Monday, 26 June 2017

My Experience At AfricaHackon 2017 #AH2017 #AH4

AfricaHackon 2017 #AH2017 #AH4


AfricaHackon is one of the best information security conferences in Kenya, and every year everyone from the InfoSec community attends it. I have a great interest in security and hacking (though software development is all I do) and yes, I too look forward to the conference. Every year most of my friends who are into security attend AfricaHackon. It has been running for the last 4 years, and this year it was greater, bigger and different.

The Tickets

Getting tickets wasn't hard. Safaricom, staunch supporters of AfricaHackon, were the platinum sponsors and also provided a mobile payment platform, Paybill, which made it easy to pay for the tickets. Jambo Pay (a sponsor) provided the ticketing and online purchase of the tickets. Two ticket types were available: corporate and student pass. There was an offer for students of a minimum of 2k. This time tickets were available for purchase up to the last day. Being Kenyan, we love the last-minute purchase of tickets. The conference was hosted in one of the big five hotels in the city under the sun, Nairobi, 5 minutes from the CBD, about 3 km away. The scenery was amazing.

Conference


A week before the AfricaHackon conference there was a conference organised by CIO Africa, and it was more of a talk-and-presentation information security conference; being a techie, I shifted my focus to the AfricaHackon conference. Through the AfricaHackon website (https://africahackon.com/) the schedule of speakers was available, and the topics of discussion were amazing.

Most of the talks at AfricaHackon were great and very informative:

Day 1


  1. A 13-year-old doing a presentation on Internet Safety from a 13-year-old - Joseph Kyalo (Moi Education Centre)
  2. A talk by Michael Mbuthia – CIO KBA-IPSL
  3. PLENARY: Next level of Cyber Security for Africa: Thinking Proactively - this session opened our minds, and man, did we ask a lot of questions regarding the enacted ICT Bill
  4. The Enterprise Immune System – Darktrace: Eleanor Weaver. She did the best presentation on the Darktrace system: the use of AI in IDS systems.
  5. Phoenix SIEM (Security Information and Event Management) by Samuel Wachira - this is a Kenyan home-grown system by a local entrepreneur and techie who used to work at Rapid7
  6. Naked in Cyberspace: The Corporate CyberSpace Menace you don’t know by Jimmy Wayans - Jimmy, as always, reminding us that if we don't configure our systems well we are going to cry.
  7. Breaking the Core (The troubles of Mobile Banking) by Charles Muiruri (icrackthecode): he brought in the concept of secure software development of mobile apps, more so for banking mobile apps.
  8. Fuzzing BaseBand (Trigger Remote Actions on phone within 100m) by Jade Solomon (http://blog.0x7678.com/). Jade, a friend of many years, did his best at what he does; a good engineer in the GSM field, he took everything to the next level. He should have been a comedian, but well, that's Jade for you. He showcased how Dynamic Binary Instrumentation can be used to access the memory of an application and get details of a mobile app user. I will go back to using a scrambler, no smartphone, hehehehehe.


Day 2

Day two was more of a practical session, and without wait the sessions started straight at (.00 am.


  1. Anatomy of a Targeted Attack (Kill-chain From Infection to ExFiltration) by Gabriel Mathenge & Trune
  2. Hiding in Plain Sight: Dropbox Command and Control by Vince Obilo
  3. “HoneyHouse: A Damn Vulnerable Home Automation System” by Peter Ouma - This dude is one innovative guy. He showcased IoT hacks.
  4. Launching AfricaHackOn SecOps by Sam Gichuru & Dr. Bright G. Mawudor - AH SecOps will be a platform with meetups where people with an interest in infosec will learn and share skills. It will be hosted at Nailab, an ICT incubation centre.
  5. The Art of Boot-loader Unlocking: Exploiting Samsung Sboot by Nitay Artenstein
  6. The Making of the AfricaHackon Badge by Chrispus Kamau, a friend who loves networks and anything that has waves and bandwidth. His presentation was on the use of conference badges and wireless spoofing (mdk).

The AH Badge

Finally met these awesome people

It was a great experience, meeting and networking. I met a lot of people whom I had earlier met online, like Essenkey (online the guy sounds like a mafia, but face to face he is a chilled guy) and Munir (alien-within), who looks more like a literature professor, chilled. One John (@me) ...... that's a story for another day.
Joe Wambugu from Hotmall, that guy is an entrepreneur; the last time I saw him (6 months ago) he was saying he needed to understand info-sec, and now he is working on a DNS tool he wants to launch at the end of July. Waiting for the better version.



I did not attend many talks as I was busy meeting new people, networking and eating. A lot of companies related to security came to AfricaHackon, and it was a great opportunity to know the latest things going on in security. There were also job offers by a few of the companies that visited AfricaHackon, e.g. Darktrace, who are opening an office in Kenya.

I know a lot of people online who are into security, and AfricaHackon was the best platform to meet them in person; I also made lots of friends there.






Conclusion

It was a great experience. Many people say that we can watch the talks online too, so why spend so much money going to a conference? The thing is, the experience we get when we visit conferences like this is something that cannot be had just by watching the talk videos. I would like to thank all the awesome people of AfricaHackon for making the conference such a success.

THANK YOU

Friday, 26 May 2017

Secure Software Development

Overview

Software development has been taken as just a career, but the solutions implemented have a high impact on users and the industry.
Not only should the intended solution be achieved, but the newer aspects of data security and data integrity must be maintained. The value of a solution should be judged on data integrity, flexibility, agility, user confidence et al.
Applications are increasingly targeted by attackers, which demonstrates the need to build security into an application from the very beginning. Thus the need to forge a secure, risk-reducing approach to product development.


Introduction

Developing secure software is critical to a company’s reputation and bottom line. The impact of a software malfunction or security breach can be a massive recall, millions in lost revenue, or the loss of sensitive customer data.
Faced with having to maintain software quality and security while accelerating innovation, companies with internally defined standard code development processes are looking for new ways to further reduce overall program risk. Traditionally, companies would perform security testing near the end of the software development lifecycle, before the product release, but that process can put release schedules at risk, and defects found that late cost more to fix.
To more effectively address security, some of these companies are now adopting secure development lifecycle initiatives where security deliverables are inserted in all phases of development. As a result, companies are finding that the benefits of fewer security incidents, faster resolution of incidents and earlier visibility into areas of risk far outweigh the costs of implementing these initiatives.

Developing secure software is still a challenge

Developing secure software is a tough challenge that confronts IT teams – both security and development teams. Traditionally, computer science programs have focused on producing programmers with a foundation to become good application developers but not necessarily security experts. As a result, developers are unaware of the different ways they can introduce security problems into their code.


  1. Misaligned priorities - Development teams are focused on product innovation to meet business needs. Vulnerabilities emanating from code defects are seen as potential problems, therefore not a priority compared to feature functionality and on-time delivery. QA teams are concerned about buggy software and customer dissatisfaction. Security teams are focused on the availability and protection of sensitive assets – they are tasked with securing in-house and commercial applications, often having to address vulnerabilities exposed by software code after it is deployed.
  2. Misaligned process - Security audits and QA testing happen at the end of the development cycle, where issues are most expensive to fix and when developers are focused on getting the release out and moving on to the next release. Audits are typically done late in the cycle to avoid having security experts review and re-review code that is likely to change before release. Also, security audits typically happen outside the standard development workflow, which means developers are likely to ignore security issues identified during the audit because it is hard to go back and change “working” code without causing an expensive and lengthy testing cycle. Therefore security issues identified late present business stakeholders with a difficult decision between time to market and security.
  3. Misaligned tools - Developers resist changes to their workflow and find it difficult to use tools designed for security experts. Those tools require too much security expertise and do not provide directly actionable information for fixing defects. Putting security auditing tools in the hands of a developer is not a practical solution, as these tools are designed to find every possible issue, resulting in a high false positive rate. Developers will often ignore a tool's analysis results if they have to wade through a high volume of noise to identify the critical defects that must be fixed.

Unfortunately, as we know, all too often defects ignored or overlooked during the development process end up causing major issues down the road. Due to the rapid growth of software-based solutions, we are at that uncomfortable stage in the history of software development where we are seeing firms suffer business disruption and negative publicity because they failed to manage the risks posed by insecure coding practices. Attacks resulting from application vulnerabilities have been reported across industry segments and geopolitical boundaries, as we have seen recently with the WannaCry ransomware.

Way forward

In software development, the security element needs to be brought in from all aspects of the software development process; it is only by pushing past the operational view of security that we can begin to build software systems that can stand up under attack. Security defects can, and should, be treated like software defects and managed as part of the development process. The distinction between security and quality can sometimes collapse into one: the bug that causes a system failure today could be exploited by an attacker tomorrow.

For a secure solution, the most important people to involve are the builders of the solution/code: the software developers.

Wednesday, 1 February 2017

Things I Wish I Would Have Known When I Started My Software Development Career


I started my career in ICT over 7 years ago.

The experience and change of specialization has taught me a lot. As a software engineer (which is what I believe I am) I have come to know that:


1. There is no “right way” in software development


Most developers fresh from university will argue that this way or that way is the best approach: patterns and the logic (which is which), collections vs array list, when to implement threads vs asynchronous IO, et al.

I have spent time trying to convince my workmates that my approach is good, but I have come to learn that the circumstances determine the "right way" to develop a software solution.
There is no best practice that is universal. The academically defined best practices are there to guide solution implementation, not to dictate the actual implementation.

The practical approach gives a better development and implementation than wasting time trying to do it the "right way".


2. Reading books cover to cover is not the best way to learn


I have done a number of programming languages, and most I have learnt on the job. Books and videos have been helpful, but I haven't read the books completely. Skimming was what I was doing.

The best way I have found to learn a new software development language is to immerse myself in a project and learn the language as I design a solution. This has helped my learning curve with the language.

I am taking my first steps in reverse engineering, and it's not as I thought.

There are smart ways to become smart, and then there are dumb ways to become smart. 


3. The Software development community


Talking and socializing are not my strong points. I have found myself needing the software communities and interacting with different groups on different development platforms.

Local meetups, online meetups and forums are very essential in a software developer's life. The communities help members when they have an issue, and you get to learn a lot about different implementation techniques for a solution.

You might be a member of a coding community already, but you just haven’t realized it yet. For example, those who are learning Python, Java or Ruby might find that they are often using sites that have already built a community around themselves. The absolute best example of this would be Codecademy and their learn-to-program platform.

Communities like the ones in our chart provide “room” for asking the right questions, and more often than not, people will be eager to help you and offer advice and different perspectives on how to tackle your bugs. The key element to these communities is to research your questions before you ask them!

What else?
  1. Up-to-date information and problem solving.
  2. Insightful answers, new perspectives.
  3. Tips and tricks for all-level programmers.
  4. Links to resources, talks and research papers.
  5. Meeting new friends, code buddies, potential partners.
I’d rather have real programmers throw stones at me, than to wait in line for an answer from the poor webmaster who’s already so caught up in his own projects, that he instantly regrets the idea of starting his own community in the first place. I’ve been there, I should know.




The chart above tries to display the programming communities that you are going to find, listed by their popularity, and it is the order that I feel is the most appropriate; personal preferences will differ, and please don’t let your opinion discourage you.

A massive number of online communities at once might seem like overkill, but try to browse these few websites at least a couple of times; in the worst-case scenario it will engrave the history in your Google searches and make it easier to find content (answers) that way.

and the journey continues...

These are just a few of the things that I wish I had known when I first started my software development career, but there are many more and lots of other things that I did do right from the beginning.

By attempting and doing it the wrong way I got to learn the best way to do things like implementing classes, linked lists, dynamic loading, and the simplicity of designing simple software. Complexity doesn't make software good; the user using it does.


Tuesday, 24 January 2017

How i got here



Pascal was my first programming language, and it was the only lesson where I could have fun in class, writing endless loops trying to come up with a Matrix-kind-of screen, but that would lead to a computer restart.

After college I thought all was smooth; little did I know it's a hell of a career with its intrigues. In my first job I got immediately blindsided by unwritten rules and other day-to-day mix that no one bothered to caution me about. And programming is no exception.

I learnt that as a programmer, to get work done, you need to know:

1. Version control systems
Universities teach how to create source code for programs, but usually ignore everything about the management of that code. Every programmer should know how to create repositories, edit and commit code, and branch and merge effectively as part of a project workflow using Git, Azure, BitBucket et al., or Subversion. By using version control tools a programmer knows how to keep track of and organise his work.

2. Communication
I used to miss these classes and downplayed the content. Waaaaah, the first time I wrote a report it was a hectic session, trying to write a good report, knowing which preposition to write where ..... I learnt that you also have to write release notes for your projects. You write commit messages for version control. You write tickets for bugs in the system. All of these and many more require clear, effective English communication – a skill that computer science programs seldom emphasize.

3. Using libraries
Nobody needs to use a regular expression to extract the hostname from a URL. Every modern programming language includes a standard library of common functionality, or has standard libraries easily available.

Programmers need to understand that code that has already been written, tested, and debugged is going to be of better quality than new code that they have to create. Even more important, code that doesn’t have to be written can be implemented much faster.

DON'T be a Google programmer who just copy-pastes code and moves on. Understand what that code does.
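The hostname example above, worked through in Python as an added illustration (this is not code from the blog): a "quick" regular expression of the kind the post warns against, beside urllib.parse from the standard library. The sample URLs are constructed for the demo; the names NAIVE_HOSTNAME_RE, hostname_naive, hostname_stdlib and compare are this example's own.

```python
# Added example (not from the blog): extracting the hostname from a URL with the
# standard library instead of a hand-written regular expression.
import re
from urllib.parse import urlsplit

# A "quick" regex of the kind the post warns against: take what follows '://'
# up to the next '/'. It has no idea about userinfo, ports, IPv6 or case.
NAIVE_HOSTNAME_RE = re.compile(r"^[a-z]+://([^/]+)")


def hostname_naive(url):
    """Hand-rolled extraction: returns whatever sits between '://' and '/'."""
    m = NAIVE_HOSTNAME_RE.match(url)
    return m.group(1) if m else None


def hostname_stdlib(url):
    """urlsplit already handles userinfo, ports, bracketed IPv6 and case, so we don't have to."""
    return urlsplit(url).hostname


def compare(urls):
    """Return {url: (naive, stdlib)} so the differences are visible side by side."""
    return {u: (hostname_naive(u), hostname_stdlib(u)) for u in urls}


# Constructed inputs: the first is the easy case, the rest are where the regex drifts.
SAMPLE_URLS = [
    "https://example.com/path",
    "https://Example.COM:8443/path",
    "https://user:pw@example.com/path",
    "http://[2001:db8::1]:8080/",
]

if __name__ == "__main__":
    for url, (naive, good) in compare(SAMPLE_URLS).items():
        print(f"{url}\n  regex  -> {naive!r}\n  stdlib -> {good!r}")
```

The second, third and fourth URLs are exactly the inputs a later access-control or allow-list check would get wrong if it trusted the regex result: the port, the userinfo and the IPv6 brackets all end up inside the "hostname".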


4. SQL
All the SQL I know I learned on the job.

Everything goes into and out of a database, and SQL is the language that’s used to retrieve it. SQL is also a declarative language, not a procedural language, and so requires learning a new way of thinking about problem solving. But every programmer should understand the basics of database normalization and be able to do SELECTs (including basic INNER and OUTER JOINs), INSERTs, UPDATEs and DELETEs.
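The basics listed above, as an added example that is not part of the blog post: a small normalized schema (orders reference customers by id instead of repeating their names), then INSERT, INNER JOIN, LEFT OUTER JOIN, UPDATE and DELETE against an in-memory SQLite database so it runs offline. The tables, rows and function names are all constructed for this example; every statement binds values with ? placeholders rather than pasting them into the SQL text, which is the habit that keeps user input from being interpreted as SQL.

```python
# Added example (not from the blog): the SQL every programmer should know,
# run against an in-memory SQLite database. Schema and rows are constructed here.
import sqlite3

SCHEMA = """
CREATE TABLE customers (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL
);
CREATE TABLE orders (
    id          INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id),
    amount      INTEGER NOT NULL
);
"""


def open_db():
    """Create the normalized schema; foreign keys are enforced per connection in SQLite."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def insert_sample_data(conn):
    """INSERT with ? placeholders: the values travel as data, never as SQL text."""
    conn.executemany("INSERT INTO customers (id, name) VALUES (?, ?)",
                     [(1, "Alice"), (2, "Bob"), (3, "Carol")])
    conn.executemany("INSERT INTO orders (id, customer_id, amount) VALUES (?, ?, ?)",
                     [(10, 1, 500), (11, 1, 250), (12, 2, 900)])
    conn.commit()


def orders_per_customer(conn):
    """INNER JOIN: only customers that actually have orders appear."""
    return conn.execute("""
        SELECT c.name, COUNT(o.id), SUM(o.amount)
        FROM customers c
        INNER JOIN orders o ON o.customer_id = c.id
        GROUP BY c.id
        ORDER BY c.name
    """).fetchall()


def customers_with_order_counts(conn):
    """LEFT OUTER JOIN: every customer appears, with a count of 0 for those without orders."""
    return conn.execute("""
        SELECT c.name, COUNT(o.id)
        FROM customers c
        LEFT OUTER JOIN orders o ON o.customer_id = c.id
        GROUP BY c.id
        ORDER BY c.name
    """).fetchall()


def apply_discount(conn, customer_id, percent):
    """UPDATE limited by a WHERE clause; returns how many rows changed (integer arithmetic)."""
    cur = conn.execute(
        "UPDATE orders SET amount = amount - amount * ? / 100 WHERE customer_id = ?",
        (percent, customer_id))
    conn.commit()
    return cur.rowcount


def delete_customer(conn, customer_id):
    """DELETE: the foreign key forces the child rows (orders) to go before the parent."""
    conn.execute("DELETE FROM orders WHERE customer_id = ?", (customer_id,))
    cur = conn.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
    conn.commit()
    return cur.rowcount


def demo():
    """Run the whole sequence and return each result so it can be inspected or asserted on."""
    conn = open_db()
    insert_sample_data(conn)
    inner = orders_per_customer(conn)
    outer = customers_with_order_counts(conn)
    updated = apply_discount(conn, 1, 10)   # 10% off Alice's two orders
    deleted = delete_customer(conn, 2)      # Bob and his order go away
    remaining = conn.execute("""
        SELECT c.name, o.amount FROM customers c
        JOIN orders o ON o.customer_id = c.id ORDER BY o.id
    """).fetchall()
    conn.close()
    return inner, outer, updated, deleted, remaining


if __name__ == "__main__":
    for label, value in zip(("inner", "outer", "updated", "deleted", "remaining"), demo()):
        print(label, value)
```

Run it and compare the INNER and LEFT OUTER results: Carol has no orders, so she is absent from the first and present with a 0 in the second. That difference is the usual source of "missing rows" bugs in reports.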

5. Tool usage: IDEs, editors tools

It’s the job of programming tools to help manipulate the source code and all other data in the computer to make the programmer’s life easier. The Unix command line, shell scripting, find, grep, and sed should be part of every programmer’s knowledge set, and working on different platforms helps, as some commands and activities are still command-line based.

6. Debugging
Every programmer should be able to debug with an interactive debugger. The ability to track down a problem through step-wise refinement is too important.

7. Defensive programming
Even rockstar programmers are fallible, much of the world is out of our control, and things will go wrong. Defensive programming is about understanding that simple truth. If things didn’t go wrong, we wouldn’t have to check file opens for success, or assert that customer IDs are valid integers, or to test our code to make sure that it works properly.

Programmers need to grasp that compiler warnings are helpful tools that make life easier, not nuisances to be avoided. Every programmer should know why each PHP program should start with error_reporting(E_ALL), or, in C#, why failures are caught explicitly, as in:


using System;

// Top-level statements (C# 9+). SafeDivision throws instead of returning a
// meaningless value when the divisor is zero, and the caller handles that case.
int a = 10, b = 0, result;
try
{
    result = SafeDivision(a, b);
    Console.WriteLine("{0} divided by {1} = {2}", a, b, result);
}
catch (DivideByZeroException)
{
    Console.WriteLine("Attempted divide by zero.");
}

static int SafeDivision(int x, int y)
{
    if (y == 0) throw new DivideByZeroException();
    return x / y;
}
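The two checks the post names, file opens that must succeed and customer IDs that must be valid integers, as an added Python example (not the blog's code). The regex, limits, function names and the settings file it writes into a temporary directory are all constructed for this example; the hypothetical MAX_CUSTOMER_ID is just a bound that fits a 32-bit signed column.

```python
# Added example (not from the blog): defensive checks at two boundaries,
# customer IDs coming in as strings and files that may not open.
import os
import re
import tempfile

CUSTOMER_ID_RE = re.compile(r"[0-9]{1,10}")  # ASCII digits only, bounded length
MAX_CUSTOMER_ID = 2_147_483_647               # hypothetical limit: fits a 32-bit signed column


def parse_customer_id(raw):
    """Return the customer ID as an int, or raise ValueError.

    int() alone is too lenient for untrusted input: it accepts surrounding whitespace,
    a leading '+', underscores ('1_000') and non-ASCII decimal digits. Matching the
    exact shape we expect first means the value that reaches the database is the one we saw.
    """
    if not isinstance(raw, str) or CUSTOMER_ID_RE.fullmatch(raw) is None:
        raise ValueError(f"invalid customer id: {raw!r}")
    value = int(raw)
    if not 1 <= value <= MAX_CUSTOMER_ID:
        raise ValueError(f"customer id out of range: {value}")
    return value


def is_valid_customer_id(raw):
    """Boolean wrapper for callers that want to branch rather than catch."""
    try:
        parse_customer_id(raw)
        return True
    except ValueError:
        return False


def read_settings(path, max_chars=64 * 1024):
    """Open a settings file and return (ok, text_or_reason).

    Each failure is checked and named here instead of surfacing later as a less
    useful crash; the size cap stops an unexpectedly huge file from being slurped.
    """
    try:
        with open(path, "r", encoding="utf-8") as fh:
            data = fh.read(max_chars + 1)
    except FileNotFoundError:
        return False, "missing"
    except PermissionError:
        return False, "permission denied"
    except UnicodeDecodeError:
        return False, "not valid utf-8"
    if len(data) > max_chars:
        return False, "too large"
    return True, data


def demo():
    """Exercise both checks on constructed inputs, including a temp file created here."""
    samples = ["42", " 42", "+42", "1_000", "\u0664\u0662", "0", "99999999999"]
    results = {s: is_valid_customer_id(s) for s in samples}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "settings.ini")
        with open(good, "w", encoding="utf-8") as fh:
            fh.write("debug=false\n")
        present = read_settings(good)
        absent = read_settings(os.path.join(tmp, "absent.ini"))
    return results, present, absent


if __name__ == "__main__":
    results, present, absent = demo()
    for raw, ok in results.items():
        print(f"{raw!r:>16} -> {'accepted' if ok else 'rejected'}")
    print("existing file:", present)
    print("missing file: ", absent)
```

Of the seven sample IDs only "42" is accepted: the others would all either pass int() unchanged (" 42", "+42", "1_000", the Arabic-Indic digits) or be accepted by a looser check and then fail somewhere further from the point of entry.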

8. Teamwork
Very few programming jobs allow you to work entirely on your own–and those that do are often intellectually crippling and leave you a worse programmer than when you started. Your code must interact with code written by others, or often be intermingled with code from others. No matter how talented, a programmer who can’t collaborate on projects with others has negative productivity, and quickly becomes a liability to the organization.

9. Working on existing code
In school, every class assignment is a new, greenfield project. That’s not how it works in the real world. The first thing that happens to new hires is they get assigned to fix ticket #8347 in the bug tracking system. After that, they have to add a small new complementary feature to an existing system with an established codebase. Designing new code comes months later, if they’re lucky.