Checking certificate dates

Sometime, when we are working or doing some investigations in our spare time we need to check the dates a web certificate has, especially, the expiration date. Obviously, we can go to our browser, introduce the desired url and with a few clicks check the issued and expiration dates.

But, there is another way more simple, easier and, in case we need it, we can script.

echo | openssl s_client -servername -connect 2>/dev/null | openssl x509 -noout -dates

This simple command gives us the information we want.

I hope it is useful.

Checking certificate dates

Change file date and time

Sometimes if we need to perform some tests we need some files to have a modification day and time matching our criteria. If we are in a Unix/Linux based system, we can use easily the command line tool “touch”.

An example command will be:

touch -t 01010001 file.txt
touch execution

Extracted from “man touch”. The option “-t” changes the access and modification times to the specified time instead of the current time of day.  The argument is of the form:[[CC]YY]MMDDhhmm[.SS]

Change file date and time

Headless browser

A lot of people do not know but some browsers have a “headless” option we can use to execute operations using the console or terminal. This is useful for scripts, invocations from our applications or anything we can think of.

We just need to execute the next instruction:

firefox --headless --screenshot ~/image.png

The result is going to be something like:

Headless browser

Java reflection: Accessing a private field

Sometimes, when we import 3rd-party libraries, we can find cases where the information we want is has been populated in an object but, the property is a private one and there are no methods to recover it. Here, it is where the Java reflection capabilities can help us.

Note: Use reflection carefully and, usually, as a last resource.

Let’s say we have a simple class with a private property:

class A {
    private String value = "value";

We want to access the property “value” but, for obvious reasons, we cannot do it.

We can implement our reflection method to access the property value:

import java.lang.reflect.Field;

public class Reflection {

   public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException {
      final A a = new A();
      final Field secureRenegotiationField = a.getClass().getDeclaredField("value");


      System.out.println((String) secureRenegotiationField.get(a));

With these few lines of code, we will be able to access the value.

Java reflection: Accessing a private field

Groups in Regular Expressions

We cannot discuss the power of regular expression, an amazing tool with unlimited (usually our imagination) capabilities to progress strings. Every developer should, at least, have a basic understanding of them. But, lately, I have realized not a lot of people knows the possibility of creating and labeling “groups”. Groups allow us to access in a very  simple and clear way to the expressions matching our regular expression.

Regular expressions allow us to not just match text but also to extract information for further processing. This is done by defining groups of characters and capturing them using the special parentheses “(” and “)” metacharacters. Any subpattern inside a pair of parentheses will be captured as a group. In practice, this can be used to extract information like phone numbers or emails from all sorts of data.

Here, I am just going to write a little example to show the basic behavior and, I leave to all of you to find the appropriate use cases. In the example, I am going to extract some different hashes for further processing.

public static void main(String[] args) {
    final Pattern HASH_PATTERN = Pattern.compile("^(?<md5>[0-9a-f]{32})(?:/)(?<sha1>[0-9a-f]{40})(?:/)(?<sha256>[0-9a-f]{64})$");
    final Matcher matcher = HASH_PATTERN.matcher("ce114e4501d2f4e2dcea3e17b546f339/a54d88e06612d820bc3be72877c74f257b561b19/c7be1ed902fb8dd4d48997c6452f5d7e509fbcdbe2808b16bcf4edce4c07d14e");

    if (matcher.matches()) {         
        final String md5 ="md5");         
        final String sha1 ="sha1");         
        final String sha256 ="sha256");         

As you can see, the example is pretty simple, it takes one line that contains a string and extracts the MD5, SHA1 and SHA256 hashes. We can see the code is easy to read and understand because everything is using human readable labels not just numbers to access the groups and there is no need to process the string with split operations or similars.

The syntax for the groups is:

(?<name>X)– X, as a named-capturing group

(?:X) – X, as a non-capturing group

With this, we can easily make our code easier to read and maintain when we are extracting information or doing some text processing.

For further information, check the Java documentation: Pattern (Java SE 10 & JDK 10)

Groups in Regular Expressions

Enterprise roles

We are living big times. Companies are changing, evolving, re-inveting themselves and usually all of this happens with the help of technology, think that, luckily, allow us to be involved. But, all these changes have helped the appearance of new or re-invented roles at directive levels in the different companies.

We are hired to get our job done and, sometimes, this job involves to discuss and present our ideas to managers or directives. Here, it is where we fall in this dance of letters and acronyms like CEO, CTO, CISO… A long list of them, and, to do our job properly, we need to know who we should be addressing. We do not want to be losing our time and, I am quite sure, they do not want to lose their time.

For this reason, I have made a small list of these roles and what they mean, just a little help for the most common ones:

For this reason, I have made a small list of these roles and what they mean, just a little help for the most common ones:

CEO (Chief Executive Officer)

He is the executive director, the manager, the highest position in the organizational chart of the organization. It is the final responsible for the actions carried out within the company, its performance and its efficiency.

Its main function is to supervise and ensure that the strategy defined in the company complies with the achievement of the objectives of the organization, in addition to sowing the principles and basic pillars to be followed within the company.

The CEO has an important relationship with the CIO, because the strategies of companies are closely linked to the field of information technology.

CIO (Chief Information Officer)

He is the systems manager or director of information technology. It reports directly to the CEO, and basically ensures that the organization’s strategies are aligned with information technology to achieve the planned objectives.

In addition, it is responsible for improving the information technology processes of the organization, managing risk and business continuity, controlling the cost of information technology infrastructure, aligning information technology governance with technological requirements, and establish improvements and innovations of solutions and products.

CSO (Chief Security Officer)

It is responsible for the security of the organization. The CSO is sometimes called the corporate security officer. We can think that the CISO and the CSO are the same role and that they perform the same functions. In small organizations it is common for both responsibilities to coincide in the same person. But it really is not like that. The role of the CISO is usually more focused on aspects of information security, while the CSO is required to:

  • Have a business vision that understands the risks the organization faces and how to deal with them.
  • Understand the mission and objectives of the company and ensure that all activities are planned and executed to meet those objectives.
  • Understand the regulatory needs, the management of the reputation of the organization and the expectations of the users.
  • Establish business continuity and disaster recovery plans in the field of information technology.
  • Be aware of regulatory changes, should be informed of the consequences for the activities of the organization and proposing appropriate measures to adapt to the new regulatory framework.

When there is CSO and CISO, the CISO reports to the CSO and the CSO to the address.

CTO (Chief Technology Officer)

The role of the CTO in a role similar to the CIO but more “technical”. In this sense, they have identified no less than six different roles that CTOs can play. They intermingle with the functions of the CIO. However, we can say that he is a technical director, being responsible for the day-to-day management of information technologies.

CISO (Chief Information Security Officer)

The CISO (Chief Information Security Officer) is the director of information security. Basically it is a role played at the executive level and its main function is to align the security of information with business objectives. In this way it is guaranteed at all times that the company’s information is adequately protected.

As we said, every day new roles are emerging. Therefore, many of the responsibilities of a position have been modified over the years. However, for the role of CISO we can say that in general, its responsibilities include:

  • Generate and implement information security policies.
  • Guarantee the security and privacy of the data.
  • Supervise the administration of control of access to information.
  • Supervise the regulatory compliance of information security.
  • Responsible for the response team to information security incidents of the organization.
  • Supervise the security architecture of the company’s information.

In general, these are the roles you can hear around more often but a lot more of them exist, i.e. CFO (Chief Financial Officer), CMO (Chief Marketing Officer), CDO (Chief Data Officer or Chief Digital Officer). This last one, probably it is going to show more often every day. As we can see the rule basically is: Chief + + Officer.

Let’s just keep them in mind, next time we need to talk or email someone to do our job.

Post based on: INCIBE

Enterprise roles

Git top committers

It is very common nowadays for companies to have a big when not a huge amount of code in their repositories and, if we are lucky, all this code will be split across multiple projects and repositories. In addition to this, it is very common in this company environments that no one owns an specific project, people just work in their tasks and sometimes they change multiple projects. This environment produces a situation where when you have questions about an specific project you do not know exactly who is the best person to ask.

There is not a simple solution to solve that but, if you are using git as a version control system, one possible solution is to obtain the top committers of the project. We can do this easily with a very simple command:

git shortlog -s -n --all | head -3

This will show us the first three top committers for our project. But, we are developers, we are lazy and we like to automate and build scripts to cover more than the simple case. Then, we can build this script:


print_help() {
    echo " Do you need help or knowledge about one of our projects?
    Who is the better person to ask about one of them?
    Here you can find it!


        topcommitters - list top committers in the git projects

        topcommitters [OPTION]... [PROJECT]...

        List top committers in the git projects

        There are not mandatory arguments. By default top 5 committers in all projects are listed.

            -f, --folder
                location of the repositories. By default ~/sourcecode

            -c, --count
                number of committers listed. By default 5

            -p, --project
                single project to be listed. ie: deliveries-service

            -h, --help
                show this help message.

        Exit status:
            0 if OK,

        Written by fjavierm.


    BSD                   1 July, 2018                        BSD

show_multiple() {
    # Loop all sub-directories
    for f in $dir
        show_single $f

show_single() {

    # Only interested in directories
    [ -d "${f}" ] || return

    echo -en "\033[0;35m"
    echo -n "${f}"
    echo -en "\033[0m"

    # Check if directory is a git repository
    inside_git_repo="$f/$(git rev-parse --is-inside-work-tree 2>/dev/null)"
    if [ "$inside_git_repo" ];
        cd $f


        # list top authors
        echo -en "\n"
        git shortlog -s -n --all -- . | head -${count}

        cd ../
        echo -ne "\t\t\tNot a git repository"


while [[ $# -gt 0 ]]

case $key in
    shift # past argument
    shift # past value
    shift # past argument
    shift # past value
    shift # past argument
    shift # past value
    exit 0
    *) # unknown option
    POSITIONAL+=("$1") # save it in an array for later
    shift # past argument
set -- "${POSITIONAL[@]}" # restore positional parameters


# No directory has been provided, use default
if [ -z "$dir" ]

# No count has been provided, use 5
if [ -z "$count" ]

# Make sure directory ends with "/"
if [[ $dir != */ ]]

if [ -z "$PROJECT" ]
    show_single $dir$PROJECT

exit 0

Basically the script executes almost the same command we have seen at the beginning but it offers us a few more options.

We can list all the projects at once in our default folder ~/sourcecode:


We can see the help text:

./ -h

We can specify where our projects are:

./ -f ~/mycode

We can select where the projects are, which concrete project do we want and how many committers we want to see:

./ -f ~/mycode -p ecommerce -c 3

One interesting feature is that, as you can notice, the command in the script is slightly different to the original command:

Original: git shortlog -s -n --all | head -3
Script: git shortlog -s -n --all -- . | head -${count}

This difference gives us the possibility to list committers in a folder inside the git repository even if that folder is not the repository folder. For example, imagine we have the next project structure:

-- .git
-- 3rd-party-apis
-- facebook
-- twitter
-- google
-- linkedin

Imagine that we want to obtain information about the facebook project. If we just execute “./ -p big-project” we will obtain the top committers for the whole project and this is not what we want but, with the modification of the original command in the script, we are allowed to execute “./ -p big-project/facebook” and obtain the exact information we want.

Git top committers