SlideShare a Scribd company logo

BDD Mobile Security Testing (OWASP AppSec Bucharest 2017)

Download as PPTX, PDF
Davide Cioccia, profile picture
Davide Cioccia

The document discusses BDD mobile security testing using OWASP's MASVS and MSTG, highlighting the importance of integrating security throughout the software development lifecycle. It emphasizes the need for a standardized approach to mobile testing, addressing challenges like different operating systems and app types, proposing Calabash as a tool for automated security testing. The document includes use cases illustrating various security requirements and testing methodologies for mobile applications.

Software
1 of 48
Downloaded 24 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
BDD Mobile security testing with OWASP MASVS, OWASP MSTG and Calabash
About Me • #whoami • Davide Cioccia • Security Engineer @ ING Bank NL • Italian leaving in the NL • +7 years security experience • Security magazines and OWASP MSTG contributor • Focus: – Mobile application security – SSDLC – PT & VA – Incident Response
• Agile Way of Working
• CICD Requirements Design Code Build Test Release Deploy Operate Agile Development Continuous Integration Continuous Delivery Continuous Deployment DevOps
• Security challenges • Technical: • Provide security at the DevOps speed • Detect vulnerabilities in early stage • Have developers understand security • Have Pentesters focus on “serious” stuff • Business • Lower cost to fix • Lower time to fix • Lower time for testing • Lower time to market
• Manual vs Automation
• Automate the testing: the biggest problem
• Solution: BDD Testing Describe the behavior of your software in a very understandable language
• Solution: BDD Testing with Cucumber and Gherkin • Automated • Understandable by all the stakeholders • It fits in the workflow of CI/CD
• BDD Testing Business facing Technology facing
• BDD security tests • Different frameworks available in the market • Usage of PT tools, such as Nessus, ZAP, Burp etc • Focused on server side testing (API, Web Services..)
• Mobile BDD security tests?
• Mobile BDD security tests?
• Main problems – different Operating Systems – client side testing – different apps (native, hybrid,web) – different security controls – different way of testing (iOS, Android, Windows Phone)
How to fix these problems?
• We need a security standard for Mobile Testing
• We need a process Requirements Design Code Build Test Release Security Requirements Threat modeling (abuse case generation) Threat based security controls & test specification Implement BDD standardized security tests Implement BDD application specific security tests Test against acceptance environment MSTG Test cases MASVS Checklist Manual PT Identify the flaw Patch the flaw
• We need a tool • Cross platform (Android, iOS), we just cut Windows Phone off right? • Support for hybrid apps • Running on emulators • Running on real devices • Possibility to integrate it in the CI/CD • Support for Gherkin syntax • A lot of customization • Free! (We like that :D)
• And the winner is … calaba.sh
• Calabash
• Calabash
• Integration with with other mobile security frameworks • Pentest frameworks for Android and iOS • Automate manual activities • scriptable • the agent must run on the device – Powered by MWRlab
Let’s try it out https://github.com/dineshshetty/Android-InsecureBankv2
• UC1: sensitive information in log file (standard test) – Requirements 1. Logs must not contain usernames 2. Logs must not contain passwords 3. Logs must not contain information related to the user 4. Logs must not disclose sensitive information MASVS V2 - Data Storage and Privacy MSTG 2.1: Sensitive information in log files
• What’s wrong here?
• What’s wrong here?
• Use case 1: sensitive information in log file – Feature
• Use case 1: sensitive information in log file – Feature
• Use case 1: sensitive information in log file – Step
• Similar tests implemented • Sensitive data in the clipboard ▪ adb shell su <uid> service call clipboard 2 s16 <package_name> • Sensitive data in keyboard cache ▪ query /data/data/com.android.providers.user dictionary/databases/user_dict.db
• Use case 2: Internal activities must not be exported – Requirements 1. The only exported activity must be the login 2. Internal activities should have the flag exported set to false MASVS: V6 - Platform Interaction V4 - Authentication and Session Management
• Use case 2: Internal activities must not be exported – Feature
• Use case 2: Internal activities must not be exported – Step without Drozer
• Use case 2: Internal activities must not be exported – Step with Drozer
• Use case 3: JavaScript in WebView must be disabled – Requirements 1. The Webview must not execute JavaScript code 2. If an input is reflected in the WebView it must be sanitized MASVS V6: Platform interaction MSTG: V6.5: JavaScript is disabled in WebViews unless explicitly required.
• Use case 3: JavaScript in WebView must be disabled – Feature
• Use case 3: JavaScript in WebView must be disabled <HMTL /> loadsave
• Use case 3: JavaScript in WebView must be disabled – Step • Provided by calabash • Checks if an alert box is executed and contains the text specified
• Use case 4: Content provider information disclosure – Requirements 1. Content Providers must not expose sensitive information 2. Content Providers must not be exported if there are no other apps from the same developer 3. Content Providers must use android:export = false instead of android:export = true MASVS V6: Platform Interaction MSTG: Testing Platform Interaction on Android
• Use case 4: Content provider information disclosure – Feature
• Use case 4: Content provider information disclosure – Feature
• Use case 4: Content provider information disclosure – Step
Other tests implemented: • Exploit Broadcast Receivers • Intent Sniffing • Sensitive information in Pasteboard • More…
• Integration with CI/CD (Jenkins) – Android emulator plugin – Add Gemfile to your workspace – Shell script https://azevedorafaela.wordpress.com/2014/10/08/9-steps-to-configure-jenkins-with-calabashcucumber/
Improvements • Include OWASP ZAP for API test • Use the ”backdoor” feature to modify the code at runtime • ?
DEMO
• Achievements – Speed – Quality – Accuracy – Scalability – Maturity “Trying to speed project schedule by reducing testing is like trying to lose weight by donating blood” Klaus Leopold
THANK YOU Davide Cioccia email: davide.cioccia@ing.nl web: davidecioccia.com

More Related Content

PPTX
Security Testing for Containerized Applications
Soluto
 
PDF
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...
DevSecCon
 
PDF
DevSecOps What Why and How
NotSoSecure Global Services
 
PDF
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
PDF
Building a DevSecOps Pipeline Around Your Spring Boot Application
VMware Tanzu
 
PDF
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
PDF
DevSecOps - The big picture
Stefan Streichsbier
 
PDF
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...
DevSecCon
 
Security Testing for Containerized Applications
Soluto
 
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...
DevSecCon
 
DevSecOps What Why and How
NotSoSecure Global Services
 
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
Building a DevSecOps Pipeline Around Your Spring Boot Application
VMware Tanzu
 
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
DevSecOps - The big picture
Stefan Streichsbier
 
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...
DevSecCon
 

What's hot (20)

PDF
Maturing DevSecOps: From Easy to High Impact
SBWebinars
 
PPTX
DevSecOps : an Introduction
Prashanth B. P.
 
PPTX
How to get the best out of DevSecOps - an operations perspective
Colin Domoney
 
PPTX
DevOps & Security: Here & Now
Checkmarx
 
PPTX
DevSecOps reference architectures 2018
Sonatype
 
PDF
Bug Bounties and The Path to Secure Software by 451 Research
HackerOne
 
PPTX
DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...
DevSecCon
 
PPTX
How Azure DevOps can boost your organization's productivity
Ivan Porta
 
PDF
Pentest is yesterday, DevSecOps is tomorrow
Amien Harisen Rosyandino
 
PDF
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
PDF
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
Agile Testing Alliance
 
PDF
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Abdessamad TEMMAR
 
PDF
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
PDF
Your Framework for Success: introduction to JavaScript Testing at Scale
Sauce Labs
 
PPTX
All Around Azure: DevOps with GitHub - Managing the Flow of Work
Davide Benvegnù
 
PDF
CICD with Jenkins
Vietnam Open Infrastructure User Group
 
PPTX
ATAGTR2017 Wearable App Testing
Agile Testing Alliance
 
PDF
Securing the Pipeline
Thoughtworks
 
PDF
Serverless Security: Doing Security in 100 milliseconds
James Wickett
 
PDF
Hacker Games & DevSecOps
lokori
 
Maturing DevSecOps: From Easy to High Impact
SBWebinars
 
DevSecOps : an Introduction
Prashanth B. P.
 
How to get the best out of DevSecOps - an operations perspective
Colin Domoney
 
DevOps & Security: Here & Now
Checkmarx
 
DevSecOps reference architectures 2018
Sonatype
 
Bug Bounties and The Path to Secure Software by 451 Research
HackerOne
 
DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...
DevSecCon
 
How Azure DevOps can boost your organization's productivity
Ivan Porta
 
Pentest is yesterday, DevSecOps is tomorrow
Amien Harisen Rosyandino
 
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
Agile Testing Alliance
 
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Abdessamad TEMMAR
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
Your Framework for Success: introduction to JavaScript Testing at Scale
Sauce Labs
 
All Around Azure: DevOps with GitHub - Managing the Flow of Work
Davide Benvegnù
 
CICD with Jenkins
Vietnam Open Infrastructure User Group
 
ATAGTR2017 Wearable App Testing
Agile Testing Alliance
 
Securing the Pipeline
Thoughtworks
 
Serverless Security: Doing Security in 100 milliseconds
James Wickett
 
Hacker Games & DevSecOps
lokori
 
Ad

Similar to BDD Mobile Security Testing (OWASP AppSec Bucharest 2017) (20)

PDF
Null singapore - Mobile Security Essentials
Sven Schleier
 
PPTX
DevSecCon Boston2018 - advanced mobile security automation with bdd
Davide Cioccia
 
PDF
Owasp masvs spain 17
Luis A. Solís
 
PPTX
Mobile Security at OWASP - MASVS and MSTG
Romuald SZKUDLAREK
 
PDF
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
Felipe Prado
 
PDF
Droidcon it-2014-marco-grassi-viaforensics
viaForensics
 
DOCX
Jim Richardson Software Testing CS459 IP 5
Jim Richardson
 
PPTX
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
TestDevLab
 
PPTX
Android pentesting
Mykhailo Antonishyn
 
PDF
Android pentesting
Mykhailo Antonishyn
 
PPTX
Untitled 1
Sergey Kochergan
 
PPTX
Mobile application security
Shubhneet Goel
 
PPTX
Mobile Application Security
Ishan Girdhar
 
PPTX
Mobile platform security models
Prachi Gulihar
 
PPTX
Security testing of mobile applications
GTestClub
 
PPTX
How to Test Security and Vulnerability of Your Android and iOS Apps
Bitbar
 
PPTX
Windows Phone 8 Security and Testing WP8 Apps
Jorge Orchilles
 
PPTX
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Romansh Yadav
 
PDF
CodeMotion tel aviv 2015 - burning marshmallows
Ron Munitz
 
PDF
Jump-Start The MASVS
Prathan Phongthiproek
 
Null singapore - Mobile Security Essentials
Sven Schleier
 
DevSecCon Boston2018 - advanced mobile security automation with bdd
Davide Cioccia
 
Owasp masvs spain 17
Luis A. Solís
 
Mobile Security at OWASP - MASVS and MSTG
Romuald SZKUDLAREK
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
Felipe Prado
 
Droidcon it-2014-marco-grassi-viaforensics
viaForensics
 
Jim Richardson Software Testing CS459 IP 5
Jim Richardson
 
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
TestDevLab
 
Android pentesting
Mykhailo Antonishyn
 
Android pentesting
Mykhailo Antonishyn
 
Untitled 1
Sergey Kochergan
 
Mobile application security
Shubhneet Goel
 
Mobile Application Security
Ishan Girdhar
 
Mobile platform security models
Prachi Gulihar
 
Security testing of mobile applications
GTestClub
 
How to Test Security and Vulnerability of Your Android and iOS Apps
Bitbar
 
Windows Phone 8 Security and Testing WP8 Apps
Jorge Orchilles
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Romansh Yadav
 
CodeMotion tel aviv 2015 - burning marshmallows
Ron Munitz
 
Jump-Start The MASVS
Prathan Phongthiproek
 
Ad

More from Davide Cioccia (9)

PDF
Avoiding GraphQL insecurities with OWASP SKF - OWASP HU meetup
Davide Cioccia
 
PDF
Attacking and defending GraphQL applications: a hands-on approach
Davide Cioccia
 
PPTX
Black Hat Europe 2018 Arsenal Tools - Squatm3
Davide Cioccia
 
PPTX
BH ASIA 2019 Arsenal Tools - Squatm3 and Squatm3gator
Davide Cioccia
 
DOCX
NAS Botnet Revealed - Mining Bitcoin
Davide Cioccia
 
PDF
Inside TorrentLocker (Cryptolocker) Malware C&C Server
Davide Cioccia
 
PDF
One shot eight banks
Davide Cioccia
 
PDF
Windows Mobile 6.5: Client for a multimedia conferencing platform
Davide Cioccia
 
PDF
A statistical framework to evaluate the "diversity" impact against Advanced P...
Davide Cioccia
 
Avoiding GraphQL insecurities with OWASP SKF - OWASP HU meetup
Davide Cioccia
 
Attacking and defending GraphQL applications: a hands-on approach
Davide Cioccia
 
Black Hat Europe 2018 Arsenal Tools - Squatm3
Davide Cioccia
 
BH ASIA 2019 Arsenal Tools - Squatm3 and Squatm3gator
Davide Cioccia
 
NAS Botnet Revealed - Mining Bitcoin
Davide Cioccia
 
Inside TorrentLocker (Cryptolocker) Malware C&C Server
Davide Cioccia
 
One shot eight banks
Davide Cioccia
 
Windows Mobile 6.5: Client for a multimedia conferencing platform
Davide Cioccia
 
A statistical framework to evaluate the "diversity" impact against Advanced P...
Davide Cioccia
 

Recently uploaded (20)

PPT
Introduction Database Management System for Course Database
ReinertYosua
 
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
PDF
System and Network Administraation Chapter 3
jaramharo
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
PPTX
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
PPTX
assetexplorer- product-overview - presentation
nonameist3434
 
PDF
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
Introduction Database Management System for Course Database
ReinertYosua
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
System and Network Administraation Chapter 3
jaramharo
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
assetexplorer- product-overview - presentation
nonameist3434
 
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
Nekopoi APK 2025 free lastest update
umarali35kp
 

BDD Mobile Security Testing (OWASP AppSec Bucharest 2017)

  • 1. BDD Mobile security testing with OWASP MASVS, OWASP MSTG and Calabash
  • 2. About Me • #whoami • Davide Cioccia • Security Engineer @ ING Bank NL • Italian leaving in the NL • +7 years security experience • Security magazines and OWASP MSTG contributor • Focus: – Mobile application security – SSDLC – PT & VA – Incident Response
  • 3. • Agile Way of Working
  • 4. • CICD Requirements Design Code Build Test Release Deploy Operate Agile Development Continuous Integration Continuous Delivery Continuous Deployment DevOps
  • 5. • Security challenges • Technical: • Provide security at the DevOps speed • Detect vulnerabilities in early stage • Have developers understand security • Have Pentesters focus on “serious” stuff • Business • Lower cost to fix • Lower time to fix • Lower time for testing • Lower time to market
  • 6. • Manual vs Automation
  • 7. • Automate the testing: the biggest problem
  • 8. • Solution: BDD Testing Describe the behavior of your software in a very understandable language
  • 9. • Solution: BDD Testing with Cucumber and Gherkin • Automated • Understandable by all the stakeholders • It fits in the workflow of CI/CD
  • 10. • BDD Testing Business facing Technology facing
  • 11. • BDD security tests • Different frameworks available in the market • Usage of PT tools, such as Nessus, ZAP, Burp etc • Focused on server side testing (API, Web Services..)
  • 12. • Mobile BDD security tests?
  • 13. • Mobile BDD security tests?
  • 14. • Main problems – different Operating Systems – client side testing – different apps (native, hybrid,web) – different security controls – different way of testing (iOS, Android, Windows Phone)
  • 15. How to fix these problems?
  • 16. • We need a security standard for Mobile Testing
  • 17. • We need a process Requirements Design Code Build Test Release Security Requirements Threat modeling (abuse case generation) Threat based security controls & test specification Implement BDD standardized security tests Implement BDD application specific security tests Test against acceptance environment MSTG Test cases MASVS Checklist Manual PT Identify the flaw Patch the flaw
  • 18. • We need a tool • Cross platform (Android, iOS), we just cut Windows Phone off right? • Support for hybrid apps • Running on emulators • Running on real devices • Possibility to integrate it in the CI/CD • Support for Gherkin syntax • A lot of customization • Free! (We like that :D)
  • 19. • And the winner is … calaba.sh
  • 22. • Integration with with other mobile security frameworks • Pentest frameworks for Android and iOS • Automate manual activities • scriptable • the agent must run on the device – Powered by MWRlab
  • 23. Let’s try it out https://github.com/dineshshetty/Android-InsecureBankv2
  • 24. • UC1: sensitive information in log file (standard test) – Requirements 1. Logs must not contain usernames 2. Logs must not contain passwords 3. Logs must not contain information related to the user 4. Logs must not disclose sensitive information MASVS V2 - Data Storage and Privacy MSTG 2.1: Sensitive information in log files
  • 27. • Use case 1: sensitive information in log file – Feature
  • 28. • Use case 1: sensitive information in log file – Feature
  • 29. • Use case 1: sensitive information in log file – Step
  • 30. • Similar tests implemented • Sensitive data in the clipboard ▪ adb shell su <uid> service call clipboard 2 s16 <package_name> • Sensitive data in keyboard cache ▪ query /data/data/com.android.providers.user dictionary/databases/user_dict.db
  • 31. • Use case 2: Internal activities must not be exported – Requirements 1. The only exported activity must be the login 2. Internal activities should have the flag exported set to false MASVS: V6 - Platform Interaction V4 - Authentication and Session Management
  • 32. • Use case 2: Internal activities must not be exported – Feature
  • 33. • Use case 2: Internal activities must not be exported – Step without Drozer
  • 34. • Use case 2: Internal activities must not be exported – Step with Drozer
  • 35. • Use case 3: JavaScript in WebView must be disabled – Requirements 1. The Webview must not execute JavaScript code 2. If an input is reflected in the WebView it must be sanitized MASVS V6: Platform interaction MSTG: V6.5: JavaScript is disabled in WebViews unless explicitly required.
  • 36. • Use case 3: JavaScript in WebView must be disabled – Feature
  • 37. • Use case 3: JavaScript in WebView must be disabled <HMTL /> loadsave
  • 38. • Use case 3: JavaScript in WebView must be disabled – Step • Provided by calabash • Checks if an alert box is executed and contains the text specified
  • 39. • Use case 4: Content provider information disclosure – Requirements 1. Content Providers must not expose sensitive information 2. Content Providers must not be exported if there are no other apps from the same developer 3. Content Providers must use android:export = false instead of android:export = true MASVS V6: Platform Interaction MSTG: Testing Platform Interaction on Android
  • 40. • Use case 4: Content provider information disclosure – Feature
  • 41. • Use case 4: Content provider information disclosure – Feature
  • 42. • Use case 4: Content provider information disclosure – Step
  • 43. Other tests implemented: • Exploit Broadcast Receivers • Intent Sniffing • Sensitive information in Pasteboard • More…
  • 44. • Integration with CI/CD (Jenkins) – Android emulator plugin – Add Gemfile to your workspace – Shell script https://azevedorafaela.wordpress.com/2014/10/08/9-steps-to-configure-jenkins-with-calabashcucumber/
  • 45. Improvements • Include OWASP ZAP for API test • Use the ”backdoor” feature to modify the code at runtime • ?
  • 46. DEMO
  • 47. • Achievements – Speed – Quality – Accuracy – Scalability – Maturity “Trying to speed project schedule by reducing testing is like trying to lose weight by donating blood” Klaus Leopold
  • 48. THANK YOU Davide Cioccia email: davide.cioccia@ing.nl web: davidecioccia.com