Threats, Risks, Security – OWASP?

For those who are new to security — and by security I don't mean authentication and authorization alone — this may be an eye opener. Heard about CSRF and XSS? There are more, in case you read on. Read this for an eye opener about some crazy stuff: http://www.troyhunt.com/2014/10/find-crazy-stuff-in-mobile-app.html. Troy has done some great stuff, and you can check out his Pluralsight videos as well. But there is something we all realise: we hardly give much importance to security until the shit hits the fan. There have been more and more cases of hackers stealing credit cards from retail merchants and publishing them, but we should all understand that they were able to do it because "developers were ignorant". Not that I want to run away, I AM A DEV GUY too! But of late there is this new heat being generated that we are not giving adequate importance to these risks or vulnerabilities, which can be exploited, and these security threats can soon become a nightmare you don't want to face! OK, enough said. Now what? Where do I start?
Simple — heard of OWASP? You need to make sure that you pass these top 10 security risks. You can also go to owasp.org to learn more about it. Every year they publish the latest threats, and for different platforms as well. The top 10 threats for mobile are:
https://www.owasp.org/index.php/Mobile_Top_10_2014-M10

OK, now that I know what my vulnerabilities are, how do I resolve them, or how do I include this in the SDL (software development lifecycle)? First, as a part of the process you can use the Threat Modeling Tool from Microsoft (it's free, in case you thought $$$ just now 🙂), which is basically a modeling tool like Visio, but where you can see the vulnerable areas in the design phase itself, so that you are aware of your attack surface and can try eliminating the vulnerable ones. You can download it from here:
http://www.microsoft.com/en-us/download/details.aspx?id=42518
Now, to fix these issues in code you can either Google, which by the way gives you a lot more options, or you can use a tool called Fortify from HP, which plugs into your Visual Studio and gives you recommendations based on OWASP rules, severity and other filters as well. But sadly it's paid, and so are tools like Checkmarx and Klocwork. OK, so that's the bad news, but sure enough I can guarantee you that if you have the patience, Google has the answers to most of the OWASP risks that your application has. So, secure coding then 🙂

Run Unit Tests in Visual Studio after locally building your Solution!

Ever felt the need to run unit tests as a part of building your solution locally? Yeah, that sounds like you can fix/break the solution immediately 🙂 OK, before we jump to conclusions and go overboard, let us see how we can do this in VS2010. Like you would have already guessed, there is an extension called "Continuous Testing for Visual Studio 2010". Download it from here. Since it's free and from the Visual Studio Gallery, I was tempted to install it. So I just built and saw that all my tests were failing as usual! Also, in case you are pissed off that your test cases failed and don't want this feature, you can always disable it from the Extension Manager in the Tools menu in Visual Studio. Here is the output post building locally, not great though 🙂

[screenshot: unit test output after the local build]

BTW, I had read posts that you can execute MSTest.exe from build events using commands, but I was facing some issues with it. So do let me know if you work with that as well. Anyways, Continuous Testing works great. So let me build and break with more abandon!

DotNet Decompiler dotPeek

Ever since Reflector went from free to paid, .NET developers have been searching for a good alternative. They even said that till version 6.0 Reflector would still work, but for some reason it never used to for me, even if I never upgraded my Reflector. Anyways, I found a good one called dotPeek from JetBrains (yeah, the same guys who have that wonder tool called ReSharper). You can download it from here. And you can decompile from .NET versions 1 to 4.5. Good luck reengineering!

COPS….FxCop..!

This is going to be a small introduction to FxCop (FxCop is an application that looks into assemblies and recommends changes for design, localization, performance and security improvements). Professionals who already know it can please move over! When I first used this tool I didn't know that it existed in the Microsoft Visual Studio tools. Now, though it does, it doesn't come installed and you would need to install it. It is located in C:\Program Files\Microsoft SDKs\Windows\v6.0A\FXCop (alternatively you can download it from here). Once you have downloaded it, it's pretty easy to start off.

Click on New Project, like shown below:

[screenshot: FxCop New Project]

Click on Add Targets, and add the assembly you want to run static code analysis on.

[screenshot: FxCop Add Targets dialog]

And then click on the Analyse button... that's it, over! You can see myriad rules which play havoc with your seemingly robust and secure code. This tool is meant for people who live by the doctrine of MS rules and are ready to give their right hand for it! You can play with the various rules and ignore them if you want. You can even create your own rules and analyse your code based on them.

[screenshot: FxCop analysis results]
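As an added example of the "create your own rules" point above (this is not code from the original post or from FxCop itself), here is a custom FxCop rule written against the Microsoft.FxCop.Sdk introspection API that flags string constants whose name looks like a credential, since a const is compiled into the assembly and falls straight out of a decompiler like the dotPeek mentioned earlier. The rule name, the MyRules namespace, the CheckId MS0001 and the keyword list are my own assumptions.

```csharp
using System;
using Microsoft.FxCop.Sdk;

namespace MyRules
{
    // Flags string constants whose name suggests a credential (e.g. const string Password = "...").
    // A const is baked into the assembly and falls out of any decompiler, so it is a hard-coded secret.
    public sealed class AvoidHardCodedSecretConstants : BaseIntrospectionRule
    {
        // Name fragments treated as credential hints; an assumption made for this example.
        private static readonly string[] SecretHints = { "password", "passwd", "secret", "apikey", "token" };

        // "MyRules.Rules" is the embedded resource MyRules/Rules.xml shown at the bottom.
        public AvoidHardCodedSecretConstants()
            : base("AvoidHardCodedSecretConstants", "MyRules.Rules", typeof(AvoidHardCodedSecretConstants).Assembly) { }

        // Secrets are usually private, so inspect every visibility, not just the public surface.
        public override TargetVisibilities TargetVisibility { get { return TargetVisibilities.All; } }

        // FxCop calls this once per member of every type in the target assembly.
        public override ProblemCollection Check(Member member)
        {
            Field field = member as Field;
            if (field == null || !field.IsLiteral) return Problems;                       // const fields only
            if (field.Type == null || field.Type.FullName != "System.String") return Problems;
            string name = field.Name.Name;
            foreach (string hint in SecretHints)
            {
                if (name.IndexOf(hint, StringComparison.OrdinalIgnoreCase) < 0) continue;
                // GetResolution fills {0}/{1} in the <Resolution> text of Rules.xml.
                Problems.Add(new Problem(GetResolution(field.DeclaringType.FullName, name), field));
                break;
            }
            return Problems;
        }
    }
}
/* Rules.xml (Build Action: Embedded Resource) that FxCop reads to describe the rule:
<Rules FriendlyName="My Security Rules">
  <Rule TypeName="AvoidHardCodedSecretConstants" Category="MyRules.Security" CheckId="MS0001">
    <Name>Avoid hard-coded secret constants</Name>
    <Description>String constants named like credentials are compiled into the assembly.</Description>
    <Resolution>Type '{0}' declares the string constant '{1}'. Load it from configuration or a secure store instead.</Resolution>
    <MessageLevel Certainty="75">Warning</MessageLevel>
    <FixCategories>NonBreaking</FixCategories>
    <Url /><Email /><Owner />
  </Rule>
</Rules> */
```

Build the class library against Microsoft.FxCop.Sdk.dll and FxCopCommon.dll from the FxCop folder, then load the resulting assembly in the FxCop project through Project > Add Rules to see it next to the built-in rules.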

But then we have the Code Analysis tool also! For the less informed, you can configure it when you click on project properties, where we have a tab that deals with it.

[screenshot: Code Analysis tab in project properties]

So what's the difference? They each cover the same basic subset of rules, but each has some distinct rules that the other doesn't catch.