Sunday, August 31, 2008

Boys with cool shades and urm... not so cool head gear


Little kids are like monkeys... They see you wearing shades while driving and they want a pair too. Oh, but they are rather innovative too... Check out the "cool" headgear they've got on while posing for this shot.

Thursday, August 28, 2008

Virtual Machine - a software engineer's best friend

Here is another reason why Virtual Machine(s) are a developer's best friend. If you are a packaged software developer (doesn't matter if it's desktop or server software), you will probably realize that platform compatibility testing is a large part of the release cycle; not only is the actual testing tedious and time consuming, setting up and maintaining the many testing environments is a whole lot worse. In addition, it can get pretty expensive too as you will need multiple machines to contain them.

Back in the days when I was developing packaged software, one of my strategies for managing test environments on the cheap was to use boot loaders (such as LILO and GRUB) and hard disk partitions. Using this approach, I had up to four environments running on a single PC (only four environments due to a limitation on the number of primary partitions a hard disk can have). Not long after, I figured that I could further cut down on the number of boxes required by using removable caddies to facilitate the swapping of hard disks on a single PC.

This strategy was indeed cost effective (I managed to reduce my farm of test PCs from eight to just two) but it was darn tedious and not as robust as I had wanted; I could only have one environment up at a time on one PC and it was time consuming to shut down one and start up another. In addition, the OS images were practically tied to the specific hardware they were installed on, as we all know how crappy Windows is when it comes to swapping hardware.

Then entered VMware and its (then) flagship product VMware Workstation. My test environments became normal files and were able to run off any host OS as long as the hypervisor supported it. With it, I was no longer bound by the four primary partition limit on a hard disk, could run multiple environments all at the same time and copy/move them between PCs seamlessly (even if they were running different host OSes!). In addition, with the snapshot feature, I could create a base image of each test environment and easily revert to it after testing.

Out went the drive caddies, the stack of hard disks and backup tapes piled up on my desk, LILO, PartitionMagic and Norton Ghost! In addition to cost savings, the time saved was also considerable and it was appropriately channeled to our LAN parties in the office! :)

Tuesday, August 19, 2008

Diamond TIP: new menu for your home screen

If you have used Windows Mobile 2003 or earlier, you will probably know what the "new menu" was and how useful it had been. For those who have not, it is basically a way to quickly create a new document (e.g. word, excel, note, email, sms) via a popup menu that is triggered by tapping on the text "New" found at the bottom of the home screen. (See screenshot on the right)

Unfortunately, this nifty little feature was removed from Windows Mobile 5 and up. (That's a -1 for you Microsoft.) The good news is that useful features like this don't go away; they just get reintroduced via third parties.

The first application that does this is called WM5NewMenu by a developer named Saman. It started out as a direct replacement for the old functionality but has now grown to be a very powerful and highly configurable utility that can launch pretty much anything that you can think of. (See screenshot on left. More screenshots here). Best of all, it remains freeware even today.

It served me well back in my 838 pro days but unfortunately, the look and feel just doesn't jibe with the snazzy TouchFlo UI. As luck would have it, HTC had a similar feature called the "Action Screen" in the Touch model (+1 HTC!) and it has been ported over to the Diamond by the guys at xda-developers (+2 XDA Developers!)! So now, we get the best of both worlds; the new menu functionality in cool graphics!

There are currently two layouts available; the first and original being the row layout (screenshot on far right) and the latest being the grid layout (screenshot on right) à la the upcoming HTC Touch Pro.

Personally, I like the latter better as it allows up to nine items instead of seven in the row layout.

Can things get any better than this? Yes! If you are like me, using a third party PIM (like the excellent Pocket Informant), you can customize Action Screen to launch the appropriate screens in your third party applications! In fact, you can even change the buttons and the related actions totally! For details, look here.

If you are lazy and just want to get it working with Pocket Informant, here's how:
  • New Note - Change registry value for the key HKEY_LOCAL_MACHINE\Software\HTC\Biotouch\ActionScreen\APP_2\Path to \Program Files\WebIS\PocketInformant\PIAlarmNoteCreate.exe
  • New Appointment - Change registry value for the key HKEY_LOCAL_MACHINE\Software\HTC\Biotouch\ActionScreen\APP_3\Path to \Program Files\WebIS\PocketInformant\PocketInformant.exe
  • New Task - Change registry value for the key HKEY_LOCAL_MACHINE\Software\HTC\Biotouch\ActionScreen\APP_4\Path to \Program Files\WebIS\PocketInformant\PocketInformant.exe
  • New Contact - Change registry value for the key HKEY_LOCAL_MACHINE\Software\HTC\Biotouch\ActionScreen\APP_5\Path to \Program Files\WebIS\PocketInformant\PocketInformant.exe

Friday, August 8, 2008

WebApp Security Test tool - IBM Rational AppScan

This is part 3 (after Introduction, HP Application Security Center) of the series on web application security test tools. This week, I invited IBM to present their offering called IBM Rational AppScan.
  • Formerly Watchfire Corporation before its acquisition in July 2007.
  • Does not have a code analyzer component like HP. [Edit: Will have one in the upcoming version come Sept 2008 as pointed out by Chris.]
  • Run-time analyzer comes in three flavors:

    1. Standard Edition
      • Targeted at standalone usage scenarios.
      • Black-box testing tool (does not require source code but requires a running system).
      • Underlying implementation technology independent.
      • Works by crawling an entire website (link depth and type are configurable) after being given a root URL.
      • Suggests common fixes when vulnerabilities are found but cannot automatically fix them. (Obviously since it has no knowledge or access to the underlying code!)
      • Will not detect threats on pages that are not explicitly defined in the test, are not linked from within the website, or sit in directories that do not allow listing.
      • Supports legal and regulatory compliance by scanning against well known policies (e.g. Sarbanes-Oxley, HIPAA, PCI Data Security Standard, OWASP Top Ten) and generating the necessary reports.
      • Requires regular updates to keep up with latest threat signatures (like anti-virus software).
      • Must run full suite of tests after an update as the tool is unable to determine the delta.
      • Includes a whole bunch of advanced tools for penetration testers.
      • Supports only Windows Platform for running the tool.

    2. Tester Edition
      • Targeted at use as part of the Quality Assurance process.
      • Contains same features as the Standard Edition plus the following.
      • Automatic test creation, modification and maintenance capabilities to enable testing and remediation.

    3. Enterprise Edition
      • Targeted at multi-user environments.
      • Contains same features as the Standard Edition plus the following.
      • Centralized test management and reporting, remote scanning administration.
      • Continuous monitoring and aggregation of metrics to ensure remediation and trend improvement over time.
      • Sophisticated dashboards and flexible reporting views to provide enterprise-wide visibility of risks and remediation progress.
      • Web based access for users.
      • Supports only Windows Platform for server components.

Tuesday, August 5, 2008

Diamond TIP: Customize Comms Manager!

The default Comm Manager in the Diamond includes options for Push Mail and Data Connection. If you don't use Push Mail or GPRS, then these buttons become white elephants. Even if you do use GPRS, you can easily turn off the data connection via the notification bubble, so why duplicate the function here?

So how would you like to replace them with more useful functions like (1) 3G switching (i.e. switching between normal GSM mode and 3G mode) or (2) turning beam on/off (i.e. making your device discoverable to others via Bluetooth) or (3) switching between vibrate and ringer mode or (4) ActiveSync (just a hot key to launch ActiveSync) or (5) IP Phone or (6) Internet Sharing (not sure what the last two do)?

For me, I chose (1) and (2) for the following reasons:
  1. 3G coverage is really patchy compared to GSM, hence the phone will be searching for a 3G signal more often and in the process wasting more battery life. Given that the Diamond has a small capacity battery, this situation is something you should really avoid. So from a power perspective, it's best to stay in GSM mode and only switch to 3G mode when you need to. With this button, I can now quickly and easily switch between the two networks as compared to having to navigate through the phone settings in the settings menu.
  2. Turning Beam off simply means turning off the discovery mode in Bluetooth. Note that without discovery, previously paired devices can still communicate with your phone via Bluetooth. However, new devices will not be able to pair with you unless you turn discovery back on or you pair with them instead (their discovery setting must be on of course). Turning discovery on only when you need to do pairing is considered a good security practice. For details, read this. Again, having the option in the Comms Manager is much easier and quicker to access than navigating through the Bluetooth settings in the settings menu.

Ok, enough talking. Let's get on with the customization already! First, download and install Advanced Configuration Tool 3.0 if you haven't already done so. It is a third party application with a nice UI that allows you to tweak the default applications without having to dirty your hands working with a registry editor. And yes, it's free!

Start the application, tap on "Menu" and then "Comm Manager settings...". You can then enable/disable the functions you want as well as reorder them accordingly. Note that most if not all non-default options will not come with icons. To add them, you will have to create the icons in PNG format and throw them into the \Windows folder. The naming convention used is as follows:

Function               Filenames
3G                     Function_3G.png and Function_3G_Disable.png
ActiveSync             Function_ActiveSync.png and Function_ActiveSync_Disable.png
Beam                   Function_Ir.png and Function_Ir_Disable.png
Phone                  Function_Phone.png and Function_Phone_Disable.png
Internet Sharing       Function_InternetSharing.png and Function_InternetSharing_Disable.png
Ringer                 Function_Vibrate.png and Function_Vibrate_Disable.png
Wireless LAN           Function_WLAN.png and Function_WLAN_Disable.png
Microsoft Direct Push  Function_AUTD.png and Function_AUTD_Disable.png
Bluetooth              Function_Bluetooth.png and Function_Bluetooth_Disable.png
Data Connection        Function_DataDisconnection.png and Function_DataDisconnection_Disable.png
Flight mode            Function_FlightMode.png and Function_FlightMode_Disable.png


I have created a couple of icons for my own use. You are welcome to download and use them as you wish. Simply right click on each icon and select "Save Picture As...". Remember, you need to drop them in the \Windows folder in order to use them!

Saturday, August 2, 2008

We are Singapore....

My my.... Ain't we patriotic now.....

Friday, August 1, 2008

WebApp Security Test tool - HP Application Security Center

The first product we are looking at in the area of web application security testing tools is from HP. This is actually a suite of products collectively called HP Application Security Center. The following are some notes I have taken after hearing their presentation and browsing through their website.

  • Formerly SPI Dynamics before its acquisition in June 2007
  • Full security test suite that offers tools for different phases of the SDLC:

    1. DevInspect – Development stage
      • Primarily a source code analyzer or white-box testing tool (i.e. requires full source code but does not require running system).
      • Underlying implementation technology specific (C#, Java, JavaScript, HTML, XML, AJAX).
      • Tight integration in development process (via the IDEs) hence allowing threats to be detected early (even before a developer checks the code in).
      • Suggests and can automatically apply code fixes when vulnerabilities are found.
      • Requires regular updates to keep up with latest threat signatures (like anti-virus software).
      • Note that this tool catches only compile-time threats, not run-time threats. Hence it needs to be partnered with one of the tools below.
      • Deploys as plugins to Eclipse and Visual Studio.

    2. QAInspect – UAT/SIT stage (maybe even as part of continuous integration)
      • Black-box testing tool (does not require source code but requires a running system).
      • Underlying implementation technology independent.
      • Works by crawling an entire website (link depth and type are configurable) after being given a root URL.
      • Suggests common fixes when vulnerabilities are found but cannot automatically fix them. (Obviously since it has no knowledge or access to the underlying code!)
      • Will not detect threats on pages that are not explicitly defined in the test, are not linked from within the website, or sit in directories that do not allow listing.
      • Supports legal and regulatory compliance by scanning against well known policies (e.g. Sarbanes-Oxley, HIPAA, PCI Data Security Standard, OWASP Top Ten) and generating the necessary reports.
      • Requires regular updates to keep up with latest threat signatures (like anti-virus software).
      • Must run full suite of tests after an update as the tool is unable to determine the delta.
      • Tight integration with HP Quality Center and HP TestDirector hence allowing security tests to be managed as part of an overall test plan/run including functional and/or performance tests.
      • Automatically generates defect logs in HP Quality Center based on vulnerabilities found during the tests.
      • Integrates with HP AMP (Assessment Management Platform) to provide enterprise assessment management. i.e. centralized control over user permissions, security policies and remote scanning administration.
      • Supports only Windows Platform for running the tool.

    3. WebInspect – anytime (after you have a running system of course)
      • Essentially the same as QAInspect except that it's targeted at standalone use.
      • Includes a whole bunch of advanced tools for penetration testers.
      • Does not offer integration with HP Quality Center or HP TestDirector for overall test management but can push vulnerabilities as defects to HP Quality Center.
      • Does integrate with HP AMP for enterprise assessment management.
      • As far as licensing goes, in Singapore, comes in two flavors:
        1. Single User (i.e. one PC), Single Target (i.e. one IP address)
        2. Single User (i.e. one PC), unlimited Targets (for about double the price of the above)
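The crawler coverage limitation noted for both the AppScan and QAInspect/WebInspect runtime scanners (pages that are not explicitly defined, not linked from the site, or in non-listable directories are never tested, and the configured link depth cuts the crawl short) as an added illustration; this is not code from HP, IBM or this blog, and the in-memory site, the host app.example and the crawl() function are constructed for the example:

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed in-memory site standing in for a running web application (sample data).
# /admin/orphan.html is linked from nowhere: a crawler only reaches it if the tester
# defines that URL explicitly, which is the limitation the scanner notes describe.
SITE = {
    "http://app.example/": '<a href="/login">Login</a> <a href="/files/">Files</a>',
    "http://app.example/login": '<a href="/account">Account</a>',
    "http://app.example/account": '<a href="/account/settings">Settings</a>',
    "http://app.example/account/settings": "no further links",
    "http://app.example/files/": '<a href="/files/report.pdf">report</a>',  # listing on
    "http://app.example/files/report.pdf": "binary content",
    "http://app.example/admin/orphan.html": '<a href="/admin/users">Users</a>',
    "http://app.example/admin/users": "user list",
}

class LinkExtractor(HTMLParser):
    """Collects href values from <a> tags; this is how the crawler learns new pages."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

def crawl(root, max_depth, seeds=()):
    """Breadth-first crawl from root, following same-host links up to max_depth hops.
    Returns {url: depth} for every page reached. `seeds` are URLs the tester defined
    explicitly (depth 0): the only way an unlinked page gets into the scan."""
    host = urlparse(root).netloc
    found = {}
    queue = deque((url, 0) for url in (root, *seeds))
    while queue:
        url, depth = queue.popleft()
        body = SITE.get(url)  # stand-in for an HTTP GET; None plays the 404
        if url in found or body is None:
            continue
        found[url] = depth
        if depth >= max_depth:
            continue  # depth limit reached: links on this page are not followed
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.links:
            target = urljoin(url, href)
            if urlparse(target).netloc == host and target not in found:
                queue.append((target, depth + 1))
    return found
```

Comparing crawl() output against the full page inventory shows which pages a black-box scan would silently skip, which is why seeding known-but-unlinked URLs into the test definition matters.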