Owasp o2 platform november 2010
by Dinis Cruz

Presentation on the OWASP O2 Platform (longer version) see http://o2platform.com and http://o2platform.wordpress.com
O2 Platform
Automating Security Knowledge through Unit Tests

WHAT IS [O2 logo]? and the OWASP O2 PLATFORM

[Figure, repeated on each slide: a "GEEK-O-METER" gauge whose scale reads O2 developer, senior consultant, security consultant, analyst, manager]

[O2 logo] is an: OPEN PLATFORM for AUTOMATING APPLICATION SECURITY KNOWLEDGE.
How to write an effective Cyber Incident Response PlanDatabarracks
 
Act Like an Owner, Challenge Like a VC by former CPO, Tripadvisor
Act Like an Owner,  Challenge Like a VC by former CPO, TripadvisorAct Like an Owner,  Challenge Like a VC by former CPO, Tripadvisor
Act Like an Owner, Challenge Like a VC by former CPO, TripadvisorProduct School
 
Traffic Signboard Classification with Voice alert to the driver.pptx
Traffic Signboard Classification with Voice alert to the driver.pptxTraffic Signboard Classification with Voice alert to the driver.pptx
Traffic Signboard Classification with Voice alert to the driver.pptxharimaxwell0712
 
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...UiPathCommunity
 
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...Product School
 
H3 Platform CXL Solution_Memory Fabric Forum.pptx
H3 Platform CXL Solution_Memory Fabric Forum.pptxH3 Platform CXL Solution_Memory Fabric Forum.pptx
H3 Platform CXL Solution_Memory Fabric Forum.pptxMemory Fabric Forum
 
IT Nation Evolve event 2024 - Quarter 1
IT Nation Evolve event 2024  - Quarter 1IT Nation Evolve event 2024  - Quarter 1
IT Nation Evolve event 2024 - Quarter 1Inbay UK
 
Bit N Build Poland
Bit N Build PolandBit N Build Poland
Bit N Build PolandGDSC PJATK
 
Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?MENGSAYLOEM1
 
The Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolThe Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolProduct School
 
Bringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxBringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxMaarten Balliauw
 

Recently uploaded (20)

Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxLeveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
 
Relationship Counselling: From Disjointed Features to Product-First Thinking ...
Relationship Counselling: From Disjointed Features to Product-First Thinking ...Relationship Counselling: From Disjointed Features to Product-First Thinking ...
Relationship Counselling: From Disjointed Features to Product-First Thinking ...
 
Importance of magazines in education ppt
Importance of magazines in education pptImportance of magazines in education ppt
Importance of magazines in education ppt
 
"How we created an SRE team in Temabit as a part of FOZZY Group in conditions...
"How we created an SRE team in Temabit as a part of FOZZY Group in conditions..."How we created an SRE team in Temabit as a part of FOZZY Group in conditions...
"How we created an SRE team in Temabit as a part of FOZZY Group in conditions...
 
Digital Transformation Strategy & Plan Templates - www.beyondthecloud.digital...
Digital Transformation Strategy & Plan Templates - www.beyondthecloud.digital...Digital Transformation Strategy & Plan Templates - www.beyondthecloud.digital...
Digital Transformation Strategy & Plan Templates - www.beyondthecloud.digital...
 
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...
 
Confoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceConfoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data science
 
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
 
How to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response PlanHow to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response Plan
 
Act Like an Owner, Challenge Like a VC by former CPO, Tripadvisor
Act Like an Owner,  Challenge Like a VC by former CPO, TripadvisorAct Like an Owner,  Challenge Like a VC by former CPO, Tripadvisor
Act Like an Owner, Challenge Like a VC by former CPO, Tripadvisor
 
Traffic Signboard Classification with Voice alert to the driver.pptx
Traffic Signboard Classification with Voice alert to the driver.pptxTraffic Signboard Classification with Voice alert to the driver.pptx
Traffic Signboard Classification with Voice alert to the driver.pptx
 
In sharing we trust. Taking advantage of a diverse consortium to build a tran...
In sharing we trust. Taking advantage of a diverse consortium to build a tran...In sharing we trust. Taking advantage of a diverse consortium to build a tran...
In sharing we trust. Taking advantage of a diverse consortium to build a tran...
 
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
 
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
 
H3 Platform CXL Solution_Memory Fabric Forum.pptx
H3 Platform CXL Solution_Memory Fabric Forum.pptxH3 Platform CXL Solution_Memory Fabric Forum.pptx
H3 Platform CXL Solution_Memory Fabric Forum.pptx
 
IT Nation Evolve event 2024 - Quarter 1
IT Nation Evolve event 2024  - Quarter 1IT Nation Evolve event 2024  - Quarter 1
IT Nation Evolve event 2024 - Quarter 1
 
Bit N Build Poland
Bit N Build PolandBit N Build Poland
Bit N Build Poland
 
Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?
 
The Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolThe Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product School
 
Bringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxBringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptx
 

Owasp o2 platform november 2010

  • 1. O2 Platform Automating Security Knowledge through Unit Tests
  • 2-10. WHAT IS O2? and the OWASP O2 PLATFORM. O2 is an: OPEN PLATFORM for AUTOMATING APPLICATION SECURITY KNOWLEDGE and WORKFLOWS. [Each slide carries a GEEK-O-METER sidebar rating the intended audience: developer, senior consultant, security consultant, analyst, manager]
  • 11. ... and when you start using it ... you will be able to do impossible things ...
  • 12. ... and your clients will love you
  • 13-16. O2 Quote, by David Campbell: "Earlier this year I gave a presentation about how the 'future of penetration testing' is all greybox. We now get source for almost every assessment we do, and so the blackbox toolset we traditionally used had to evolve. The O2 framework provides a very flexible set of tools for performing greybox testing. The concept of 'MethodStreams' makes it radically simpler to get all of the source for a single method in one place to easily 'follow the taint'. O2 also provides a set of blackbox tools to quickly verify your static analysis findings and rapidly develop POC exploits. In a nutshell, the pentesting game has changed, and O2 is the swiss army knife you need to carry."
  • 17-18. Key message of this presentation: NO MORE [PDFs] WITH SECURITY FINDINGS
  • 19-21. Other types of PDFs
    • As bad as delivering a PDF is delivering Automated Tool results (Static Code Analysis, Website Scanners) which contain tons of results/findings but have little context and few actionable recommendations.
    • Any client deliverable that is not easily consumed by the end user (from developers to managers) is what I'm calling a 'PDF'.
  • 22-26. SPEAKING DEVS' LANGUAGE
    • Delivering security knowledge inside a PDF is a massively inefficient workflow
    • The client is going to spend more money trying to figure out what the PDF says and how to deal with it than they spent creating it (the PDF)
    • The developers will struggle to reproduce the findings and in most cases will 'fix' the vulnerabilities only by making the specific exploit stop working
    • We need to speak the developer's language, leverage their knowledge and create two-way communication channels
  • 27-35. We need UnitTests
    • Unit tests are the only 'language' we can speak that the developers will understand
    • Security-driven unit tests will allow the developers to:
      • Reproduce security findings
      • Debug security exploits
      • Write fixes and confirm their non-exploitability
      • Use them as part of normal app QA/testing
      • Ensure vulnerabilities are not re-introduced at a later stage
    • There are lots of other advantages: better security management reports, WAF rules, etc.
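What a security-driven unit test for one finding can look like, as an added illustration that is not from the talk or from the O2 code base. It is language-neutral (Python with only the standard library); the SQL injection finding, the `users` table and the payload are constructed for the example; `find_user_vulnerable` is the 'before' code a report would describe and `find_user_fixed` is the developer's fix:

```python
import sqlite3
import unittest

# Exploit input copied into the test from the (constructed) finding: it closes the quoted
# string and appends a tautology, so a concatenated query returns every row.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """In-memory fixture standing in for the application's user store (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, name):
    """The 'before' code as described in the finding: user input concatenated into SQL."""
    return conn.execute(
        f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()


def find_user_fixed(conn, name):
    """The developer's fix: a parameterised query, so the payload is just a literal name."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def is_exploitable(lookup):
    """True if the payload returns any row: no user is called PAYLOAD, so rows mean injection."""
    return len(lookup(make_db(), PAYLOAD)) > 0


class SqlInjectionFinding(unittest.TestCase):
    """One finding, three tests: reproduce it, prove the fix, guard against regression."""

    def test_finding_is_reproducible_on_original_code(self):
        self.assertTrue(is_exploitable(find_user_vulnerable))

    def test_fix_blocks_the_exploit(self):
        self.assertFalse(is_exploitable(find_user_fixed))

    def test_fix_keeps_normal_lookups_working(self):
        self.assertEqual(find_user_fixed(make_db(), "alice"), [("alice", "admin")])


if __name__ == "__main__":
    unittest.main()
```

The first test reproduces the finding and stays in the suite as its documentation; once the fix lands, the other two confirm that the payload no longer works and that normal lookups still do, so a later refactor back to string concatenation fails the build instead of waiting for the next assessment.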
  • 36-42. SECURITY BY DESIGN & DEFAULT: DELIVERING SECURITY UNIT TESTS WILL ALLOW US TO MAKE SECURITY INVISIBLE/TRANSPARENT TO DEVELOPERS
  • 43. Living in an O2 world
  • 44-49. WHAT DOES IT LOOK LIKE?
    • By now (hopefully) you agree that the concept of creating Security-Driven Unit Tests instead of PDFs is a good one
    • But how does it work in practice?
    • What type of unit tests can be created?
    • Don't the current tools in the market (including O2) suck at automating security consultants' knowledge, workflows and exploits?
    • To answer this, let's look at a number of case studies of what O2 can do in the hands of an O2 Power User (i.e. in my hands)
  • 50-51. Recapping: OWASP O2 PLATFORM. The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to automate security consultants' knowledge and workflows, and to allow non-security experts to access and consume security knowledge and unit tests.
  • 52-61. SO WHAT IS O2?
    • Scripting engine and development environment
    • I write "O2 in O2" using its "C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods" environment
    • Black-box/browser-automation environment
    • Source code analysis environment:
      • Its own .NET static analysis engine (with taint-flow analysis)
      • Supports Java bytecode/classes call-flow analysis (and source code mappings)
      • Multiple visualizers for development frameworks (Spring MVC, Struts, ASP.NET MVC)
    • Data consumption and API generation
    • Powerful search engine, graphical engines, multiple APIs for popular tools/websites and tons of utilities
  • 62-64. Automating myself. KEY CONCEPT: Today (Nov 2010) when I do a security assessment: IT IS FASTER FOR ME TO AUTOMATE MYSELF VIA CUSTOM APIs THAN IT IS TO KEEP DOING IT BY HAND
  • 65-67. IN PRACTICE
    • To really understand what this all means, let's look at a number of case studies where I have successfully used O2 in the real world
    • Hopefully this will dispel the myth, still held by security consultants today, that there is no way to automate their workflows and security findings
  • 68. Real world O2 usage
  • 69-72. PROBLEM: Create a scripting environment that:
    - allows maximum customisation and extensibility
    - has IntelliSense/code completion
    - has full access to rich APIs
    - allows new APIs and new methods to be created quickly
    - allows one-click execution of the scripts created
    I'm basically looking for: Strongly Typed Python
    SOLUTION: O2 scripting environment based on C# extension methods, code refactoring and dynamic compilation of the script (and supporting C# files)
  • 73-76. PROBLEM: Analyse source code findings (created by the OunceLabs tool) and:
    • list unique sources and sinks
    • filter findings based on complex criteria
    • join and visualise similar findings and identify patterns
    • join traces (getters and setters, interfaces, reflection calls, etc.)
    • mass-create rules based on analysis targets
    • dump Ounce's Intermediate Representation (i.e. the analysed code as an object model)
    • handle 1+ million findings and 300MB+ findings files
    SOLUTION: Created a bunch of O2 modules that solved these and many more problems
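To make the 'unique sources and sinks', 'filter on complex criteria', 'join similar findings' and 'join traces across getters and setters' items concrete, here is an added example; it is not O2 code and does not use Ounce's real findings format. The findings are constructed and represented simply as an ordered list of method names from source to sink, and the getter/setter join uses the naming convention (`Foo.setX` feeding `Foo.getX`) as the hypothetical link the analyser lost:

```python
import re
from collections import defaultdict

# Constructed findings (not Ounce's format): each trace is the ordered list of method
# names the analyser reported, from the taint source to the sink.
FINDINGS = [
    {"id": 1, "type": "SQL Injection",
     "trace": ["HttpRequest.getParameter", "LoginController.doLogin", "Statement.executeQuery"]},
    {"id": 2, "type": "XSS",
     "trace": ["HttpRequest.getParameter", "UserController.edit", "User.setName"]},
    {"id": 3, "type": "XSS",
     "trace": ["User.getName", "ProfilePage.render", "HttpResponse.write"]},
    {"id": 4, "type": "Path Traversal",
     "trace": ["HttpRequest.getHeader", "FileController.download", "FileInputStream.<init>"]},
    {"id": 5, "type": "SQL Injection",
     "trace": ["HttpRequest.getParameter", "SearchController.find", "Statement.executeQuery"]},
]


def unique_sources(findings):
    return sorted({f["trace"][0] for f in findings})


def unique_sinks(findings):
    return sorted({f["trace"][-1] for f in findings})


def filter_findings(findings, vuln_type=None, sink_pattern=None, passes_through=None):
    """Combine criteria: vulnerability type, a regex on the sink, and a method the trace must pass through."""
    kept = []
    for f in findings:
        if vuln_type and f["type"] != vuln_type:
            continue
        if sink_pattern and not re.search(sink_pattern, f["trace"][-1]):
            continue
        if passes_through and passes_through not in f["trace"][1:-1]:
            continue
        kept.append(f)
    return kept


def group_by_source_sink(findings):
    """Findings sharing a (source, sink) pair are usually one root cause reported many times."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["trace"][0], f["trace"][-1])].append(f["id"])
    return dict(groups)


_SETTER = re.compile(r"^(?P<cls>[\w.]+)\.set(?P<prop>\w+)$")
_GETTER = re.compile(r"^(?P<cls>[\w.]+)\.get(?P<prop>\w+)$")


def join_setter_getter_traces(findings):
    """Stitch a trace ending in Foo.setX to every trace starting at Foo.getX.

    Engines commonly stop at the field write and start a fresh trace at the field read,
    so the end-to-end flow only appears once the two halves are joined. The link used
    here is the get/set naming convention (an assumption); a real join would follow
    the field reference itself."""
    starts_with_getter = defaultdict(list)
    for f in findings:
        m = _GETTER.match(f["trace"][0])
        if m:
            starts_with_getter[(m["cls"], m["prop"])].append(f)
    joined = []
    for f in findings:
        m = _SETTER.match(f["trace"][-1])
        if not m:
            continue
        for g in starts_with_getter.get((m["cls"], m["prop"]), []):
            joined.append({"id": f"{f['id']}+{g['id']}", "type": g["type"],
                           "trace": f["trace"] + g["trace"]})
    return joined
```

The join is the interesting part: finding 2 ends at `User.setName` and finding 3 starts at `User.getName`, so on their own neither reads as a request-to-response flow; joined, they show an XSS path from `getParameter` to `HttpResponse.write` that a per-trace view hides. On a real 300MB findings file the same functions apply, only the loader changes.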
  • 77-80. PROBLEM: Source code: handle the lack of visibility that static analysis engines have (in this case the AppScan/OunceLabs engine) when identifying web services (i.e.
    SOLUTION: Parse the source code to find the 'formula' that defines the web services in the frameworks used, and mass-create rules that allow them to be scanned effectively
  • 81-84. PROBLEM: Analyse a Spring MVC application (from both a BlackBox and WhiteBox point of view)
    SOLUTION: O2 :)
  • 85-88. PROBLEM: Analyse a Struts with Java Faces application (from both a BlackBox and WhiteBox point of view)
    SOLUTION: O2 :)
  • 89-92. PROBLEM: Analyse an ASP.NET MVC application (from both a BlackBox and WhiteBox point of view)
    SOLUTION: O2 :)
  • 93-96. PROBLEM: Automating browser actions: list fields, enter data, click on buttons, manipulate HTML/JavaScript, etc.
    SOLUTION: Found a great C# browser automation API (WatiN) and wrote a large API that simplifies WatiN’s behaviour (using extension methods)
  • 97-100. PROBLEM: BlackBox: Deploy payloads in post-login pages
    SOLUTION: O2 :)
  • 101-104. PROBLEM: BlackBox: Test for reflected vulnerabilities, for example XSS where there are two distinct (and complex) web-browsing paths: one to put the payload in and one to confirm exploitability
    SOLUTION: O2 :)
  • 105-108. PROBLEM: BlackBox: Easily create XSS PoCs that are specific to the application and are much more than the ALERT pop-up box, whose implications nobody outside the WebAppSecurity space understands
    SOLUTION: O2 :)
  • 109-112. PROBLEM: BlackBox: Create an exploit that leverages data inside the ASP.NET ViewState
    SOLUTION: O2 :)
  • 113-116. PROBLEM: BlackBox: Confirm that an XSS vulnerability has been fixed, by retesting the original payload (with its automation) using the FuzzDB database
    SOLUTION: O2 :)
  • 117-120. PROBLEM: BlackBox: Try to open (in a web browser) all files available in the web app’s root (i.e. file system), and create an authorisation mapping table for multiple users
    SOLUTION: O2 :)
  • 121-124. PROBLEM: BlackBox: Automatically test/fuzz web services where each request needs to be a valid XML/SOAP request (or the payloads will never reach the application)
    SOLUTION: O2 :)
  • 125-128. PROBLEM: BlackBox: Perform brute-force authentication (username & password) attacks against multiple forms, each having unique signatures, behaviours and workflows
    SOLUTION: O2 :)
  • 129-132. PROBLEM: BlackBox: Perform multiple requests, where for each request the following actions are done:
    - take a screenshot of the page with the payload in the forms
    - submit the payload
    - take a screenshot of the resulting page
    - save the HTML
    After completion, visualise and analyse the created data
    SOLUTION: O2 :)
  • 133-136. PROBLEM: BlackBox: Give developers the ability to reproduce the security findings
    SOLUTION: O2 :)
  • 137-140. PROBLEM: BlackBox: Show developers the multiple ways and variations in which a particular vulnerability can be exploited
    SOLUTION: O2 :)
  • 141-144. PROBLEM: Show the end-client (and developers) the tests performed during the security assessment and their coverage
    SOLUTION: O2 :)
  • 145-148. PROBLEM: BlackBox: Test for CSRF on complex web applications with multiple workflows and complex state
    SOLUTION: Create an API that exposes the application’s behaviour as a set of methods, which can then be invoked in a foreach(var payload in payloads) loop that handles the payload submission and data collection (i.e. screenshots and the HTML data returned)
  • 149-152. PROBLEM: BlackBox: After finding, during code review, a ‘this CSRF token looks like poor crypto to me’ vulnerability, correctly identify and exploit it.
    SOLUTION: Isolate the original code into a testable component, which is then used to map its entropy behaviour, confirm the vulnerable scenario, write a “CSRF token generator” and write a JavaScript-based exploit/PoC to detect login timings
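The first two steps of that solution, isolating the token generator into a testable component and mapping its entropy behaviour, as an added example written in Python rather than the C# O2 scripts use, and not the code from the review. `TimeSeededTokenGenerator` is a constructed stand-in for a "looks like poor crypto" generator (it seeds a PRNG from the clock at one-second resolution); `SecureTokenGenerator` is the fix. The checks are the unit-test-style questions a reviewer wants answered: do tokens repeat within one second, are they distinct across seconds, and can a fresh instance that knows only the issue time reproduce a token. The fake clock and the `assess` function are mine.

```python
import math
import random
import secrets
import time
from collections import Counter


class TimeSeededTokenGenerator:
    """Constructed stand-in for the 'looks like poor crypto' code found in review (NOT
    real application code): seeds a PRNG from the clock at one-second resolution, so
    every token is a pure function of its issue time."""

    def __init__(self, clock=time.time):
        self._clock = clock

    def new_token(self):
        rng = random.Random(int(self._clock()))
        return "%016x" % rng.getrandbits(64)


class SecureTokenGenerator:
    """The fix: 128 bits from the OS CSPRNG. The clock argument is accepted only so
    both generators share one interface in the checks below; it is never used."""

    def __init__(self, clock=None):
        pass

    def new_token(self):
        return secrets.token_hex(16)


def make_clock(start, step):
    """Deterministic fake clock: returns start, start+step, ... on successive calls.
    step=0 freezes time, i.e. many requests served within the same second."""
    state = {"t": start - step}

    def clock():
        state["t"] += step
        return state["t"]
    return clock


def distinct_ratio(generator, n):
    """Fraction of n issued tokens that are unique (1.0 = no repeats)."""
    return len({generator.new_token() for _ in range(n)}) / n


def entropy_bits_per_char(tokens):
    """Shannon entropy of the character distribution over a sample of tokens. A hex
    alphabet caps this at 4.0; a figure well below that points at a biased generator,
    but a figure near 4.0 does NOT prove unpredictability (see the usage note)."""
    text = "".join(tokens)
    counts = Counter(text)
    total = len(text)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def reproducible_from_issue_time(generator_cls, issue_time):
    """Issue a token at issue_time, then ask a fresh generator that knows only the
    issue time for a token. Equality means the token is predictable from the clock,
    which is exactly what a CSRF token must not allow."""
    issued = generator_cls(clock=lambda: issue_time).new_token()
    replayed = generator_cls(clock=lambda: issue_time).new_token()
    return issued == replayed


def assess(generator_cls, n=200, t0=1_700_000_000.0):
    """Map a generator's behaviour under the conditions that matter for CSRF tokens."""
    ticking = generator_cls(clock=make_clock(t0, 1))
    sample = [ticking.new_token() for _ in range(n)]
    return {
        "distinct_within_one_second": distinct_ratio(generator_cls(clock=make_clock(t0, 0)), n),
        "distinct_across_seconds": distinct_ratio(generator_cls(clock=make_clock(t0, 1)), n),
        "predictable_from_time": reproducible_from_issue_time(generator_cls, t0),
        "entropy_bits_per_char": entropy_bits_per_char(sample),
    }


if __name__ == "__main__":
    print("weak  ", assess(TimeSeededTokenGenerator))
    print("secure", assess(SecureTokenGenerator))
```

The instructive result is that the weak generator looks healthy on the two naive measures (every token is distinct across seconds, and the character entropy is close to the 4 bits/char ceiling) and only fails the checks that model the actual threat: repeats within one second and reproducibility from the issue time. Entropy-of-output statistics never substitute for knowing where the bits come from.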
  • 153-154. PROBLEM: Create a PoC for the “Google Wireless MAC Address Location exposure”, as made famous by Samy’s “How I Met Your Girlfriend” presentation
