the Vulnerabilities and the Threats, as NIST defines it:

NIST SP 800-30: Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

Obsessing over threats is only part of the job. Sadly, in my experience it’s also the part that seems most open to subjective discussions of “this could happen” or “I don’t think that will ever happen”. It’s certainly helpful to think about the ways people will attack software, but it is only one part of the jigsaw. Then there is STRIDE. I don’t know about you, but whenever I have sat with a developer and started reading out the acronym I usually get to Spoofing or Tampering before the eyebrows start to rise. It’s just not a clear set of definitions, in my opinion, to anyone but security people, and if you have to explain it then I think something is wrong. Is spoofing a user account by tampering with the URL spoofing or tampering? Some folks may say it doesn’t matter because you list the attack either way.

It would seem that an alternative approach would be Security Risk Analysis of Software, where you look at potential Vulnerabilities and potential Threats and therefore determine the potential Risk. Based on that potential Risk you can make decisions on what to do or not to do.

Models That Aren’t Really Models

Most threat models I have seen aren’t models at all, at least not in the sense of software models. They are diagrams and/or lists. If we had security models that were derived from the code, or code that was derived from the model, then we would have a way to maintain a different representation of the application. When changes to the code were made, the model could change and the analysis be updated. If the model was changed, perhaps via a modeling activity (trying different things is surely what modeling is all about, after all), then you could create code stubs for the new design or even refactor (although I suspect that is a long way off). This is the way UML works, for instance. Yes, people use UML as a diagramming language as well, and yes, UML is best suited to big waterfall-like projects, but SecureUML was a promising modeling language for modeling authorization.

Retrofitting Analysis

I have heard from several big companies where threat modeling is prevalent that internal studies have shown that many models are simply retrofitted to meet a step in their security process. The developers or project leads take what has been built and create an artifact to satisfy the step required by the process. This of course defeats the purpose, but I have heard this several times, which seems to indicate that many developers just don’t see the value in the process.

Tools

Despite several threat modeling tool projects (like Threat Modeler and Trike), the MSFT SDL threat modeling tool seems to be the only serious option. That tool is designed to work at MSFT, which is a unique beast; no one builds software like MSFT. You can take that as a compliment or a jab, I’ll let you decide as it was intended as both, but what works for MSFT is unlikely to work for most companies, as few people build OSes that ship every 3 years. The reality for me is that if threat modeling was such a high value activity for security people or developers, then market forces would have figured out how to monetize it and the big security tools vendors or IDE vendors would have options. It would be an option in IDEs, built in like static analysis is in Visual Studio, or it would be available as a value-added plugin like HP WebInspect, Fortify or IBM AppScan.

Summary

It’s easy to throw stones and without a better proposal this is hardly my most constructive post, but given the high value I see in Security Risk Analysis of Software I think it’s time to think again about how to analyze software designs and I think Threat Modeling is Overrated.

Contributing Authors to the Practical Software Security Book

24 Jan

If you are a regular reader of this blog you should know I am working on a book for O’Reilly called Practical Software Security. It’s in the early stages and evolving as we start to get into the details. You can sign up to get notifications of progress here.

There are five main sections:

  • Introduction
  • Security Concepts
  • Languages & Frameworks (was called Tools & Technologies)
  • Building a Software Security Program
  • Engineering Scenarios

In the Security Concepts section we will introduce developers to things like cryptography, authentication and authorization, and then in the Languages & Frameworks section we will cover the security features available and how to use them properly for the popular development technologies. In the Engineering Scenarios section we'll get to code level guidance on how to pull it all together to solve real world problems that all developers face, like securing a REST API or creating a federated authentication system.

I am delighted that we have been able to recruit a fantastic list of subject matter experts to write and review the Languages & Frameworks section of the book. I will be writing the Security Concepts section (and the Ruby on Rails section) and the following folks will be writing or reviewing:

Note: we will be doing C / C++ as there is still so much being produced but haven’t yet locked on that author and we will be figuring out how to deal with things like Spring or Cake (and where to draw the line).

In the Building a Software Security Program section we organize the section into People, Process & Tools. Justin Collins (author of Brakeman Scanner) is going to write the static code analysis section in Tools and Tasos Laskos (author of Arachni) will write about how dynamic web application scanners work. Many other tools will of course be covered! I will be writing extensively about integrating Agile practices and using TDD / BDD techniques and tools. I probably won’t start on this section until March / April. I am hoping we will have the Security Concepts section and the Languages & Frameworks section complete by the end of February so we can open up a site for a much broader set of reviewers (invite only but register to get on the invite request list here) around March.

OK, now to set up the git repo for the contributing authors, create a README.md for them and kick off the discussion about how we want to structure things. Gentlemen, start your engines!


Edits : 1/25 – Added HTML5 (and friends), 1/25 – Added Gunnar Peterson to Identity

Kudos for guard-brakeman

18 Jan

Kudos to Neil Matatall for writing guard-brakeman. Neil has taken an open source static analysis tool, Brakeman Scanner, and integrated it with the Guard framework, a Ruby DSL for creating file-change events. Guard is typically used to automatically run the test suite as soon as a developer modifies any source code files, and provides visual notifications on pass or fail conditions. What Neil has done is simple but I think very powerful, which is why I think he deserves public kudos. When a developer adds guard-brakeman to their Guard configuration, any time they make a change to their application the security tests will automatically run. TDD developers don’t commit code until all tests pass, and so he has effectively provided an easy way to push security back up the chain for developers following TDD. It’s one stage further back than running static analysis before a commit. The only place further back up the chain left to explore is IntelliSense-type security advice in the editor.

We need more people doing more things like this in my opinion. Simple, elegant and effective. Kudos to Neil!

Git Cheat Sheet

17 Jan


I have started making some developer cheat sheets for my own personal use using Evernote. There is so much to remember, and I am often reminded that the goal is to develop good software and not to remember thousands of commands (as big and superior as doing that makes some people feel). I need cheat sheets! I am working on my own cheat sheets for git, zsh, rvm, aws and heroku as well as some language ones. A few folks asked me to share them, so here goes, starting with my git cheat sheet. Given they are primarily for myself they won't contain all the commands you may want to use, so feel free to copy and modify (this is all copied from others in the first place). For instance, in this git cheat sheet there is no rebasing and very little about resetting your local repository when things go horribly wrong. I am sure I will update it in due course. You can subscribe to the shared Evernote file if you are an Evernote user here. I will try and keep this page updated, but that Evernote note will be my source of truth!
If you do find mistakes, have smarter ways of doing things or can’t figure out why something is missing do let me know. I would love to make it better for me and anyone who is using it.
Useful Resources
(see shell customization cheat sheet for adding a good git prompt in the shell)


Global Settings

git config [--global]

User Details
user.name $name i.e. git config --global user.name "Mark Curphey" (quote values that contain spaces, otherwise git config sees extra arguments)
user.email $email i.e. git config --global user.email mark@curphey.com
Github
github.user $user
github.token $token
or just edit the ~/.gitconfig file !

 

Creating Repositories

Create Local Repository from an Existing Local Project

cd ~/project_dir
git init
git add .

Clone Remote Repository
git clone git://github.com/user/repo.git

Clone a Local Repository
git clone ~/existing/repo ~/new/repo

Clone a Remote Repository over SSH
git clone you@host.org:dir/project.git

Local Repositories
List Changes in Working Directory
git status

Add Files to Repository
git add [filename1] [filename2]
git add .

Delete Files in Repository
git rm [filename1] [filename2]

List Changes to Tracked Files
git diff

Commit Changes
git commit -am "commit message"
(-a stages every modified or deleted file that is already tracked, NOT new untracked files, so you still need git add [filename] or git add . for those)
(-m supplies the commit message inline)

Return to Last Committed State
git reset --hard HEAD


Remote Repositories (Github)


List Remote Repositories Aliased
git remote

Add Remote Repository
git remote add [alias] [location] i.e. git remote add origin git://github.com/curphey/repo.git

Remove Remote Repository
git remote rm [alias] i.e. git remote rm origin

Pull from Remote Repository and Merge into Current Branch
git pull [alias] [branch] i.e. git pull origin master
(once your branch is tracking a remote branch, the alias and branch can be omitted)

git fetch [alias] i.e. git fetch origin is the same as pull but without auto-merging

Push Local Changes to Remote
git push [alias] [branch]

If the server rejects your push, always try a git pull and then retry, as 99 times out of 100 you didn't have the latest remote!


Branching and Merging

List Available Branches
git branch

Create a Branch
git branch [branch name] i.e. git branch experimental

Switch to Work in a Branch
git checkout [branch name] i.e. git checkout experimental

Create and Immediately Switch to New Branch (i.e. both of the last two steps in one)
git checkout -b [branch name] i.e. git checkout -b experimental

Merge Branch
git merge [branch to merge] i.e. git merge experimental merges experimental into the branch you currently have checked out

Track Original Repository of an Open Source Project on Github
Fork repository, create an upstream remote, fetch and merge (or pull) changes into your fork.

git remote add upstream https://github.com/rails/rails.git
git fetch upstream
git merge upstream/master

Show Log of Activity
git log

Tag a Commit i.e. v.0_beta1
git tag [tag name] i.e. git tag v.0_beta1
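The cheat sheet above lists the commands one at a time; the script below is an added example (mine, not part of the cheat sheet) that strings them together into the fork-and-track workflow so you can see what each one leaves behind. It assumes git is installed and builds everything under a temporary directory: a working repository called "upstream" stands in for the original project, a bare "origin.git" stands in for your fork on GitHub, and the author identity and file contents are constructed for the demo.

```shell
# Added example: the cheat-sheet workflow end to end in throwaway repositories.
# "upstream" plays the original project, "origin.git" plays your GitHub fork.
run_git_demo() (
  set -e
  work=$(mktemp -d)
  # Isolate the demo from the real ~/.gitconfig (hooks, signing, default branch)
  # and give the throwaway commits an author; these values are constructed.
  export HOME="$work"
  export GIT_AUTHOR_NAME="Example Dev" GIT_AUTHOR_EMAIL="dev@example.invalid"
  export GIT_COMMITTER_NAME="Example Dev" GIT_COMMITTER_EMAIL="dev@example.invalid"

  # The original project: git init, git add ., git commit
  git init -q "$work/upstream"
  cd "$work/upstream"
  main=$(git symbolic-ref --short HEAD)   # master or main, whichever git defaults to
  echo "v1" > README
  git add .
  git commit -qm "initial commit"

  # Your fork (bare, so it accepts pushes) and your local clone, then the
  # two remotes from the "track original repository" recipe
  git init -q --bare "$work/origin.git"
  git clone -q "$work/upstream" "$work/fork"
  cd "$work/fork"
  git remote rename origin upstream           # the clone source is the upstream project
  git remote add origin "$work/origin.git"    # your fork is where you push

  # Work on a branch, then merge it back: checkout -b, add, commit, merge
  git checkout -qb experimental
  echo "feature" > feature.txt
  git add feature.txt                         # new file: -a alone would not stage it
  git commit -qm "add feature"
  git checkout -q "$main"
  git merge -q experimental

  # Throw away an uncommitted edit with git reset --hard HEAD
  echo "oops" >> README
  git reset -q --hard HEAD
  after_reset=$(cat README)                   # back to "v1"

  # Tag the current commit
  git tag v.0_beta1

  # Upstream moves on (README is tracked, so -a is enough); fetch and merge it
  cd "$work/upstream"
  echo "v2" > README
  git commit -qam "upstream change"
  cd "$work/fork"
  git fetch -q upstream
  git merge -q --no-edit "upstream/$main"

  # Push the merged result to your fork and confirm it arrived there
  git push -q origin "$main"
  pushed=$(git -C "$work/origin.git" rev-list --count "$main")

  # One-line summary for the caller; the branch name is deliberately left out
  # because it depends on the git version
  printf 'remotes=%s reset=%s tag=%s commits=%s readme=%s pushed=%s\n' \
    "$(echo $(git remote | sort))" "$after_reset" "$(git tag -l)" \
    "$(git rev-list --count HEAD)" "$(cat README)" "$pushed"
  rm -rf "$work"
)

run_git_demo
```

The summary line shows two remotes (origin and upstream), README restored to v1 by the reset, the tag, four commits reachable from HEAD (initial, feature, upstream change and the merge commit), README at v2 after merging upstream, and the same four commits present in the bare fork after the push.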

Solid Application Security Frame ?

16 Jan

The Practical Software Security book will have five main sections *subject to change and a work in progress of course*. To recap the book is being aimed at pure developers (not security people) and aiming to be a single book developers and development teams need for their security knowledge. Those five main sections are:

  • Introduction
  • Security Concepts
  • Tools & Technologies
  • Building a Software Security Program
  • Engineering Scenarios

I want to synchronize the book so that the generic security advice in the Security Concepts section is then made specific in the Tools & Technologies section and then built on further with code-level samples in the Engineering Scenarios section. For example, in the "Security Concepts" section there is a sub-section on cryptography in which we describe the key concepts and types of cryptography, how those types of cryptography work and when certain types of cryptography can and should be used. In the "Tools & Technologies" section we will cover a security overview of major development frameworks such as Java, JavaScript and PHP, in which I want to help developers know how to implement those cryptographic concepts described earlier in their chosen framework, and describe the important cryptographic libraries and what they support.

I would love to hear people's opinions about the "security frame" I plan to use (see below). The frame will be used to tie together the sections of the book. I have been using this (or a variant of it) for many years and it has always worked for me. J.D. Meier used a similar one in Building Secure ASP.NET Applications (I was a reviewer of this back in 2006).

  • Cryptography
  • Authentication
  • User Management
  • Authorization
  • Configuration Management
  • Audit and Logging
  • Data Validation
  • Data Security (in transport & storage)
  • Session Management
  • Error Handling

Does it work for you?

Is it missing any sections?

Would you add any sections?

At the end of the day it is just a taxonomy, and over the years doing things like OASIS WAS and similar projects I have concluded that more important than the taxonomy itself is using any taxonomy consistently. No taxonomy will ever work for everyone; I just want to make sure this one works for the majority. Please throw darts at this. Ask me where I would put x or y or z. If I don't have a good answer, I have a problem!

Cheers!


Mark