Google Site Verification with Wordpress

As with all sites that wish to be found praying to the google gods of horrible user interfaces is required. In that there are several meta tags that your site needs to cough up so that the google bot understands this is a site worthy of its consideration.

There is a list of tags as identified in [1] but this post if going to focus on getting the verification code and planting it in a Wordpress site so that it presents it.

First, the meta tag we want to use is google-site-verification. And as with all things Google finding out how to get one varies, is hard to find, and the documentation is contradictory and confusing. This post is a result of the usual Google misinformation so the next time I need this I can .... well....consult with myself. In this case I finally found that the link at [2] helped. And already having a google analytics account allowed me to generate the verification code.

Essentially I did this:

1. Go to Webmaster Central and click Add a site. Enter the URL of your site. https://www.google.com/webmasters/verification/home
2. Choose alternate methods tab.
3. Select HTML Tag

This generates a tag like this:
<meta name="google-site-verification" content="z0TcgvjhJgg3FArBc8j8CAKMMFRpcW6uFBebbHYKRoE" />

Next I installed a Wordpress plugin called "Meta Tag Manager" [3] and entered the tag information there.

Once this was live in my site and every page was providing the meta tag I could click verify in the Wemaster Central page.

Another page will involve the setup for Google Analytics in my Wordpress site.




References:

1. Meta tags that Google understands, https://support.google.com/webmasters/answer/79812?hl=en
2. Verify site ownership on Google Search Console, https://support.google.com/analytics/answer/1142414?hl=en
3. Meta Tag Manager, https://en-ca.wordpress.org/plugins/meta-tag-manager/

Why Your Security Program Fails #1

You have a security group. They are passionate, trained, and competent. But security is still weak based on customer audits. Why?

Reason Number 1:

Your organization only performs security audits late in the quality cycle. Development neither engages nor listens to your security team because of a variety of reasons.

1. A culture of coddling developers so they feel elite, and therefore they know it all so they do not believe they require outside expertise.
2. Your Security team is in a quality group, and are therefore sneered at in North America.
3. Your Agile process has been broken to mean anything to anyone at any given time so therefore its missed as part of the agile cycle.
4.  Your hipster/hideous beard crowd is breaking things at the speed of Google because that's how code is made today.

Based on this any security issue may require a serious redesign. (Really?!, why can't our MongoDB cluster be exposed on the public internet?). Unless of course product managers can sweep it under some other rug.

Blame marketing. That normally works.

Has Your Company made this Traditional Mistake Managing a Security Team

So my background is development. I have been on both Red Team (attacking, pentesting, Threat/risk analysis) and Blue Team (design and implementation of security features, crypto etc). Yet for some reason the Red Team is typically in a quality group.

I can understand why to a point. But in a North American (NA) context where quality is a low priority (based on my experience) this approach is a failure.

Here is why I believe this:

1. In a NA context, there are little expectation of a quality group and are often ignored. They have no seat at the table.
2. Most security issues can be resolved and avoided during architecture. Unfortunately NA development does not engage (and in one of my experiences even purposely avoids a quality based security group) at this time so architectural mistakes are made and technical debt is incurred.
3. Threat models are inconsistent. Because of a low respect given to quality groups in a North American context development groups do not respect any group in a quality organization Therefore, they will not engage and ignore competent penetration testers in group within a quality group.

Fundamentally there is a lack of respect from development management and development members towards quality group members. I know, I have been in both. The different in a NA context is that management has low expectation for quality groups and often put under performing members  there. Development then as a whole has lower expectations and less respect for these organizations.

If you then have a group of well trained hackers in a quality group whose expertise crosses between these two divides then there is a problem. Your development organization will not respect or even listen to them and your product security as a whole suffers.

The bandaid solution is to move the red team group to the development management sphere but this avoids the elephant in the room, mainly the problem with how quality groups are managed and the expectations afforded them.

Throughout my career I have extended respect to all colleagues regardless of their position in the organizational structure. Development, Quality, and support.

However based on the unprofessional behavior of Developers towards colleagues in Quality I now have less respect for development teams. 

It is development who have the problem. And they are the ones that must fix it.

Burp Suite, Firefox, SSL, HSTS, and sec_error_unknown_issuer

If you are using Burp Suite Pro intercepting proxy you will know you have the following chain.

|Browser| <=>|burp|<=>|Target Website|

In an SSL environment burp will send its own self signed cert to your browser while behaving as the client to the target. 

But if the target website uses HSTS (HTTP Strict Transport Security) and you use Firefox as a client then you will have problems. What you will see is a sec_error_unknown_issuer error and no ability to add an exception.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate. 

Ok, So we know the site is normal - in our case its an internal staging environment. We could use another browser but there is a way to work around this.

Originally I tried downloading the burp self-signed certificate and importing it into the Windoze certificate manager by double clicking the .crt file. However this did not result in any change, I still had the sec_error_unknown_issuer problem.

The solution here is to manually import the Burp certificate into Firefox by:

1. Firefox->Hamburger Menu at Top Right->Options->Advanced->Certificates->View Certificates
2. This will display a Certificate Manager dialog. Select Import and then select the Burp Certificate.

The Attitude Failure of an R&D Shop

So sometimes you overhear things. Sometimes you don't have to try to overhear things. And even sometimes these things are presented to you on a silver platter with a marching band.

This is one of those times as shared by a friend who works somewhere.

So an R&D group is managed from out of town. So there are regular visitors from out of town to see what is happening in that outpost of R&D. These visitors attend meetings and (fanfare) ask questions.

When one of those visitors leave the room a local senior/lead developer states (or rather it falls out of their mouth) for the benefit of the remainder of the local people in the room:

I don't like these visitors showing up, attending meetings, and asking questions when they don't know what's going on.

So there are few points I would like to address regarding this kinds of statement:

1. You do not own the product that you are working on. They do. Get use to questions from them. Or leave.
2. These people sign your paycheque. Get use to answering questions from them. Or leave.
3. You work for R&D. It's not the other way around. Get use to it. Or leave.
4. Perhaps, since they lead R&D,they need to  ask questions so they know what is going on. Get use to it. Or leave.
5. The reason they are asking questions is because you are not communicating with them. So perhaps you need to communicate so they do know "what is going on"? Suck it up buttercup.
6. Perhaps you are so confused and scattered that you yourself do not know what is going on.

Fundamentally this shows an R&D team with a very poor attitude. The question is not who I would fire first but when I would stop.

When You Realize that your development Geniuses are really Asses

So you have a development team. Yes. They are smart. But perhaps not as smart as you think. Regardless they swagger and talk. Controlling your projects and plotting down a path of doom.

But what are the signs that they have gone too far.

Could it be when:

1. They complain of out of town managers (you know, the  ones from head office) arriving and appearing at meetings and asking questions when they don't know anything about how your destroying the projects?
2. They claim they can rely only on unit tests?
3. Perhaps its when they think they can stovepipe code straight to production without a system level test in a staging environment?

If its any of these it probably already too late for you. Controlling their incompetent urges now that the arrogance is out of the bag will just mean they will leave to go destroy another project.

Or perhaps that would not be so bad after all.

Has Your Company made this Traditional Mistake Managing a Team

What traditional mistake is this? Search through your history,  you know its there....just lurking below the surface. Ah. There it is.

The Myth of the Genius Software Developer.

Sometimes it goes beyond myth, to adulation, subservience, and worship. Managers, the incompetent ones, prostrate themselves to the genius software developer thus leading them and their project down the path of doom.

Managers become lackeys.  Sorting the technical laundry too scared that all those eggs that they put in that one basket will fall. Scared that they would loose their genius.

Losers.

All of them.

The Crisis in the Software Industry

To be fair I have not seen this at any one company. I have seen it at every company I have worked for. And as a software developer with 20+ years experience I can also say, in my more immature days, I was guilty of the same sin.

What is that problem that I observe?

Just the arrogant self absorbed know-it-all behavior of  software development shops. Sure, some may be nice people. Some even care.

However I have a slightly different perspective. I have this perspective because I have been within development teams and outside development teams. I was known as the software developer/architect that talked to QC. Talked to support. The response I received from these teams that this was rare behavior.

My observations of development teams are as follows:

1. Do not consult, even if others outside development may have more experience on the technical issues they are working on.
2. Get easily impressed by "cool" technology. Nay, they are a slave to it.
3. Only address problems in how that cool technology can solve it.
4. Are easily impressed by technology that they think the "cool" kids are using.
5. Cannot address the core problem or use case. Unless it is in terms of that cool technology.
6. Cannot address problems with humility and respect. Are treated like unicorns and as such behave like unicorns.
7. Some even have a know-it-all behavior to the point of absurdity - such as the time a colleague announced that HE was a breast feed expert. (His wife was expecting and he read a book on it).

The end result of these issues is a product that has security (amongst other) flaws. By design. Combined with a FISI (F*ck it ship it) management methodology you can understand why shipped or cloud based software is garbage that customers end up becoming the quality testers.