Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 2 years ago.
Improve this question
I have personally completed a development with Hyperledger Fabric for a project that will go live in a few months.
I must say that the main difficulties encountered were:
Very varied technological stack: scripting, dockerization,
cryptography, ...
Conceptually complex technology
Very few resources beyond the official documentation
I would very much like to know what difficulties you have encountered. Which is your top 3 list?
I personally missed hyperledger-composer.
I totally agree with you on the first point, I felt particularly as a chain-code developer frustrated about the variety of technical skills that are supposed to be mastered in order to bootstrap a network to test things like private data collection or programmatic access-control.
I also felt overwhelmed when I was recruited into a company where I was supposed to perform development and operations by myself when these two technical roles are widely different and large to be performed by the same person.
But I don't agree with you for the second point. Distributed systems in general are complex because of the very nature of the problem they are addressing ( Double Spending ) not to mention Distributed Ledger Technology which takes it a step further. Understanding the complex software architecture may help you develop a more sophisticated and strong opinion, particularly when you address fields like software architecture later.
I partially agree with you for the third point because it is a sad truth about any fancy technology related to Open Source Project. (Documentation is good in itself, but lacks a lot of structuring and remain sometimes unclear)
So for me, the first three difficulties would
Technical skills related to DevOps and Security
Unclear Documentations
Confusion of Recruiter about the different technical roles needed to build and maintain a HyperLedger Fabric Project
I faced difficulties due to:
They mentioned some architectural procedures on their documents, but they did not implemented those security related issues on version 1.x where they implemented most of those on version 2.x. They just hide their lacking on version 1.x but at least they may mentioned those as their future implementation. They may do this for marketing purpose but I faced tough situations to handle those.
Lack of proper official documentations, very few resources beyond the official documentation
My knowledge gap on DevOps and public key cryptography
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking us to recommend or find a tool, library or favorite off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it.
Closed 8 years ago.
Improve this question
I've never tried to hack sites. I've just followed security guidelines. Now I want to try to develop more safety.
Is there are any "training sites" with holes and "exercises", with SQL injections, redefining global variables, XSS and other kind of holes. Kind of hacker sandbox.
Pop across to this question on vulnerable Operating Systems at Security Stack Exchange or this one on vulnerable servers for penetration testing (especially this answer which has an awesome list)
We have a few questions around this topic or Security Education in general, adn as a growing resource for IT and Information Security it could be well worth you popping over.
Snippet of content from over there:
http://www.irongeek.com/i.php?page=security/wargames
WebGoat. WebGoat is a set of
deliberately insecure Java server
pages
http://www.hackthissite.org/
http://www.smashthestack.org/wargames.php
from their FAQ
The Smash the Stack Wargaming Network hosts several Wargames. A
Wargame in our context can be
described as an ethical hacking
environment that supports the
simulation of real world software
vulnerability theories or concepts and
allows for the legal execution of
exploitation techniques. Software can
be an Operating System, network
protocol, or any userland application.
Blockquote
http://www.astalavista.com/page/wargames.html
http://www.governmentsecurity.org/forum/index.php?showtopic=15442
http://www.overthewire.org/wargames/
the list is long... some are up, some
not...
Update 26 Feb 2011, i found a nice
post from
http://r00tsec.blogspot.com/2011/02/pentest-lab-vulnerable-servers.html
. Some links might be broken. I copy
from there:
Holynix Similar to the de-ice Cd’s and
pWnOS, holynix is an ubuntu server
vmware image that was deliberately
built to have security holes for the
purposes of penetration testing. More
of an obstacle course than a real
world example.
http://pynstrom.net/index.php?page=holynix.php
WackoPicko WackoPicko is a website
that contains known vulnerabilities.
It was first used for the paper Why
Johnny Can’t Pentest: An Analysis of
Black-box Web Vulnerability Scanners
found:
http://cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf
https://github.com/adamdoupe/WackoPicko
De-ICE PenTest LiveCDs The PenTest
LiveCDs are the creation of Thomas
Wilhelm, who was transferred to a
penetration test team at the company
he worked for. Needing to learn as
much about penetration testing as
quickly as possible, Thomas began
looking for both tools and targets. He
found a number of tools, but no usable
targets to practice against.
Eventually, in an attempt to narrow
the learning gap, Thomas created
PenTest scenarios using LiveCDs.
http://de-ice.net/hackerpedia/index.php/De-ICE.net_PenTest_Disks
Metasploitable Metasploitable is an
Ubuntu 8.04 server install on a VMWare
6.5 image. A number of vulnerable packages are included, including an
install of tomcat 5.5 (with weak
credentials), distcc, tikiwiki, twiki,
and an older mysql.
http://blog.metasploit.com/2010/05/introducing-metasploitable.html
Owaspbwa Open Web Application Security
Project (OWASP) Broken Web
Applications Project, a collection of
vulnerable web applications.
http://code.google.com/p/owaspbwa/
Web Security Dojo A free open-source
self-contained training environment
for Web Application Security
penetration testing. Tools + Targets =
Dojo
http://www.mavensecurity.com/web_security_dojo/
Lampsecurity LAMPSecurity training is
designed to be a series of vunlerable
virtual machine images along with
complementary documentation designed
to teach linux,apache,php,mysql
security.
http://sourceforge.net/projects/lampsecurity/files/
Damn Vulnerable Web App (DVWA) Damn
Vulnerable Web App is a PHP/MySQL web
application that is damn vulnerable.
Its main goals are to be an aid for
security professionals to test their
skills and tools in a legal
environment, help web developers
better understand the processes of
securing web applications and aid
teachers/students to teach/learn web
application security in a class room
environment. www.dvwa.co.uk/
Hacking-Lab This is the Hacking-Lab
LiveCD project. It is currently in
beta stadium. The live-cd is a
standardized client environment for
solving our Hacking-Lab wargame
challenges from remote.
http://www.hacking-lab.com/hl_livecd/
Moth Moth is a VMware image with a set
of vulnerable Web Applications and
scripts, that you may use for:
http://www.bonsai-sec.com/en/research/moth.php
Damn Vulnerable Linux (DVL) Damn
Vulnerable Linux is everything a good
Linux distribution isn’t. Its
developers have spent hours stuffing
it with broken, ill-configured,
outdated, and exploitable software
that makes it vulnerable to attacks.
DVL isn’t built to run on your desktop
– it’s a learning tool for security
students.
http://www.damnvulnerablelinux.org
pWnOS pWnOS is on a “VM Image”, that
creates a target on which to practice
penetration testing; with the “end
goal” is to get root. It was designed
to practice using exploits, with
multiple entry points
http://www.backtrack-linux.org/forums/backtrack-videos/2748-%5Bvideo%5D-attacking-pwnos.html
http://www.krash.in/bond00/pWnOS%20v1.0.zip
Virtual Hacking Lab A mirror of
deliberately insecure applications and
old softwares with known
vulnerabilities. Used for
proof-of-concept /security
training/learning purposes. Available
in either virtual images or live iso
or standalone formats.
http://sourceforge.net/projects/virtualhacking/files/
Badstore Badstore.net is dedicated to
helping you understand how hackers
prey on Web application
vulnerabilities, and to showing you
how to reduce your exposure.
http://www.badstore.net/
Katana Katana is a portable multi-boot
security suite which brings together
many of today’s best security
distributions and portable
applications to run off a single Flash
Drive. It includes distributions which
focus on Pen-Testing, Auditing,
Forensics, System Recovery, Network
Analysis, and Malware Removal. Katana
also comes with over 100 portable
Windows applications; such as
Wireshark, Metasploit, NMAP, Cain &
Able, and many more.
www.hackfromacave.com/katana.html
Google has just the thing, try Gruyere
This codelab is built around Gruyere /ɡruːˈjɛər/ - a small, cheesy web application that allows its users to publish snippets of text and store assorted files. "Unfortunately," Gruyere has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The goal of this codelab is to guide you through discovering some of these bugs and learning ways to fix them both in Gruyere and in general.
If you're a Java man you should take a look at WebGoat:
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
If you're more into MySQL/PHP have a look at HackThisSite:
http://www.hackthissite.org/
I've always had a lot of fun with HackThisSite.
Acunetix provides several sites that demonstrate vulnerabilities in various technologies:
http://testphp.vulnweb.com/
http://testaspnet.vulnweb.com
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking us to recommend or find a tool, library or favorite off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it.
Closed 9 years ago.
Improve this question
in these days, i'm interested in software security. As i'm reading papers i see that there are many attacks and researchers are trying to invent new methods for softwares to get more secure systems.
this question can be a general including all types of attacks.There are many experienced programmers in SO, i just want to learn what are using to check your code against these attacks ? Is there any tools you use or you don't care ?
For example i heard about static/dynamic code analysis and fuzz testing.
SQL injection attacks
Cross Site Scripting
Bufferoverflow attacks
Logic errors
Any kind of Malwares
Covert Channels
... ...
thanks
I'm going to focus on web application security here...
Really you want to get used to manually trawling through a website/application and playing with various parameters etc. so proxy tools are of great help (they allow you to capture and interact with forms, before they reach the server):
LiveHTTPHeaders - FireFox plugin.
Burp Proxy - Java based.
Obviously there becomes a point where manually crawling a whole website becomes rather time consuming/tedious and this is where automated scanning tools can be of help.
Black box:
WebSecurify - not used it but it's been created by a well known web app security guy.
Skipfish - Google released this recently so it's probably worth a look.
And there are many other commercial tools: WhiteHat Sentinel, HP Web Inspect and probably many others I can't remember.
White box:
A lot of the academic research I've seen is related to static code analysis tools; I've not used any because they all focused on PHP only and had some limitations.
Other resources:
ha.ckers.org - great blog, with an active forum related to web app sec.
OWASP - as perviously mentioned, there are lots of insightful articles/guides/tutorials here.
If you want to learn more about manually attacking sites yourself the Damn Vulnerable Web App is a nice learning project. By that I mean, it's a web application that is written to be deliberately insecure, so you can test your knowledge of web application security vulnerabilities legally.
I wrote a black box scanner in Perl for my third year dissertation which was quite an interesting project. If you wanted to build something yourself it really just consisted of:
crawler
parser
attacker
Something that you haven't mentioned but I think is important: code reviews.
When you're just trying to implement something as fast as you can it is easy to overlook a security issue. A second pair of eyes can pick up many problems or potential problems, especially if the reviewer is experienced at spotting typical security holes.
I believe that it is possible in many cases to do manual code reviews without special tools. Just sit together at the same computer or even print out the code and do the review on the paper copy. But since you specifically asked for tools, a tool to help with manual code review is Rietveld. I haven't used it myself, but it is based on the same ideas used internally at Google (and written by the same guy, who also happens to be the author of Python).
Security is definitely a concern and developers should at least be aware of common vulnerabilities (and how to avoid them). Here are some resources that I find interesting:
OWASP Top 10 for 2010
OWASP Guide for Secure Web Applications
OWASP Testing Guide v3
There are 2 types of software defects that can cause security problems: implementation bugs and design flaws.
Implementation bugs usually appear in a specific area in the code, they are relatively easy to detect and (usually) not too complicated to fix. You can detect (most) of these with automated tools that do static code analysis (tools like Fortify or Ounce) although these tools are expensive. With that said, you still have to remember that there are no "silver bullets" and you cannot not blindly rely only on the tool output without some sort of manual code review to confirm/understand the real risk behind the issues the tool reports.
The other problem is design flaws, that's another story. They are usually complex issues that are not consequence of a mistake in the code but poor choice in the design or architecture of the application. Those cannot be identified by an automated tool and really can only be detected manually, by a code/design/architecture review. They are usually very hard and expensive to fix passed the design phase.
So I recommend, reviewing your code for implementation bugs that can have impact on security (code review using automated tools like Fortify/Ounce + manual review of tool results) and reviewing your design for security flaws (no tools for this, has to be done by someone who knows about security).
For a good read on software security and the complexity behind designing secure software, check Software Security: Building Security In, by Gary McGraw (amazon link)
I use tools to aid in the hunt for vulnerabilities, but you can't just fire off some test and assume everything is okay. When I am auditing a project I look at the code and I try and get a feel for the programmers style and skill level. If the code looks messy then chances are they are a novice and they will probably make novice mistakes.
It is important to identify security related functions in a project and manually audit them. Tamperdata is very helpful for manual auditing and exploit development because you can build custom http requests. A good example for manual auditing for PHP is: Are they using mysql_real_escape_string($var) or are they using htmlspecialchars($var,ENT_QUOTES) to stop sql injection? (ENT_QUOTES doesn't stop backslashes which is just as dangerous as quote marks for mysql, mssql is a different story.) Security functions are also places for "Logic errors" to crop up, and no tool is going to be able to detect this, this requires manual auditing.
If you are doing web application testing then Acunetix is the best testing tool you can use. Wapiti is a very good open source alternative. Although any tool can be used improperly. Before you do a web application test make sure error reporting is turned on, and also make sure you aren't suppressing sql errors, such as with a try/catch.
If you are doing Automated Static Code Analysis for vulnerabilities such as Buffer Overflows then Coverity is the best tool you can use(Fortify is nearly identical to Coverity). Coverity costs tens of thousands of dollars, but big names like the Department Of Homeland Security uses it. RATS is a open source alternative, although Coverity is far more complex of a tool. Both of these tools will produce a lot of false positives and false negatives. RATS looks for nasty function calls, but doesn't see if its still safe. So RATS will report every call to strcpy() strcat() sprintf(), but these can be safe if for instance you are just copying static text. This means you will have to dig though a lot of crap, but if you are doing a peer review then RATS helps a lot by narrowing the manual search. If you are trying to find a single exploitable vulnerability in a large code base, like Linux, then Rats isn't going to help much.
I have used Coverity and their sales team will claim it will "detect ****ALL**** vulnerabilities in your code base." But I can tell you from first hand experience that I found vanilla stack based buffer overflows with peach that Coverity didn't detect. (RATS did however pick up these issues, along with 1,000+ other function calls that where safe...) If you want a secure application or you want to find an exploitable buffer overflow then Peach is the platform tool you can use to build the tools you need.
If you are looking for more exotic memory corruption issues such as Dangling Pointers then Valgrind will help.
There's bunch of web application security scanners in the market
Take a look at this list:
WASC - Web application security scanner list and Netsparker Community Edition : which is the free version of Netsparker.
A tool doesn't know if your code is insecure.
Only you do (and the attackers).
At best the tool will spot a few vulnerabilities of one type in your code and make you realize you never protected against that type of vulnerability, but you will still have to go clean up all the instances the tool missed.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 8 years ago.
Improve this question
We are developing a web application using Spring framework and Hibernate ORM. As far as application security is concerned we are using acegi to provide authentication and authorization support.
Now about user input sanitation, we have tried to take take care about attacks like XSS and sql injections. We have tried to use as much as prepared statements and hibernate criteria for database updates and queries. Inputs are sanitized for javascript also.
For testing these we have tried to use tools like Firebug, Tamper IEand Fiddler2 etc.
We have also used tools like Watch Mouse to do vulnerability tests.
What are the other tools available for web application security and what are the things to be considered before starting a web applications security testing.
Thanks you
HP has a security assessment tool called Webinspect, but it not free and I wouldn't recommend it. Either my company doesn't know how to use it, or the tool has no consistency in finding vulnerabilities.
You're better off hiring an actual pen-testing contracting agency to look for vulnerabilities in your site. Sure, you could run automated scanners, but they can only do so much. You'll probably waste more money and resources attempting to learn and implement proper pen testing then you would just hiring someone else to do it.
The fact that you're asking this question means that you are not qualified to give the kind of confidence or complete coverage a commercial application would need before launch.
You can use AppScan, but its not free.
Burpsuite is an amazing tool for web application testing.
I do agree with hiring an outside team however, but if your company cannot/will-not, put a weekend into getting familiar with BurpSuite and you will undoubtedly find some bugs.
I agree with those who have encouraged you to look to an outside pen testing firm, if you want the best results now.
That said, one of the best all-around web app pen testing tools I have used is Burp Suite (portswigger.net). There is a free version that gives you most of the functionality, but investing $400 in the Pro version, which adds a vulnerability scanner and the ability to save state, is well worth it.
In addition, you should become very familiar with the OWASP organization (owasp.org), and the information/tools they make available for web app security. The Cheat Sheets and the Testing Guides can be very helpful, if you know how to use them.
Finally, if you are determined to build up your own application security team, then you should consider hiring some folks with extensive application security experience as well as a background in software development. There is more to application security than security testing. Static security code analysis and threat modeling are just two of the other areas you should be thinking about.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 5 years ago.
Improve this question
I have a team of developers distributed Globally over different time zones.
what are the best tools to achieve maximum productivity in such a team?
I am looking for:
Source Control
Bug Tracking
Build Management
Any other thing that may help
Thanks
For the first two:
Distributed source control, like git
A good issue tracking tool, like Jira
This question is underspecified. Many packages exist for each category that you list, all designed to support collaboration across people distributed globally over different time zones.
So I can make a recommendation, based on open-source tools that have worked for me in the past. You may have specific needs that require more specific solutions, but you didn't mention them. Also, for productivity, it is useful if people can continue to use tools they are familiar with, and you didn't explain what tools your people already know.
In any case, here is my recommendation:
use Subversion for source control
use Roundup as the bug tracker
use make for the build management, use Buildbot for automated, distributed builds
use mailing lists, based on Mailman
For .NET environment:
SVN server: VisualSVN server (free)
SVN client: AnkhSVN 2.0 (open-source)
Continuous Integration: CruiseControl.Net (open-source)
Bug tracker: BugTracker.NET (open-source). But if you can, i would recommend Trac.
I am very satisfied with Assembla - they host SVN server and Trac for your projects for very reasonable prices (or for free if the oproject is public).
Consider Fogbugz for bug tracking. It's helpful.
As source control: why not a distributed system, like git (if you are not using Windows), Mercurial or Bazaar?
For bug tracking, I would go on Trac - it has also an integrated Wiki, that is always useful for project documentation.
As for build management, you could go on cruise control, or ant - I am not really expert on this side.
However, there is something you should really take into consideration: the main issue for distributed teams is not the toolset, is communication.
This is even more important in an "agile" setup, as suggested by your tag.
The best mitigation I have ever seen for this issue is videoconferencing. It is very effective for enhancing communication bandwidth in distributed teams, and with GTalk and Skype is now really inexpensive.
When you say "open source" do you just mean free software, or do you mean "I need/prefer to be able to see the source"?
Note that your decision will be influenced by the nature of your project. There are many free development/project hosting sites that require that your project must be an open source project and free/open to the public.
You may also choose to go with a particular hosting platform based on the language you are using to develop the project. For example, CodePlex (http://www.codeplex.com/) is a site that hosts open source .Net based projects, and Java.Net (http://community.java.net/projects/) hosts Java projects.
The other answers given to your question are solid, here is what I currently use or have used in the past:
A great continuous build tool JetBrains TeamCity. (http://www.jetbrains.com/teamcity/) The tool has out of the box support for many build tools as well as for building Visual Studio solutions out of the box. It is free for teams of 20 or less developers. It also has loads of functionality out of the box, and can be up and running for you in minutes - a remarkably low learning curve without cutting back on features.
A useful SVN repository which is free for two developers, and will save you the time of setting up and administering your own SVN repository is Unfuddle. (http://www.unfuddle.com) Unfuddle also has extra paid-for features and basic task tracking.
Another paid source repository is ProjectLocker (http://www.projectlocker.com) which has low priced SVN repositories and Trac integration for task management.
A useful task tracking tool is Remember The Milk (http://www.rememberthemilk.com) - it does not work on "tickets" like Trac, it is not only for tracking projects, but it does allow you to email each other tasks, and to have shared task lists. I also point them out because the product itself is developed by a distributed development team and you might want to try mail them for advice. :-)
All the best to your team!
A wiki is a must.
It helps as an asynchronous communication media between ans inside the teams. People can share their tips (eg how do I compile this, how to activate traces ... ). It can be used to gather design decisions or changes...
People can ask questions to the whole team without clobbering other mailboxes.
It can also be used to grow the documentation.
There is a gazillion of wiki's, pick one depending on what you plan to do with it.
I think you'll need a few more things to help out with this project than what you've asked.
First, I'll give my recommendations for your list:
Source control: git or svn, if yu use either of these, you'll need a way to let your developers know who checked in what and when, Trac is good for this for svn
Bug tracking: Trac (not Bugzilla), Mantis, FogBuz
Build Management: CruiseControl is great for continuous integration; if you need build scripts try Ant or Maven
Other things you will probably need:
Collaboration tool: Trac has a wiki or pick a wiki of your choice
Chat tools: Even though they are across timezones, instant communication will be needed. IRC, Jabber, Skype, which is great for video or audio calls over the internet.
Project management: you'll need a way to setup your releases (sprints if using Scrum) and your backlog. My favorite tool for this is Acunote: (http://www.acunote.com). There are some other out there but they are more expensive and you get all of the features that you probable don't need.
I hope this helps.
Yes I strongly believe that in distributed teams a tool is important. Communication is hard enough if you are not working locally together. A tool like e.g Agilo for Scrum that is based on trac offers you with a wiki, a planning board (online whiteboard) and supports you in this way to improve the communication with your colleagues.