Nelz's Blog

Mah blogginess

Velocity 2014 - Day 1 - Tuesday

“Battle Tested Code Without the Battle – Security Testing and Continuous Integration”

@garethr & @wickett

Slides: https://speakerdeck.com/garethr/battle-tested-code-without-the-battle

Resources of note:

GAUNTLT.org:

  • F/OSS
  • I like the tag line: “Be mean to your code and like it.” ;–)
  • There’s a free book under development, you can get it from: book@gauntlt.org

Use real people (pen testers) for the difficult, non-automatable things such as attack simulation; put the repeatable checks into CI. Security should be less about FUD and more about creating value.

Deliberately vulnerable applications (for practising security testing) are available in most programming languages. Some examples can be found here: http://github.com/OWASP

Other tools mentioned:

  • bundler-audit (Ruby) – checks the gem versions pinned in your Gemfile.lock against a database of known-vulnerable gems
  • Gemnasium – SaaS dependency scanning; multi-language
  • ClamAV – scans your source files and build artifacts against virus signatures
  • Git signing – sign your tags (and commits) with your GPG key so their provenance can be verified
  • ZAPR – active security scanner; command-line wrapper around OWASP ZAP
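To make the dependency-scanning idea concrete, here is an added example (not code from the talk, and not bundler-audit's own implementation) of the technique bundler-audit applies: parse the resolved gem versions out of a Gemfile.lock and compare each against an advisory's list of patched version ranges. The lock file and the advisory database are constructed for this example; the gem names, advisory IDs and titles are fictional and do not refer to real vulnerabilities.

```ruby
require "rubygems"  # Gem::Version / Gem::Requirement ship with Ruby

# Constructed Gemfile.lock fragment (not a real project). Under "specs:", lines
# at four-space indent are the resolved gems; the six-space lines beneath a gem
# are its dependency constraints and carry no resolved version of their own.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      parsekit (2.3.1)
        widgetlib (~> 1.0)
      widgetlib (1.0.4)
      yamlish (0.9.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    parsekit
    yamlish
LOCK

# Constructed advisory database in the same shape bundler-audit's data source
# uses: one entry per affected gem, listing the version requirements that are
# NOT affected. Everything here is fictional.
ADVISORIES = [
  { gem: "widgetlib", id: "EXAMPLE-2014-001", title: "fictional advisory A",
    patched_versions: [">= 1.0.5"] },
  { gem: "parsekit",  id: "EXAMPLE-2014-002", title: "fictional advisory B",
    patched_versions: ["~> 2.2.9", ">= 2.3.2"] },
  { gem: "yamlish",   id: "EXAMPLE-2013-007", title: "fictional advisory C",
    patched_versions: [">= 0.8.0"] },
]

# Returns { "gem-name" => Gem::Version } for every resolved gem in the lock file.
def parse_lockfile(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    in_specs = false if line =~ /^\S/ # a new top-level section (PLATFORMS, DEPENDENCIES)
    next unless in_specs
    # exactly four spaces of indent: a resolved gem with its version in parentheses
    if line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/
      specs[$1] = Gem::Version.new($2)
    end
  end
  specs
end

# A version is safe if it satisfies ANY of the patched ranges; otherwise it is
# inside the affected range and counts as vulnerable.
def vulnerable?(version, patched_versions)
  patched_versions.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Cross-reference the lock file against the advisories; returns one finding per hit.
def audit(lock_text, advisories)
  specs = parse_lockfile(lock_text)
  advisories.select { |adv| (v = specs[adv[:gem]]) && vulnerable?(v, adv[:patched_versions]) }
            .map { |adv| { gem: adv[:gem], version: specs[adv[:gem]].to_s,
                           id: adv[:id], title: adv[:title] } }
end

# Exit status for a CI gate: any finding fails the build.
def ci_exit_status(findings)
  findings.empty? ? 0 : 1
end

if __FILE__ == $0
  findings = audit(LOCKFILE, ADVISORIES)
  findings.each { |f| puts "#{f[:id]}: #{f[:gem]} #{f[:version]} (#{f[:title]})" }
  puts "#{findings.size} vulnerable gem(s); CI exit status #{ci_exit_status(findings)}"
end
```

With the constructed data, widgetlib 1.0.4 and parsekit 2.3.1 are flagged (2.3.1 falls outside both `~> 2.2.9` and `>= 2.3.2`), while yamlish 0.9.0 is clean. The check is cheap enough to run on every build; the only moving part is keeping the advisory data current.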

Basic Security Testing is now very easy

FYI – The slides walk through a tutorial that runs a bunch of security tests against a reference implementation site

“Debugging & Tuning Mobile Web Sites w/ Modern Web Browsers”

Slides are here

FYI – Opera has moved to the Chromium engine (Blink, a WebKit fork) as well

weinre
  • (WEb INspector REmote) – pronounced like “winery”
  • Like Firebug, but for WebKit-based browsers: debug a page running on a device from your desktop
  • Installed as an NPM module
  • No need to put it into your own code; it can be injected into the page (e.g. via a bookmarklet)
Network Link Conditioner !!!
  • Purposefully slow down your access to the network!
  • Free add-on to the Mac’s System Preferences panel
  • It is only available to registered Apple developers
    • Go to https://developer.apple.com/downloads/index.action
    • In the search box enter: Hardware IO Tools for Xcode
    • Download the Hardware IO Tools for Xcode – June 2014
    • Once downloaded, double-click the file, hardwareiotools_june_2014.dmg, to open it
    • Double-click the icon, Network Link Conditioner.prefPane, to install it into System Preferences
    • While you have the System Preferences panel open, click Show All in the upper left corner
    • Click on the Network icon
    • Take note of your IP address
Burp – http://www.portswigger.net/burp/download.html
  • Intercepting HTTP proxy: point the device at it to see and modify the traffic
  • FREE alternative to Charles
  • “This is not an app for amateurs. It is intended for security checking. Most of its features go well beyond the needs of this session.”

“Building a Device Lab”

Slides: http://laraswanson.com/devicelab/

Used/refurbished devices better replicate the battery life real users see

Possibly: get a data plan if testing against battery usage, since the cellular radio drains differently from Wi-Fi

Adobe Edge Inspect
  • Currently, for web only…
  • Support for driving native apps may be coming ???

All phones use the same App Store account, email address, password, etc.

MDM (“Mobile Device Management”)
  • Etsy hasn’t yet rolled this out, still in research phase
The Lab
  • Make the device lab ‘welcoming & inviting’ (couches, etc.) so people will test right there.
  • Separate lab for apps and/or automated testing
  • Reverting OS versions is REALLY difficult (so repeat the “don’t upgrade” reminders on the device desktop/wallpaper/background, etc.)
  • How do you handle users on unsupported devices? Keep a documented list of supported versions/devices/etc.; otherwise “Sorry”
  • Some OSes have no VPN support, so set up a subnet specifically for device testing, with access to just the boxes it needs
  • Cables & hubs labelled per power strip

RFID “Card Clash” possible

“Source of Truth: Using Open Source Tools to Manage and Monitor Large Deployments”

Slides are here

Resources

This presentation was probably really rich in info for the bare-metal geeks, but was outside of my direct interests

Ignite Velocity

David Schepper (Box) – Isn’t That Code Dead?

  • Video
  • “Tombstone” – Pretty cool technique: mark code that is ‘possibly dead’ with a marker that records when it actually runs, then remove what never runs
  • Addresses the weaknesses of static analysis (which can’t see dynamic dispatch and the like)
  • Removals can even be built into an automated process
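The tombstone idea as an added, runnable illustration (this is my reconstruction of the technique, not Box's implementation or code from the talk): a static scan says a method has no callers, but instead of deleting it you drop a tombstone in it. The tombstone does nothing except record that it ran. After a long enough production window, tombstones with zero hits mark safe removal candidates, and any tombstone that was hit proves the static analysis wrong. The `LegacyExporter` class, the request stream and the in-memory registry (standing in for a real log or metrics sink) are all constructed for this example.

```ruby
# Tombstone registry. In production the hit would be a log line or metric sent
# to a central sink; an in-memory hash stands in for it here.
module Tombstone
  @registry = {} # label => { hits: Integer, last_hit: Time or nil }

  class << self
    # Register at load time, so a tombstone that is never hit still shows up
    # in the report as dead instead of silently disappearing.
    def declare(label)
      @registry[label] ||= { hits: 0, last_hit: nil }
    end

    # Placed inside the suspected-dead code path; called on every execution.
    def mark(label)
      entry = declare(label)
      entry[:hits] += 1
      entry[:last_hit] = Time.now
      # production: logger.info("tombstone hit: #{label}") or a counter metric
    end

    def reset_hits!
      @registry.each_value { |e| e[:hits] = 0; e[:last_hit] = nil }
    end

    # dead  = declared but never executed in the observed window
    # alive = executed at least once (static analysis missed a caller)
    def report
      dead, alive = @registry.partition { |_label, e| e[:hits].zero? }
      { dead: dead.map(&:first).sort, alive: alive.map(&:first).sort }
    end
  end
end

# Constructed legacy class: a static scan found no direct callers of these
# methods, but Ruby's dynamic dispatch makes that inconclusive, so each method
# gets a tombstone rather than being deleted outright.
class LegacyExporter
  Tombstone.declare("LegacyExporter#to_csv")
  Tombstone.declare("LegacyExporter#to_tsv")
  Tombstone.declare("LegacyExporter#to_xml")

  def to_csv(rows)
    Tombstone.mark("LegacyExporter#to_csv")
    rows.map { |r| r.join(",") }.join("\n")
  end

  def to_tsv(rows)
    Tombstone.mark("LegacyExporter#to_tsv")
    rows.map { |r| r.join("\t") }.join("\n")
  end

  def to_xml(rows)
    Tombstone.mark("LegacyExporter#to_xml")
    "<rows>" + rows.map { |r| "<row>#{r.join(',')}</row>" }.join + "</rows>"
  end
end

# Simulate one production window. The requested formats are constructed input;
# they are dispatched by name, which is exactly the call a static scan cannot see.
def observe_window(requested_formats)
  Tombstone.reset_hits!
  exporter = LegacyExporter.new
  rows = [[1, "alpha"], [2, "beta"]]
  requested_formats.each { |fmt| exporter.public_send("to_#{fmt}", rows) }
  Tombstone.report
end

if __FILE__ == $0
  result = observe_window(%w[csv csv xml])
  puts "still alive (static analysis was wrong): #{result[:alive].join(', ')}"
  puts "removal candidates: #{result[:dead].join(', ')}"
end
```

The automated-removal step the talk mentions would consume `Tombstone.report[:dead]` after the window closes; the length of that window is the whole judgement call, since a yearly batch job will happily sit at zero hits for eleven months.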