Running a free copy of SecureCI in the Amazon cloud

December 15th, 2011

Coveros has been offering downloadable copies of our integrated SecureCI™ platform as a VMware™ virtual machine image for quite a while now. SecureCI is an integrated stack of tools that provides version control, wiki, project/issue management, and code analysis to enable the development of high quality, secure applications. For more information about the history of SecureCI, read Gene Gotimer’s original SecureCI post about the rationale behind creating the integrated platform.

Unfortunately, not everyone always has a hearty machine readily available where they can plop a VM in their local environment. Furthermore, even fewer have direct access to larger, generally available VMware server infrastructure that can be used to host a shared VM for more than their own local use.  The wide breadth of inexpensive, publicly available cloud computing infrastructure becomes a great solution to this problem. Amazon Web Services’ Elastic Compute Cloud (EC2) is a perfect example of this. Even better: Amazon has an ongoing deal (Amazon Free Usage Tier) that allocates one free “micro” instance of a full-time running server for 12 months along with 10GB of disk space and an adequate amount of network bandwidth.

SecureCI: Enforce Formatting On Your SVN Comments

November 8th, 2011

Most of us like things done the right way and (more often than not) our way. Nothing is more infuriating than looking through poorly documented logs or code and trying to work out what the author meant to say.

During development we often set up good coding practices that include documenting and commenting what is going on, and we agree on the format in which comments should be written. In many organizations, this is where keeping those good practices stops. In most organizations I’ve worked for, developers rarely submit good, formatted notes with their code, if they submit documentation at all. So here is a quick and simple method to enforce good commenting standards for your organization using SecureCI. If you haven’t downloaded SecureCI, this is your time to try it out!

Example Development Process

When I’m looking through SVN logs for a specific revision, I like to know that the log message tells me everything I need to successfully revert my repository to the correct revision. I want to know that whenever a developer submits code, it can be traced back to a specific ticket in Trac. The best way to do this is with a simple pre-commit check.

Continuous Delivery Means Deployment is a Business Decision

May 26th, 2011

The focus of continuous delivery isn’t just about being quicker when developing and deploying, but rather delivering business value continuously. And we only see business value from software when it is made available to end users.


Continuous Delivery = Better Software, Faster

May 3rd, 2011

On my current project we have started working on a continuous delivery process. We started moving that direction as a way to improve and extend our development feedback loop, but really ended up with a way to deliver better software and to deliver it faster and more often with less risk.

If you haven’t had the opportunity to read through the Continuous Delivery book by Jez Humble and David Farley, I recommend making the time to do so. We have been proponents of continuous integration (CI) for a long time, and when we started reading the Continuous Delivery book, a lot of the suggestions just seemed like the next logical steps. Many of the pieces of the process were things we had always seen as future improvements, but had never gotten around to them.

Duplicate Code Detection with PMD CPD

May 20th, 2010

I’ve previously written about PMD, a static code analysis tool that examines Java source files and can detect potential problems. Another significant piece of PMD is called CPD, the copy/paste detector. CPD can look through Java, JSP, C, C++, Fortran, or PHP source code files and find sections of code that are repeated. By using CPD to analyze your source code you can identify duplicate code that might be suitable for refactoring.

CPD can ignore differences in literals (e.g., same method with different hard-coded constants) and differences in identifiers (e.g., same method but different variable names). It can also be configured to ignore duplicated blocks of less than a certain size.

Like PMD, CPD can be run from the command-line, but is more often invoked from Maven, Ant, or by your IDE.

Building Security In Using Continuous Integration

March 21st, 2010

Coveros recently published an article in the March/April 2010 edition of CrossTalk. The article is entitled “Building Security In Using Continuous Integration.”

Building security into software is harder than it should be. This article explores a way to align application security practices with other software development best practices in order to make building security in easier to manage and more cost effective. In particular, this article looks at combining continuous integration (CI) with security testing and secure static code analysis.

OWASP Top 10 – SQL Injection

November 19th, 2009

Since my last article on XSS, the OWASP organization has released a new Top 10 for 2010 and has placed injection attacks in the number 1 spot. Now that XSS and SQL injection have swapped positions, I will continue the article series using the new Top 10 list. You can find the new OWASP Top 10 Release Candidate list here.

To begin, SQL injection is a class of injection flaw in which an application accepts untrusted data and passes it to the database as part of a command or query. The attacker targets the application rather than the server or its running services. This vulnerability generally occurs because the application does not filter user input before building the query.

OWASP Top 10 – Cross-Site Scripting (XSS)

November 13th, 2009

In my introductory article, I said I would explain each vulnerability in the OWASP Top 10 for you. The first on the list is Cross-Site Scripting (XSS).

Websites today are very advanced and contain lots of dynamic content, that is, information on a web site that is generated on the fly. Dynamic content is usually seen on forums, ecommerce sites, and online catalogs. Dynamic websites can be vulnerable to a threat called Cross-Site Scripting (also known as XSS).

Three Questions Developers Need To Ask

November 12th, 2009

While performing software security assessments, I have all too often run into developers who are constantly trying to explain away vulnerability findings. They spend way too much time trying to justify the code they have written and explain why it doesn’t need to be changed. All kinds of reasons are given. For example, “The access is guarded by a network security device. If an intruder gains access to this we have bigger problems to deal with.” While this could be true, it is a mode of thinking that can lead to disaster when code is not written to be defensive.

I’d like to challenge developers to lay aside the “it can’t happen” attitude and instead have a “what if it does happen” mindset. Use the energy that it takes to explain away a risk to come up with a solution that will avoid the problem should it arise.

Web Application Security: OWASP Top 10

October 21st, 2009

The OWASP Project

The Open Web Application Security Project (OWASP) is a worldwide community focused on improving the security of web applications. One project developed by OWASP is the OWASP Top 10, a list of the most serious web application vulnerabilities. Obviously, there are innumerable ways to hack a web application, but this list contains the most common and well-known vulnerabilities that you should protect your web applications against. Over the next few weeks, I will break down each vulnerability in the Top 10 list to help you understand what they are, how they can be exploited, and what you can do to fix them.