Tuesday, April 19, 2016

How do I check if a particular Python package is installed or not

How do I check if a particular Python package, say mordor, is installed or not?

Firstly, check that pip (the Python package manager) is available on your machine.
Using pip, check whether the required package is installed.

# pip list | grep mordor
#

If the mordor package is not present, I can install it using `pip install mordor`.

# pip install mordor
Collecting mordor
  Downloading mordor-1.1.tar.gz
Installing collected packages: mordor
  Running setup.py install for mordor ... done
Successfully installed mordor-1.1
#

What if my machine is not connected to the Internet?  `pip install mordor` fails for me.

# pip install mordor
Downloading/unpacking mordor
  Cannot fetch index base URL https://pypi.python.org/simple/
  Could not find any downloads that satisfy the requirement mordor
No distributions at all found for mordor
Storing complete log in /root/.pip/pip.log
#

So I have to download the tar.gz file of this package from pypi.python.org.
In the case of the mordor package, the file I am looking for is https://pypi.python.org/packages/source/m/mordor/mordor-1.1.tar.gz

After copying the tar.gz file (mordor-1.1.tar.gz in this case) to the machine, I extract it.

# tar -zxvf mordor-1.1.tar.gz
mordor-1.1/
mordor-1.1/PKG-INFO
mordor-1.1/setup.py
mordor-1.1/src/
mordor-1.1/src/mordor.py
mordor-1.1/src/ordor.py
#

I installed the required package using `python setup.py install`.

# cd mordor-1.1
# python setup.py  install
running install
running build
running build_py
creating build
creating build/lib
copying src/mordor.py -> build/lib
copying src/ordor.py -> build/lib
running install_lib
copying build/lib/mordor.py -> /usr/lib/python2.6/site-packages
copying build/lib/ordor.py -> /usr/lib/python2.6/site-packages
byte-compiling /usr/lib/python2.6/site-packages/mordor.py to mordor.pyc
byte-compiling /usr/lib/python2.6/site-packages/ordor.py to ordor.pyc
running install_egg_info
Writing /usr/lib/python2.6/site-packages/mordor-1.1-py2.6.egg-info
#
# pip list | grep mordor
mordor (1.1)
#

Here I did not talk at all about dependencies.  While installing a Python package, you may run into a situation where its dependencies are missing.  In that case you first have to install all the dependencies, and then install the package that you wanted.
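As an added example (not code from the original post), the same two steps in Python 3: the check behind `pip list | grep mordor`, and an offline install that refuses to run pip on a hand-copied tarball unless its SHA-256 matches the digest you noted on PyPI before copying the file. The distribution name, the placeholder tarball and the digests are constructed for the demo.

```python
import hashlib
import subprocess
import sys
import tempfile
from importlib import metadata
from pathlib import Path

def is_installed(dist_name):
    """Installed version of a distribution, or None. Equivalent of
    `pip list | grep <name>`, but via metadata rather than an import:
    the import name can differ from the distribution name."""
    try:
        return metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return None

def sha256_of(path):
    """Hash the file in chunks so a large sdist need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_tarball(path, expected_sha256):
    """True only if the copied file matches the digest recorded on PyPI."""
    return sha256_of(path) == expected_sha256.strip().lower()

def install_offline(tarball, expected_sha256):
    """Install a hand-copied sdist with pip kept off the network: --no-index
    skips the index, --no-build-isolation stops newer pip from fetching
    setuptools for the build step. Refuses to run on a digest mismatch."""
    if not verify_tarball(tarball, expected_sha256):
        raise ValueError("digest mismatch for %s, refusing to install" % tarball)
    subprocess.check_call([sys.executable, "-m", "pip", "install",
                           "--no-index", "--no-build-isolation", str(tarball)])

def demo():
    """Offline self-check on a constructed placeholder file (not a real sdist)."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = Path(tmp) / "mordor-1.1.tar.gz"
        fake.write_bytes(b"constructed placeholder, not a real sdist\n")
        good = sha256_of(fake)
        return {
            "absent": is_installed("no-such-distribution-for-this-example"),
            "good_hash": verify_tarball(fake, good.upper()),
            "bad_hash": verify_tarball(fake, "0" * 64),
        }
```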

Wednesday, April 13, 2016

How to save $$$ by using open source software instead of proprietary software

In March 2014, a storm happened in our office.  Some 50 folks were given marching orders.  From being laid back and overstaffed, our office floor was suddenly "awakened" and short-staffed.  Some folks had seen their "moment of truth".  For me, I was told to take some new tasks.  Tasks that my team members were "supposedly" doing.  And also an additional role in the security team of our products, SONAS and V7000 Unified.  I am always ready to take new tasks.  Being an evolved Aquarian, I welcome change.

The new role in the security team of our products, I started it in my natural style, taking the bull by the horns.  I strongly believe that's what works in stormy weather.  My method was to question everything.  Review everything, and replace / adjust what is appropriate.

As part of this security role, my colleagues used to execute a security scan of our products on a periodic basis, using Nessus.  Nessus is a proprietary, comprehensive vulnerability scanner.  I studied this task in the same manner - question everything.  I found OpenVAS, a framework of several services and tools offering a vulnerability scanning and vulnerability management solution.

I did not use Nessus at all.  I told our admin folks not to continue the paid user account that was being used for executing vulnerability scans using Nessus.  I started using OpenVAS.

From the OpenVAS web site, I downloaded an image that contained a ready-to-use virtual machine with OpenVAS installed.  I prepared a virtual machine on my laptop.  It was easy.  I like the idea of providing an image that I could download and use to start a virtual machine that has OpenVAS installed.

In the scope of my projects, both Nessus and OpenVAS are vulnerability scanners.  Both work on the principle of scanning the product for the presence of known security issues.  I did not do a deep study to determine which one is slightly better than the other.  I did not have that luxury of time.  More important was to get the job done, in time, and with minimum money spent.  In my limited study of Nessus and OpenVAS, I found Nessus has a richer GUI than OpenVAS.

What was the benefit of using Nessus?  The centralized IBM team was managing the Nessus server.  At the cost of project money.  I decided to put some effort into setting up OpenVAS, maintaining it, and using it.  I saved the project money that was spent on the Nessus user account, and on the hardware in the lab from which the security scan was initiated.

What is the benefit of using OpenVAS?
* No need to purchase software or any licenses
* No additional hardware needed.  OpenVAS is running in a virtual machine, which is running on my laptop

And the cost associated?  The effort required to set up and maintain OpenVAS running in a virtual machine.

Considering benefits vs the cost associated, this was a good bargain.

What did I miss?  Nessus seems to have a richer GUI than OpenVAS.  I am willing to miss a better user experience, for saving some $$$ from my project budget.

In my opinion, rather than which vulnerability scanner is being used, what is important in the scope of my project is identifying the optimal frequency at which scan should be done, and doing it.

Checking the product using a vulnerability scanner during the development phase is important.  But this has a limited value.  Vulnerability scanners check the product against known security issues.  They cannot find security issues that are not yet recognized.  Recognizing new security issues is done by skilled humans, by looking at code (for example, the Bar Mitzvah attack), by applying new ideas (for example, slowloris), and so on.  Only then do the vulnerability scanners update their "signatures" to detect the new issue.

So, checking the product using a vulnerability scanner during the development phase should be done.  This ensures that we are not shipping our product with any of the known security issues.  But it does not guarantee that our product is 100% secure at the time of release.  There could be security issues present in our product, resulting from unsafe code, that no scanner yet knows about.

If you are not sure about which vulnerability scanner to use, a good idea is to use two vulnerability scanners and compare the results.  In my project work, I did not have the luxury of using two vulnerability scanners and comparing the results.  So I chose one and used it, with awareness of the situation and the possible outcomes.

Please note: thoughts expressed here are my own, and not necessarily of my employer.