Introducing FuzzDB

FuzzDB is an open source database of attack patterns, predictable resource names, regex patterns for identifying interesting server responses, and documentation resources. It’s most often used testing the security of web applications but can be useful for many other things. FuzzDB started off as years of my own personal documentation and research notes and gradually evolved into its current form.

Thinking About Test Cases

A lot of attention has been paid to identifying attackable surface areas, but less to the development of attack pattern libraries. When we dynamically test web applications for security vulnerabilities, how good are the test cases we’re using?

Commercial web scanning tool vendors put significant research effort into this problem, but the product of this research is considered intellectual property and locked up inside the application. As users, in order to learn what kinds of test cases are being generated, we would need to painstakingly record and analyze the tool's traffic. At the time I initially released FuzzDB, most open source web fault injection tools had sets of test cases which were woefully incomplete and inadequate. There are too many permutations of symbols and encodings used in web protocols for anyone to reliably and repeatably recall all of them. As for the commercial tools, how complete are their sets of test cases, anyway? It's not always easy to tell. What were they actually testing for? These tools aren't just test case lists; they're lists wrapped in complex sets of rules that determine which test cases to use when and where. After considering these details, I had some doubts about the effectiveness of the typical application testing process.

Introducing FuzzDB | Mozilla Security Blog

Webflow - Design Responsive Websites Visually

Webflow is an online responsive website builder that empowers designers to develop their own websites without depending on a web developer.

Instead of typing HTML & CSS into a text editor and checking it in a browser, designers can now build their custom website designs using a familiar interface. It's simply faster and easier than coding.

Screenshot of Webflow

Webflow is for the designers out there who are tired of bashing their heads against a text editor, trying to get their designs to work on the web. Webflow doesn't require you to know how to code to build fully custom responsive websites. It's also great for web designers who do know their way around code but want to speed up their workflows.

Easy interface to create responsive layouts

Main features of Webflow:
  • Drag & drop interface to create responsive layouts
  • All the styling properties from native web
  • CSS selectors and style cascading, allowing you to create shared styles and sophisticated layouts
  • Clean, production-ready HTML & CSS
  • Full website exports

7 Unlikely Recommendations for Startups & Entrepreneurs

#1: Marketing First; Product Second

This goes against every piece of wisdom you’ll find in the startup world, but I’ve seen it work and lived the experience at Moz.

If you build a great product and find that the market you thought would love it isn’t biting, you’re up a creek. You’ve invested valuable time, emotional energy, and likely financial resources to build something that isn’t getting traction, and even if you’re following lean startup principles, the real market often behaves very differently than your early adopter test customers.

But, if you build a marketing machine first, you are in an enviable position. Even if your early products don’t take off, you have a captive audience that’s returning again and again because you’re producing something of value (usually content, thought leadership, educational resources, unique data, or free tools). You can literally create wireframes or a slide deck-based product and see how your audience reacts.

Moz was built on the back of a blog. For the first 18 months of our “product,” we had very little except a few tools (many of which were available in free versions elsewhere on the web) and some guides I wrote. But, because we had a large audience – 10,000 marketers a day read the blog when we started our subscription in 2007 – we could iterate, grow, and learn with their help. By late 2008, we had a unique product that was pulling in subscribers far beyond just our community of blog readers. Without that “marketing first” approach, I’m skeptical if we ever could have gotten a product off the ground.

#2: Lean Development is Good, But MVPs Kinda Suck
The process of building something small and minimal, then iterating on it is a really good one. We've actually gotten away from that at Moz over the last couple years and are trying to rein it back in. But, there's a big caveat.

Computer scientists develop 'mathematical jigsaw puzzles' to encrypt software

UCLA computer science professor Amit Sahai and a team of researchers have designed a system to encrypt software so that it only allows someone to use a program as intended while preventing any deciphering of the code behind it. This is known in computer science as "software obfuscation," and it is the first time it has been accomplished. 

Sahai, who specializes in cryptography at UCLA's Henry Samueli School of Engineering and Applied Science, collaborated with Sanjam Garg, who recently earned his doctorate at UCLA and is now at IBM Research; Craig Gentry, Shai Halevi and Mariana Raykova of IBM Research; and Brent Waters, an assistant professor of computer science at the University of Texas at Austin. Garg worked with Sahai as a student when the research was done.

LESS – The Dynamic Stylesheet

You might have heard of LESS by now, and you might know it has something to do with CSS and styling websites, but I am quite sure that not many people really know what LESS actually is and why it is so special that it got its own name.

Unlike CSS, LESS is an open-source dynamic stylesheet language; its first version was written in Ruby, but that was later replaced by JavaScript. LESS is more complex than CSS, providing variables, nesting, mixins (reusable classes), operators and functions, and it allows real-time compilation in the browser via LESS.js. LESS can run on both the client and server side and can also be compiled into normal, plain CSS.

Meet lld - The LLVM Linker

lld is a new set of modular code for creating linker tools.

End-User Features:
  • Compatible with existing linker options
  • Reads standard Object Files (e.g. ELF, Mach-O, PE/COFF)
  • Writes standard Executable Files (e.g. ELF, Mach-O, PE)
  • Fast link times
  • Minimal memory use
  • Remove clang’s reliance on “the system linker”
  • Uses the LLVM “UIUC” BSD-Style license.

Applications:
  • Modular design
  • Support cross linking
  • Easy to add new CPU support
  • Can be built as static tool or library
Design and Implementation:
  • Extensive unit tests
  • Internal linker model can be dumped/read to textual format
  • Internal linker model can be dumped/read to a new native format
  • Native format designed to be fast to read and write
  • Additional linking features can be plugged in as “passes”
  • OS specific and CPU specific code factored out
Meet lld - The LLVM Linker | lld.llvm.org

Zipkin, from Twitter

A distributed tracing system

Zipkin is a distributed tracing system that helps us gather timing data for all the disparate services at Twitter. It manages both the collection and lookup of this data through a Collector and a Query service. We closely modelled Zipkin after the Google Dapper paper. Follow @ZipkinProject for updates.

Why distributed tracing?

Collecting traces helps developers gain deeper knowledge about how certain requests perform in a distributed system. Let's say we're having problems with user requests timing out. We can look up traced requests that timed out and display them in the web UI. We'll be able to quickly find the service responsible for adding the unexpected response time. If the service has been annotated adequately, we can also find out where in that service the issue is happening.

Zipkin, from Twitter | twitter.github.com