Owasp Orizon New Static Analysis In Hi Fi

Slideshow used in Owasp AppSec EU '09 in Poland to show Owasp Orizon internals and roadmap

  • Transcript

    1. The Owasp Orizon project: new static analysis in HiFi
       Paolo Perego, Owasp Orizon Project leader, Spike Reply, thesp0nge@owasp.org
       OWASP EU09 Poland
       Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
    2. Agenda
       • Orizon Framework: state of the art
       • Building a model
       • Round up: the Mirage engine
       • Roadmap '09
       (OWASP AppSecEU09 Poland)
    3. $ whoami
       • Senior consultant @ Spike Reply srl
         • Offense: application penetration test
         • Defense: application security, code review, SSDLC design
       • Owasp project leader: Owasp Orizon, Owasp Source code flaws Top 10
       • Owasp Italy board member
    4. Owasp Orizon framework v1.20
       • Orizon interface
       • APIs
       • "engine" based
       • Pipeline: build a model, analyze, report
    5. Owasp Orizon framework v1.20: engine
       • Engine commands are described by a grammar
       • The command parser is generated from the grammar using FreeCC
       • Engine is an abstract class providing a fixed set of APIs for all Orizon engines
       • The start() method contains the engine business logic
    6. Owasp Orizon framework v1.20: the Language Pack
       • The parser is almost 100% able to understand the specific language
       • The parser is built using the language grammar and FreeCC
       • Ready for Java, C and PHP; next to come: Cobol, C++, C#, Ruby, Jsp
       • The collector takes the AST from the parser and retrieves variables, methods, ...
    7. Owasp Orizon framework v1.20: build the model
       • Orizon supports more programming languages with an ad hoc "Language Pack"
       • SourceFinder scans the input, deciding which files can be processed and the language pack to be used
       • The Modeler class uses the Language Pack collectors to gather data and build the model
    8. Owasp Orizon framework v1.20: analyze
       • Get the model
       • Iterate through all files to be processed
       • Apply the rules to the model
       • Rules management
    9. Owasp Orizon framework v1.20: report
       • The reporting engine manages the findings to be represented as output
       • Formatters manage how to represent the findings in various formats
    10. It's showtime...
    11. Spot the difference
        Feature             | v1.0 (EU Summit '08)                                        | v1.18 (AppSec EU '09)                                 | v1.20 (Summer '09)
        Architecture        | Heterogeneous engines with a non-standard API               | Engine based with a standard set of APIs              | Engine based with a standard set of APIs
        Supported languages | Java                                                        | Java, C, PHP                                          | Java, C, PHP, C++, Cobol, C#
        Interface           | Command line with options specified as parameters           | Command line with a shell accepting commands (OSH)    | Shell + web-based GUI
        Modeling approach   | Sources are translated into XML and analysis is made on that | Sources are parsed with an appropriate Language Pack | Sources are parsed with an appropriate Language Pack
        Model               | None                                                        | Keyword used; variable tracking started               | Keyword + variable tracking + execution flow
        Security checks     | Written in XML                                              | Written in ORL (Orizon Rule Language)                 | Written in ORL (Orizon Rule Language)
        Crawling            | Partial                                                     | Yes                                                   | Yes
        Static analysis     | Partial                                                     | No                                                    | Yes
        Dynamic analysis    | No                                                          | No                                                    | No
    12. Roadmap
        • In the short term (3 months): v1.20
          • collectors must be able to retrieve more information from ASTs
          • new Language Packs (C++, Cobol, C#)
        • In the mid term (6 to 9 months): v1.50
          • the Modeler will be able to build a data flow diagram and an execution flow diagram
          • Owasp Orizon Guide to be released as an "alpha" document
        • In the long term (12 months): v1.80
          • static analysis will be working
          • dynamic analysis will start
    13. Before we leave
        Thanks to:
        • OWASP
        • the Italian chapter and its board
        • the gang: Nishi, Stephen, Jason, Andrés, Alessio, Dinis (http://orizon.sourceforge.net/blog/the-owasp-orizon-team/)
        • my Mom
        • my Wife
    14. Some links
        • FreeCC: used to generate all the parsers in Orizon (http://code.google.com/p/freecc/)
        • Owasp Orizon links
          • Homepage: http://www.owasp.org/index.php/Category:OWASP_Orizon_Project
          • Blog: http://orizon.sourceforge.net/blog/
          • Twitter: http://twitter.com/OWASPOrizon/
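The build-a-model, analyze and report pipeline of slides 4 to 9, together with the "keyword + variable tracking" model of slide 11, as an added Python illustration that is not Orizon's own code. LANGUAGE_PACKS, SAMPLE_FILES, the regex-based collector and the sink/source keyword lists are constructed stand-ins for Orizon's FreeCC-generated parsers and ORL rules.

```python
import re

# Toy "Language Packs" (constructed, not Orizon's real format): file extension,
# keywords treated as untrusted input sources, and keywords treated as risky sinks.
LANGUAGE_PACKS = {
    "java": {"ext": ".java", "sources": ["request.getParameter"], "sinks": ["Runtime.getRuntime().exec"]},
    "php": {"ext": ".php", "sources": ["$_GET", "$_POST"], "sinks": ["system", "exec"]},
}
ASSIGN_RE = re.compile(r"(\$?\w+)\s*=\s*([^;]+);")          # var = expr;
CALL_RE = re.compile(r"([\w.$()]+?)\(\s*(\$?\w+)\s*\)")      # callee(var)

SAMPLE_FILES = {  # constructed inputs standing in for a scanned source tree
    "Cmd.java": 'String cmd = request.getParameter("c");\nString fixed = "ls";\n'
                "Runtime.getRuntime().exec(cmd);\nRuntime.getRuntime().exec(fixed);\n",
    "run.php": "<?php\n$c = $_GET['c'];\nsystem($c);\n",
    "notes.txt": "unsupported language: SourceFinder must skip this file\n",
}

def source_finder(files):
    """SourceFinder stage: decide which files can be processed and with which pack."""
    return [(n, lang) for n in files for lang, p in LANGUAGE_PACKS.items() if n.endswith(p["ext"])]

def collect(code):
    """Collector stage: Orizon walks a FreeCC-generated AST; here regexes stand in for it."""
    assigns = {m.group(1): m.group(2).strip() for m in ASSIGN_RE.finditer(code)}
    calls = [(m.group(1), m.group(2)) for m in CALL_RE.finditer(code)]
    return {"assigns": assigns, "calls": calls}

def build_model(files):
    """Modeler stage: one collected record per processable file, tagged with its pack."""
    return {n: (lang, collect(files[n])) for n, lang in source_finder(files)}

def analyze(model):
    """Analyze stage: keyword rule (call to a sink) plus one-hop variable tracking."""
    findings = []
    for name, (lang, data) in model.items():
        pack = LANGUAGE_PACKS[lang]
        for callee, arg in data["calls"]:
            if callee in pack["sinks"]:
                rhs = data["assigns"].get(arg, "")
                tainted = any(src in rhs for src in pack["sources"])
                findings.append((name, callee, arg, "high" if tainted else "info"))
    return findings

def report(findings):
    """Formatter stage: render findings as plain text (other formatters would go here)."""
    return "\n".join(f"[{sev}] {name}: {callee}({arg})" for name, callee, arg, sev in findings)

if __name__ == "__main__":
    print(report(analyze(build_model(SAMPLE_FILES))))
```

The keyword rule alone would rate both exec calls the same; the one-hop variable tracking is what separates the call fed from request.getParameter from the call on a constant.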