[Owasp-o2-platform] Feedback

Brad Causey bradcausey at gmail.com
Tue Nov 24 19:15:17 EST 2009


So I think I've realized that I totally misunderstood the o2 platform.

What tools can O2 interact with that carry an open source license?
(I'm mostly interested in Java and dot-net.)


-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP

http://www.owasp.org
--
Never underestimate the time, expense, and effort an opponent will expend to
break a code. (Robert Morris)
--


On Tue, Nov 24, 2009 at 6:00 PM, Brad Causey <bradcausey at gmail.com> wrote:

> Ahah!! I do not have the Ounce Security Analyst.
>
> Does this mean I'm SOL?
> I have used Analyst and it is a fantastic tool! Unfortunately I'm
> restricted to open source.
>
>
> -Brad Causey
> CISSP, MCSE, C|EH, CIFI, CGSP
>
> http://www.owasp.org
> --
> Never underestimate the time, expense, and effort an opponent will expend
> to break a code. (Robert Morris)
> --
>
>
> On Tue, Nov 24, 2009 at 5:55 PM, Matt Parsons <mparsons1980 at gmail.com> wrote:
>
>> I use Ounce and set the setting on Ounce Labs in Preferences to scan jar
>> files. See attached screen shots.
>>
>>
>>
>> Thanks,
>>
>> Matt
>>
>>
>> Matt Parsons, MSM, CISSP
>>
>> 315-559-3588 Blackberry
>>
>> 817-294-3789 Home office
>>
>> mailto:mparsons1980 at gmail.com <mparons1980 at gmail.com>
>>
>> http://www.parsonsisconsulting.com
>>
>> http://www.o2-ounceopen.com/o2-power-users/
>>
>> http://www.linkedin.com/in/parsonsconsulting
>>
>>
>> *From:* Brad Causey [mailto:bradcausey at gmail.com]
>> *Sent:* Tuesday, November 24, 2009 5:43 PM
>>
>> *To:* Matt Parsons
>> *Cc:* Dinis Cruz; owasp-o2-platform at lists.owasp.org
>> *Subject:* Re: [Owasp-o2-platform] Feedback
>>
>>
>>
>> Matt,
>>
>> This is good stuff, but it assumes you already have a findings file. Once
>> I get there, this will be most helpful.
>>
>> Let's start with what tool you are using from the O2 binaries to ingest EAR
>> files?
>>
>>
>> -Brad Causey
>> CISSP, MCSE, C|EH, CIFI, CGSP
>>
>> http://www.owasp.org
>> --
>> Never underestimate the time, expense, and effort an opponent will expend
>> to break a code. (Robert Morris)
>> --
>>
>>  On Tue, Nov 24, 2009 at 5:00 PM, Matt Parsons <mparsons1980 at gmail.com>
>> wrote:
>>
>> Brad,
>>
>> If you can get this, attached is a presentation that I created off of one
>> of Dinis' classes. Please let me know if you have any questions and if you
>> receive it.
>>
>>
>>
>> Dinis,
>>
>> Feel free to modify this and post it on the O2 website if you see value in
>> it.
>>
>>
>>
>> Thanks,
>>
>> Matt
>>
>>
>>
>>
>>
>> Matt Parsons, MSM, CISSP
>>
>> 315-559-3588 Blackberry
>>
>> 817-294-3789 Home office
>>
>> mailto:mparsons1980 at gmail.com <mparons1980 at gmail.com>
>>
>> http://www.parsonsisconsulting.com
>>
>> http://www.o2-ounceopen.com/o2-power-users/
>>
>> http://www.linkedin.com/in/parsonsconsulting
>>
>>
>>
>> *From:* Brad Causey [mailto:bradcausey at gmail.com]
>> *Sent:* Tuesday, November 24, 2009 4:47 PM
>> *To:* Matt Parsons
>> *Cc:* Dinis Cruz; owasp-o2-platform at lists.owasp.org
>>
>>
>> *Subject:* Re: [Owasp-o2-platform] Feedback
>>
>>
>>
>> Matt and Dinis,
>>
>> Forgive me, but are there "super stupid basic" tutorials out there? I
>> briefly scoured the site, and I've got a decent handle on 2 or 3 of the
>> tools from just playing around with it. Ideally, a getting started document
>> would be great.
>>
>> Matt - What O2 tool do you use, and what are your basic steps to get it
>> into an oz file so you can view it in O2?
>>
>>
>> -Brad Causey
>> CISSP, MCSE, C|EH, CIFI, CGSP
>>
>> http://www.owasp.org
>> --
>> Never underestimate the time, expense, and effort an opponent will expend
>> to break a code. (Robert Morris)
>> --
>>
>> On Tue, Nov 24, 2009 at 2:34 PM, Matt Parsons <mparsons1980 at gmail.com>
>> wrote:
>>
>> I use Ounce Labs out of the box to scan WARs, JARs and EARs. I then use
>> O2 to filter my findings for my clients. I also scan Dot-net source, as
>> long as it compiles, with Ounce Labs out of the box. The generic PDF
>> reports can be created from Ounce Labs. When I do an assessment I break
>> the findings up into required, requested, informational, to be
>> investigated, validation required, validation encoding required and
>> potentially malicious. These are all broken up using bundles.
>>
>>
>>
>> The reports can be tweaked using O2. But I generally create reports by
>> API with five lines above and five lines below each context line of
>> code. Let me know if that helps.
>>
>>
>>
>> Thanks,
>>
>> Matt
>>
>>
>> 1. Scan java source. Such as WAR, JAR,  and EAR.
>> 2. Scan Dot-net source. Compiled and otherwise.
>> 3. Create a report from these scans that allows us to prioritize, browse,
>> etc.
>>
>>
>>
>> Matt Parsons, MSM, CISSP
>>
>> 315-559-3588 Blackberry
>>
>> 817-294-3789 Home office
>>
>> mailto:mparsons1980 at gmail.com <mparons1980 at gmail.com>
>>
>> http://www.parsonsisconsulting.com
>>
>> http://www.o2-ounceopen.com/o2-power-users/
>>
>> http://www.linkedin.com/in/parsonsconsulting
>>
>>
>>
>> *From:* owasp-o2-platform-bounces at lists.owasp.org [mailto:
>> owasp-o2-platform-bounces at lists.owasp.org] *On Behalf Of* Brad Causey
>> *Sent:* Tuesday, November 24, 2009 12:21 PM
>> *To:* Dinis Cruz
>> *Cc:* owasp-o2-platform at lists.owasp.org
>> *Subject:* Re: [Owasp-o2-platform] Feedback
>>
>>
>>
>> See Inline
>>
>> On Tue, Nov 24, 2009 at 12:07 PM, Dinis Cruz <dinis at ddplus.net> wrote:
>>
>> This is great news Brad, please dump as much info here regarding what are
>> your requirements, objectives and deliverables (you can also use the O2
>> Power-User Blogs which you have an account :) ).
>>
>>
>>
>>  The best way to 'consume' O2 is to have a very explicit set of problems
>> that we can use O2 to solve. So Brad, are you able to list 5 items that you
>> would like to do with O2?
>>
>>
>>
>> This I can handle:
>>
>> 1. Scan java source. Such as WAR, JAR,  and EAR.
>> 2. Scan Dot-net source. Compiled and otherwise.
>> 3. Create a report from these scans that allows us to prioritize, browse,
>> etc.
>>
>> That's about it really. I've looked at FindBugs and Yasca but FindBugs is
>> just Java and Yasca's plugins appear broken on the latest release.
>>
>>
>>
>> Regarding training, there are already a couple of commercial options that are
>> available to you: Bruce or Ian from IBM/Ounce, Cigital (talk to John Steven
>> since he knows the best ones), Matt Parsons, and (if you fly them from
>> Brazil) Wagner from Conviso. There are a couple of other power-users out
>> there, but I'm not sure I can mention their names :)
>>
>>
>>
>> I would prefer to go through OWASP for this, thoughts?
>>
>>
>>
>>
>> On the topic of O2 Users and Companies providing commercial services on
>> top of O2, I've started a page here
>> (http://www.owasp.org/index.php/OWASP_O2_Platform/WIKI/Active_O2_Users),
>> and please feel free to add your name (it's a WIKI, just get an account and
>> start editing).
>>
>>
>> Assuming we finalize our process and make this an authorized tool, we just
>> might do that. =)
>>
>>
>>
>>
>> Dinis
>>
>>
>>
>> On Mon, Nov 23, 2009 at 2:19 PM, Brad Causey <bradcausey at gmail.com>
>> wrote:
>>
>> I'm firing this into the open forum because hopefully other folks will be
>> able to get something from it.
>>
>> I am creating a standardized code review process manual for my employer.
>> This will include a step-by-step (yay for the reqs in the financial sector)
>> guide on what needs to be done. Now because we don't have a shi-ton of
>> coders on our team, we need a tool to assist us. We primarily deal in Java
>> and dot-net. Because of this, O2 came to mind, and I'm proud to say I've
>> convinced my boss to let me attempt to make O2 the "authorized" tool for
>> code review, across the organization.
>>
>> I will probably end up having to hire a trainer and bring them in to train
>> the team on O2, but this also drives home the need for some simplistic
>> interfaces, and good docs.
>>
>> I'd like to get with you Dinis, and make this happen, and share what we
>> create/learn with the O2 mailing list. Anonymized of course. =)
>>
>>
>>
>>
>> -Brad Causey
>> CISSP, MCSE, C|EH, CIFI, CGSP
>>
>> http://www.owasp.org
>> --
>> Never underestimate the time, expense, and effort an opponent will expend
>> to break a code. (Robert Morris)
>> --
>>
>> On Sat, Nov 21, 2009 at 10:04 AM, dinis cruz <dinis.cruz at owasp.org>
>> wrote:
>>
>> First of all, a big *Thank You to Rohit*, since feedback like this is not
>> easy to do, and he is also providing a number of very good ideas (which I
>> will implement in the very short term).
>>
>> I also completely agree with Rohit (and probably most of you that have
>> tried O2) *that O2's GUI sucks from the point of view of a new user*.
>>
>> I really like the idea of 'information hiding' for new users suggested by
>> Rohit. In fact, I once made a bunch of 'analog' (i.e. on paper) sketches
>> based on the idea of rewarding the user with features once he 'achieves' a
>> certain task, just like the games on the iPhone (which my kids play) which
>> only let you go to the next level once you have completed the current one.
>>
>> I'm going to provide a much more detailed answer to Rohit (including a PoC
>> of the GUI that he described), but please keep feedback like this
>> coming.
>>
>> And if you want to track your requests, you can add them here:
>> http://code.google.com/p/o2platform/issues/list
>>
>> Dinis Cruz
>>
>> 2009/11/19 Rohit Sethi <rklists at gmail.com>
>>
>>
>>
>> Dinis et al, this project is very promising. Although I've known about
>> O2 for a while now, today was the first time I actually installed the
>> tool. Dinis, when you demonstrate the capabilities of O2 it's
>> awe-inspiring, but I imagine many people feel the same way as I do
>> when they actually install the tool: overwhelmed. I suggest you apply
>> the principle of "information hiding" to the design of the application
>> - provide people with a basic, simple view of the application and give
>> them the option to expand on more advanced features when needed. I
>> have some ideas for you, but I'm ashamed to say I don't have the
>> bandwidth to actually implement them :(
>>
>> A few specific suggestions:
>> • Is there a public bug tracking system? If not this is an invaluable
>> tool to solicit feedback and track bugs on an ongoing basis. You
>> should provide a link to the bug-tracker from the main OWASP O2 page
>>
>> • What was the rationale for creating a new GUI? In particular, why
>> didn’t you just piggyback off an existing, pluggable IDE like Eclipse?
>> I'd guess the answer is because O2 is developed (I’m assuming) in .Net
>> and probably through Visual Studio in order to facilitate GUI widget
>> development. You’ve created a new look and feel which then requires
>> the end user to understand the new look and feel in order to make
>> sense of the application. Although I can appreciate the choice to go
>> use .Net instead of Java, I wonder if copying some of the GUI
>> conventions of Eclipse might be useful (more on this later). Note that
>> I’m no usability expert, but I’d like to share my thoughts anyway. I
>> would seriously suggest freezing new feature development for a while
>> and focus on improving usability; once the application is easier to
>> use, hopefully the user base will grow and so will the pool of
>> developers willing to pitch in. In general try to minimize the amount
>> of information in each dialogue box, and provide expandable, grouped
>> advanced options.
>>
>> • I think O2 would be better served as one application with various
>> features and extensions, rather than a loosely coupled collection of
>> modules. Not only will this help lower the learning curve to the
>> application, it will help clarify the user interface. Going back to
>> the Eclipse point, why not start with the concept of a “Project”? Each
>> project relates to an individual application, and is comprised of
>> several child elements. You can even have a Project Explorer /
>> Navigation similar to what Eclipse has. Rather than dragging and
>> dropping source files into different module windows, there should be
>> one location of source files within the projects and the modules can
>> reference those source files.
>> Here’s an example of a potential Project structure:
>> Project
>>   -Input
>>       -Scanner Results (e.g. .ozmat)
>>       -Source Files (e.g. .class, .xml)
>>   -Analysis
>>       -Findings (e.g. Ounce findings)
>>       -Rules (e.g. Ounce rules)
>>       -Scripts (e.g. Python, Java, C# scripts, etc.)
>>       -Intermediate Representation (e.g. CIR objects)
>>
>> • I appreciate the flexibility in offering discrete modules of O2
>> functionality; however, in its current format, I had a hard time
>> distinguishing between which functions are "Core O2 functions" and
>> what were really extensions. I suggest that you create a single GUI
>> which users can identify as the "O2 application". Similar to IDEs like
>> Eclipse, users could open the GUI and then select different views or
>> perspectives based on the features they wish to use. Similarly, I
>> suggest creating a single Windows installer that installs all Core O2
>> functions along with the single GUI (e.g. Rules Manager, Join Traces,
>> O2 Scripts, Findings Query, Findings Viewer, Findings Filter, Search
>> Assessment Run, etc.). Provide an option for custom installation in
>> case people want to scale down the features. Provide an interface to
>> install "extensions" such as Spring MVC or support for CSharpScripts,
>> etc.
>> Here’s what I’d recommend for the top level menus of the Core O2
>> application:
>>
>> File
>>   -New /** starts a new project, perhaps with a wizard to help guide
>> the user */
>>   -Open
>>   -Save
>>   --------
>>   -Import /** import findings from various scanners */
>>   ---------
>>   -Exit
>> /** Get rid of restart modules - this might be a useful debugging
>> concept but doesn't make sense to end users. Somebody should open and
>> close the app if they need to do this */
>>
>>
>> Edit
>>  -Cut
>>  -Copy
>>  -Paste
>>  -------
>>  -Configuration /** opens a dialog window with top level choices on
>> the left and details on the right, similar to Eclipse Preferences */
>>      -File System /** Top level choice */
>>         -File Location
>>         -Install Directory
>>         -Temp Directory
>>         -Executable Directory
>>      -Module Specific /** One top level choice for each module that
>> requires configuration */
>>      -Advanced /** Top level choice */
>>         -(other configuration items from the KO2Config)
>> /** Provide a radio button on the top to allow users to toggle between
>> Main configuration and user-specific configuration */
>> /** Provide standard Save and Cancel buttons on the bottom of the
>> dialogue window */
>>
>>
>> Modules /** Each should bring up a different dialog box */
>>   -Search
>>   -Rules Manager /** don't distinguish between XRules and other kinds
>> of rules - this is confusing */
>>   -Log Viewer
>>   -Trace Joiner
>>   -Code Reflector
>>   -Script Editor /** should support  C-Sharp, Python and Java */
>>   -Findings Manager /** includes Filter and Viewer */
>>   -Intermediate Representation Viewer  /** or IR Viewer for short,
>> rather than CIR since this is now platform agnostic */
>>   -Technology-Specific Modules
>>       -Spring MVC
>>       -.Net /**Should include the .Net debugger (the web server
>> should be part of this functionality rather than a separate module),
>> .Net Callbacks Maker */
>>
>> Windows /** no idea what functionality is supposed to be here */
>>
>> Help
>>  -Online Knowledgebase (or Wiki) /** Link to owasp site */
>>  -Request Help from O2 Developers
>>  -About /** include version, developers names and the email address
>> to provide feedback, don’t need the Send Comment feature */
>>
>> • Do you really need the modules that allow people to run the scanner
>> from within O2? I argue this causes too much confusion for its actual
>> value.
>> • If you use the above-suggested layout, Web Inspect Converter and
>> other Blackbox scanner import tools should be Wizards to import data
>> into a project's Scanner Results rather than new modules.
>>
>> Cheers,
>>
>> --
>> Rohit Sethi
>> Security Compass
>> http://www.securitycompass.com
>> _______________________________________________
>> Owasp-o2-platform mailing list
>> Owasp-o2-platform at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
>>
>>
>>
>>
>> --
>>
>> Dinis Cruz
>>
>> Blog: http://diniscruz.blogspot.com
>> Twitter: http://twitter.com/DinisCruz
>> Web: http://www.owasp.org/index.php/O2
>>
>>
>>
>
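Matt's workflow in the thread above (scan with Ounce, sort the findings into review bundles, then report each finding with five lines of code above and below it) as an added, stand-alone Python illustration. This is not O2 or Ounce Labs code and does not use their APIs: the Finding class, the rule names, the triage policy in assign_bundle, and the sample Java file and findings are all constructed for this example.

```python
"""Findings triage and context report, as an added stand-alone illustration
of the workflow described in the thread. This is NOT O2 or Ounce Labs code;
the Finding layout is a constructed stand-in for a real scanner export."""
from dataclasses import dataclass
from typing import Dict, List

CONTEXT_LINES = 5  # five lines above and five below each flagged line

# Matt's review bundles, in report order.
BUNDLES = (
    "required", "requested", "informational", "to be investigated",
    "validation required", "validation encoding required", "potentially malicious",
)


@dataclass
class Finding:
    file: str
    line: int        # 1-based line number reported by the scanner
    rule: str        # constructed rule names, not real Ounce rule ids
    severity: str    # constructed: "High", "Medium" or "Low"


def assign_bundle(f: Finding) -> str:
    """Constructed default triage policy. In practice the reviewer decides the
    bundle; this only pre-sorts so the report opens with the urgent items."""
    if f.rule.startswith("Injection") and f.severity == "High":
        return "required"
    if f.rule.startswith("Validation.Encoding"):
        return "validation encoding required"
    if f.rule.startswith("Validation"):
        return "validation required"
    if f.severity == "Low":
        return "informational"
    return "to be investigated"


def bundle_findings(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Group findings by bundle, keeping every bundle name as a key."""
    bundles: Dict[str, List[Finding]] = {name: [] for name in BUNDLES}
    for f in findings:
        bundles[assign_bundle(f)].append(f)
    return bundles


def context_snippet(source: List[str], line: int, n: int = CONTEXT_LINES) -> List[str]:
    """Return the flagged line with up to n lines either side, clamped to the
    file boundaries, and mark the flagged line with '>>'."""
    if not 1 <= line <= len(source):
        raise ValueError(f"line {line} outside file of {len(source)} lines")
    start, end = max(1, line - n), min(len(source), line + n)
    return [f"{'>>' if i == line else '  '} {i:4d}: {source[i - 1]}"
            for i in range(start, end + 1)]


def render_report(findings: List[Finding], sources: Dict[str, List[str]]) -> str:
    """Plain-text report: one section per non-empty bundle, each finding with context."""
    out: List[str] = []
    for name, items in bundle_findings(findings).items():
        if not items:
            continue
        out.append(f"## {name} ({len(items)})")
        for f in sorted(items, key=lambda x: (x.file, x.line)):
            out.append(f"{f.file}:{f.line} {f.rule} [{f.severity}]")
            out.extend(context_snippet(sources[f.file], f.line))
            out.append("")
    return "\n".join(out)


# Constructed sample input: a 13-line Java file and three scanner findings.
SAMPLE_SOURCE: Dict[str, List[str]] = {
    "src/LoginServlet.java": [
        "package demo;",
        "import java.sql.*;",
        "public class LoginServlet {",
        "  public boolean check(Connection c, String user) throws SQLException {",
        "    Statement st = c.createStatement();",
        "    String q = \"SELECT 1 FROM users WHERE name='\" + user + \"'\";",
        "    ResultSet rs = st.executeQuery(q);",
        "    return rs.next();",
        "  }",
        "  public String greet(String name) {",
        "    return \"<p>Hello \" + name + \"</p>\";",
        "  }",
        "}",
    ]
}
SAMPLE_FINDINGS = [
    Finding("src/LoginServlet.java", 7, "Injection.SQL", "High"),
    Finding("src/LoginServlet.java", 11, "Validation.Encoding.Html", "Medium"),
    Finding("src/LoginServlet.java", 2, "Style.WildcardImport", "Low"),
]

if __name__ == "__main__":
    print(render_report(SAMPLE_FINDINGS, SAMPLE_SOURCE))
```

The bundle assignment is only a starting point that the reviewer overrides per finding; the point of the bundles is that the client sees "required" fixes separated from "informational" noise. The context helper clamps at the file edges, so a finding on line 2 of a file still renders correctly with fewer than five lines above it.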