Monday, August 1, 2016

Why it's time for a new approach to agile security Q&A with @MeeraSRao via @BetaNews

I did a Q&A with BetaNews titled "Why it's time for a new approach to agile security".

Take a look at it at the following link:

Link for Q&A

Defensive Programming for JavaEE Web Applications - Workshop in Kerala 18-Aug-2016

If you are in or around Kerala, come join me for a day-long workshop on "Defensive Programming for JavaEE Web Applications".

You can find all details about the workshop on the conference page located here:

http://is-ra.org/c0c0n/workshops#WS1

Monday, July 11, 2016

Overcoming the 6 Most Common Threat Modeling Misconceptions

Threat modeling promotes the idea of thinking like an attacker. It enables organizations to build software with security considerations from the start, rather than addressing security as an afterthought. However, there are some very common misconceptions that can cause firms to lose their grip on the threat modeling process. This eBook shines a light on the essentials and helps you get your bearings with all things related to threat modeling.

Download the complete eBook to:

  • Learn about the most common threat modeling misconceptions
  • Discover the 5 pillars of a successful threat model
  • Determine how to take control of your risk management process
The eBook is published on my company's website; you can download it from here:

Wednesday, June 15, 2016

How to Build Security Into Your Software Development Process

An amazing ebook. Download and let us know your thoughts!

To standardize the software development life cycle (SDLC), organizations implement development methodologies to fulfill their objectives in a way that best suits their organizational goals. Whether you use Agile, Waterfall, or something in between, building security into your SDLC can improve efficiency and reduce costs if it’s done the right way.
Download the complete eBook to:
  1. Learn how to add security to the various phases of your SDLC
  2. Understand how secure software development works in theory and in the real world
  3. Examine how to implement security activities with purpose
  4. See how to get started

Friday, May 20, 2016

Speaking @ Jenkins World 2016

I am excited and honored to be speaking at this year's Jenkins World 2016 Conference, to be held at the Santa Clara Convention Center, California, from September 13 to 15, 2016.

If you are passionate about security and Jenkins, then come see me talk at the conference.

I am giving a talk on "The Three Pillars Behind Continuous Security".

I have been using Jenkins from the day it was made public, when it was still called Hudson. No matter whether you are using Jenkins, Hudson, Bamboo or any other CI tool, this talk is definitely going to help you Build Security In.

Saturday, May 14, 2016

SECOND ANNUAL CYBERSECURITY WORKSHOP FOR WOMEN AND MINORITIES!

I am excited to be part of the panel and contributing to the "Second Annual Cybersecurity Workshop for Women and Minorities!" conference in Huntsville, Alabama.

The link to the page is attached below:

Conference Page

If you are in or around Huntsville, come join us.

Saturday, April 4, 2015

Women in Cyber Security

Last week, on Friday and Saturday, I attended and spoke at the Women in Cyber Security Conference (WiCyS). The conference took place in Atlanta, USA on March 27th and 28th. The main goals of the conference were:
  • Security professionals worldwide are expected to increase to nearly 4.2 million by 2015.
  • Women's representation in this male-dominated field of security is alarmingly low.
  • WiCyS expects to raise awareness about the importance and nature of cyber security careers.
  • It hopes to generate interest among students in considering cyber security as a viable and promising career option.
All of the keynote speakers were women in top positions in Cyber Security.
  • Jenn Lesser Henley, Facebook
  • Sherri Ramsay, CyberPoint
  • Phyllis Schneck, Department of Homeland Security
  • Angela Kay, Microsoft
I gave a Technical Presentation on "Know Your Enemy, and Yourself: Demystifying Threat Modeling".
I was amazed to see so many women and young college girls attend the conference. This being just the second year of the conference, there were 500 attendees, an interesting mix of students, professors and security professionals.


I am glad I was able to find the job that is my passion; I work like crazy and never complain, except about the traffic when I go to work.

If you know anyone who is interested in joining this profession, either here in the United States or in Bangalore, India, leave a comment and send me your resume.

Yes, you read that correctly. My company Cigital has a branch in Bangalore, India.

Friday, December 19, 2014

Getting All Maven Dependencies

If you run any static analysis tool for Java, you know how hard it is to get all the dependencies from a client. This is especially true if the application uses a Maven build. Most clients pull their artifacts from an internal Nexus repository, which makes it even harder to get hold of the libraries needed to compile.

During one such engagement, one of my team members was struggling to compile the code. And anytime you have compilation errors, many of the static analysis tools produce 0 findings.

That's when I sent this simple command line option to my team member, who in turn was able to ask the client to send them all the dependencies using this command. And this worked like a charm, we had all libraries required to compile the code, the tool was happy, we were happy and the client was happy as well.

So, here it is. First make sure you can compile the code without any errors.

From a command line within your project, run:

mvn clean compile

Next, once you have a clean compilation, run:

mvn dependency:copy-dependencies

This copies every dependency of the project, transitive ones included, into the target/dependency folder (target\dependency on Windows). By default the plugin copies all scopes, including test; add -DincludeScope=compile if you only want what the main code needs, which still includes the provided-scope libraries you compile against but never package. The plugin resolves everything through the project's own repository settings, so it is the client who has to run it inside their network.

Take a look at the target/dependency folder: you now have all the libraries needed to compile and can configure any tool to scan the code successfully.

Sunday, October 12, 2014

Apache Commons CLI - A Simple Example

As the saying goes, "Out of sight, out of mind": I was unable to remember how often I had used the Apache Commons CLI API in my developer days. Now that I mostly work on security engagements, when I was reminding one of our consultants to use command line options, I couldn't remember the name of Commons CLI.

As soon as I got back home from the client site, I fired up my laptop, and there it was: the code, written several years back, which used the Apache Commons CLI API.

The best way to keep these code examples accessible is to blog them here, so you have them handy anywhere in the world, right?

The Commons CLI has great documentation on its website. Take a look:

http://commons.apache.org/proper/commons-cli/

Follow the steps below to get it up and running in a few minutes:

1. Download Commons CLI from here:
http://commons.apache.org/proper/commons-cli/download_cli.cgi

2. Create a simple Main class.

3. In the Main class, use org.apache.commons.cli.Options to specify the command line options. For mandatory options, use .isRequired().

4. Add a description to each command line option.

5. Next, parse the command line input against the options you have set.

6. Finally, read the individual command line options from the CommandLine object. For the optional ones, check whether the argument was supplied with .hasOption before reading it.

7. Now run the jar file from the command line and you are all set. If a required option is not set, the program prints the help message.

8. If all the required options are specified, the program runs and prints its own message.
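The screenshots of the Main class did not survive, so here is an added example that is not the post's original code: a small scanner launcher that walks through steps 2 to 8 with one required option and two optional ones. It assumes Commons CLI 1.3 or newer, whose Option.builder() and DefaultParser replace the older OptionBuilder.isRequired() and GnuParser used in 2014; the option names, the validation of the input path and the "scanner.jar" name are made up for the illustration.

```java
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.CommandLineParser;
import org.apache.commons.cli.DefaultParser;
import org.apache.commons.cli.HelpFormatter;
import org.apache.commons.cli.Option;
import org.apache.commons.cli.Options;
import org.apache.commons.cli.ParseException;

/**
 * Added example, not the post's original Main class. Assumes commons-cli 1.3+
 * (Option.builder, DefaultParser). Option names and "scanner.jar" are made up.
 */
public class Main {

    /** Steps 3 and 4: declare each option, mark the mandatory one, describe all. */
    static Options buildOptions() {
        Options options = new Options();
        options.addOption(Option.builder("i")
                .longOpt("input")
                .hasArg()
                .argName("path")
                .required()            // the 1.3+ form of OptionBuilder.isRequired()
                .desc("file to scan (required)")
                .build());
        options.addOption(Option.builder("o")
                .longOpt("output")
                .hasArg()
                .argName("path")
                .desc("report file (default: report.txt)")
                .build());
        options.addOption("v", "verbose", false, "print progress while scanning");
        return options;
    }

    public static void main(String[] args) {
        Options options = buildOptions();
        CommandLineParser parser = new DefaultParser();
        CommandLine cmd;
        try {
            // Step 5: a missing required option makes parse() throw.
            cmd = parser.parse(options, args);
        } catch (ParseException e) {
            // Step 7: say what was wrong, then print the generated help text.
            System.err.println(e.getMessage());
            new HelpFormatter().printHelp("java -jar scanner.jar", options, true);
            System.exit(1);
            return; // unreachable, but needed so cmd is definitely assigned below
        }

        // Step 6: the required option is guaranteed present after a successful
        // parse; optional ones are checked with hasOption or given a default.
        Path input = Paths.get(cmd.getOptionValue("i"));
        String output = cmd.getOptionValue("o", "report.txt");
        boolean verbose = cmd.hasOption("v");

        // The parser only checks that the option was supplied; what it points
        // at is still untrusted input, so validate it before doing any work.
        if (!Files.isRegularFile(input, LinkOption.NOFOLLOW_LINKS) || !Files.isReadable(input)) {
            System.err.println("input must be an existing, readable regular file: " + input);
            System.exit(2);
        }

        // Step 8: all required options present, carry on with the real work.
        System.out.printf("Scanning %s, writing report to %s%s%n",
                input, output, verbose ? " (verbose)" : "");
    }
}
```

Compile it with commons-cli on the classpath and run it once with no arguments to see the step 7 help output, then with "-i pom.xml -v" to see step 8. A plain --help flag is left out deliberately: because Commons CLI validates required options during parse, a lone --help would be rejected before the program could act on it, so help in this program is reached through the ParseException path.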


That's all it is for using the Apache Commons CLI. Happy Coding.

Wednesday, August 27, 2014

Failed to execute goal com.github.searls:jasmine-maven-plugin

When you run a static analysis tool for security, such as IBM's AppScan Source or HP's Fortify SCA, and you see errors such as the following, the simplest way past them is to stop running your unit tests during that build.

 [ERROR] Failed to execute goal com.github.searls:jasmine-maven-plugin:1.3.1.3:test (run-jasmine-unit-tests-external-min) on project your-project-name: There were Jasmine spec failures. -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]

The code needs to be compiled and packaged, but the unit tests do not need to pass for the static analysis to produce good results. So, to get the static analysis tool running, use one of the following commands and you should be up and running.

To skip running the tests, use one of the commands below:

mvn clean compile package -DskipTests
mvn package -Dmaven.test.skip=true

The first still compiles the test sources but does not execute them; the second skips compiling the tests as well, which is the one to use when the test code itself is what fails to build. Either way, keep the tests enabled in your normal build: skipping them is a workaround for the scan build only.

Monday, July 21, 2014

Unrecognized or invalid command line argument '-disable-sourcerendering'


If you are seeing the following error while scanning your projects using the Fortify Maven plugin, there is a simple fix.

[error]: Unrecognized or invalid command line argument '-disable-sourcerendering'
Fortify Static Code Analyzer 5.16.0.0042
Copyright (c) 2003-2013 Fortify Software

For command-line help, type 'sourceanalyzer -h'

[ERROR] Error invoking sourceanalyzer. Exit code: 1.
Verify your project settings and your SCA installation.

Open ScanMojo.java (class com.fortify.ps.maven.plugin.sca.ScanMojo) in the plugin source, and replace the following code:

if (!renderSources) {
    addArg("-disable-sourcerendering");
}

with the following lines:

if (!renderSources) {
    addArg("-disable-source-rendering");
}

Recompile, package and install the plugin using:

mvn compile package install

and rerun your scans. The accepted spelling of this flag depends on the SCA version you have installed, so if the plugin and SCA still disagree, run 'sourceanalyzer -h' (as the error message suggests) and use whichever form it lists.

Tuesday, January 7, 2014

Installing Maven Fortify Plugin

The Maven Fortify Plugin supports Maven 2.0.x, 2.2.x and 3.0.x. The plugin provides goals to translate, scan and upload using Fortify's Source Code Analyzer, or SCA as it is commonly called.

The source code of the plug-in ships in the Samples folder of the Fortify installation.

Make sure you have Maven installed.

If the Maven Fortify Plugin has never been installed, run the Maven clean, package and install phases from the plugin's source folder:

mvn clean package install

Once the command finishes, you should see the plugin jar successfully built under target.

At this point, you can browse your local Maven repository (the .m2 folder in your home directory) and see that the plugin has been installed there.

Now that the plugin is installed, you can translate and scan all your Maven projects with Fortify.

A few other posts on Fortify can be found here:

Wednesday, August 21, 2013

Job Openings @ Cigital

Cigital currently has 29 different openings across different locations. We are actively recruiting, with critical needs in Texas, London, and for Managing Consultants. You'll find detailed descriptions for these on our website. Leave a comment here, and I can send you an email to get your resume.

Technical Manager - Santa Clara

Managing Consultant - Chicago, Dallas, London, New York, Santa Clara, Toronto

Sales Director - Houston

Associate Consultants - Bloomington, Boston, Dulles and New York

Interns - Bloomington, Boston, Dulles and New York

Security Consultants - Boston, Dulles, London, Minneapolis

Sr. Security Consultant - Dulles, London and Santa Clara