Posted October 24, 2007 at 09:10pm in
Computers, Programming
Yeah, I lied.
I have had to do some work on a shopping cart that was originally written in ASP, and it has reminded me why I enjoy not writing ASP. The last time I wrote ASP was in early 2003, but at least my code was well organized. I had includes in a central location, I was using VB ActiveX components to handle some of the site features and I was, to put it bluntly, not so full of myself that I didn't do research on improving my code.
I know of the programmer who wrote this through a friend, and while I have not talked to him more than a few times, I know through my friend that people have been very unhappy with his code. The last company I know of that experienced this had some deal with him, and he cashed out of the deal because even he admitted the application bogged down the servers horribly. The server it was running on has 6 GB of RAM and isn't some old junker. It is also running Windows 2003 x64 and SQL Server 2005, which should help performance. The company that paid him to originally write the code has since hired another company to rewrite it so that the client is getting what they pay for when they resell the product.
Anyway, this cart was originally another ASP shopping cart that was stripped of a lot of the identifying details, which he then made into what was supposed to be some sort of "template" setup. I can really say, though, that it has been one of the more aggravating edits I have had to do; things are just all over the place in the code. Normally a template system allows you to make some visual changes without having to do a huge amount of editing. Take WordPress for example: you know what pages to edit and what tags to add, and you put them where you want the information to be displayed. Shopping carts are of course more complicated, but osCommerce uses templates and from what I've seen it is much easier. Templates are also used so the designers can stay out of the logic as much as possible, since that is not what they do. With this setup there is logic all over the place. A number of files only have a line or two in them, and the only line that means anything is the include referencing a file with the exact same name in another directory.
I am really not big on putting down other programmers because I know for a fact there is code I have written that has not been worthy of any praise, but I also don't regard myself as a top-notch programmer like he does. When someone speaks about themselves like they are top dog, they are just asking for it. There is also a difference between selling yourself and going overboard. It is just part of sales to make yourself sound like you are the only one for the job, and if they decide not to go with you then it is their loss; in some cases you are and in some cases you aren't. When I received the job for the FTA I was told from the start that it was in Joomla, and I immediately looked at the code. Knowing I couldn't fake knowing Joomla, I said flat out that I had never worked with Joomla, but that I have experience writing readable and well thought out code. Now the designer who did the template told them that he had worked with Joomla and la di da, but when I received his template he had hard coded things in that should have been dynamic, which of course would keep the end client from being able to edit them.
This post is getting a little bitchy now, but it is surprising just how many people go around making themselves into something they aren't and making a lot of money doing it. This of course is nothing new, as I am sure a lot of you have seen the posts discussing the tests that companies are giving during interviews and finding out that the programmers cannot solve basic problems. If you haven't read the article, do a Google search for FizzBuzz.
Posted October 7, 2007 at 09:10pm in
Computers, Conferences, Programming, Security
Tomorrow is weeCamp, a beCamp/barCamp style conference covering web application security. I am REALLY excited about this conference; there was a chance I was not going to be able to go, but I will be there. The talk I think I will be most interested in hearing is RoR security. I have been learning RoR a bit the past week, and while there is a learning curve I am really enjoying it. I have a large project that I am going to be tackling in the Rails framework and I hope that my needs do not exceed my limited experience with RoR. Worst case, I have to write it in PHP from scratch or use CakePHP.
Very early Friday morning I was updating my BIOS, and it appears that the utility killed off a dependency for my UPS utility, which then made the application think that the connection was lost. This resulted in my UPS rebooting and killing the power to my machine in the middle of the update. I was unable to do a BIOS recovery, so I had to order a new motherboard since MSI does not have advanced replacement. If I RMA that board it will take 7-10 business days for them to fix it after they receive it. Combine that with shipping and I am looking at probably a month. Considering that is my primary system and migrating everything to another system is just out of the question, I felt the $150 was worth it.
It's been a difficult few days even outside my techie life, so I am really hoping this conference will boost my spirits.
Posted August 4, 2007 at 07:08pm in
Computers, Programming, Security
For a while I have been keeping my eye on certifications I would like to obtain in the next few years. Being honest with myself, it really is just a goal because it would be very costly and time consuming to obtain all of them; not impossible, just difficult. What is a life without goals, however difficult they might be? After speaking with some security professionals on [H] I have added enough certifications to keep me busy for many, many years. There are a number of certifications that you really cannot pass without real world experience. One I have heard of is the CISSP, which requires four years of experience (5 years effective Oct. 2007), although two years may be waived. One of my goals is to have the credentials that would land me contracts as a white hat, so getting real world security experience is a priority anyway.
Below the list of certifications I have an additional list which outlines the certifications for the DoD directive 8570.1. This directive applies to individuals administering DoD machines. Of course the major problem with certifications is maintaining them; the more certifications you have, the more difficult it can be, since you have to recertify every so often. The list below is a broad list of certifications I am interested in, and while I would like to have them all, the list will be narrowed over time. Let's say I get my RHCT, but when looking into Solaris more I find I don't have interest in working with Solaris, or the other way around, ultimately reducing the list over time.
Now for the main list of certifications:
Since Red Hat has received its EAL4 certification with Labeled Security Protection Profile (LSPP), I added some of the Red Hat certifications to the list.
DoD Directive 8570.1 Technical I
DoD Directive 8570.1 Technical II
DoD Directive 8570.1 Technical III
There are also a number of certifications under the SANS Global Information Assurance Certification that look very interesting. These certifications also seem to be more specific, examples being the "GIAC Securing Oracle Certification" or the "GIAC Secure Internet Presence".
One of the posters from [H] had this in his signature.
CCNA, CCNP, CCIE, CCAI, MCT, MCSE, CNE, CNI, A+, Net+, Security+, SSCP
This shows that it is very possible to obtain a grip of certifications.
Posted July 31, 2007 at 09:07am in
Computers, Programming
When I colocated everything I realized that I was pulling the CSS and ICO from a local Trac environment. I have updated the post Automated Project Creation with the new link to download the template and CSS.
Posted July 14, 2007 at 05:07pm in
Programming
I have mentioned before that I am working with Joomla and Docman for this FTA site, and I recently found a bit of a scaling issue I thought I would mention. I don't know how many of you use the query log option that MySQL offers, but I highly recommend you do.
I browsed to the resources section and viewed a page with 124 documents on it. You would think that wouldn't be so bad, but in actuality it is ridiculous: that one page view generated 1611 SQL queries. The reason is that it grabs the list of documents, and then for each one it checks whether the user has access to that category, plus another check that has slipped my mind. Just the category access check was for some reason causing 10 SQL queries per document, and what makes it worse is that every document was in the same category, so really only one access check needed to be done. Since all Docman categories are 100% open to the public, I had no problem removing the SQL query and having it return TRUE for every document. This change dropped the queries from 1200 down to 155. The reason it is 1200 and not 1600 is that the other check I still can't remember was also removed, and that eliminated roughly 300 queries.
Personally I think that the component could have handled grabbing the information better than it was; joins being the biggest improvement.
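The pattern described in this post is the classic "N+1 query" problem: one query for the document list, then a separate access lookup for every row, even when every row lands in the same category. The following is an added example, not Docman's or Joomla's code, written in Python against an in-memory SQLite database so it runs offline. The schema (`documents`, `categories`, an `access` level column), the 124-document page, and the `set_trace_callback` query counter are all constructed for this illustration; the post's real counts came from MySQL's query log, which is the equivalent check on a production server. It shows three versions of the same page: the per-row lookup the post complains about, a version that remembers each category's answer (the "only one access check needed" observation), and the join the post suggests as the real fix, which also still enforces the access level instead of hard-coding TRUE.

```python
import sqlite3


def build_db(public_docs=124, restricted_docs=4):
    """Constructed sample data: one public category holding the 124
    documents from the post, plus a small restricted category so the
    access check actually has something to filter."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT, access INTEGER);
        CREATE TABLE documents  (id INTEGER PRIMARY KEY, title TEXT, catid INTEGER);
        INSERT INTO categories VALUES (1, 'Resources', 0);   -- access 0 = public
        INSERT INTO categories VALUES (2, 'Board only', 1);  -- access 1 = registered
    """)
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, 1)",
        [(i, f"doc {i}") for i in range(1, public_docs + 1)],
    )
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, 2)",
        [(public_docs + i, f"private {i}") for i in range(1, restricted_docs + 1)],
    )
    conn.commit()
    return conn


class QueryCounter:
    """Counts statements the SQLite backend actually executes, the same
    number MySQL's general query log would show per page view."""

    def __init__(self, conn):
        self.count = 0
        conn.set_trace_callback(self._trace)

    def _trace(self, _statement):
        self.count += 1


def list_docs_n_plus_one(conn, user_access=0):
    """The slow pattern: one list query, then one access lookup per document."""
    docs = conn.execute("SELECT id, title, catid FROM documents").fetchall()
    visible = []
    for doc_id, title, catid in docs:
        row = conn.execute("SELECT access FROM categories WHERE id = ?", (catid,)).fetchone()
        if row is not None and row[0] <= user_access:
            visible.append((doc_id, title))
    return visible


def list_docs_memoized(conn, user_access=0):
    """Same loop, but each category is looked up once and the answer reused."""
    docs = conn.execute("SELECT id, title, catid FROM documents").fetchall()
    allowed = {}
    visible = []
    for doc_id, title, catid in docs:
        if catid not in allowed:
            row = conn.execute("SELECT access FROM categories WHERE id = ?", (catid,)).fetchone()
            allowed[catid] = row is not None and row[0] <= user_access
        if allowed[catid]:
            visible.append((doc_id, title))
    return visible


def list_docs_join(conn, user_access=0):
    """The join version: the access filter is applied by the database in one query."""
    return conn.execute(
        """
        SELECT d.id, d.title
          FROM documents d
          JOIN categories c ON c.id = d.catid
         WHERE c.access <= ?
         ORDER BY d.id
        """,
        (user_access,),
    ).fetchall()


def measure(list_fn, user_access=0):
    """Return (documents shown, SQL statements issued) for one page render."""
    conn = build_db()
    counter = QueryCounter(conn)
    visible = list_fn(conn, user_access=user_access)
    conn.set_trace_callback(None)
    conn.close()
    return len(visible), counter.count


if __name__ == "__main__":
    for fn in (list_docs_n_plus_one, list_docs_memoized, list_docs_join):
        shown, queries = measure(fn)
        print(f"{fn.__name__:22s} public user: {shown} docs, {queries} queries")
    print("join, registered user:", measure(list_docs_join, user_access=1))
```

For the public visitor the per-row version issues 129 statements to render 124 documents (one list query plus one lookup for each of the 128 rows), the memoized version issues 3 (the list plus one lookup per distinct category), and the join issues exactly 1. The join is the version worth keeping: it removes the per-row round trips without giving up the access check, so a later restricted category is still filtered, which returning TRUE unconditionally would not do.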