Threats, Risks, Security – OWASP?

For those who are new to security (and by security I don't mean authentication and authorization alone), this may be an eye opener. Heard about CSRF and XSS? There are more, in case you read on. Read this for an eye opener about some crazy stuff (http://www.troyhunt.com/2014/10/find-crazy-stuff-in-mobile-app.html). Troy has done some great stuff, and you can check out his Pluralsight video as well.

But there is something we all realise: we hardly give much importance to security until the shit hits the fan. There have been more and more cases of hackers stealing credit cards from retail merchants and publishing them, but we should all understand that they were able to do it because "Developers were ignorant". Not that I want to run away, I AM A DEV GUY too! But of late there is this new heat being generated that we are not giving adequate importance to these risks or vulnerabilities which can be exploited, and these security threats can soon be a nightmare you don't want to take! OK, enough said, now what? Where do I start?
Simple: heard of OWASP? You need to make sure that you pass these top 10 security risks. You can also go to owasp.org to learn more about it. Every year they publish the latest threats, and for different platforms as well. The top 10 threats of mobility are
https://www.owasp.org/index.php/Mobile_Top_10_2014-M10

OK, now that I know what my vulnerabilities are, how do I resolve them, or how do I include this in the SDL (software development lifecycle)? First, as a part of the process you can use the Threat Modeling Tool from Microsoft (it's free, in case you thought $$$ just now 🙂), which is basically a modeling tool like Visio, but one where you can see the vulnerable areas in the design phase itself, so that you are aware of your attack surface area and can try eliminating the vulnerable ones. You can download it from here.
http://www.microsoft.com/en-us/download/details.aspx?id=42518
Now, to fix these issues in code you can either Google, which by the way gives you a lot more options, or you can use a tool called Fortify from HP, which plugs into your Visual Studio and gives you recommendations based on OWASP rules, severity and other filters as well. But sadly it's paid, and so are tools like Checkmarx and Klocwork. OK, so that's bad news, but sure enough I can guarantee you that if you have the patience, Google has the answers to most of the OWASP risks that your application has. So, secure coding then 🙂

Visual Studio Productivity Power Tools for VS 2012

Well, for starters let me assume you are a poor dev like me and don't have access to ReSharper! In case you do, it has a lot of these features, which are now available free of cost in the Productivity Power Tools at visualstudiogallery.msdn.microsoft.com.

Let me quickly show you some of the features that stand out pretty instantaneously.

1. PresentOn/Off – type this into the Quick Launch and lo, you get the power of ZoomIt 🙂

2. You can now edit a project file by right-clicking on the project.

3. Browse to a definition by holding Ctrl and left-clicking.

4. Email code snippets by using the same option in the context menu.

5. Now you can find duplicate code snippets by selecting the option "Find Matching clones in solution" in the context menu.

Also, there are other features like Auto Brace Completion, Open Command Prompt and HTML Copy.
So go ahead and give it a download!!

XML Diff – Compare XML Tool

Well, of late I have been having a torrid affair with XML, as the data that flows across into my modules is XML. And so I had to do a series of tests on it to validate the modifications we were doing on the input XML. Hence started my hunt for an XML-related tool to compare two XMLs. After searching for some time I understood that the overwhelming favourite was XMLDiff. So here goes the simplest of all tools. All you need to do is

1) Download the tool from here.
2) Install the xmldiffpatch.exe
3) Go to $:\Program Files (x86)\XmlDiffPatch\Bin where you will find xmldiffpatch.dll
4) Include it in your project as an assembly reference and you are ready to code.

A basic, simple one that I used is the following overload of Compare on the XmlDiff class: public bool Compare(XmlNode sourceNode, XmlNode changedNode). The code for it goes as follows.


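using System.Xml;
using Microsoft.XmlDiffPatch; // from xmldiffpatch.dll

// The element tags of both strings were stripped from this page. The element
// names below are placeholders; only the text values and their order are original.
string original =
@"<book><title>SHERLOCK HOLMES</title><author>CONAN DYLE</author><publisher>WILEY</publisher></book>";
string modified = @"<book> <author>CONAN DYLE</author> <publisher>WILEY</publisher> <title>SHERLOCK HOLMES</title> </book>";

// Load the modified XML; DocumentElement.ParentNode is the document node itself.
XmlDocument document = new XmlDocument();
document.LoadXml(modified);
XmlNode newNode = ((document).DocumentElement).ParentNode;

// Load the original XML the same way.
XmlDocument document1 = new XmlDocument();
document1.LoadXml(original);
XmlNode originalNode = ((document1).DocumentElement).ParentNode;

// Ignore child order, namespaces and prefixes when comparing.
XmlDiff xmldiff = new XmlDiff(XmlDiffOptions.IgnoreChildOrder | XmlDiffOptions.IgnoreNamespaces | XmlDiffOptions.IgnorePrefixes);
bool bIdentical = xmldiff.Compare(originalNode, newNode);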

As you can notice, I have spaces in between tags and the ordering of the child elements is not the same, but still they will compare and return TRUE.
There is another overload of the Compare() method, which takes in two file locations. But I didn't like to pass paths of two different files, as I thought it was cumbersome, hence I took the overload with XmlNode as parameters.
There are several other overloads to try out, as well as the Diffgram: the changes between two XML documents are described in a document called an XDL Diffgram. Yet to try that out, but it looks like a lot of fun with the Diffgram.
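The Diffgram overload mentioned above, as an added example that is not code from the original post: it uses the Compare(XmlNode, XmlNode, XmlWriter) overload and parses both inputs with DTD processing prohibited, which is the setting to use when the XML arrives from another system. The element names, the sample values and the LoadHardened helper are constructed for illustration, and xmldiffpatch.dll is assumed to be referenced.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;
using Microsoft.XmlDiffPatch; // from xmldiffpatch.dll

static class XmlDiffgramExample
{
    // Hypothetical helper: parse XML text with DTDs rejected and no external
    // resolver, so incoming XML cannot expand entities or fetch remote resources.
    static XmlDocument LoadHardened(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    static void Main()
    {
        // Constructed sample documents: child order differs and one value changed.
        string original = "<book><title>SHERLOCK HOLMES</title><publisher>WILEY</publisher></book>";
        string modified = "<book> <publisher>PENGUIN</publisher> <title>SHERLOCK HOLMES</title> </book>";

        var diff = new XmlDiff(XmlDiffOptions.IgnoreChildOrder |
                               XmlDiffOptions.IgnoreNamespaces |
                               XmlDiffOptions.IgnorePrefixes);

        var diffgram = new StringBuilder();
        bool identical;
        using (var writer = XmlWriter.Create(diffgram, new XmlWriterSettings { Indent = true }))
        {
            // Same XmlNode comparison as above, plus a writer that receives the XDL Diffgram.
            identical = diff.Compare(LoadHardened(original), LoadHardened(modified), writer);
        }

        Console.WriteLine("Identical: " + identical);
        Console.WriteLine(diffgram.ToString());
    }
}
```

A document that carries a DOCTYPE makes LoadHardened throw an XmlException instead of being compared, so a test harness should treat that exception as a rejected input rather than as a difference.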