[Owasp-o2-platform] Feedback

Matt Parsons mparsons1980 at gmail.com
Tue Nov 24 15:34:44 EST 2009

I use Ounce Labs out of the box to scan wars, jars and ears. I then use O2
to filter my findings for my clients. I also scan Dot-net source, as long
as it compiles, with Ounce Labs out of the box. The generic pdf reports
can be created from Ounce Labs. When I do an assessment I break the
findings up into required, requested, informational, to be investigated,
validation required, validation encoding required and potentially malicious.
These are all broken up using bundles.


The reports can be tweaked using O2. But I generally create reports by API
with five lines above and five lines below each line of code, for context.
Let me know if that helps.

Matt Parsons, MSM, CISSP

315-559-3588 Blackberry
817-294-3789 Home office
mparsons1980 at gmail.com
http://www.parsonsisconsulting.com
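As an added illustration of the report layout described above (bundles per finding, five lines of source above and below each flagged line), here is a small report generator. This is example code written for this archive, not O2, Ounce Labs or any scanner's API; the bundle names are the ones in Matt's message, while the Java source, the findings and the rule names are constructed sample data.

```python
"""Build a bundled code-review report with +/-5 lines of source context.

Added example, not O2 or Ounce Labs code. Bundle names follow the message
above; SAMPLE_SOURCE and SAMPLE_FINDINGS are constructed for illustration.
"""
from collections import OrderedDict

# Bundle names from the message, in the order the report prints them.
BUNDLES = (
    "required",
    "requested",
    "informational",
    "to be investigated",
    "validation required",
    "validation encoding required",
    "potentially malicious",
)

# Constructed sample source: file name -> list of lines (index 0 is line 1).
SAMPLE_SOURCE = {
    "Login.java": [
        "package demo;",
        "",
        "public class Login extends HttpServlet {",
        "    protected void doPost(HttpServletRequest req, HttpServletResponse res) {",
        "        String user = req.getParameter(\"user\");",
        "        String query = \"SELECT * FROM users WHERE name = '\" + user + \"'\";",
        "        ResultSet rs = stmt.executeQuery(query);",
        "        res.getWriter().println(\"Welcome \" + user);",
        "        log.debug(\"login attempt for \" + user);",
        "    }",
        "}",
    ],
}

# Constructed findings shaped like a scanner export: (file, line, rule, bundle).
SAMPLE_FINDINGS = [
    ("Login.java", 7, "SQL injection via string concatenation", "required"),
    ("Login.java", 8, "Unencoded output of request parameter", "validation encoding required"),
    ("Login.java", 9, "Sensitive data written to log", "informational"),
    ("Login.java", 5, "Untrusted input read", "validation required"),
]


def context_window(lines, line_no, before=5, after=5):
    """Return (first_line, last_line, snippet) around a 1-indexed line number.

    The window is clipped to the file, so a finding near the top or bottom of
    a file still yields a valid (shorter) snippet instead of a negative slice.
    """
    first = max(1, line_no - before)
    last = min(len(lines), line_no + after)
    return first, last, lines[first - 1:last]


def bundle_findings(findings):
    """Group findings by bundle, keeping the report order defined in BUNDLES.

    An unknown bundle name raises, so a typo in an export is not silently
    dropped from the report. Within a bundle, findings are sorted by file
    and line so the output is stable across runs.
    """
    grouped = OrderedDict((name, []) for name in BUNDLES)
    for finding in findings:
        bundle = finding[3]
        if bundle not in grouped:
            raise ValueError(f"unknown bundle: {bundle!r}")
        grouped[bundle].append(finding)
    for items in grouped.values():
        items.sort(key=lambda f: (f[0], f[1]))
    return grouped


def render_report(sources, findings, before=5, after=5):
    """Render a plain-text report: one section per non-empty bundle, each
    finding followed by its context window with the flagged line marked."""
    out = []
    for bundle, items in bundle_findings(findings).items():
        if not items:
            continue
        out.append(f"== {bundle.upper()} ({len(items)}) ==")
        for path, line_no, rule, _ in items:
            first, last, snippet = context_window(sources[path], line_no, before, after)
            out.append(f"{path}:{line_no}  {rule}  [lines {first}-{last}]")
            for n, text in enumerate(snippet, start=first):
                marker = ">>" if n == line_no else "  "
                out.append(f"{marker} {n:4d}: {text}")
            out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_report(SAMPLE_SOURCE, SAMPLE_FINDINGS))
```

The bundle order is fixed so the reviewer reads "required" items first; the context window clips at file boundaries, which is the one edge case a naive `lines[line-5:line+5]` slice gets wrong for findings in the first five lines of a file.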

From: owasp-o2-platform-bounces at lists.owasp.org
[mailto:owasp-o2-platform-bounces at lists.owasp.org] On Behalf Of Brad Causey
Sent: Tuesday, November 24, 2009 12:21 PM
To: Dinis Cruz
Cc: owasp-o2-platform at lists.owasp.org
Subject: Re: [Owasp-o2-platform] Feedback


See Inline

On Tue, Nov 24, 2009 at 12:07 PM, Dinis Cruz <dinis at ddplus.net> wrote:

This is great news Brad, please dump as much info here regarding what are
your requirements, objectives and deliverables (you can also use the O2
Power-User Blogs, for which you have an account :) ).


The best way to 'consume' O2 is to have a very explicit set of problems that
we can use O2 to solve. So Brad, are you able to list 5 items that you would
like to do with O2?


This I can handle:

1. Scan java source. Such as WAR, JAR,  and EAR.
2. Scan Dot-net source. Compiled and otherwise.
3. Create a report from these scans that allows us to prioritize, browse,

That's about it really. I've looked at findbugs and Yasca but findbugs is
just Java and Yasca's plugins appear broken on the latest release.


Regarding training, there are already a couple of commercial options that are
available to you: Bruce or Ian from IBM/Ounce, Cigital (talk to John Steven
since he knows the best ones), Matt Parsons, and (if you fly them from
Brazil) Wagner from Conviso. There are a couple of other power-users out
there, but I'm not sure I can mention their names :)


I would prefer to go through OWASP for this, thoughts?


On the topic of O2 Users and Companies providing commercial services on top
of O2, I've started a page here
(http://www.owasp.org/index.php/OWASP_O2_Platform/WIKI/Active_O2_Users) and
please feel free to add your name (It's a WIKI, just get an account and
start editing)

Assuming we finalize our process and make this an authorized tool, we just
might do that. =)




On Mon, Nov 23, 2009 at 2:19 PM, Brad Causey <bradcausey at gmail.com> wrote:

I'm firing this into the open forum because hopefully other folks will be
able to get something from it.

I am creating a standardized code review process manual for my employer.
This will include a step-by-step (yay for the reqs in the financial sector)
guide on what needs to be done. Now because we don't have a shi-ton of
coders on our team, we need a tool to assist us. We primarily deal in java
and dot-net. Because of this, O2 came to mind, and I'm proud to say I've
convinced my boss to let me attempt to make O2 the "authorized" tool for
code review, across the organization.

I will probably end up having to hire a trainer and bring them in to train
the team on O2, but this also drives home the need for some simplistic
interfaces, and good docs.

I'd like to get with you Dinis, and make this happen, and share what we
create/learn with the O2 mailing list. Anonymized of course. =)

-Brad Causey

Never underestimate the time, expense, and effort an opponent will expend to
break a code. (Robert Morris)

On Sat, Nov 21, 2009 at 10:04 AM, dinis cruz <dinis.cruz at owasp.org> wrote:

First of all, a big Thank You to Rohit, since feedback like this is not easy
to do, and he is also providing a number of very good ideas (which I will
implement in the very short term)

I also completely agree with Rohit (and probably most of you that have tried
O2) that O2's GUI sucks from the point of view of a new user.

I really like the idea of 'information hiding' for new users suggested by
Rohit; in fact I once made a bunch of 'analog' (i.e. on paper) sketches
based on the idea of rewarding the user with features once he 'achieves' a
certain task (just like the games on the iPhone (which my kids play), which
only let you go to the next level once you have completed the current one).

I'm going to provide a much more detailed answer to Rohit (including a
PoC of the GUI that he described), but please keep feedback like this coming.

And if you want to track your requests, you can add them here:

Dinis Cruz

2009/11/19 Rohit Sethi <rklists at gmail.com>


Dinis et al, this project is very promising. Although I've known about
O2 for a while now, today was the first time I actually installed the
tool. Dinis, when you demonstrate the capabilities of O2 it's
awe-inspiring, but I imagine many people feel the same way as I do
when they actually install the tool: overwhelmed. I suggest you apply
the principle of "information hiding" to the design of the application
- provide people with a basic, simple view of the application and give
them the option to expand on more advanced features when needed. I
have some ideas for you, but I'm ashamed to say I don't have the
bandwidth to actually implement them :(

A few specific suggestions:

- Is there a public bug tracking system? If not this is an invaluable
tool to solicit feedback and track bugs on an ongoing basis. You
should provide a link to the bug-tracker from the main OWASP O2 page.

- What was the rationale for creating a new GUI? In particular, why
didn't you just piggyback off an existing, pluggable IDE like Eclipse?
I'd guess the answer is because O2 is developed (I'm assuming) in .Net
and probably through Visual Studio in order to facilitate GUI widget
development. You've created a new look and feel which then requires
the end user to understand the new look and feel in order to make
sense of the application. Although I can appreciate the choice to go
use .Net instead of Java, I wonder if copying some of the GUI
conventions of Eclipse might be useful (more on this later). Note that
I'm no usability expert, but I'd like to share my thoughts anyway. I
would seriously suggest freezing new feature development for a while
and focus on improving usability; once the application is easier to
use, hopefully the user base will grow and so will the pool of
developers willing to pitch in. In general try to minimize the amount
of information in each dialogue box, and provide expandable, grouped
advanced options.

- I think O2 would be better served as one application with various
features and extensions, rather than a loosely coupled collection of
modules. Not only will this help lower the learning curve to the
application, it will help clarify the user interface. Going back to
the Eclipse point, why not start with the concept of a "Project"? Each
project relates to an individual application, and is comprised of
several child elements. You can even have a Project Explorer /
Navigation similar to what Eclipse has. Rather than dragging and
dropping source files into different module windows, there should be
one location of source files within the projects and the modules can
reference those source files.
Here's an example of a potential Project structure:
      -Scanner Results (e.g. .ozmat)
      -Source Files (e.g. .class, .xml)
      -Findings (e.g. Ounce findings)
      -Rules (e.g. Ounce rules)
      -Scripts (e.g. Python, Java, C# scripts, etc.)
      -Intermediate Representation (e.g. CIR objects)

- I appreciate the flexibility in offering discrete modules of O2
functionality; however, in its current format, I had a hard time
distinguishing between which functions are "Core O2 functions" and
what were really extensions. I suggest that you create a single GUI
which users can identify as the "O2 application". Similar to IDEs like
Eclipse, users could open the GUI and then select different views or
perspectives based on the features they wish to use. Similarly, I
suggest creating a single Windows installer that installs all Core O2
functions along with the single GUI (e.g. Rules Manager, Join Traces,
O2 Scripts, Findings Query, Findings Viewer, Findings Filter, Search
Assessment Run, etc.). Provide an option for custom installation in
case people want to scale down the features. Provide an interface to
install "extensions" such as Spring MVC or support for CSharpScripts.
Here's what I'd recommend for the top level menus of the Core O2:

  -New /** starts a new project, perhaps with a wizard to help guide
the user */
  -Import /** import findings from various scanners */
/** Get rid of restart modules - this might be a useful debugging
concept but doesn't make sense to end users. Somebody should open and
close the app if they need to do this */

 -Configuration /** opens a dialog window with top level choices on
the left and details on the right, similar to Eclipse Preferences */
     -File System /** Top level choice */
        -File Location
        -Install Directory
        -Temp Directory
        -Executable Directory
     -Module Specific /** One top level choice for each module that
requires configuration */
     -Advanced /** Top level choice */
        -(other configuration items from the KO2Config)
/** Provide a radio button on the top to allow users to toggle between
Main configuration and user-specific configuration */
/** Provide standard Save and Cancel buttons on the bottom of the
dialogue window */

Modules /** Each should bring up a different dialog box */
  -Rules Manager /** don't distinguish between XRules and other kinds
of rules - this is confusing */
  -Log Viewer
  -Trace Joiner
  -Code Reflector
  -Script Editor /** should support  C-Sharp, Python and Java */
  -Findings Manager /** includes Filter and Viewer */
  -Intermediate Representation Viewer  /** or IR Viewer for short,
rather than CIR since this is now platform agnostic */
  -Technology-Specific Modules
      -Spring MVC
      -.Net /**Should include the .Net debugger (the web server
should be part of this functionality rather than a separate module),
.Net Callbacks Maker */

Windows /** no idea what functionality is supposed to be here */

 -Online Knowledgebase (or Wiki) /** Link to owasp site */
 -Request Help from O2 Developers
 -About /** include version, developers names and the email address
to provide feedback, don't need the Send Comment feature */

- Do you really need the modules that allow people to run the scanner
from within O2? I argue this causes too much confusion for its actual
- If you use the above-suggested layout, Web Inspect Converter and
other Blackbox scanner import tools should be Wizards to import data
into a project's Scanner Results rather than new modules.


Rohit Sethi
Security Compass
Owasp-o2-platform mailing list
Owasp-o2-platform at lists.owasp.org


Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2

