WebApp Sec mailing list archives
Re: Foundstone Hacme Books and .NET Security Toolkit
From: <dotnetdeveloper () hushmail com>
Date: Thu, 10 Mar 2005 11:48:17 -0800
Nice. Another nice aspect of an HTTP Module versus a proxy is that you can re-write stuff on the fly. OWASP Bad Crypto as an example. Trap the CAPI calls made by a bad app and replace the crypto with a better version. Nice! Smart thinking, good R&D.
-----Original Message-----
From: Mark Curphey [mailto:mark () curphey com]
Sent: Tuesday, March 08, 2005 12:08 PM
To: webappsec () securityfocus com
Subject: Foundstone Hacme Books and .NET Security Toolkit

Just to let you know we have released some more free tools this morning.

Hacme Books is a full Java bookstore similar to Hacme Bank but this time built like a real application. Full source code will be available (released next week) and all code includes unit tests etc. It's not a vanilla JSP type app of the kind that is so often used when demonstrating security. It follows an MVC with an Inversion of Control design pattern. You can get the solution guide in PDF with screen shots here:
http://www.foundstone.com/resources/whitepapers/hacmebooks_userguide.pdf

We will be integrating this with the Hacme Bank V2 (using web services) at some point soon. Hacme Books was written by Dave Raphael, this list's moderator.

We also released part of the Foundstone S3i .NET Security Toolkit. The two components this week are the Validator.NET and the Visio SecureUML template.

Validator.NET is a proof of concept tool to explore better ways to do validation than the HTTP proxy approach (aka web app firewall) for apps where you can't modify the code. It provides a GUI to point to an assembly and uses the reflection API to determine the web controls and subsequent forms. It then provides a GUI to build contextual validation rules that can be saved as an XML rules file. We then provide an HTTP module to load the rules into. It is proof of concept and is not a production ready tool. It doesn't look at cookies and other key things for instance.

"The Foundstone Validator.NET tool is an important resource for malicious input testing for ASP.NET Web applications," said Michael Howard, senior security program manager at Microsoft Corp., and co-author of Writing Secure Code.
http://www.foundstone.com/resources/termsofuse.htm?file=validator.zip

SecureUML is a Visio template to do SecureUML Role Based Access Control Modeling. The whitepaper that comes with the tool has some examples.
http://www.foundstone.com/resources/termsofuse.htm?file=secureuml.zip

Next week we'll add to the toolkit the .NET Mon, which is to the .NET CLR what filemon or regmon is to Windows. This tool is very powerful for code reviews, watching the CLR to see how it really enforces the security restrictions. We have a few more coming in the next few weeks, one to do cookie analysis using 2nd order phase state analysis and a web services version of a fuzzer like SPIKE.

Enjoy.
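As an added illustration of the HTTP-module approach described in the quoted announcement (this is not Foundstone's Validator.NET code; the rules file path, its element and attribute names and the module name are assumptions chosen for the example), a minimal ASP.NET IHttpModule that loads per-field rules from an XML file and rejects POST requests whose form fields violate them before any page handler runs:

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Hosting;
using System.Xml.Linq;
// Assumed rules file shape: <rules><field name="txtAmount" pattern="^\d{1,9}$" maxLength="9"/></rules>
public class RuleValidationModule : IHttpModule
{
    private class Rule { public Regex Pattern; public int MaxLength; }
    // Field name -> rule, loaded once for the whole application (Init runs per pooled instance).
    private static Dictionary<string, Rule> _rules;
    public void Init(HttpApplication app)
    {
        if (_rules == null)
            _rules = LoadRules(HostingEnvironment.MapPath("~/App_Data/validation-rules.xml"));
        app.BeginRequest += OnBeginRequest;
    }
    private static Dictionary<string, Rule> LoadRules(string path)
    {
        var rules = new Dictionary<string, Rule>(StringComparer.OrdinalIgnoreCase);
        foreach (var f in XDocument.Load(path).Root.Elements("field"))
            rules[(string)f.Attribute("name")] = new Rule
            {
                // Match timeout (.NET 4.5+) bounds the cost of a badly written pattern in the rules file.
                Pattern = new Regex((string)f.Attribute("pattern"), RegexOptions.Compiled, TimeSpan.FromMilliseconds(100)),
                MaxLength = (int?)f.Attribute("maxLength") ?? int.MaxValue
            };
        return rules;
    }
    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;
        if (ctx.Request.HttpMethod != "POST") return;
        foreach (string name in ctx.Request.Form.AllKeys)
        {
            Rule rule;
            if (name == null || !_rules.TryGetValue(name, out rule)) continue; // no rule: passes through (fail-open)
            string value = ctx.Request.Form[name] ?? "";
            if (value.Length <= rule.MaxLength && rule.Pattern.IsMatch(value)) continue;
            // Reject here, in the pipeline, so the page code never sees the offending input.
            ctx.Response.StatusCode = 400;
            ctx.Response.Write("Rejected by validation rule for field: " + HttpUtility.HtmlEncode(name));
            ctx.CompleteRequest();
            return;
        }
    }
    public void Dispose() { }
}
```

The module is registered in web.config under system.web/httpModules (classic pipeline) or system.webServer/modules (IIS integrated pipeline). Like the proof of concept in the announcement, it checks only form fields: cookies, headers and query strings pass through unchecked, and a field with no rule is allowed, so the rules file has to cover every input the application actually reads.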