[Owasp-o2-platform] Feedback

Dinis Cruz dinis at ddplus.net
Tue Nov 24 20:25:53 EST 2009


Thanks Brad for raising this issue, since I think there is a quite a lot of
confusion on this topic.

Historically O2 (and probably until about 9 months ago) was very
inter-dependent with the Ounce's static-analysis engine. This was the main
reason why although O2 was already an Open Source project, it didn't make
sense in my mind to make it an OWASP project.

Today O2's capabilities have grown quite spectacularly, and there is a huge
amount of value that can be achieved with or without the Ounce engine (of
course that until there is a decent Open Source static analysis engine
available, there will always be a number of types of analysis that will be
hard to do without one of the current 'paid-for' tools).

What is interesting is that a lot of the value that I get from Ounce today,
is directly related to a number of O2 modules that allow me to perform
advanced analysis. Some of these modules, namely the ones that provide
support for the Spring MVC and Struts Frameworks, are quite independent from
Ounce's artifacts, and already provide a LOT of value without the need for
any extra 'paid-for' tools.

Just to clarify O2's support for other technologies I just updated this WIKI
page (
http://www.owasp.org/index.php/OWASP_O2_Platform/WIKI/O2_Supported_Technologies)
which list represents the current O2 supported technologies and how they can
be consumed by multiple O2 Modules.

Note that adding support for a new technology , tool or framework is usually
quite an easy task (since there are numerous O2 APIs that can be easily
reused or modified), If you have a particular need please lets discuss it
here on this mailing list.

Dinis Cruz


On Wed, Nov 25, 2009 at 12:15 AM, Brad Causey <bradcausey at gmail.com> wrote:

> So I think I've realized that I totally misunderstood the o2 platform.
>
> What tools can O2 interact with that carry an open source license?
> (I'm mostly interested in java and dot-net
>
>
>
> -Brad Causey
> CISSP, MCSE, C|EH, CIFI, CGSP
>
> http://www.owasp.org
> --
> Never underestimate the time, expense, and effort an opponent will expend
> to break a code. (Robert Morris)
> --
>
>
> On Tue, Nov 24, 2009 at 6:00 PM, Brad Causey <bradcausey at gmail.com> wrote:
>
>> Ahah!! I do not have the Ounce Security Analyst.
>>
>> Does this mean I'm SOL?
>> I have used Analyst and it is a fantastic tool! Unfortunately I'm
>> restricted to open source.
>>
>>
>> -Brad Causey
>> CISSP, MCSE, C|EH, CIFI, CGSP
>>
>> http://www.owasp.org
>> --
>> Never underestimate the time, expense, and effort an opponent will expend
>> to break a code. (Robert Morris)
>> --
>>
>>
>> On Tue, Nov 24, 2009 at 5:55 PM, Matt Parsons <mparsons1980 at gmail.com>wrote:
>>
>>>  I use Ounce and set the setting on Ounce Labs in Preferences to scan
>>> jar files.  See attached screen shots.
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Matt
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> Matt Parsons, MSM, CISSP
>>>
>>> 315-559-3588 Blackberry
>>>
>>> 817-294-3789 Home office
>>>
>>> mailto:mparsons1980 at gmail.com <mparons1980 at gmail.com>
>>>
>>> http://www.parsonsisconsulting.com
>>>
>>> http://www.o2-ounceopen.com/o2-power-users/
>>>
>>> http://www.linkedin.com/in/parsonsconsulting
>>>
>>>
>>>
>>> [image: CISSP_logo]
>>>
>>>
>>>
>>>
>>>
>>> *[image: mattcropped]*
>>>
>>>
>>>
>>> *From:* Brad Causey [mailto:bradcausey at gmail.com]
>>> *Sent:* Tuesday, November 24, 2009 5:43 PM
>>>
>>> *To:* Matt Parsons
>>> *Cc:* Dinis Cruz; owasp-o2-platform at lists.owasp.org
>>> *Subject:* Re: [Owasp-o2-platform] Feedback
>>>
>>>
>>>
>>> Matt,
>>>
>>> This is good stuff, but it assumes you already have a findings file. Once
>>> I get there, this will be most helpful.
>>>
>>> Lets start with what tool you are using from the O2 binaries to ingest
>>> EAR files?
>>>
>>>
>>> -Brad Causey
>>> CISSP, MCSE, C|EH, CIFI, CGSP
>>>
>>> http://www.owasp.org
>>> --
>>> Never underestimate the time, expense, and effort an opponent will expend
>>> to break a code. (Robert Morris)
>>> --
>>>
>>>  On Tue, Nov 24, 2009 at 5:00 PM, Matt Parsons <mparsons1980 at gmail.com>
>>> wrote:
>>>
>>> Brad,
>>>
>>> If you can get this attached is a presentation that I created off of one
>>> of Dinis classes.  Please let me know if you have any questions and if you
>>> receive it.
>>>
>>>
>>>
>>> Dinis,
>>>
>>> Feel free to modify this and post on the 02 website if you see value to
>>> it.
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Matt
>>>
>>>
>>>
>>>
>>>
>>> Matt Parsons, MSM, CISSP
>>>
>>> 315-559-3588 Blackberry
>>>
>>> 817-294-3789 Home office
>>>
>>> mailto:mparsons1980 at gmail.com <mparons1980 at gmail.com>
>>>
>>> http://www.parsonsisconsulting.com
>>>
>>> http://www.o2-ounceopen.com/o2-power-users/
>>>
>>> http://www.linkedin.com/in/parsonsconsulting
>>>
>>>
>>>
>>> [image: CISSP_logo]
>>>
>>>
>>>
>>>
>>>
>>> *[image: mattcropped]*
>>>
>>>
>>>
>>> *From:* Brad Causey [mailto:bradcausey at gmail.com]
>>> *Sent:* Tuesday, November 24, 2009 4:47 PM
>>> *To:* Matt Parsons
>>> *Cc:* Dinis Cruz; owasp-o2-platform at lists.owasp.org
>>>
>>>
>>> *Subject:* Re: [Owasp-o2-platform] Feedback
>>>
>>>
>>>
>>> Matt and Dinis,
>>>
>>> Forgive me, but are there "super stupid basic" tutorials out there? I
>>> briefly scoured the sight, and I've got a decent handle on 2 or 3 of the
>>> tools from just playing around with it. Ideally, a getting started document
>>> would be great.
>>>
>>> Matt - What o2 tool do you use, and what are you basic steps to get it
>>> into an oz file so you can view it in O2?
>>>
>>>
>>> -Brad Causey
>>> CISSP, MCSE, C|EH, CIFI, CGSP
>>>
>>> http://www.owasp.org
>>> --
>>> Never underestimate the time, expense, and effort an opponent will expend
>>> to break a code. (Robert Morris)
>>> --
>>>
>>> On Tue, Nov 24, 2009 at 2:34 PM, Matt Parsons <mparsons1980 at gmail.com>
>>> wrote:
>>>
>>> I use Ounce Labs out of the box to scan wars, jars and ears.  I then use
>>> O2 to filter my findings for my clients.   I also scan Dot-net source as
>>> long as it compiles; with Ounce Labs out of the box.   The generic pdf
>>> reports can be created from Ounce Labs.   When I do an assessment I break
>>> the findings up into required, requested, informational, too be
>>> investigated, validation required, validation encoding required and
>>> potentially malicious.    These are all broken up using bundles.
>>>
>>>
>>>
>>> The reports can be tweaked using O2.  But I generally create reports by
>>> API with five lines above and five lines below each context of line of
>>> code.   Let me know if that helps.
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Matt
>>>
>>>
>>> 1. Scan java source. Such as WAR, JAR,  and EAR.
>>> 2. Scan Dot-net source. Compiled and otherwise.
>>> 3. Create a report from these scans that allows us to prioritize, browse,
>>> etc.
>>>
>>>
>>>
>>> Matt Parsons, MSM, CISSP
>>>
>>> 315-559-3588 Blackberry
>>>
>>> 817-294-3789 Home office
>>>
>>> mailto:mparsons1980 at gmail.com <mparons1980 at gmail.com>
>>>
>>> http://www.parsonsisconsulting.com
>>>
>>> http://www.o2-ounceopen.com/o2-power-users/
>>>
>>> http://www.linkedin.com/in/parsonsconsulting
>>>
>>>
>>>
>>> [image: CISSP_logo]
>>>
>>>
>>>
>>>
>>>
>>> *[image: mattcropped]*
>>>
>>>
>>>
>>> *From:* owasp-o2-platform-bounces at lists.owasp.org [mailto:
>>> owasp-o2-platform-bounces at lists.owasp.org] *On Behalf Of *Brad Causey
>>> *Sent:* Tuesday, November 24, 2009 12:21 PM
>>> *To:* Dinis Cruz
>>> *Cc:* owasp-o2-platform at lists.owasp.org
>>> *Subject:* Re: [Owasp-o2-platform] Feedback
>>>
>>>
>>>
>>> See Inline
>>>
>>> On Tue, Nov 24, 2009 at 12:07 PM, Dinis Cruz <dinis at ddplus.net> wrote:
>>>
>>> This is great news Brad, please dump as much info here regarding what are
>>> your requirements, objectives and deliverables (you can also use the O2
>>> Power-User Blogs which you have an account :) ).
>>>
>>>
>>>
>>>  The best way to 'consume' O2 is to have a very explicit set of problems
>>> that we can use O2 to solve. So Brad, are you able to list 5 items that you
>>> would like to do with O2?
>>>
>>>
>>>
>>> This I can handle:
>>>
>>> 1. Scan java source. Such as WAR, JAR,  and EAR.
>>> 2. Scan Dot-net source. Compiled and otherwise.
>>> 3. Create a report from these scans that allows us to prioritize, browse,
>>> etc.
>>>
>>> Thats about it really. I've looked at findbugs and Yasca but findbugs is
>>> just Java and Yasca's plugins appear broken on the latest release.
>>>
>>>
>>>
>>> Regarding training, there are already a couple commercial options that
>>> are available to you: Bruce or Ian from IBM/Ounce , Cigital (talk to John
>>> Steven since he knows the best ones),  Matt Parsons, and (if you fly
>>> them from Brazil) Wagner from Conviso. There are a couple others power-users
>>> out there, but I'm not sure I can mention their names :)
>>>
>>>
>>>
>>> I would prefer to go through OWASP for this, thoughts?
>>>
>>>
>>>
>>>
>>> On the topic of O2 Users and Companies providing commercial services on
>>> top of O2, I've started a page here (
>>> http://www.owasp.org/index.php/OWASP_O2_Platform/WIKI/Active_O2_Users)
>>> and please feel free to add your name (It's a WIKI, just get an account and
>>> start editing)
>>>
>>>
>>> Assuming we finalize our process and make this an authorized tool, we
>>> just might do that. =)
>>>
>>>
>>>
>>>
>>> Dinis
>>>
>>>
>>>
>>> On Mon, Nov 23, 2009 at 2:19 PM, Brad Causey <bradcausey at gmail.com>
>>> wrote:
>>>
>>> I'm firing this into the open forum because hopefully other folks will be
>>> able to get something from it.
>>>
>>> I am creating a standardized code review process manual for my employer.
>>> This will include step-by-step (yay for the reqs in the financial sector)
>>> guide on what needs to be done. Now because we don't have a shi-ton of
>>> coders on our team, we need a tool to assist us. We primarly deal in java
>>> and dot-net. Because of this, O2 came to mind, and I'm proud to say I've
>>> convinced my boss to let me attempt to make O2 the "authorized" tool for
>>> code review, across the organization.
>>>
>>> I will probably end up having to hire a trainer and bring them in to
>>> train the team on O2, but this also drives home the need for some simplistic
>>> interfaces, and good docs.
>>>
>>> I'd like to get with you Dinis, and make this happen, and share what we
>>> create/learn with the O2 mailing list. Anonomized of course. =)
>>>
>>>
>>>
>>>
>>> -Brad Causey
>>> CISSP, MCSE, C|EH, CIFI, CGSP
>>>
>>> http://www.owasp.org
>>> --
>>> Never underestimate the time, expense, and effort an opponent will expend
>>> to break a code. (Robert Morris)
>>> --
>>>
>>> On Sat, Nov 21, 2009 at 10:04 AM, dinis cruz <dinis.cruz at owasp.org>
>>> wrote:
>>>
>>> First of all, a big* Thank You to Rohit*, since feedback like this is
>>> not easy to do, and he is also providing a number of very good ideas (which
>>> I will implement in the very short term)
>>>
>>> I also completely agree with Rohit (and probably most of you that have
>>> tried O2) *that O2's GUI sucks from the point of view of a new user*.
>>>
>>> I really like the idea of 'information hiding' for new users suggested by
>>> Rohit, in fact once I made a bunch of 'analog' (i.e. on paper) sketches
>>> based on the idea of 'rewarding user with features once he 'achieves' a
>>> certain task (just like the games on the iPhone (which my kids play) which
>>> only let you go to the next level once you completed the current one.
>>>
>>> I'm going to provide a much more detailed answer to Rohit (including with
>>> a PoC of the GUI that he described), but please keep feedback like this
>>> coming
>>>
>>> And if you want to be track your requests, you can add them here:
>>> http://code.google.com/p/o2platform/issues/list
>>>
>>> Dinis Cruz
>>>
>>> 2009/11/19 Rohit Sethi <rklists at gmail.com>
>>>
>>>
>>>
>>> Dinis et al, this project is very promising. Although I've known about
>>> O2 for a while now, today was the first time I actually installed the
>>> tool. Dinis, when you demonstrate the capabilities of O2 it's
>>> awe-inspiring, but I imagine many people feel the same way as I do
>>> when they actually install the tool: overwhelmed. I suggest you apply
>>> the principle of "information hiding" to the design of the application
>>> - provide people with a basic, simple view of the application and give
>>> them the option to expand on more advanced features when needed. I
>>> have some ideas for you, but I'm ashamed to say I don't have the
>>> bandwidth to actually implement them :(
>>>
>>> A few specific suggestions:
>>> •       Is there a public bug tracking system? If not this is an
>>> invaluable
>>> tool to solicit feedback and track bugs on an ongoing basis. You
>>> should provide a link to the bug-tracker from the main OWASP O2 page
>>>
>>> •       What was the rationale for creating a new GUI? In particular, why
>>> didn’t you just piggyback off an existing, pluggable IDE like Eclipse?
>>> I'd guess the answer is because O2 is developed (I’m assuming) in .Net
>>> and probably through Visual Studio in order to facilitate GUI widget
>>> development. You’ve created a new look and feel which then requires
>>> the end user to understand the new look and feel in order to make
>>> sense of the application. Although I can appreciate the choice to go
>>> use .Net instead of Java, I wonder if copying some of the GUI
>>> conventions of Eclipse might be useful (more on this later). Note that
>>> I’m no usability expert, but I’d like to share my thoughts anyway. I
>>> would seriously suggest freezing new feature development for a while
>>> and focus on improving usability; once the application is easier to
>>> use, hopefully the user base will grow and so will the pool of
>>> developers willing to pitch in. In general try to minimize the amount
>>> of information in each dialogue box, and provide expandable, grouped
>>> advanced options.
>>>
>>> •       I think O2 would be better served as one application with various
>>> features and extensions, rather than a loosely coupled collection of
>>> modules. Not only will this help lower the learning curve to the
>>> application, it will help clarify the user interface. Going back to
>>> the Eclipse point, why not start with the concept of a “Project”? Each
>>> project relates to an individual application, and is comprised of
>>> several child elements. You can even have a Project Explorer /
>>> Navigation similar to what Eclipse has. Rather than dragging and
>>> dropping source files into different module windows, there should be
>>> one location of source files within the projects and the modules can
>>> reference those source files.
>>> Here’s an example of a potential Project structure:
>>> Project
>>>   -Input
>>>       -Scanner Results (e.g. .ozmat)
>>>       -Source Files (e.g. .class, .xml)
>>>   -Analysis
>>>       -Findings (e.g. Ounce findings)
>>>       -Rules (e.g. Ounce rules)
>>>       -Scripts (e.g. Python, Java, C# scripts, etc.)
>>>       -Intermediate Representation (e.g. CIR objects)
>>>
>>> •       I appreciate the flexibility in offering discrete modules of O2
>>> functionality; however, in its current format, I had a hard time
>>> distinguishing between which functions are "Core O2 functions" and
>>> what were really extensions. I suggest that you create a single GUI
>>> which users can identify as the "O2 application". Similar to IDEs like
>>> Eclipse, users could open the GUI and then select different views or
>>> perspectives based on the features they wish to use. Similarly, I
>>> suggest creating a single Windows installer that installs all Core O2
>>> functions along with the single GUI (e.g. Rules Manager, Join Traces,
>>> O2 Scripts, Findings Query, Findings Viewer, Findings Filter, Search
>>> Assessment Run, etc.). Provide an option for custom installation in
>>> case people want to scale down the features. Provide an interface to
>>> install "extensions" such as Spring MVC or support for CSharpScripts,
>>> etc.
>>> Here’s what I’d recommend for the top level menus of the Core O2
>>> application:
>>>
>>> File
>>>   -New /** starts a new project, perhaps with a wizard to help guide
>>> the user */
>>>   -Open
>>>   -Save
>>>   --------
>>>   -Import /** import findings from various scanners */
>>>   ---------
>>>   -Exit
>>> /** Get rid of restart modules - this might be a useful debugging
>>> concept but doesn't make sense to end users. Somebody should open and
>>> close the app if they need to do this */
>>>
>>>
>>> Edit
>>>  -Cut
>>>  -Copy
>>>  -Paste
>>>  -------
>>>  -Configuration /** opens a dialog window with top level choices on
>>> the left and details on the right, similar to Eclipse Preferences */
>>>      -File System /** Top level choice */
>>>         -File Location
>>>         -Install Directory
>>>         -Temp Directory
>>>         -Executable Directory
>>>      -Module Specific /** One top level choice for each module that
>>> requires configuraiton */
>>>      -Advanced /** Top level choice */
>>>         -(other configuration items from the KO2Config)
>>> /** Provide a radio button on the top to allow users to toggle between
>>> Main configuration and user-specific configuration */
>>> /** Provide standard Save and Cancel buttons on the bottom of the
>>> dialogue window */
>>>
>>>
>>> Modules /** Each should bring up a different dialog box */
>>>   -Search
>>>   -Rules Manager /** don't distinguish between XRules and other kinds
>>> of rules - this is confusing */
>>>   -Log Viewer
>>>   -Trace Joiner
>>>   -Code Reflector
>>>   -Script Editor /** should support  C-Sharp, Python and Java */
>>>   -Findings Manager /** includes Filter and Viewer */
>>>   -Intermediate Representation Viewer  /** or IR Viewer for short,
>>> rather than CIR since this is now platform agnostic */
>>>   -Technology-Specific Modules
>>>       -Spring MVC
>>>       -.Net /**Should include the .Net debugger (the web server
>>> should be part of this functionality rather than a separate module),
>>> .Net Callbacks Maker */
>>>
>>> Windows /** no idea what functionality is supposed to be here */
>>>
>>> Help
>>>  -Online Knowledgebase (or Wiki) /** Link to owasp site */
>>>  -Request Help from O2 Developers
>>>  -About /** include version, developers names and the email address
>>> to provide feedback, don’t need the Send Comment feature */
>>>
>>> •       Do you really need the modules that allow people to run the
>>> scanner
>>> from within O2? I argue this causes too much confusion for it’s actual
>>> value
>>> •       If you use the above-suggested layout, Web Inspect Converter and
>>> other Blackbox scanner import tools should be Wizards to import data
>>> into a project’s Scanner Results rather than new modules
>>>
>>> Cheers,
>>>
>>> --
>>> Rohit Sethi
>>> Security Compass
>>> http://www.securitycompass.com
>>> _______________________________________________
>>> Owasp-o2-platform mailing list
>>> Owasp-o2-platform at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
>>>
>>>
>>>
>>>
>>> --
>>>
>>> Dinis Cruz
>>>
>>> Blog: http://diniscruz.blogspot.com
>>> Twitter: http://twitter.com/DinisCruz
>>> Web: http://www.owasp.org/index.php/O2
>>>
>>>
>>> _______________________________________________
>>> Owasp-o2-platform mailing list
>>> Owasp-o2-platform at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
>>>
>>>
>>>
>>> _______________________________________________
>>> Owasp-o2-platform mailing list
>>> Owasp-o2-platform at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-o2-platform/attachments/20091125/22a4638d/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 1922 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-o2-platform/attachments/20091125/22a4638d/attachment-0004.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 1922 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-o2-platform/attachments/20091125/22a4638d/attachment-0005.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 2509 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-o2-platform/attachments/20091125/22a4638d/attachment-0006.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 2509 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-o2-platform/attachments/20091125/22a4638d/attachment-0007.jpe 


More information about the Owasp-o2-platform mailing list