Appsec

gethead released

Friend and colleague Nathan LaFollette has released a new tool to analyse HTTP headers for security vulnerabilities. It is called gethead. Here is the info from the GitHub page:

gethead

HTTP Header Analysis Vulnerability Tool

View the Project on GitHub: httphacker/gethead

gethead.py is a Python HTTP Header Analysis Vulnerability Tool. It identifies security vulnerabilities and missing protections in HTTP headers.

Usage:

$ python gethead.py http://domain.com
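As an added illustration of the kind of analysis gethead performs (this is not gethead's own code, and it is Python 3 rather than the 2.7 the tool targets): parse a raw HTTP response, flag missing or weak protective headers, version disclosure and cookie flags, and rank the findings by severity. The sample response, the header set checked and the severity labels are all constructed for the example.

```python
import re

# Constructed sample response (not captured from any real host): no protective headers, leaked versions.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "\r\n<html></html>"
)

# Protective headers whose absence leaves a browser-side control switched off.
EXPECTED = {
    "strict-transport-security": ("High", "HSTS missing: downgrade/SSL-strip exposure"),
    "content-security-policy": ("Medium", "CSP missing: no script-source restrictions"),
    "x-frame-options": ("Medium", "X-Frame-Options missing: clickjacking exposure"),
    "x-content-type-options": ("Low", "nosniff missing: MIME sniffing possible"),
}
RANK = {"High": 0, "Medium": 1, "Low": 2}

def parse_headers(raw):
    """Return (name, value) pairs from a raw response; names lower-cased, duplicates kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def analyse(headers):
    """Return (severity, finding) tuples, highest severity first."""
    present = {n: v for n, v in headers}
    findings = [(sev, msg) for name, (sev, msg) in EXPECTED.items() if name not in present]
    xfo = present.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("Medium", f"X-Frame-Options '{xfo}' does not block framing"))
    for name in ("server", "x-powered-by"):  # version disclosure in banner headers
        if name in present and re.search(r"\d+\.\d+", present[name]):
            findings.append(("Low", f"{name} discloses a version: {present[name]}"))
    for name, value in headers:  # one finding per weak cookie flag, per cookie
        if name == "set-cookie":
            cookie = value.split("=", 1)[0]
            flags = {p.strip().lower() for p in value.split(";")[1:]}
            for flag in ("HttpOnly", "Secure"):
                if flag.lower() not in flags:
                    findings.append(("Medium", f"cookie {cookie} lacks {flag}"))
    return sorted(findings, key=lambda f: RANK[f[0]])
```

Running `analyse(parse_headers(SAMPLE_RESPONSE))` yields eight findings, led by the missing HSTS header; a response that adds the four protective headers and the cookie flags leaves only the two version-disclosure findings.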

Changelog

Version 0.1 – Initial Release

  • Written in Python 2.7.5
  • Performs HTTP Header Analysis
  • Reports Header Vulnerabilities

Features in Development

Version 0.2 – Next Release (November 2013 Release)

  • Support for git updates
  • Support for Python 3.3
  • Complete Header Analysis
  • Additional Logic for Severity Classifications
  • Rank Vulnerabilities by Severity
  • Export Findings with Description, Impact, Execution, Fix, and References
  • Export with multi-format options (XML, HTML, TXT)

Python for beginners

What do SQLMap, pypcap, uhooker, diStorm64, and powerfuzzer all have in common? They were written in Python. So if you want to extend them, logically you are going to have to know some Python. Here is a great site to begin learning Python basics:

http://www.pythonforbeginners.com/python-overview-start-here/

Posts like this show everything that is wrong with modern developers

So this is a clip from an article on Ars Technica.

The entire article can be found here!

The short answer to this person’s question is no, it is not okay to develop in production.

The reason I got out of the SDLC world was this kind of thinking. People claim they are Agile/RAD shops but have never implemented a methodology. Agile is a framework; SCRUM is a methodology within the framework. You do not implement a framework without implementing a methodology to accompany it. There are other agile methodologies besides SCRUM. Here is a short list:

  • Agile Modeling
  • Agile Unified Process (AUP)
  • Crystal Clear
  • Crystal Methods
  • Dynamic Systems Development Method (DSDM)
  • Extreme Programming (XP)
  • Feature Driven Development (FDD)
  • GSD
  • Kanban (development)
  • Lean software development
  • Velocity tracking

 

I do not care what methodology you use, or even what framework (waterfall/agile). You never touch production. I can’t tell you how many times in my career I have been asked to debug a production software issue, only to find some rogue instance from a dev running on the box with a memory leak, SQL blocking/locking, thread locking/collisions, or some other issue that dorks up the server. In the world of virtual machines it is very tempting to develop on the prod box, because we can revert to a snapshot. But very few times have I seen a plan outlining a method for recovery. This is generally cowboy coding mentality. No matter what you choose for methodology, you should dev locally, and push to a duplicate box for your QA team to test before pushing to production. While we are at it, let’s look at some steps you should be following no matter what framework/methodology you are using.

  1. Dev locally
  2. Unit test (NUnit/xUnit is unit testing, not functional testing)
  3. Commit to CVS
  4. Push to testing (no, we do not test in production either)
  5. Properly functionally test the application (I would suggest something like HP’s UFT (Unified Functional Testing), or, if you’re broke, Selenium)
  6. Track testing in a repository like HP ALM/QC or Rational ClearQuest
  7. Performance test the application (LoadRunner/Performance Center or NeoLoad)
  8. Security test the application (WebInspect or AppScan)
  9. Repeat steps 2-8 until the application is production ready
  10. Push to production

If you are not properly testing your application, then all you are doing is making your clients your testers. This never ends well.

If you would like to read a great series of blog posts on agile testing, go here:

i-dont-always-test-my-code-but-when-i-do-i-do-it-in-production

 

Watch a Chinese hacker in real time!

Image provided by http://www.flickr.com/photos/brianklug/

Think you have great regex chops? Then give this a whirl.

This is from the MIT 2013 Mystery Hunt.

The puzzle is here

Hints are here

Interactive hint grid is here

evasi0n – iOS 6.x Jailbreak is live

Let the testing begin

http://evasi0n.com/

New Java Update

Oracle is pushing out an update with over 50 fixes in it. Go get it, and let’s hope it does not introduce any more horrific issues.

photo by p!xeltree

Looks like the Offensive Security guys have been busy.

Check out what is going on here.

So it begins!

Well, registration was supposed to start last night. They had some badge delays, and I just got my badge about 15 minutes ago. So a late start. So far it is typical hacker convention stuff: basically everyone trying to prove whose junk is bigger than everyone else’s.

Ahh BlackHat and Wahh Live!