Notes from Owasp Helsinki Chapter Meeting 27

Security is an important part of software development, and often it doesn’t get enough attention or developers don’t know enough about it. I have been following Troy Hunt on Twitter for some time, and as he was coming to Owasp Helsinki Chapter Meeting #27 it was a great opportunity to hear about application security first hand, especially about hacking yourself first. The event was held at Life Science Center in Keilaranta, and although it didn’t provide much new information about security and how to protect against hackers, it was a nice event. The event consisted of two talks presented by Troy Hunt: 50 Shades of AppSec and Hack Yourself First.

50 Shades of AppSec

The first talk was “50 shades of appsec” which covered a broad spectrum of what’s happening in our industry and how challenging it’s becoming for those of us working in AppSec to keep ahead of the attacks. Troy covered everything from the social aspects of hacking through to some of the more obscure attacks and the increasing challenges we have as defenders.

There were some nice bad examples of how not to do things and hilarious examples of how even criminal masterminds are fallible: asking questions on StackOverflow with an account tied to your real identity, or taking a photo with an iPhone and not clearing the EXIF data (which contains location info).

The “50 Shades of AppSec” talk didn’t provide much new information which I wouldn’t have read on Twitter or other news sources, but it was entertaining anyway. Good presentation matters.

Hack yourself first

If you’re protecting applications against attacks it’s good to know how attackers can exploit your application’s security holes. Online attacks against websites have accelerated quickly and the same risks continue to be exploited. These are often easily identified directly within the browser; it’s just a matter of understanding the vulnerable patterns to look for.

Troy Hunt’s “Hack Yourself First” talk was about developers building up cyber-offence skills and proactively seeking out security vulnerabilities in their own websites before an attacker does. It looked at website security from the attacker’s perspective and how to exploit common risks in a vulnerable web application. As usual the issues were quite basic and could be easily identified and fixed with the right knowledge and tools like Havij and Fiddler.

One interesting example was to use Fiddler to proxy your device’s traffic and see how the remote server communicates with it, and even to decrypt HTTPS. You can e.g. edit the request and response and change the values sent to the mobile app. One example is to change the value for admin and see whether the mobile application validates it on every request, or whether you really get admin rights to the application or service. The practical example was to capture the traffic sent to the British Airways mobile app and see the WiFi password list for free WiFi.

Or is it?

The second interesting example was about using the WiFi Pineapple to trick devices into connecting to a “known” wireless network, and then capturing and manipulating their traffic. Did you know that devices broadcast the SSIDs they have previously connected to? With devices like the Pineapple you can easily see them and then do some magic.

WiFi Pineapple and captured SSIDs.

Q & A and afterwords

Views from Life Science Center Sauna

The questions and answers section was quite active as security is an interesting topic. There were good questions like how do you verify the companies whose services you use, e.g. if you’re using Freedome from F-Secure? It’s about choosing the least risky option. Better than WiFi at an airport without a VPN. You don’t really know.

Another interesting topic was how security people don’t understand development and developers don’t understand security. It’s about working together and not just security people saying “There are vulnerabilities, fix those.” More cooperation would be better, and it needs support from higher up to work together.

Afterwards the event had reserved the sauna on the 7th floor, which also provided nice views over Laajalahti and some refreshments. Time to network and try to make small talk, although I’m not the most social person. I wasn’t surprised that Troy didn’t join us in the sauna, but it was nice that he had some time to talk in the lounge.

I didn’t get the Owasp sticker, but I got some crafty swag from Nixu, and Troy also provided a one month free pass for Pluralsight, which has courses to educate yourself.

One of the crafty takeaways from the event: a camera cover sticker for the laptop. Who is paranoid about infosec?

It will be a busy month trying to get through all the Pluralsight courses.

Thanks to the organizers and event sponsor Nixu. Nice that they noticed Hunt was in Europe and got him to come and talk about security. I also got a ride home with some good tips about restaurants in Tallinn, which was nice. Thumbs up.

Getting Git Right in Helsinki

Software development is fun if you have tools which work great and support what you’re doing. So it was great to finally hear Sven Peters talking about better software development in teams as Atlassian’s Getting Git Right landed in Helsinki (24.11.2014). An event about Git and, of course, about Atlassian’s tools.

Getting Git right by svenpet and durdn

Getting Git Right’s main theme was about happy developers, productive teams and how Git and Atlassian’s tools help to achieve that. Sven Peters and Nicola Paolucci presented how to be a happier developer with Git, and how to ship software faster and smarter. It’s good to remember that developing software is after all a social challenge, not a technical one. And Git helps you with it. The presentation slides are available at SlideShare and you can also watch it on Youtube (different event).

Git: You can rewrite history. Timemachine without paradoxes

Nicola Paolucci gave a nice 5 minute talk about Git and its internals. Lots of technical details. The main points were “Fast and compact”, “Freedom and safety”, “Explore and understand”, “Control and assemble”. With Git you can rewrite the history safely to e.g. clean up commits. Paolucci also showed some tools to help working with Git on the command line, like the hooks they use and a “better” prompt like liquid-prompt. For a GUI you can use Atlassian’s SourceTree.

Git datamodel

Merging

An interesting part of the event was the talk about what the most efficient and best Git workflow is. The answer is “we don’t know”. It depends, as there are different cultures, different products and different teams. There’s no one right way, but there are some good workflows which might work for you.

One is to use a branch per issue, e.g. hot-fix/jira-30-user-avatars, feature/jira-27-user-sign. The simplest workflow is to use feature branches with a develop branch. Then master stays very stable. If you have multiple product versions then release branches are good, and bug fixes are done on a separate branch and merged into the other branches.
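A branch-per-issue convention only stays useful if people actually follow it, and the talk mentioned hooks as one of the command-line helpers Atlassian uses. The following is an added example, not from the talk, the slides or this post: a small hook-style check that parses branch names in the shape shown above (`<type>/jira-<issue>-<description>`) and rejects names that break it, while letting the long-lived branches and version-style release branches through. The allowed branch types, the project key “jira”, the protected branch names and the release-branch pattern are assumptions made for this illustration.

```python
import re
import sys

# Assumed conventions for this example (adjust for your own team).
BRANCH_TYPES = ("feature", "hot-fix")          # issue branches: <type>/jira-<n>-<desc>
PROJECT_KEY = "jira"                            # assumed JIRA project key prefix
PROTECTED = ("master", "develop")               # long-lived branches, not per-issue

# feature/jira-27-user-sign  ->  type=feature, issue=27, desc=user-sign
ISSUE_BRANCH_RE = re.compile(
    r"^(?P<type>" + "|".join(re.escape(t) for t in BRANCH_TYPES) + r")/"
    + re.escape(PROJECT_KEY) + r"-(?P<issue>\d+)"
    r"-(?P<desc>[a-z0-9]+(?:-[a-z0-9]+)*)$"
)

# release/1.2 or release/2.0.1: one release branch per product version (assumed shape)
RELEASE_BRANCH_RE = re.compile(r"^release/\d+(?:\.\d+)*$")


def parse_branch(name):
    """Return (type, issue_number, description) for an issue branch, or None
    if the name does not follow the per-issue convention."""
    m = ISSUE_BRANCH_RE.match(name)
    if m is None:
        return None
    return m.group("type"), int(m.group("issue")), m.group("desc")


def is_valid_branch(name):
    """A name is acceptable if it is a protected branch, a release branch,
    or a correctly formed per-issue branch."""
    if name in PROTECTED:
        return True
    if RELEASE_BRANCH_RE.match(name):
        return True
    return parse_branch(name) is not None


def check_branches(names):
    """Hook-style check over a list of branch names: return the ones to reject."""
    return [n for n in names if not is_valid_branch(n)]


def main(argv):
    """Entry point for use as a hook: branch names come in as arguments,
    exit status is non-zero when any of them breaks the convention."""
    rejected = check_branches(argv)
    for name in rejected:
        print(f"rejected branch name: {name!r} (expected e.g. feature/{PROJECT_KEY}-27-user-sign)")
    return 1 if rejected else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wired into a pre-push or server-side pre-receive hook, a check like this turns the naming convention into something the tooling enforces rather than something reviewers have to notice; the issue number it extracts is also what lets Stash or JIRA link the branch back to the ticket.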

They also presented how Atlassian’s Stash can help you work with Git and branches. For example, merging changes between branches can be done automatically with hooks or by using Stash. Stash looked nice for controlling and managing your repository through a visual interface.

Code reviews: do they feel like this?

Git also helps you to improve code quality with e.g. code reviews. Code reviews shouldn’t be painful, as they are about team ownership, shared knowledge and aiming for better code, but often there’s developer guilt. They can be made easier by making code reviews part of your daily work and doing them in small patches like pull requests.

Development is also about communication, and for that Atlassian presented HipChat. It looked like quite a nice tool for following what’s happening in a project, aggregating team chat and information from different tools. Following commits and a continuous flow of information gives you a clear view of what’s happening. There are also alternatives to HipChat like Slack or just basic IRC.

But why should you use Git? Benefits like more time to code, better collaboration, developer productivity and “it’s the future” don’t convince everyone, like pointy haired bosses. So it’s good to remember that Git is also about economics: delivering software faster, having fewer bugs and thus having happy customers. Shipping software faster and smarter.

Why Git? from Peters’ slides:

Why Git?

It’s also about economics

In the Questions and Answers session there was talk about Atlassian’s strategy with Bitbucket and Stash. They said that both are going strong as they have different use cases. Stash has more enterprise features and you can have the repository on your own premises. Bitbucket is about hosting the repository on Atlassian’s platform and is for small and medium teams. From what I have used of Bitbucket it’s a nice service, but not as user friendly as GitHub. Another interesting question was about storing binary files in Git. There’s no optimal solution yet, just some workarounds like git-annex and git-media which allow managing files with git without checking the file contents into git. In practice you shouldn’t store binary files in Git, and you should separate the product into code and assets.

Summary

Atlassian’s Getting Git Right was a nice event and gave a good overview of Git and how to use it in a software development team. It would have been nice to hear something about the alternatives to Atlassian’s tools (BitBucket, Stash, SourceTree and HipChat) which help you to do better software development. I can’t deny that Atlassian’s tools work nicely together, but sometimes the price is just too high.

Now it’s time to start using Git also on work projects, and as all participants got a “Just do Git” T-shirt it’s easier :) Thanks to Atlassian and Ambientia for arranging this event.

Insights to future workplace from Fujitsu Forum 2012

This year my Autumn holiday was a bit different, as I was one of the four bloggers invited by Fujitsu’s LIFEBOOK4Life campaign to visit Fujitsu Forum 2012 in Munich to hear what the future workplace might look like and to experience new technologies to support that. We also got a tour of Fujitsu’s factory in Augsburg, which provided some views of how computers are made, from mainboards to the final product. The three days in Germany were insightful and fun. How can you not like hearing about new ideas, seeing innovative things, meeting new people and of course experiencing the excellent German food and beer.

Fujitsu Forum is the largest IT event in Europe, visited by professional users and IT decision-makers as well as Fujitsu channel and technology partners. In 2012 more than 12,000 IT experts from around the world attended the Fujitsu Forum in Munich. And I was one of them, invited by the Fujitsu LIFEBOOK4Life campaign together with three other bloggers (called Insiders). The chance I wrote about last time came true. Our trip to Fujitsu Forum 2012 was scheduled to contain breakout sessions and keynotes on Wednesday and a tour of the Fujitsu factory in Augsburg on Thursday.

This year the Forum’s motto was “Reshaping ICT – Reshaping Business”: how to combine business processes and IT to form a stable basis that will ensure growth and success in the future. Kind of a redefinition of last year’s “Reshaping IT” theme. In short, the buzzwords I heard most were: consumerization, BYOD, tablets, virtualization, in-sync, cloud and Win 8. “One workplace – on any device”.

First day, Wednesday 7.11


photo by Kim Ekman, Vision 51

The first day at the Forum was full of exciting breakout sessions and keynotes, and the exhibition area provided some innovative ideas and services from Fujitsu and technology partners. And of course you got to test new devices like the Windows 8 enabled STYLISTIC Q572 tablet with the AMD Hondo platform and the STYLISTIC Q702 hybrid tablet with Intel Core i3/i5. There were also some prototypes of future Fujitsu products.

The breakout sessions and keynotes provided some good insights into what the future workplace might look like, which decisions and technologies are needed to support that, and what kind of tools we will be using in the future. In short, the three breakout sessions I listened to, “Has the Post-PC Era Begun – What will be on your desktop tomorrow”, “The War Between Enduser Devices” and “Tablets & More – Cool scenarios for hot devices”, can be summed up in the words: consumerization, BYOD, tablets, virtualization, in-sync, cloud and Win 8. “One workplace – on any device”. The materials for all sessions can be found on the Fujitsu Forum 2012 documentation page.

The three breakout sessions’ ideas about the future of the workplace and tools were similar to what I think about the issue: work and the workplace are changing to support mobility and working anywhere, anytime. Some of the drivers for this are that the borders between business and private life are blurring, and consumerization (same devices at home and at work) and BYOD (bring your own device) are becoming more common. We should think more about a user-oriented workplace. Although mobile computing is big, the traditional desktop computing model isn’t going anywhere, as there is always a need for more computing power, larger screens, data protection and security.

In the future the devices we use will be more diverse and we will have more of them. Thus there will be a need for virtualization, syncing data and support for the “One workplace – on any device” ideology. Different tasks have different needs for the device, so we need a dynamic desktop experience. The sessions also provided some views about tablet platforms, and in Western Europe Windows, iOS and Android will be about equal in strength. It remains to be seen. It was said about Windows 8 that the transition will be a challenge and that touch monitors are needed for Win 8 to deliver significant impact.

There were also some suggestions about the devices which can support our future workplace needs. At the desktop we could find the ESPRIMO X series, which has the desktop computer integrated into the base of the monitor, and the same form factor works in multiple use cases. And with the integrated web camera with presence sensor you can lock the screen when leaving and log in with face detection. Crafty. For the mobility aspects there are the STYLISTIC Q572 and Q702 tablets, and for laptop needs you have the LIFEBOOK U772 Ultrabook and the more traditional LIFEBOOK T902.

After the day at the sessions and exhibition area it was time for lunch. A nice buffet with currywurst, burger and Weissbier. The final event of the day was Celebration Night with some comedians with guitars, and then the stage was open for Amy Macdonald. It was a nice gig by Amy, but last year’s Anastacia was better :)

Second day, Thursday 8.11

The second day for us at the Fujitsu Forum 2012 was dedicated to a tour of Fujitsu’s factory in Augsburg. It was kind of surprising to see how many workers there are, although the automation rate was something like 85-90 percent. Some mainboard components and checks are easier for humans to do. The storage and putting things together were also done manually.


After the visit to the factory it was more or less free time to roam the exhibition area, because we didn’t have time for any more sessions or keynotes. At the exhibition we found out about Fraunhofer’s nLightened workplace with touch, rotate, scan, change light and adjust height features, which runs on top of Linux. Again we saw the Made4You customization service, which laser engraves any product you want. Like my Twitter name and the Fujitsu Forum 2012 hashtag on a metal cased pen.

The second day was interesting, and it looked like some party was starting just when the Insiders and moderators had to head back home. It would have been fun to spend some more days in Munich, but as usual work calls.

Summary

Fujitsu Forum 2012 provided insights and ideas about what the future workplace might look like, and we got to experience new technologies to support that. The three days in Munich went (too) fast, and it was again great to visit Fujitsu Forum and to see the other Insiders and the LIFEBOOK4Life crew. Thanks LIFEBOOK4Life and Fujitsu.

If you want to read more, check out what Antonia wrote about our trip on the campaign site, and Aba from FujitsuFans.com has made some previews and reports from the Forum.