
Matt Rajkowski

Suffolk, VA 23436

Google recently released Skipfish, a command-line tool for testing the security of web applications. I decided to download the source code, compile it, and then test it on one of our beta instances of ConcourseConnect. ConcourseConnect was previously tested by a third-party security company, so I was eager to find out how things would go this time around.

Skipfish is easy to compile and use on Mac OS X. You must have Apple's Xcode installed first. Here are the steps I took to run Skipfish:

  1. Download the skipfish source from the Skipfish Google Code Project
  2. Download the required library libidn, I grabbed the latest version 1.18
  3. Install libidn by extracting the libidn contents, then typing (in a terminal):
    1. ./configure
    2. sudo make install
  4. In the Skipfish directory, use Terminal to compile skipfish by typing: make
  5. Copy the file called dictionaries/minimal.wl to skipfish.wl

If all goes well, then you can test your web application.

Using a web browser, navigate to a test instance of ConcourseConnect (or any app you want to test). Make sure it is a test instance, because Skipfish will navigate to every link it sees on the website. It can add, delete, and modify data, so never run it against a production instance. You can optionally log in to the test instance with a username and password. If you do this, Skipfish will test even more links and act as a logged-in user.

Once the browser is showing your site, go to the browser's preferences and show the cookies for the site. For the test site, copy the contents of the JSESSIONID cookie. This is the server session that Skipfish will use for testing. (Safari doesn't let you copy the cookie contents, so I opted for Google Chrome.) Obtain a session id each time before you test, as the session may have expired. You can also use a command-line tool to create and obtain the session id for automated testing.

I used the following parameters to test ConcourseConnect:

./skipfish \
-C JSESSIONID=A2D311CE14F6B6A437812CCBFB1D8F07 \
-o site_results \
-X /connect/logout \
-X /logout \
http://localhost:8080/connect

These parameters told Skipfish to use the JSESSIONID cookie, to output the results into a directory called site_results, to avoid the logout command (which tells the server to invalidate the session id), and to test the site which is running on my local computer.
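The command-line route to the session id mentioned above, as an added example (not the post's own script): log in with curl so the JSESSIONID lands in a cookie jar, pull it out even when the cookie is HttpOnly, refuse to scan any host not on a test-host allowlist, and assemble the same skipfish command line shown in the post. The /login form path, its username/password field names, the allowlist and the cookie jar contents are assumptions, not ConcourseConnect specifics.

```shell
#!/bin/sh
# Added example, not from the post. Assumed/hypothetical: the /login form path and its
# username/password fields, the allowlist, and the constructed cookie jar at the end.

# Only test instances belong here: Skipfish follows and submits every link it finds.
ALLOWED_HOSTS="localhost 127.0.0.1 connect-beta.example.test"

# Host part of a URL: http://localhost:8080/connect -> localhost
url_host() {
    printf '%s\n' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#[/:].*$##'
}

# Succeeds only if the URL's host is on the allowlist.
is_test_target() {
    h=$(url_host "$1")
    for a in $ALLOWED_HOSTS; do [ "$h" = "$a" ] && return 0; done
    return 1
}

# JSESSIONID value from a Netscape-format cookie jar (what curl -c writes). curl
# prefixes HttpOnly cookies' domain field with "#HttpOnly_", so match on the name
# column instead of skipping every line that starts with "#".
extract_jsessionid() {
    awk -F '\t' '$6 == "JSESSIONID" { print $7; exit }' "$1"
}

# Log in with curl, persist the session cookie to a jar, and return the session id.
login_and_get_session() {
    base="$1"; user="$2"; pass="$3"; jar="$4"
    curl -s -o /dev/null -c "$jar" -b "$jar" \
        --data-urlencode "username=$user" --data-urlencode "password=$pass" "$base/login"
    extract_jsessionid "$jar"
}
# The skipfish command line from the post; logout URLs are excluded so the scanner
# cannot invalidate the session it is scanning with.
build_scan_command() {
    printf './skipfish -C JSESSIONID=%s -o %s -X /connect/logout -X /logout %s\n' "$1" "$2" "$3"
}

# Offline demo with a constructed cookie jar (no login, no scan).
jar=$(mktemp)
printf '# Netscape HTTP Cookie File\n#HttpOnly_localhost\tFALSE\t/connect\tFALSE\t0\tJSESSIONID\tCONSTRUCTED01\n' > "$jar"
target="http://localhost:8080/connect"
if is_test_target "$target"; then
    build_scan_command "$(extract_jsessionid "$jar")" site_results "$target"
else
    echo "refusing to scan non-test host: $(url_host "$target")" >&2
fi
rm -f "$jar"
```

For a real run, replace the demo at the bottom with `sid=$(login_and_get_session "$target" user pass "$jar")` followed by `eval "$(build_scan_command "$sid" site_results "$target")"`; the fresh login each time covers the expired-session case noted above.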

The results were interesting... and really only a few items were relevant.

Skipfish reported 32 warnings: Integer overflow vector, Format string vector, SQL injection vector, Shell injection vector, and Server-side XML injection vector. I reviewed the instances and didn't find any evidence of a real problem.  Skipfish also reported some semi-important warnings: Directory traversal possible, Conflicting MIME / charset info, Incorrect or missing MIME type, External content embedded on a page, and XSS vector in document body. I also reviewed these and confirmed two issues that we were able to correct.

Overall the results were certainly helpful. I figured if someone out there is going to use this tool to do harm, then we must use it ourselves as part of the code release process. Regardless of the results, this is a great way for someone to gain some personal insight into web security and to incorporate the findings into all of your web apps.

This is a question that we have internally discussed for years.  We decided that the answer was yes, a corporate web site can be a social networking community, and we have been running a web site and community, all-in-one, for about 8 years now.  Powering concursive.com is ConcourseConnect 2.0 -- it's a collaboration application, but with the flexibility of a light-weight content management system.


JetBrains recently released a preview version of IntelliJ as Open Source.  The marketing page declares IntelliJ as "The Most Intelligent Java IDE — Now Free and Open Source."

I've been a paying customer of IntelliJ IDEA for several years, and with this news I thought, how great! I can continue to use the Enterprise edition on my main computer, and on my second computer use the Community edition for minor edits.  You can't run two copies of IntelliJ Enterprise at the same time on the same network, so I have avoided using IntelliJ on two computers and use NetBeans instead.

The Community Edition looks very familiar to those using the Enterprise edition, with a few graphical color changes and some features removed. Most of the removed features are for hardcore refactoring, testing, and developing with integrated web servers... features a useful editor wouldn't need anyhow. The most surprising removed feature, however, is that the "Most Intelligent Java IDE" doesn't know what a Java Server Pages (.jsp) file is. That's right, try to open a .jsp and the editor asks the user what to do with it. Is it a text file? An HTML file? Well, no, it's a .jsp! At a time when Eclipse, NetBeans, and even editors like JEdit have no problems identifying .jsp files, why would that feature be removed? I hope this feature gets added before the final Community Edition release. For a Java web developer, or even to augment a primary IDE, the Community Edition just doesn't cut it.

With that said, I think the move by IntelliJ to Open Source part of the IDE is a great gesture.  I'm all too familiar with open-sourcing an application and maintaining dual-licensed editions so the devotion to the Community Edition will certainly be scrutinized by users.  The IDE is really top-notch and it will be interesting to see where it goes from here.  Will it make sense to use the Community Edition?  What do you think about it?


After upgrading to the latest Mac OS, things are definitely running well -- the speed is noticeable.  IntelliJ and NetBeans are working just fine for me and the latest ConcourseSuite CRM alpha and ConcourseConnect are both running fine too.  The default Java is now Java 6.

Perhaps the best "new" feature is that Spaces finally works with IntelliJ and NetBeans!  Previously, when either was activated, Spaces would not switch unless there was a second window.

Everyone having a good experience?


I've been an advocate of IntelliJ for quite some time.  In fact, over the years I've converted a few around here and still today I think it works well.  The main gripe I have recently is compatibility with Mac OSX -- daily crashes, and with each crash comes a lengthy cache rebuild.  On an Apple Java Developers discussion forum another user with the same exception indicated that JetBrains (the owner of IntelliJ) pointed to Apple's latest Java release as the culprit for a windowing exception and that they wouldn't/couldn't do anything about it.  I don't expect an update anytime soon so I had to act quickly.

With a newly released NetBeans IDE, and a problematic IntelliJ 8 and 9 beta on my hands, I decided to give the new NetBeans release a shot.  Setting up my projects was easy using the wizard.  I pointed to the webapp source directory, the libraries and added resource directories.  This was for ConcourseSuite CRM 6 alpha, ConcourseConnect and several custom projects.

Working inside the NetBeans IDE was surprisingly simple and elegant. I quickly surveyed the menus to see if all/most of the IntelliJ functions I use were there, and they are! In the NetBeans preferences area I changed the keymap to IDEA, then began to use the IntelliJ key commands I was used to. Aside from having to use CTRL instead of the Mac's Command key, the experience seemed similar. I've now updated the keymap, color palette, and installed the Copy & Paste History and Copy Paths plugins to relive my IntelliJ experience (download my customizations here).

Since the Concursive project sources I use are structurally similar to Maven's suggested structure, there wasn't anything to worry about. Choosing "Run Main Project" started up Tomcat and the webapp worked right away. NetBeans includes an HTTP Server Monitor by default that hooks into the Request, Session, Application Context, Cookies and HTTP Header properties, which I found immediately useful.

Some other highlights:

  • Place the cursor on a variable name and NetBeans highlights the usages automatically
  • Open a file, then choose Tools-> Diff to compare that file to another open file, or any file using the file selector
  • Create Project Groups and switch back and forth between sets of projects quickly
  • Subversion works well and seamlessly maps New/Deleted files to Subversion actions Add/Remove
  • Use the Database Services window to execute and view database records
  • NetBeans is Open Source

Somehow updating Tomcat's settings eluded me... To modify the settings for Apache Tomcat, you have to open up the Services window pane, choose Servers, then right-click on Apache Tomcat to change its settings.

There you have it.  After less than a week's use of NetBeans, and with some hesitation, I feel comfortable enough to use NetBeans as my primary IDE.  It has proven to be feature rich, stable, and fun.  I've got IntelliJ on standby for the time being and hope that the exception gets worked out.


Every so often the topic of which IDE do you use comes up.  I've posted about this in the past and while I passionately have a preference, as do others based on the comments to that article, I've found that given the requirement of writing good code, the modern IDE choices are interoperable.  Let me explain...

A bunch of us here at Concursive pay for our IDE.  Others have chosen Eclipse.  From my point-of-view I'm ok with that as the developers have proven that the IDE choices are interoperable.  At the end of the day I can't distinguish code done in, let's say IntelliJ IDEA (my preference) to Eclipse (the preference of our other developers).  I also have friends who use NetBeans (I only mention that for completeness).

What makes interoperability possible are coding guidelines and best practices...

 

