Curphey

Category: Practical Software Security

Contributing Authors to the Practical Software Security Book

By Mark Curphey, January 24, 2012

If you are a regular reader of this blog you should know I am working on a book for O’Reilly called Practical Software Security. It’s in the early stages and evolving as we start to get into the details. You can sign up to get notifications of progress here.

There are five main sections:

Introduction
Security Concepts
Languages & Frameworks (was called Tools & Technologies)
Building a Software Security Program
Engineering Scenarios

In the Security Concepts section we will introduce developers to things like cryptography, authentication, authorization and then in the Languages & Frameworks sections we will cover the security features available and how to use them properly for the popular development technologies. In the engineering scenarios well get to code level guidance of how to pull it all together to solve real world problems that all developers face like securing a REST API or creating a federated authentication system.

I am delighted that we have been able to recruit a fantastic list of subject matter experts to write and review the Languages & Frameworks section of the book. I will be writing the Security Concepts section (and the Ruby on Rails section) and the following folks will be writing or reviewing:

HTML5 (and friends) – Mark Curphey
Java – Pravir Chandra
.NET – David Rook (Security Ninja + Microsoft MVP for Developer Security)
JavaScript (Client + Node) – Gareth Heyes (The Spanner) with Rey Bango as a core reviewer (JQuery Core Team Member)
Ruby on Rails – Mark Curphey with Heiko Webers (wrote the official Rails security guide) as a core reviewer
PHP – Mike DeLibero with Chris Shiflett (wrote the O’Reilly PHP Security book) as a core reviewer
iOS & Android – Dan Cornell
Identity – Gunnar Peterson

Note: we will be doing C / C++ as there is still so much being produced but haven’t yet locked on that author and we will be figuring out how to deal with things like Spring or Cake (and where to draw the line).

In the Building a Software Security Program section we organize the section into People, Process & Tools. Justin Collins (author of Brakeman Scanner) is going to write the static code analysis section in Tools and Tasos Laskos (author of Arachni) will write about how dynamic web application scanners work. Many other tools will of course be covered! I will be writing extensively about integrating Agile practices and using TDD / BDD techniques and tools. I probably won’t start on this section until March / April. I am hoping we will have the Security Concepts section and the Languages & Frameworks section complete by the end of February so we can open up a site for a much broader set of reviewers (invite only but register to get on the invite request list here) around March.

OK, now to set up the git repo for the contributing authors, create a README.md for them and kick off the discussion about we want to structure things. Gentlemen start your engines!

Edits : 1/25 – Added HTML5 (and friends), 1/25 – Added Gunnar Peterson to Identity

Agile Software, Practical Software Security, Software Design, Software Security, Web Development

Kudos for guard-brakeman

Comments (0)

By Mark Curphey, January 18, 2012

Kudos to Niel Matatall for writing guard-brakeman. Neil has taken an open source static analysis tool, brakeman scanner and integrated it with the guard framework, a Ruby DSL for creating file-change events. Guard is typically used to automatically run the test suite as soon as a developer modifies any source code files and provides visual notifications on pass or fail conditions. What Neil has done is simple but I think very powerful which is why I think he deserves public kudos. When a developer adds guard-brakeman to his guard configuration any time he/she makes a change to his application the security tests will automatically run. TDD developers don’t commit code until all tests pass and so he has effectively provided an easy way to push security back up the chain for developers following TDD. It’s that one stage further back than running static analysis before a commit. The only place further back up the chain left to explore is intelli-sense type security advice in the editor.

We need more people doing more things like this in my opinion. Simple, elegant and effective. Kudos to Neil!

Practical Software Security, Software Security, Web Development

Git Cheat Sheet

Comments (3)

By Mark Curphey, January 17, 2012

I have started making some developer cheat sheets for my own personal use using EverNote. There is so much to remember and I am often reminded that the goal is to develop good software and not to remember thousands of commands (as big and superior as doing that makes some people feel). I need cheat sheets! I am working on my own cheat-sheets for git, zsh, rvm, aws and heroku as well as some language ones. A few folks asked me to share them so here goes starting with my git cheat sheet . Given they are primarily for myself they won’t contain all commands you may want to use so feel free to copy and modify (this is all copied from others in the first place). For instance in this git cheat sheet there is no rebasing and very little about resetting your local repository when things go horribly wrong. I am sure I will update it in due course. You can subscribe to the shared Evernote file if you are an EverNote user here. I will try and keep this page updated but that EverNote will be my source of truth!

If you do find mistakes, have smarter ways of doing things or can’t figure out why something is missing do let me know. I would love to make it better for me and anyone who is using it.

Useful Resources

http://gitref.org/

http://help.github.com/git-cheat-sheets/

http://progit.org/book/

(see shell customization cheat sheet for adding a good git prompt in the shell)

Global Settings

git config [--global]

User Details

user.name $name i.e git config –global user.name Mark Curphey

user.email $email i.e git config –global user.email mark@curphey.com

Github

github.user $user

github.token $token

or just edit the ~/.gitconfig file !

Creating Repositories

Create Local Repository from an Existing Local Project

cd ~/project_dir

git init

git add .

Clone Remote Repository

git clone git://github.com/user/repo.git

git clone https://github.com/user/repo.git

Clone a Local Repository

git clone ~/existing/repo ~/new/repo

git clone you@host.org:dir/project.git

Local Repositories

List Changes in Working Directory

git status

Add Files to Repository

git add [filename1] [filename2]

git add .

Delete Files in Repository

git rm [filename1] [filename2]

List Changes to Tracked Files

git diff

Commit Changes

git commit -am “commit message”

(-a is all files that are tracked, NOT all files, so you still need to add filename or add .)

(-m is with a commit message)

Return to Last Committed State

git reset –hard HEAD

Remote Repositories (Github)

List Remote Repositories Aliased

git remote

Add Remote Repository

git remote add [alias] [location] i.e. git remote add origin git://github.com/curphey/repo.git

Remove Remote Repository

git remote rm [alias] i.e. git remote rm origin

Pull from Remote Repository and Merge into Current Branch

git pull [alias] [location] i.e. git pull origin master

(once you have pulled once the alias and remote branch are no longer needed)

git fetch from Remote Repository is same as pull but without auto-merging

Push Local Changes to Remote

git push [alias] [branch]

If the server rejects your push, always try a git pull and then retry as 99 times out of 100 you didn’t have the latest remote!

Branching and Merging

List Available Branches

git branch

Create a Branch

git branch [branch name] i.e git branch [experimental]

Switch to Work in a Branch

git checkout [branch name] i.e git checkout experimental

Create and Immediately Switch to New Branch (i.e both of last two steps)

git checkout -b [branch name]

Merge Branch

git merge [branch to merge] i.e. git merge experimental will merge experimental back into working branch

Track Original Repository of an Open Source Project on Github

Fork repository, create an upstream remote, fetch and merge (or pull) changes into your fork.

git remote add upstream https://github.com/rails/rails.git

git fetch upstream

git merge upstream/master

Show Log of Activity

git log

Tag a Commit i.e. v.0_beta1

git tag [note]

Agile Software, git, Practical Software Security, Software Security, Web Development

Solid Application Security Frame ?

Comments (6)

By Mark Curphey, January 16, 2012

The Practical Software Security book will have five main sections *subject to change and a work in progress of course*. To recap the book is being aimed at pure developers (not security people) and aiming to be a single book developers and development teams need for their security knowledge. Those five main sections are:

Introduction
Security Concepts
Tools & Technologies
Building a Software Security Program
Engineering Scenarios

I want to syncronize the book so that the generic security advice in the security concepts section is then made specific in the tools & technologies section and then further builds with code level samples in the engineering scenarios section. For example in the “Security Concepts” section there is a sub-section on cryptography in which we describe the key concepts and types of cryptography, how those types of cryptography works and when certain types of cryptography can and should be used. In the “Tools & Technologies” and technologies section we will cover a security overview of major development frameworks such as Java, JavaScript and PHP in which I want help the developers know how to implement those cryptographic concepts described earlier in their scoped framework and describe important cryptographic libraries and what they support.

I would love to hear peoples opinions about the “security frame” I plan to use (see below). The frame will be used to tie together the sections of the book. I have been using this (or a variant of it) for many years and it has always worked for me. J.D.Meier used a similar one in Building Secure ASP.NET Applications (I was a reviewer of this back in 2006).

Cryptography
Authentication
User Management
Authorization
Configuration Management
Audit and Logging
Data Validation
Data Security (in transport & storage)
Session Management
Error Handling

Does it work for you?

Is it missing any sections?

Would you add any sections?

At the end of the day it is just a taxonomy and over the years doing things like OASIS WAS and similar projects, I have concluded that more important than the taxonomy is using any taxonomy consistently. No taxonomy will ever work for everyone, I just want to make sure this works for the majority. Please throw darts at this. Ask me where I would put x or y or z. If I don’t have a good answer I have a problem!

Cheers!

Mark