Thursday, December 18, 2014

How to SVN diff local agaist newer revision of item

From command line I would expect that a simple 'svn diff local/path/to/resource' will provide differences between local copy and subversion server copy. However that is not a case as a spacial '-r HEAD' needs to be added to the command instead:

Tuesday, December 16, 2014

NodeJS https to https proxy for transitions to Single Page applications like AngularJS SPA

If you are working on a migration from classical web sites to Single Page Applications (SPA) you will find yourself dealing with a domain where all the code lives, mixed technologies for which you are forced to run the backend server and bunch of inconveniences like applying database migrations or redeploying backend code.

You should be able to develop the SPA locally though and consume the APIs remotely but you probably do not want to allow cross domain requests or even separate the application in two different domains.

A reverse proxy should help you big time. With a reverse proxy you can concentrate on just developing your SPA bits locally while hitting the existing API remotely and yet being able to remotely deploy the app when ready. All you need to do is detect where the SPA is running and route through the local proxy the API requests.

Node http-proxy can be used to create an https-to-https proxy as presented below:

Wednesday, December 10, 2014

Adding ppid to ps aux

The usual way BSD style ps command is used does not return the parent process id (ppid). To add it you need to use the "o" option as follows:

Tuesday, December 09, 2014

Is your bank of favorite online shop insecure? You are entitled to act as a conscious user

Is your bank of favorite online shop insecure? You are entitled to act as a conscious user. How?

The first thing any company out there should do with their systems is to make sure that traffic between the customer and the service provider is strongly encrypted. All you need to do is to visit this SSL Server Test, insert the URL for the site and expect the results.

If you do not get an A (right now *everybody* is vulnerable to latest Poodle strike so expect to see a B as the best case scenario) you should be concerned. If you get a C or lower please immediately contact the service provider demanding they correct their encryption problems.

Monday, December 08, 2014

Libreoffice and default Microsoft Excel 1900 Date System

The custom date in format m/d/yy is not formatted in libreoffice but instead a number is shown. This number corresponds to the serial day starting at January, 1 1900. So 5 will correspond to 1905. But there is a leap year bug for which a correction needs to be made (if (serialNumber > 59) serialNumber -= 1) as you can see in action in this runnable.

So if you convert excel to CSV for example and you get a number instead of an expected date, go to that Excel file from the libreoffice GUI and convert a cell to Date to see if the output makes sense as a date. At that point, convinced that those are indeed dates all you need to do is apply the algorithm to the numbers to convert them to dates in the resulting CSV.

Sunday, December 07, 2014

On Strict-Transport-Security: Protecting your app starts by protecting your users

Protecting your app starts by protecting your users. There are several HTTP headers you should already be using in your web apps but one usually overlooked is Strict-Transport-Security

This header ensures that the browser will refuse to connect if there is a certificate problem like in an invalid certificate presented by a MIM attack coming from a malware in a user's computer. Without this header the user will be giving away absolutely all "secure" traffic to the attacker. Additionally this header will make sure the browser uses only https protocol which means no insecure/unencrypted/plain text communication happens with the server.

The motivation for not using this header could be to allow mixing insecure content in your pages or to allow using self signed certificates in non production servers. I believe such motivation is dangerous when you consider the risk. Your application will be more secure if you address security in the backend and in the front end, the same way you should do validations in the front end and the backend.

Friday, December 05, 2014

On risk management: Do you practice Continuous Web Application Security?

Do you practice Continuous Web Application Security? We have learned how to continuously deliver software and of course that means that anything you do as part of the SDLC should be done continuously including security. Just like with backup-restore tests this is a hot topic. As usual there is no simple answer about what we should all do because we should all do different things depending on our budget.

Here is though an affordable practical proposal for continuous web application security:
  1. Have a Ubuntu Desktop (I personally like to see what is going on when it comes to the UI related testing) with Selenium server running and at least chrome diver available.
  2. From Jenkins hit (remotely) a local runner that triggers locally running automated E2E tests against your application URL (I personally believe that E2E concerns belongs to developers, whether you have full stack engineers of dedicated front end engineers and I stringly believe that they belong to whoever is in charge of the UX/UI)
  3. The tests normally will open chrome instances where you can see UI tests in action if you like (Did I say that when it comes to UX/UI I like to *see* what is going on in the browser?)
  4. A proxy based passive scanner like zaproxy is installed as well. You can install it easily using a plain old bash (POB) recipe I created here BTW.
  5. If you want to start the proxy with a user interface so you can look into the history of found vulnerabilities through a nice user interface and assuming you installed it from the recipe then run it as '/opt/zap/' or if you get issues with your display like it happened to me while using xrdp with 'ssh -X localhost /opt/zap/'.
  6. For the proxy to get the traffic from chrome you need to configure the ubuntu system proxy with the commands below. All traffic will now go through the zaproxy. If you want to turn the proxy off just run the first command below. To turn it on run just the second but run them all if you are unsure about the current configuration. This is a machine where you just run automated tests so it is expected that you run no browser manually there BTW and that is the reason I forward all the http traffic through the proxy:
  7. Every time your tests run you will be collecting data about possible vulnerabilities
  8. You could go further now and inspect the zaproxy results via the REST API consuming JSON or XML in your jenkins pipeline in fact stopping whole deployments from happening. You can take a less radical approach and get the information in plain HTML. Below for example we extract all the alerts in HTML for (none ;-). It is assumed that you have run '/opt/zap/ -daemon' which allows to access from http:/zap base URL the REST API:
  9. If you want to access this API from outside the box you will need to run '/opt/zap/ -daemon -host -p 8080' however keep in mind the poor security available for this api.
  10. Do not forget to restart the proxy after vulnerabilities are fixed or stop and start it automatically before the tests are run so you effectively collect the latest vulnerabilities only
  11. Provide active scanning as well: See
Congratulations. You have just added continuous web application security to your SDLC.

How to parse any valid date format in Talend?

How to parse any valid date format in Talend? This is a question that comes up every so often and the simple answer is that there is not plain simple way that will work for everybody. Valid dates format depend on locale and if you are in the middle of a project supporting multiple countries and languages YMMV.

You will need to use Talend routines. For example you can create a stringToDate() custom method. In its simpler form (considering you are tackling just one locale) you will pass just a String a parameter (not the locale). You will need to add the formats you will allow like you see in the function below. The class and the main method are just for testing purposes and you can see it in action here. These days is so much easier to share snippets of code that actually run ;-)