[Owasp-o2-platform] Feedback

Brad Causey bradcausey at gmail.com
Tue Nov 24 19:00:19 EST 2009


Ahah!! I do not have the Ounce Security Analyst.

Does this mean I'm SOL?
I have used Analyst and it is a fantastic tool! Unfortunately I'm restricted
to open source.

-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP

http://www.owasp.org
--
Never underestimate the time, expense, and effort an opponent will expend to
break a code. (Robert Morris)
--


On Tue, Nov 24, 2009 at 5:55 PM, Matt Parsons <mparsons1980 at gmail.com> wrote:

>  I use Ounce and set the setting on Ounce Labs in Preferences to scan jar
> files.  See attached screen shots.
>
>
>
> Thanks,
>
> Matt
>
> Matt Parsons, MSM, CISSP
> 315-559-3588 Blackberry
> 817-294-3789 Home office
> mailto:mparsons1980 at gmail.com
> http://www.parsonsisconsulting.com
> http://www.o2-ounceopen.com/o2-power-users/
> http://www.linkedin.com/in/parsonsconsulting
>
> From: Brad Causey [mailto:bradcausey at gmail.com]
> Sent: Tuesday, November 24, 2009 5:43 PM
> To: Matt Parsons
> Cc: Dinis Cruz; owasp-o2-platform at lists.owasp.org
> Subject: Re: [Owasp-o2-platform] Feedback
>
> Matt,
>
> This is good stuff, but it assumes you already have a findings file. Once I
> get there, this will be most helpful.
>
> Let's start with this: what tool are you using from the O2 binaries to
> ingest EAR files?
>
>
> -Brad Causey
> CISSP, MCSE, C|EH, CIFI, CGSP
>
> http://www.owasp.org
> --
> Never underestimate the time, expense, and effort an opponent will expend
> to break a code. (Robert Morris)
> --
>
>  On Tue, Nov 24, 2009 at 5:00 PM, Matt Parsons <mparsons1980 at gmail.com>
> wrote:
>
> Brad,
>
> If you can get this, attached is a presentation that I created off of one of
> Dinis's classes. Please let me know if you have any questions and if you
> receive it.
>
> Dinis,
>
> Feel free to modify this and post it on the O2 website if you see value in
> it.
>
>
>
> Thanks,
>
> Matt
>
> Matt Parsons, MSM, CISSP
> 315-559-3588 Blackberry
> 817-294-3789 Home office
> mailto:mparsons1980 at gmail.com
> http://www.parsonsisconsulting.com
> http://www.o2-ounceopen.com/o2-power-users/
> http://www.linkedin.com/in/parsonsconsulting
>
> From: Brad Causey [mailto:bradcausey at gmail.com]
> Sent: Tuesday, November 24, 2009 4:47 PM
> To: Matt Parsons
> Cc: Dinis Cruz; owasp-o2-platform at lists.owasp.org
> Subject: Re: [Owasp-o2-platform] Feedback
>
> Matt and Dinis,
>
> Forgive me, but are there "super stupid basic" tutorials out there? I
> briefly scoured the site, and I've got a decent handle on 2 or 3 of the
> tools from just playing around with it. Ideally, a getting started document
> would be great.
>
> Matt - What O2 tool do you use, and what are your basic steps to get it into
> an oz file so you can view it in O2?
>
>
> -Brad Causey
> CISSP, MCSE, C|EH, CIFI, CGSP
>
> http://www.owasp.org
> --
> Never underestimate the time, expense, and effort an opponent will expend
> to break a code. (Robert Morris)
> --
>
> On Tue, Nov 24, 2009 at 2:34 PM, Matt Parsons <mparsons1980 at gmail.com>
> wrote:
>
> I use Ounce Labs out of the box to scan wars, jars and ears. I then use O2
> to filter my findings for my clients. I also scan .NET source, as long as
> it compiles, with Ounce Labs out of the box. The generic PDF reports can be
> created from Ounce Labs. When I do an assessment I break the findings up
> into required, requested, informational, to be investigated, validation
> required, validation encoding required and potentially malicious. These are
> all broken up using bundles.
>
> The reports can be tweaked using O2, but I generally create reports by API
> with five lines of context above and five lines below each flagged line of
> code. Let me know if that helps.
>
>
>
> Thanks,
>
> Matt
>
>
> 1. Scan java source. Such as WAR, JAR,  and EAR.
> 2. Scan Dot-net source. Compiled and otherwise.
> 3. Create a report from these scans that allows us to prioritize, browse,
> etc.
>
> Matt Parsons, MSM, CISSP
> 315-559-3588 Blackberry
> 817-294-3789 Home office
> mailto:mparsons1980 at gmail.com
> http://www.parsonsisconsulting.com
> http://www.o2-ounceopen.com/o2-power-users/
> http://www.linkedin.com/in/parsonsconsulting
>
> From: owasp-o2-platform-bounces at lists.owasp.org
> [mailto:owasp-o2-platform-bounces at lists.owasp.org] On Behalf Of Brad Causey
> Sent: Tuesday, November 24, 2009 12:21 PM
> To: Dinis Cruz
> Cc: owasp-o2-platform at lists.owasp.org
> Subject: Re: [Owasp-o2-platform] Feedback
>
> See Inline
>
> On Tue, Nov 24, 2009 at 12:07 PM, Dinis Cruz <dinis at ddplus.net> wrote:
>
> This is great news Brad, please dump as much info here regarding what are
> your requirements, objectives and deliverables (you can also use the O2
> Power-User Blogs which you have an account :) ).
>
>
>
>  The best way to 'consume' O2 is to have a very explicit set of problems
> that we can use O2 to solve. So Brad, are you able to list 5 items that you
> would like to do with O2?
>
>
>
> This I can handle:
>
> 1. Scan java source. Such as WAR, JAR,  and EAR.
> 2. Scan Dot-net source. Compiled and otherwise.
> 3. Create a report from these scans that allows us to prioritize, browse,
> etc.
>
> That's about it really. I've looked at FindBugs and Yasca, but FindBugs is
> just Java and Yasca's plugins appear broken on the latest release.
>
>
>
> Regarding training, there are already a couple commercial options that are
> available to you: Bruce or Ian from IBM/Ounce , Cigital (talk to John Steven
> since he knows the best ones),  Matt Parsons, and (if you fly them from
> Brazil) Wagner from Conviso. There are a couple others power-users out
> there, but I'm not sure I can mention their names :)
>
>
>
> I would prefer to go through OWASP for this, thoughts?
>
>
>
>
> On the topic of O2 Users and Companies providing commercial services on top
> of O2, I've started a page here (
> http://www.owasp.org/index.php/OWASP_O2_Platform/WIKI/Active_O2_Users) and
> please feel free to add your name (It's a WIKI, just get an account and
> start editing)
>
>
> Assuming we finalize our process and make this an authorized tool, we just
> might do that. =)
>
>
>
>
> Dinis
>
>
>
> On Mon, Nov 23, 2009 at 2:19 PM, Brad Causey <bradcausey at gmail.com> wrote:
>
> I'm firing this into the open forum because hopefully other folks will be
> able to get something from it.
>
> I am creating a standardized code review process manual for my employer.
> This will include a step-by-step (yay for the reqs in the financial sector)
> guide on what needs to be done. Now, because we don't have a shi-ton of
> coders on our team, we need a tool to assist us. We primarily deal in Java
> and .NET. Because of this, O2 came to mind, and I'm proud to say I've
> convinced my boss to let me attempt to make O2 the "authorized" tool for
> code review across the organization.
>
> I will probably end up having to hire a trainer and bring them in to train
> the team on O2, but this also drives home the need for some simplistic
> interfaces, and good docs.
>
> I'd like to get with you, Dinis, and make this happen, and share what we
> create/learn with the O2 mailing list. Anonymized of course. =)
>
>
>
>
> -Brad Causey
> CISSP, MCSE, C|EH, CIFI, CGSP
>
> http://www.owasp.org
> --
> Never underestimate the time, expense, and effort an opponent will expend
> to break a code. (Robert Morris)
> --
>
> On Sat, Nov 21, 2009 at 10:04 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>
> First of all, a big Thank You to Rohit, since feedback like this is not
> easy to do, and he is also providing a number of very good ideas (which I
> will implement in the very short term).
>
> I also completely agree with Rohit (and probably most of you that have
> tried O2) that O2's GUI sucks from the point of view of a new user.
>
> I really like the idea of 'information hiding' for new users suggested by
> Rohit. In fact, I once made a bunch of 'analog' (i.e. on paper) sketches
> based on the idea of rewarding the user with features once he 'achieves' a
> certain task, just like the games on the iPhone (which my kids play), which
> only let you go to the next level once you have completed the current one.
>
> I'm going to provide a much more detailed answer to Rohit (including a
> PoC of the GUI that he described), but please keep feedback like this coming.
>
> And if you want to track your requests, you can add them here:
> http://code.google.com/p/o2platform/issues/list
>
> Dinis Cruz
>
> 2009/11/19 Rohit Sethi <rklists at gmail.com>
>
>
>
> Dinis et al, this project is very promising. Although I've known about
> O2 for a while now, today was the first time I actually installed the
> tool. Dinis, when you demonstrate the capabilities of O2 it's
> awe-inspiring, but I imagine many people feel the same way as I do
> when they actually install the tool: overwhelmed. I suggest you apply
> the principle of "information hiding" to the design of the application
> - provide people with a basic, simple view of the application and give
> them the option to expand on more advanced features when needed. I
> have some ideas for you, but I'm ashamed to say I don't have the
> bandwidth to actually implement them :(
>
> A few specific suggestions:
> • Is there a public bug tracking system? If not, this is an invaluable
> tool to solicit feedback and track bugs on an ongoing basis. You
> should provide a link to the bug-tracker from the main OWASP O2 page.
>
> • What was the rationale for creating a new GUI? In particular, why
> didn’t you just piggyback off an existing, pluggable IDE like Eclipse?
> I'd guess the answer is because O2 is developed (I’m assuming) in .Net
> and probably through Visual Studio in order to facilitate GUI widget
> development. You’ve created a new look and feel which then requires
> the end user to understand the new look and feel in order to make
> sense of the application. Although I can appreciate the choice to go
> use .Net instead of Java, I wonder if copying some of the GUI
> conventions of Eclipse might be useful (more on this later). Note that
> I’m no usability expert, but I’d like to share my thoughts anyway. I
> would seriously suggest freezing new feature development for a while
> and focus on improving usability; once the application is easier to
> use, hopefully the user base will grow and so will the pool of
> developers willing to pitch in. In general try to minimize the amount
> of information in each dialogue box, and provide expandable, grouped
> advanced options.
>
> • I think O2 would be better served as one application with various
> features and extensions, rather than a loosely coupled collection of
> modules. Not only will this help lower the learning curve to the
> application, it will help clarify the user interface. Going back to
> the Eclipse point, why not start with the concept of a “Project”? Each
> project relates to an individual application, and is comprised of
> several child elements. You can even have a Project Explorer /
> Navigation similar to what Eclipse has. Rather than dragging and
> dropping source files into different module windows, there should be
> one location of source files within the projects and the modules can
> reference those source files.
> Here’s an example of a potential Project structure:
> Project
>   -Input
>       -Scanner Results (e.g. .ozmat)
>       -Source Files (e.g. .class, .xml)
>   -Analysis
>       -Findings (e.g. Ounce findings)
>       -Rules (e.g. Ounce rules)
>       -Scripts (e.g. Python, Java, C# scripts, etc.)
>       -Intermediate Representation (e.g. CIR objects)
>
> • I appreciate the flexibility in offering discrete modules of O2
> functionality; however, in its current format, I had a hard time
> distinguishing between which functions are "Core O2 functions" and
> what were really extensions. I suggest that you create a single GUI
> which users can identify as the "O2 application". Similar to IDEs like
> Eclipse, users could open the GUI and then select different views or
> perspectives based on the features they wish to use. Similarly, I
> suggest creating a single Windows installer that installs all Core O2
> functions along with the single GUI (e.g. Rules Manager, Join Traces,
> O2 Scripts, Findings Query, Findings Viewer, Findings Filter, Search
> Assessment Run, etc.). Provide an option for custom installation in
> case people want to scale down the features. Provide an interface to
> install "extensions" such as Spring MVC or support for CSharpScripts,
> etc.
> Here’s what I’d recommend for the top level menus of the Core O2
> application:
>
> File
>   -New /** starts a new project, perhaps with a wizard to help guide
> the user */
>   -Open
>   -Save
>   --------
>   -Import /** import findings from various scanners */
>   ---------
>   -Exit
> /** Get rid of restart modules - this might be a useful debugging
> concept but doesn't make sense to end users. Somebody should open and
> close the app if they need to do this */
>
>
> Edit
>  -Cut
>  -Copy
>  -Paste
>  -------
>  -Configuration /** opens a dialog window with top level choices on
> the left and details on the right, similar to Eclipse Preferences */
>      -File System /** Top level choice */
>         -File Location
>         -Install Directory
>         -Temp Directory
>         -Executable Directory
>      -Module Specific /** One top level choice for each module that
> requires configuration */
>      -Advanced /** Top level choice */
>         -(other configuration items from the KO2Config)
> /** Provide a radio button on the top to allow users to toggle between
> Main configuration and user-specific configuration */
> /** Provide standard Save and Cancel buttons on the bottom of the
> dialogue window */
>
>
> Modules /** Each should bring up a different dialog box */
>   -Search
>   -Rules Manager /** don't distinguish between XRules and other kinds
> of rules - this is confusing */
>   -Log Viewer
>   -Trace Joiner
>   -Code Reflector
>   -Script Editor /** should support  C-Sharp, Python and Java */
>   -Findings Manager /** includes Filter and Viewer */
>   -Intermediate Representation Viewer  /** or IR Viewer for short,
> rather than CIR since this is now platform agnostic */
>   -Technology-Specific Modules
>       -Spring MVC
>       -.Net /**Should include the .Net debugger (the web server
> should be part of this functionality rather than a separate module),
> .Net Callbacks Maker */
>
> Windows /** no idea what functionality is supposed to be here */
>
> Help
>  -Online Knowledgebase (or Wiki) /** Link to owasp site */
>  -Request Help from O2 Developers
>  -About /** include version, developers names and the email address
> to provide feedback, don’t need the Send Comment feature */
>
> • Do you really need the modules that allow people to run the scanner
> from within O2? I argue this causes too much confusion for its actual
> value.
> • If you use the above-suggested layout, Web Inspect Converter and
> other Blackbox scanner import tools should be Wizards to import data
> into a project's Scanner Results rather than new modules.
>
> Cheers,
>
> --
> Rohit Sethi
> Security Compass
> http://www.securitycompass.com
> _______________________________________________
> Owasp-o2-platform mailing list
> Owasp-o2-platform at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
>
>
>
>
> --
>
> Dinis Cruz
>
> Blog: http://diniscruz.blogspot.com
> Twitter: http://twitter.com/DinisCruz
> Web: http://www.owasp.org/index.php/O2
>
>
> _______________________________________________
> Owasp-o2-platform mailing list
> Owasp-o2-platform at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
>
>
>
> _______________________________________________
> Owasp-o2-platform mailing list
> Owasp-o2-platform at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
>
>
>
>
>
>
>
>
>
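Matt's workflow above (scanner findings sorted into bundles such as required, requested and informational, then a report that shows five lines of context above and below each flagged line) is also what Brad's third requirement asks for: a report you can prioritize and browse. The script below is an added example written for this page, not code from O2 or Ounce. The 'bundle|type|file|line' findings format, the bundle ordering, and the sample Java source are all constructed for illustration; a real run would take the file and line from the scanner's findings file instead.

```python
"""Group scanner findings into bundles and render each finding with
+/- N lines of source context.

Added example for this page; not O2 or Ounce code.  The findings
record format, the bundle order and the sample source are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

CONTEXT = 5  # lines above and below each flagged line, as in the thread

# Bundle names from the thread; the order (most to least urgent) is assumed.
BUNDLES = [
    "required", "requested", "informational", "to be investigated",
    "validation required", "validation encoding required",
    "potentially malicious",
]


@dataclass(frozen=True)
class Finding:
    bundle: str
    vuln_type: str
    file: str
    line: int  # 1-based, as scanners report it


def parse_findings(text):
    """Parse 'bundle|type|file|line' records (a constructed format).
    Unknown bundle names are rejected so a typo cannot silently drop a finding."""
    findings = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        bundle, vuln_type, path, line = (p.strip() for p in raw.split("|"))
        if bundle not in BUNDLES:
            raise ValueError(f"unknown bundle {bundle!r}")
        findings.append(Finding(bundle, vuln_type, path, int(line)))
    return findings


def context_window(source_lines, line, n=CONTEXT):
    """Return (first_line_no, [lines]) for line +/- n, clipped to the file.
    Clipping matters: a finding on line 2 has only one line above it."""
    lo = max(1, line - n)
    hi = min(len(source_lines), line + n)
    return lo, source_lines[lo - 1:hi]


def bundle_findings(findings):
    """Group findings by bundle in BUNDLES order; each bundle sorted by file, line."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f.bundle].append(f)
    return {b: sorted(grouped[b], key=lambda f: (f.file, f.line))
            for b in BUNDLES if grouped[b]}


def render_report(findings, sources, n=CONTEXT):
    """Plain-text report: one section per bundle, each finding with context.
    `sources` maps file name -> list of source lines; the flagged line is
    marked with '>>' so it can be found when browsing."""
    out = []
    for bundle, items in bundle_findings(findings).items():
        out.append(f"== {bundle} ({len(items)}) ==")
        for f in items:
            out.append(f"{f.vuln_type}: {f.file}:{f.line}")
            lo, window = context_window(sources[f.file], f.line, n)
            for i, src in enumerate(window, start=lo):
                mark = ">>" if i == f.line else "  "
                out.append(f"{mark} {i:4d}  {src}")
            out.append("")
    return "\n".join(out)


# --- constructed sample input (not from any real scan) -------------------
SAMPLE_SOURCE = {
    "Login.java": [
        "public class Login {",
        "  String user = request.getParameter(\"user\");",
        "  String pw = request.getParameter(\"pw\");",
        "  String q = \"SELECT * FROM users WHERE name='\" + user + \"'\";",
        "  ResultSet rs = stmt.executeQuery(q);",
        "  out.println(\"Welcome \" + user);",
        "}",
    ],
}
SAMPLE_FINDINGS = """
# bundle | type | file | line
required | SQL Injection | Login.java | 5
validation encoding required | Cross-Site Scripting | Login.java | 6
informational | Sensitive Data in Request | Login.java | 3
"""

if __name__ == "__main__":
    print(render_report(parse_findings(SAMPLE_FINDINGS), SAMPLE_SOURCE))
```

Bundle order is fixed up front so the "required" section always comes first in the report, which is what lets a reviewer prioritize without re-sorting; the window is clipped at both ends of the file so findings near line 1 or the last line do not raise an index error.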