The OWASP Foundation
http://www.owasp.org
OWASP WTE:
Application Testing Your Way
Matt Tesauro
WTE and OpenStack Security ...
2
Who's this Matt guy anyway?
Broad IT background
Developer, DBA, Sys Admin, Pen Tester, Application
Security professional...
OWASP WTE: A History
4
At all started that fine spring day...
5
At all started that summer...
6
At all started that summer...
7
•Current Release
•OWASP WTE Oct 2012
•Previous Releases
•OWASP WTE Sept 2011
•OWASP WTE Feb 2011
•OWASP WTE Beta Jan 201...
8
Other fun facts
~5,094 GB of bandwidth since launch (Jul 2008)
Most downloads in 1 month = 81,607 (Mar 2009)
Overall dow...
9
10
11
There's a new kid in town
OWASP WTE
Web
Testing
Environment
12
The project has grown to more than just a Live CD
VMWare installs/appliances
VirtualBox installs
USB Installs
Training ...
13
GOAL
Make application security tools and documentation easily
available and easy to use
Compliment's OWASP goal to ma...
What's on WTE
15
16
17
18
31 “Significant” Tools Available
WapitiWeb Goat
CAL9000
JBroFuzz
DirBuster
WebSlayer
WSFuzzerWeb Scarab
OWASP Tools:
a ...
19
Skipfish
Paros
Nmap &
Zenmap
Wireshark
Firefox
Burp Suite
Grendel
Scan
Nikto
sqlmap
SQL Brute
w3af
netcat
Httprint
Spik...
Why is it different?
21
22
23
24
OWASP Documents
Testing Guide v2 & v3
CLASP and OpenSamm
Top 10 for 2010
Top 10 for Java Enterprise Edition
AppSe...
25
26
27
28
29
30
What is next?
32
33
Among the new ides for WTE are
Live CDs & Live DVDs
Virtual installs/appliances
A package repository
Can add 1+ tool to...
34
OWASP Education
Project
Natural ties between these projects
Already being used for training classes
Need to coordinat...
35
Builder is where the ROI is
But darn it,
breaking is really fun.
Builder tools coming in future releases.
(Thanks Top G...
36
Crazy “Pie in the Sky” idea
.deb package + auto update + categories
= WTE profiles
Allows someone to customize
the OW...
37
Goals going forward
Showcase great OWASP projects
Provide the best, freely distributable application security
tools/d...
38
Goals going forward
Continue to document how to use the tools and how
the modules were created
Align the tools with t...
39
40
Cloud-ifying WTE
Cloud Provider
Ubuntu / Debian Install
WTE Repository
Fun ensues
41
WTE Cloud - The12 Step
Program
Currently this is all manual
12 steps to get a fully-functional WTE
~30 minutes until yo...
42
Step 1: Get a cloud account
43
Step 2: Select Ubuntu/Debian
44
Step 3: Choose Name & RAM
45
Step 4: Start your server
46
Step 5: Install Desktop + WTE
47
Step 6: More installs
Add Repos & apt-get update
Ubuntu partners & WTE
Add a NX Server
ppa:freenx-team (plus a fix)
Add...
48
Step 7: NX Client setup
49
Step 8: Connect to WTE
50
Step 9: WTE ala Cloud
51
Step 10: Test Connectivity
52
Step 11: Test the Tools
53
Turn Cats into Dogs
54
Step 12: Check your bill
55
Cost Estimates
56
Cost Estimates
Estimated for 40 hours + 1 GB transfer
$4.98
Estimated for M-F by 24 hours + 1 GB
transfer = $15.48
Esti...
Now what?
58
More Automation
Create a wte-cloud package
Wraps up all tools into 1 package
Make configuration steps into a script
Add...
59
Even More Automation
Python library to abstract away
differences between multiple cloud
provider APIs
Cloud Servers
Clo...
60
More Options
Different desktop installs
Minimal
Baseline
Instant WebGoat in the sky
Internal Clouds
OpenStack, Vmware,
...
61
Document, Document
Document
Document and post the current manual
process (coming soon)
Create then document the Libclou...
Problems
63
Current Issues
Yikes AMD64 CPU
sqlmap is missing a dependency
WTE Firefox is for i386
NX server is a bit tricky
The WTE...
64
Like what you see,
then get involved?
Join the OWASP mail list
Announcements are there – low traffic
Download an ISO...
65
How can you get involved?
Suggest missing doc or links
Do a screencast of one of the tools
Suggest some cool new too...
66
Learn More...
OWASP Site
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
or just look on the OWASP projec...
67
Why do
I do this?
68
Questions?
http://http://mango.blender.org/ Independent film produced by the Blender
Foundation using free and open sof...
69
A bit about OWASP
71
OWASP Meritocracy
72
Security
Vulnerabilities
Change Control
Source Code Mgmt
Strategy & Metrics
Policy & Compliance
Education & Training
Th...
Upcoming SlideShare
Loading in...5
×

OWASP WTE - Now in the Cloud!

2,068

Published on

OWASP WTE, or OWASP Web Testing Environment, is a collection of application security tools and documentation available in multiple formats such as VMs, Linux distribution packages, Cloud-based installations and ISO images.

This presentation provides an overview and history of OWASP WTE. Additionally, it shows new OWASP WTE developments including the the ability to use WTE remotely by installing it on a cloud-based server.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
2,068
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
54
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • How would you feel if your confidential data is stolen? Angry frustrated!!
  • http://www.fastcompany.com/multimedia/slideshows/content/autotechnology.html
  • http://www.fastcompany.com/multimedia/slideshows/content/autotechnology.html
  • http://www.fastcompany.com/multimedia/slideshows/content/autotechnology.html
  • http://www.fordinthenews.com/ford-channels-kids-open-source-for-sync-app-development/
    http://wot.motortrend.com/6623001/technology/ford-sync-to-gain-itunes-tagging-via-hd-radio-in-2010/index.html
  • http://news.cnet.com/8301-27080_3-20020547-245.html
  • http://www.itechdiary.com/barbie-video-girl-barbie-doll-is-equipped-with-spy-camera.html
    http://www.youtube.com/watch?v=oEH5pMylo3Q
  • http://aarontestado.i.ph/photo/93/101
  • image from Tom Brennan's trip to OWASP China 2010
  • http://www.usinenouvelle.com/industry/green-hills-software-2777/green-hills-platform-for-medical-devices-p58601.html
    http://www.mathworks.com/company/events/webinars/wbnr33339.html?id=33339&p1=525981126&p2=525981144
    http://www.zdnet.com/blog/projectfailures/heart-pacemakers-vulnerable-to-attack/965
  • http://www.usinenouvelle.com/industry/green-hills-software-2777/green-hills-platform-for-medical-devices-p58601.html
    http://www.mathworks.com/company/events/webinars/wbnr33339.html?id=33339&p1=525981126&p2=525981144
    http://www.zdnet.com/blog/projectfailures/heart-pacemakers-vulnerable-to-attack/965
  • http://www.zdnet.com/blog/projectfailures/heart-pacemakers-vulnerable-to-attack/965
  • http://www.npr.org/blogs/thetwo-way/2009/07/investigators_air_france_fligh.html
    http://en.wikipedia.org/wiki/Air_France_Flight_447
    http://www.lowfaresairline.com/2010/01/2009-an-eventful-year-for-airlines/
  • http://www.xssed.com/news/112/Persistent_XSS_vulnerability_affecting_Twitter_promptly_corrected/
  • http://backseatcuddler.com/2008/12/20/arnold-hints-at-terminator-salvation-cameo/
  • http://backseatcuddler.com/2008/12/20/arnold-hints-at-terminator-salvation-cameo/
  • http://backseatcuddler.com/2008/12/20/arnold-hints-at-terminator-salvation-cameo/
  • How would you feel if your confidential data is stolen? Angry frustrated!!
  • How would you feel if your confidential data is stolen? Angry frustrated!!
  • How would you feel if your confidential data is stolen? Angry frustrated!!
  • How would you feel if your confidential data is stolen? Angry frustrated!!
  • How would you feel if your confidential data is stolen? Angry frustrated!!
  • How would you feel if your confidential data is stolen? Angry frustrated!!
  • How would you feel if your confidential data is stolen? Angry frustrated!!
  • Transcript of "OWASP WTE - Now in the Cloud!"

    1. 1. The OWASP Foundation http://www.owasp.org OWASP WTE: Application Testing Your Way Matt Tesauro WTE and OpenStack Security Project Lead matt.tesauro@owasp.org Product Security Engineering Lead Rackspace, the open cloud company Twin Cities Chapter
    2. 2. 2 Who's this Matt guy anyway? Broad IT background Developer, DBA, Sys Admin, Pen Tester, Application Security professional, CISSP, CEH, RHCE, Linux+ Long history with Linux and Open Source Contributor to many projects Leader of OWASP Live CD / WTE Former OWASP Foundation Board Member Breaking “the cloud” for Rackspace
    3. 3. OWASP WTE: A History
    4. 4. 4 At all started that fine spring day...
    5. 5. 5 At all started that summer...
    6. 6. 6 At all started that summer...
    7. 7. 7 •Current Release •OWASP WTE Oct 2012 •Previous Releases •OWASP WTE Sept 2011 •OWASP WTE Feb 2011 •OWASP WTE Beta Jan 2010 •AppSecEU May 2009 •AustinTerrier Feb 2009 •Portugal Release Dec 2008 •SoC Release Sept 2008 •Beta1 and Beta2 releases during the SoC Note: Not all of these had ISO, VirtualBox and Vmware versions
    8. 8. 8 Other fun facts ~5,094 GB of bandwidth since launch (Jul 2008) Most downloads in 1 month = 81,607 (Mar 2009) Overall downloads: 330,081 (as of 2009-10-05)
    9. 9. 9
    10. 10. 10
    11. 11. 11 There's a new kid in town OWASP WTE Web Testing Environment
    12. 12. 12 The project has grown to more than just a Live CD VMWare installs/appliances VirtualBox installs USB Installs Training Environment .... Add in the transition to Ubuntu and the possibilities are endless (plus the 26,000+ packages in the Ubuntu repos)
    13. 13. 13 GOAL Make application security tools and documentation easily available and easy to use Compliment's OWASP goal to make app security visible Design goals Easy for users to keep updated Easy for project lead to keep updated Easy to produce releases (more on this later) Focused on just application security – not general pen testing
    14. 14. What's on WTE
    15. 15. 15
    16. 16. 16
    17. 17. 17
    18. 18. 18 31 “Significant” Tools Available WapitiWeb Goat CAL9000 JBroFuzz DirBuster WebSlayer WSFuzzerWeb Scarab OWASP Tools: a tool for performing all types of security testing on web apps and web services an online training environment for hands-on learning about app sec a collection of web app sec testing tools especially encoding/decoding a web application fuzzer for requests being made over HTTP and/or HTTPS. a fuzzer with HTTP based SOAP services as its main target audits the security of web apps by performing "black-box" scans a multi threaded Java app to brute force directory and file names A tool designed for brute-forcing web applications such as resource discovery, GET and POST fuzzing, etc JBroFuzz a web application fuzzer for requests being made over HTTP and/or HTTPS. EnDe An amazing collection of encoding and decoding tools as well as many other utilities ZAP Proxy A fork of the popular but moribund Paros Proxy
    19. 19. 19 Skipfish Paros Nmap & Zenmap Wireshark Firefox Burp Suite Grendel Scan Nikto sqlmap SQL Brute w3af netcat Httprint Spike Proxy Rat Proxy Fierce Domain Scanner Metasploit tcpdump Maltego CE Other Proxies: Scanners: Duh: SQL-i: Others: Fuzzdb Wpscan Red = New in last release
    20. 20. Why is it different?
    21. 21. 21
    22. 22. 22
    23. 23. 23
    24. 24. 24 OWASP Documents Testing Guide v2 & v3 CLASP and OpenSamm Top 10 for 2010 Top 10 for Java Enterprise Edition AppSec FAQ Books – tried to get all of them CLASP, Top 10 2010, Top 10 + Testing + Legal, WebGoat and Web Scarab, Guide 2.0, Code Review Others WASC Threat Classification, OSTTMM 3.0 & 2.2
    25. 25. 25
    26. 26. 26
    27. 27. 27
    28. 28. 28
    29. 29. 29
    30. 30. 30
    31. 31. What is next?
    32. 32. 32
    33. 33. 33 Among the new ides for WTE are Live CDs & Live DVDs Virtual installs/appliances A package repository Can add 1+ tool to any Debian based Linux # apt-get install owasp-wte-* Custom remixes of any of the above Targeted installs WebGoat Developer Version Wubi USB and Kiosk version
    34. 34. 34 OWASP Education Project Natural ties between these projects Already being used for training classes Need to coordinate efforts to make sure critical pieces aren't missing from the OWASP WTE Training environment could be customized for a particular class thanks to the individual modules Student gets to take the environment home As more modules come online, even more potential for cross pollination Builder tools/docs only expand its reach
    35. 35. 35 Builder is where the ROI is But darn it, breaking is really fun. Builder tools coming in future releases. (Thanks Top Gear!) Builder vs Breaker
    36. 36. 36 Crazy “Pie in the Sky” idea .deb package + auto update + categories = WTE profiles Allows someone to customize the OWASP WTE to their needs Example profiles Whitebox testing Blackbox testing Static Analysis Target specific (Java, .Net, ...) Profile + VM = custom persistent environment
    37. 37. 37 Goals going forward Showcase great OWASP projects Provide the best, freely distributable application security tools/documents in an easy to use package Ensure that tools provided are easy to use as possible
    38. 38. 38 Goals going forward Continue to document how to use the tools and how the modules were created Align the tools with the OWASP Testing Guide v4 to provide maximum coverage Add more developer focused tools
    39. 39. 39
    40. 40. 40 Cloud-ifying WTE Cloud Provider Ubuntu / Debian Install WTE Repository Fun ensues
    41. 41. 41 WTE Cloud - The12 Step Program Currently this is all manual 12 steps to get a fully-functional WTE ~30 minutes until you are logged in
    42. 42. 42 Step 1: Get a cloud account
    43. 43. 43 Step 2: Select Ubuntu/Debian
    44. 44. 44 Step 3: Choose Name & RAM
    45. 45. 45 Step 4: Start your server
    46. 46. 46 Step 5: Install Desktop + WTE
    47. 47. 47 Step 6: More installs Add Repos & apt-get update Ubuntu partners & WTE Add a NX Server ppa:freenx-team (plus a fix) Add OWASP user Start GDM
    48. 48. 48 Step 7: NX Client setup
    49. 49. 49 Step 8: Connect to WTE
    50. 50. 50 Step 9: WTE ala Cloud
    51. 51. 51 Step 10: Test Connectivity
    52. 52. 52 Step 11: Test the Tools
    53. 53. 53 Turn Cats into Dogs
    54. 54. 54 Step 12: Check your bill
    55. 55. 55 Cost Estimates
    56. 56. 56 Cost Estimates Estimated for 40 hours + 1 GB transfer $4.98 Estimated for M-F by 24 hours + 1 GB transfer = $15.48 Estimated 30 days by 24 hours + 4 GB transfer = $88.32
    57. 57. Now what?
    58. 58. 58 More Automation Create a wte-cloud package Wraps up all tools into 1 package Make configuration steps into a script Add to postinst for wte-cloud package Get setup down to a single step Ideally all in the wte-cloud package
    59. 59. 59 Even More Automation Python library to abstract away differences between multiple cloud provider APIs Cloud Servers Cloud Storage Cloud Load balancers Supports 24 different providers
    60. 60. 60 More Options Different desktop installs Minimal Baseline Instant WebGoat in the sky Internal Clouds OpenStack, Vmware, VirtualBox (headless)
    61. 61. 61 Document, Document Document Document and post the current manual process (coming soon) Create then document the Libcloud process Tutorials for various providers
    62. 62. Problems
    63. 63. 63 Current Issues Yikes AMD64 CPU sqlmap is missing a dependency WTE Firefox is for i386 NX server is a bit tricky The WTE theme gets lost
    64. 64. 64 Like what you see, then get involved? Join the OWASP mail list Announcements are there – low traffic Download an ISO or VM or Cloud instance Complain or praise, suggest improvements Submit a bug to the Google Code site
    65. 65. 65 How can you get involved? Suggest missing doc or links Do a screencast of one of the tools Suggest some cool new tool Create a .deb package
    66. 66. 66 Learn More... OWASP Site http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project or just look on the OWASP project page (release quality) http://www.owasp.org/index.php/Category:OWASP_Project or Google “OWASP Live CD” or “OWASP WTE” Download & Community Site http://AppSecLive.org Previously: http://mtesauro.com/livecd/
    67. 67. 67 Why do I do this?
    68. 68. 68 Questions? http://http://mango.blender.org/ Independent film produced by the Blender Foundation using free and open software Download it free at: Tears of Steel
    69. 69. 69
    70. 70. A bit about OWASP
    71. 71. 71 OWASP Meritocracy
    72. 72. 72 Security Vulnerabilities Change Control Source Code Mgmt Strategy & Metrics Policy & Compliance Education & Training Threat Assessment Security Requirements Secure Architecture Design Review Code Review Remediation Hardening ...
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×