WebApp Sec mailing list archives
Foundstone Hacme Books and .NET Security Toolkit
From: "Mark Curphey" <mark () curphey com>
Date: Tue, 8 Mar 2005 12:08:23 -0800
Just to let you know we have released some more free tools this morning. Hacme Books is a full Java bookstore similar to Hacme Bank but this time built like a real application. Full source code will be available (released next week) and all code includes unit tests etc. It's not a vanilla JSP type app that are so often used when demonstrating security. It follows an MVC with an Inversion of Control design pattern. You can get the solution guide in PDF with screen shots here; http://www.foundstone.com/resources/whitepapers/hacmebooks_userguide.pdf We will be integrating this with the Hacme Bank V2 (using web services) at some point soon. Hacme Books was written by Dave Raphael this lists moderator. We also released part of the Foundstone S3i .NET Security Toolkit. The two components this week are the Validator.NET and the Visio SecureUML template. Validator.NET is a proof of concept tool to explore better ways to do validation than the HTTP proxy approach (aka web app firewall) for apps where you can't modify the code. It provides a GUI to point to an assembly and uses the reflection API to determine the web controls and subsequent forms. It then provides a GUI to build contextual validation rules that can be saved as an XML rules file. We then provide an HTTP module to load the rules into. It is proof of concept and is not a production ready tool. It doesn't look at cookies and other key things for instance. "The Foundstone Validator.NET tool is an important resource for malicious input testing for ASP.NET Web applications," said Michael Howard, senior security program manager at Microsoft Corp., and co-author of Writing Secure Code. http://www.foundstone.com/resources/termsofuse.htm?file=validator.zip SecureUML is a Visio template to do SecureUML Roles Bases Access Control Modeling. The whitepaper that comes with the tool has some examples. http://www.foundstone.com/resources/termsofuse.htm?file=secureuml.zip Next week well add to the toolkit the .NET Mon which is to the .NET CLR what filemon or regmon is to windows. This tool is very powerful for code reviews watching the CLR to see how it really enforces the security restrictions. We have a few more coming in the next few weeks, one to do cookie analysis using 2nd order phase state analysis and a web services version of a fuzzer like SPIKE. Enjoy.
Current thread:
- Foundstone Hacme Books and .NET Security Toolkit Mark Curphey (Mar 09)
- <Possible follow-ups>
- Re: Foundstone Hacme Books and .NET Security Toolkit dotnetdeveloper (Mar 13)