Data loss protection for source code

Scopes of Data loss in SDLC
In a post-Wikileaks age, software engineering companies should probably start sniffing their development artifacts to protect the customer’s interest. From the requirement analysis document to the source code and beyond, the different software artifacts contain information that clients will consider sensitive. The traditional development process has multiple points for potential data loss – external testing agencies, other software vendors, consulting agencies etc. Most software companies have security experts and/or business analysts redacting sensitive information from documents written in natural language. Source code is a bit different though.

A lot of companies do have people looking into the source code for trademark infringements, copyright statements that do not adhere to established patterns, and checking that previous copyright/credits are maintained where applicable. Black Duck or Coverity are nice tools to help you with that.

Ambitious goal

I am trying to do a study on data loss protection in source code – sensitive information and/or quasi-identifiers that might have seeped into the code in the form of comments, variable names etc. The ambitious goal is to detect such leaks and automatically sanitize such source code (probably a replace-all is enough) while retaining code comprehensibility.

To formulate a convincing case study with motivating examples I need to mine a considerable code base and requirement specifications. But no software company would actually give you access to such artifacts. Moreover, the (academic) people who would evaluate the study are also expected to lack such facilities for reproducibility. So we turn towards Free/Open Source software. Sourceforge.net, Github, Bitbucket, Google Code – huge archives of robust software written by the sharpest minds all over the globe. However, there are two significant issues with using FOSS for such a study.

Sensitive information in FOSS code?

Firstly, what can be confidential in open source code? The majority of FOSS projects develop and thrive outside corporate firewalls without the need to hide anything. So we might be looking for the needle in the wrong haystack. However, if we can define WHAT sensitive information is, we can probably get around it.

There are commercial products like Identity Finder that detect information like Social Security Numbers (SSNs), Credit/Debit Card Numbers (CCNs), bank account information, or any custom pattern or sensitive data in documents. Some more regex foo should be good enough for detecting all such stuff …

#!/bin/sh
# Usage: ./scan.sh <source_dir>; sensitive_terms_list.txt holds one regex per line.
SRC_DIR=$1
while read -r term; do
        # grep the files directly so -H reports the real file name, not "(standard input)"
        grep -EHn --color=always -- "$term" "$SRC_DIR"/*
done < sensitive_terms_list.txt
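As an added example of the detect-and-sanitize idea above (not the post's own script, and in Python rather than shell): it scans a constructed source snippet for SSN, card-number and e-mail patterns, Luhn-checks card-number candidates to cut false positives, and replaces each hit with a typed placeholder so the surrounding code stays readable.

```python
import re

# Constructed sample (not from any real project): a source file with
# quasi-identifiers leaked into a comment and string literals.
SAMPLE_SOURCE = """\
# TODO: verify against acct for John Doe, SSN 123-45-6789
TEST_CARD = "4111 1111 1111 1111"   # live card used in UAT, remove before release
ORDER_REF = "1234 5678 9012 3456"   # looks like a card number but fails Luhn
SUPPORT_EMAIL = "jdoe@example-client.com"
def charge(card_number, amount):
    return gateway.charge(card_number, amount)
"""

# Detection patterns; CCN candidates are additionally Luhn-checked.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "CCN": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def is_leak(kind, token):
    """Drop CCN-shaped tokens that are not valid card numbers (e.g. order ids)."""
    return kind != "CCN" or luhn_ok(re.sub(r"[ -]", "", token))

def find_leaks(text):
    """Return [(line_no, kind, token)] for every sensitive-looking token."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            hits += [(line_no, kind, m.group()) for m in rx.finditer(line)
                     if is_leak(kind, m.group())]
    return hits

def sanitize(text):
    """Replace each leak with a typed placeholder; identifiers, structure and
    non-sensitive comments are left untouched so the code stays readable."""
    for kind, rx in PATTERNS.items():
        text = rx.sub(lambda m, k=kind: f"<REDACTED_{k}>" if is_leak(k, m.group())
                      else m.group(), text)
    return text
```

Running `find_leaks(SAMPLE_SOURCE)` reports the SSN, the valid test card and the e-mail but not the Luhn-failing order reference; `sanitize` rewrites only those three tokens.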

Documentation in FOSS

Secondly, the ‘release early, release often’ bits of FOSS make a structured software development model somewhat redundant. Who would want to write requirements docs or design docs when you just want to scratch the itch? The nearest thing in terms of design or specification documentation would be projects which have adopted the Agile model (or Scrum, say) of development. In other words, a model that mandates extensive requirements documentation be drawn up in the form of user stories and their ilk. being a trivial example.

Still Looking
What are some of the famous Free/Open Source projects that have considerable documentation closely resembling a traditional development model (or models accepted in closed source development)? I plan to build a catalog of such software projects so that it can serve as a reference for similar work that involves traceability between source code and requirements.

Possible places to look into: (WIP)
* Repositories mentioned above
* ACM/IEEE
* NSA, NASA, CERN

I would sincerely appreciate it if you leave your thoughts, comments, poison fangs in the comments section … 🙂

Pesky tasks with batch scripts

Scripting is an art. Nifty and subtle, wicked cool scripts can weave magic and startle compiled languages. When it comes to getting yet another pesky job done, scripting languages are your friend.

The batch scripting language is one of the ways the Windows operating system offers for writing small scripts without installing any additional language support. It is somewhat limited, with multiple shortcomings that do not make it fun. However, you can still get some interesting stuff done with it. Below are some pesky jobs that can still be done with batch scripts.

Pesky job 1 : Map a network drive

net use N: | find "OK"
if errorlevel 1 net use N: \\servername\path$ ******** /user:******* /persistent:yes

This will check whether drive N: is already mapped; if find does not see “OK” (errorlevel 1), it maps \\servername\path$ with the proper username/password values and keeps the mapping persistent across reboots.

Pesky job 2 : Copying files with a time stamp
Say we want to copy a file from one directory to another with the current date stamp in its name; it could be as simple as
copy help.txt Desktop\%date:~10,4%%date:~7,2%%date:~4,2%-chgs-1.txt

Truly ugly? Quite right.

Normally the date command would output

C:\Documents and Settings\Tatha>date
The current date is: Mon 11/17/2008
Enter the new date: (mm-dd-yy)

To use the date stamp, say in an echo statement, put the variable name within percent signs. To extract part of it, follow the name with “:~offset,number_of_characters”. For example

C:\Documents and Settings\Tatha>echo %date:~0,14%
Mon 11/17/2008

So, the copy command above would create a copy of help.txt in C:\Documents and Settings\Tatha\Desktop named 20081711-chgs-1.txt on 17th November 2008.

But wait, this won’t work on a Windows NT box. It seems the automatic variables DATE and TIME were not implemented until Windows 2000, so if you want a time stamp on an NT box you should

time /t >> file.txt

Pesky job 3 : Starting and stopping windows services gracefully
Another glitch I came across when running newer bat scripts on Windows NT is controlling Windows services. Consider the following snippet to stop a service named SomeAppServer (or someappserver) on a Windows XP box.

rem find sets errorlevel 1 when the service is not in the running list
net start | find "SomeAppServer"
if errorlevel 1 goto STOPPED
rem "if errorlevel 0" is always true; it only reaches here when errorlevel is 0 because of the goto above
if errorlevel 0 echo %date% %time% Attempting to Stop SomeAppServer >> log.txt
start /wait net stop "SomeAppServer" >> log.txt 2>&1
if errorlevel 1 echo %date% %time% SomeAppServer could not be stopped >> log.txt
:STOPPED
echo %date% %time% SomeAppServer is stopped >> log.txt
echo -- >> log.txt

However, if the service is actually named someappserver instead of SomeAppServer as written in the script, it would fail to stop the service on a Windows NT box. NT treats service names as case sensitive, and you need to supply the name exactly as it is listed.

Here are some good resources for batch scripting:
http://www.robvanderwoude.com/batchcommands.html
http://weblogs.asp.net/jgalloway/archive/2006/11/20/top-10-dos-batch-tips-yes-dos-batch.aspx

Moving on

Life has not been interesting enough to produce further gibberish adage for the last few months. At work I’m looking into a plethora of antediluvian technologies – but still keeping up with learning the new ones.

My white paper titled Security Concerns with Web Services was warmly appreciated and got published on our internal knowledge net. Though I cannot publish it anywhere else … I surely can share the helpful tools that I used to detect web service vulnerabilities.

With the tools listed below, some imagination and a desire to have fun, you can really get a good idea about web services security.

Tools for studying Web Services Security

  • WebGoat is an insecure J2EE application that provides a number of lessons for practicing commonly known security exploits.
  • SoapUI is a popular SOA and Web Services testing tool with a number of features like web service client code generation, mock service implementation, and Groovy scripting.
  • WS Fuzzer is a fuzzing penetration testing tool used against HTTP SOAP based web services. It tests numerous aspects (input validation, XML Parser, etc) of the SOAP target.
  • WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols.
  • LiveHTTPHeaders is a Mozilla plugin that provides all the information about the browser traffic.
  • Cryptcat is a lightweight version of netcat with integrated transport encryption capabilities.
  • Fiddler is an HTTP Debugging Proxy which logs all HTTP traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP traffic, set breakpoints, and “fiddle” with incoming or outgoing data.
  • TcpMon is a utility that allows the user to monitor the messages passed along in a TCP-based conversation.
  • cURL is a tool to transfer data from or to a server, using one of the supported protocols (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP or FILE). The command is designed to work without user interaction.

Most of the above tools come with neat documentation, so have fun!

On loss and new beginning

“How does it feel
How does it feel

To be on your own

With no direction home

Like a complete unknown

Like a rolling stone?”

I lost it. I lost it all.
Three years of electronic ranting, tales of code, help, pride, use, abuse, love, hate, lies, videos, pdfs, – fuck, the list is endless! It surely justifies taking a sick leave …
Andrew Grove says Only the Paranoid Survive. But he never says to get hyper-paranoid for survival. Well, no regrets brother – just lessons.
If you happen to have no clue which loss I’m talking about – you hardly know me. It’s my Google account – I forgot the password for it. The big G is the spinal cord of your online existence – once you snap from it your gmail, blog, orkut, notebook, reader, docs, everything refuses you as if you are some sort of a beguiler trying to steal the free services and be the next spam superstar!

Every loss makes you wiser. It’s like a tool that refreshes the old and paves the way for the new change. So …

Turn the clock to zero, boss
The river’s wide, we’ll swim across
Started up a brand new day

It could happen to you – just like it happened to me
There’s simply no immunity – there’s no guarantee
I say love’s such a force – if you find yourself in it
And sometimes no reflection is there”