OWASP O2 Platform, November 2010


Presentation on the OWASP O2 Platform (longer version)

see http://o2platform.com and http://o2platform.wordpress.com

Published in: Technology, Business
    1. O2 Platform: Automating Security Knowledge through Unit Tests

    (Slides 2 onwards carry a "GEEK-O-METER" sidebar with the audience labels developer, senior consultant, security consultant, analyst and manager; the sidebar labels are omitted below.)

    2-10. WHAT IS the OWASP O2 PLATFORM? O2 is an: OPEN PLATFORM for AUTOMATING APPLICATION SECURITY KNOWLEDGE and WORKFLOWS
    11. ... and when you start using it ... you will be able to do impossible things ...
    12. ... and your clients will love you
    13-16. O2 Quote, by David Campbell: "Earlier this year I gave a presentation about how the future of penetration testing is all greybox. We now get source for almost every assessment we do, and so the blackbox toolset we traditionally used had to evolve. The O2 framework provides a very flexible set of tools for performing greybox testing. The concept of MethodStreams makes it radically simpler to get all of the source for a single method in one place to easily follow the taint. O2 also provides a set of blackbox tools to quickly verify your static analysis findings and rapidly develop POC exploits. In a nutshell, the pentesting game has changed, and O2 is the swiss army knife you need to carry."
    17-18. Key message of this presentation: NO MORE PDFs WITH SECURITY FINDINGS
    19-21. Other types of PDF's
        • As bad as delivering a PDF, is delivering Automated Tools results (Static Code Analysis, Website Scanners) which deliver tons of results/findings but have little context or actionable actions.
        • Any client's deliverable that is not easily consumed by the end user (from developers to managers) is what I'm calling a 'PDF'
    22-26. SPEAKING DEVS LANGUAGE
        • Delivering security knowledge inside a PDF is a massively inefficient workflow
        • The Client is going to spend more money trying to figure out what the PDF says and how to deal with it, than they spent in creating it (the PDF)
        • The developers will struggle to reproduce the findings and in most cases fix the vulnerabilities by making the exploit not work
        • We need to speak the developer's language, leverage their knowledge and create two-way communication channels
    27-35. We need UnitTests
        • UnitTests are the only 'language' we can speak that the developers will understand
        • Security-Driven Unit tests will allow the developers to:
            • Reproduce Security Findings
            • Debug Security Exploits
            • Write Fixes and Confirm their non-exploitability
            • Use as part of normal app QA/Testing
            • Ensure vulnerabilities are not re-introduced at a later stage
        • There are lots of other advantages: better management reports, WAF rules, etc...
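As an added illustration of the security-driven unit test these slides describe (example code written for this page, not part of the O2 Platform), in Python: a vulnerable and a fixed renderer for a reflected request parameter, a constructed finding record, and tests that first reproduce the finding against the unfixed code, then confirm the fix holds against a small constructed payload list standing in for a FuzzDB-style list. All function names, the finding id and the payloads are constructed for this example.

```python
"""Security-driven unit test for one reflected XSS finding (constructed example)."""
import html
import re
import unittest
from dataclasses import dataclass, field


def render_search_vulnerable(query: str) -> str:
    """'Before' version of the page fragment: the parameter is concatenated
    into the HTML untouched, which is the behaviour the finding reported."""
    return f"<p>Results for: <b>{query}</b></p>"


def render_search_fixed(query: str) -> str:
    """'After' version: HTML-encode the parameter for an HTML text context,
    so any markup in it is rendered as inert text."""
    return f"<p>Results for: <b>{html.escape(query, quote=True)}</b></p>"


@dataclass
class XssFinding:
    """Constructed record of one reported finding plus its retest list."""
    finding_id: str
    parameter: str
    original_payload: str
    retest_payloads: list = field(default_factory=list)


# Constructed stand-in for a FuzzDB-style XSS payload list.
RETEST_PAYLOADS = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
    "'><svg onload=alert(1)>",
    '<b onmouseover="alert(1)">x</b>',
]

FINDING = XssFinding(
    finding_id="XSS-001-constructed",
    parameter="q",
    original_payload="<script>alert(1)</script>",
    retest_payloads=RETEST_PAYLOADS,
)

_TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9-]*)")


def element_names(markup: str) -> set:
    """Names of the HTML elements present in a rendered fragment."""
    return {name.lower() for name in _TAG_RE.findall(markup)}


def payload_is_live(render, payload: str, benign: str = "shoes") -> bool:
    """Oracle used by the tests: a payload counts as live (still exploitable)
    if it is reflected verbatim, or if it introduced an element that the
    template itself (rendered with benign input) does not contain."""
    baseline = element_names(render(benign))
    output = render(payload)
    return payload in output or bool(element_names(output) - baseline)


def retest(finding: XssFinding, render) -> dict:
    """Replay the original payload and the retest list against a renderer.
    Returns {payload: live?} so a report can list exactly what still fails."""
    payloads = list(dict.fromkeys([finding.original_payload] + list(finding.retest_payloads)))
    return {p: payload_is_live(render, p) for p in payloads}


def still_exploitable(finding: XssFinding, render) -> list:
    """Payloads that are still live against the given renderer (empty = fix holds)."""
    return [p for p, live in retest(finding, render).items() if live]


class SecurityDrivenXssTest(unittest.TestCase):
    def test_reproduces_the_reported_finding(self):
        # The test must fail against the unfixed code first; otherwise a
        # passing test proves nothing about the fix.
        self.assertTrue(payload_is_live(render_search_vulnerable, FINDING.original_payload))

    def test_fix_neutralises_original_payload(self):
        self.assertFalse(payload_is_live(render_search_fixed, FINDING.original_payload))

    def test_fix_holds_against_retest_list(self):
        # Regression guard: lives in the normal QA suite so the vulnerability
        # cannot be silently re-introduced at a later stage.
        self.assertEqual(still_exploitable(FINDING, render_search_fixed), [])


if __name__ == "__main__":
    unittest.main()
```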
    36-42. SECURITY BY DESIGN & DEFAULT: DELIVERING SECURITY UNIT TESTS WILL ALLOW US TO MAKE SECURITY INVISIBLE/TRANSPARENT TO DEVELOPERS
    43. Living in an O2 world
    44-49. WHAT DOES IT LOOK LIKE?
        • By now (hopefully) you agree that the concept of creating Security-Driven-UnitTests vs PDFs is a good one
        • But how does it work in practice?
        • What type of Unit Tests can be created?
        • Don't the current tools in the market (including O2) suck at automating security consultants' knowledge, workflows and exploits?
        • To answer this, let's look at a number of case studies of what O2 can do in the hands of an O2 Power User (i.e. in my hands)
    50-51. Recapping: OWASP O2 PLATFORM. The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants' Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge and Unit Tests
    52-61. SO WHAT IS O2?
        • Scripting Engine and development environment
            • I write "O2 in O2" using its "C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods" environment
        • Black-Box/Browser-automation environment
        • Source Code analysis environment:
            • Its own .NET Static Analysis engine (with taint-flow analysis)
            • Supports Java ByteCode/classes call-flow analysis (and source code mappings)
            • Multiple visualizers for Development Frameworks (Spring MVC, Struts, ASP.NET MVC)
        • Data Consumption and API Generation
        • Powerful search engine, Graphical Engines, multiple APIs for popular tools/websites and tons of utilities
    62-64. Automating myself
        • KEY CONCEPT: Today (Nov 2010) when I do a security assessment: IT IS FASTER FOR ME TO AUTOMATE MYSELF VIA CUSTOM APIs THAN IT IS TO KEEP DOING IT BY HAND
    65-67. IN PRACTICE
        • To really understand what this all means, let's look at a number of case studies of where I have successfully used O2 in the real world
        • Hopefully this will clear the myth that security consultants still have today that there is no way to automate their workflows and security findings
    68. Real world O2 usage
    69-72. PROBLEM: Create a scripting environment that:
        - allows maximum customisation and extensibility,
        - has IntelliSense/CodeComplete,
        - with full access to rich APIs
        - allows to quickly create new APIs and new methods
        - allows one-click execution of scripts created
        I'm basically looking for: Strongly Typed Python
        SOLUTION: O2 Scripting environment based on C# ExtensionMethods, code refactoring and dynamic compilation of script (and supporting C# files)
    73-76. PROBLEM: Analyse Source Code Findings (Created by OunceLabs tool) and:
        • list unique sources and sinks
        • filter findings based on complex criteria
        • join and visualise similar findings and identify patterns
        • join traces (getters and setters, interfaces, reflection calls, etc...)
        • mass create rules based on analysis targets
        • dump Ounce's Intermediate Representation (i.e. the analysed code as an Object Model)
        • Handle 1+ Million Findings and 300Mb+ Findings file
        SOLUTION: Created a bunch of O2 modules that solved these and many more problems
    77-80. PROBLEM: Source Code: Handle the lack-of-visibility that static analysis engines have (in this case AppScan/OunceLabs engine) with identifying web services (i.e.
        SOLUTION: Parse the source code to find the 'formula' that defines the Web Services in the Frameworks used, and mass-create rules that allow their effective scanning
    81-84. PROBLEM: Analyse a Spring MVC application (from both a BlackBox and WhiteBox point of view)
        SOLUTION: O2 :)
    85-88. PROBLEM: Analyse a Struts with Java Faces application (from both a BlackBox and WhiteBox point of view)
        SOLUTION: O2 :)
    89-92. PROBLEM: Analyse an ASP.NET MVC application (from both a BlackBox and WhiteBox point of view)
        SOLUTION: O2 :)
    93-96. PROBLEM: Automating Browser actions: list fields, enter data, click on buttons, manipulate html/javascript, etc...
        SOLUTION: Found a great C# Browser Automation API (WatiN) and wrote a large API that simplifies WatiN's behaviour (using extension methods)
    97-100. PROBLEM: BlackBox: Deploy payloads in post login pages
        SOLUTION: O2 :)
    101-104. PROBLEM: BlackBox: Test for reflected vulnerabilities, for example XSS where there are two unique (and complex) web-browsing paths: one to put the payload and one to confirm exploitability
        SOLUTION: O2 :)
    105-108. PROBLEM: BlackBox: Easily create XSS PoCs that are specific to the application and are much more than the ALERT pop-up box, whose implication nobody outside the WebAppSecurity space understands
        SOLUTION: O2 :)
    109-112. PROBLEM: BlackBox: Create exploit that leverages data inside ASP.NET Viewstate
        SOLUTION: O2 :)
    113-116. PROBLEM: BlackBox: Confirm that an XSS vulnerability has been fixed, by retesting the original payload (with its automation) using the FuzzDB database
        SOLUTION: O2 :)
    117-120. PROBLEM: BlackBox: Try to open (in web browser) all files available in the web app's root (i.e. file system), and create an authorisation mapping table for multiple users
        SOLUTION: O2 :)
    121-124. PROBLEM: BlackBox: Automatically Test/Fuzz WebServices where each request needs to be a valid XML/SOAP request (or the payloads will never reach the application)
        SOLUTION: O2 :)
    125-127. PROBLEM: BlackBox: perform brute force authentication (username & password) attacks in multiple forms, each having unique signatures, behaviours and workflows
        SOLUTION:
    128. 128. PROBLEM:BlackBox: perform brute force authentication(username & password) attacks in multipleforms, each having unique signatures, behavioursand workflowsSOLUTION:O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
    129. 129. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
    130. 130. PROBLEM:BlackBox: Perform multiple requests, where foreach request do the following actions: - take screenshot of page with payload in forms - submit payload - take screenshot of resulting page - save HTMLAfter completion, visualise and analyse the createddata O2 developer senior consultant security consultant analyst manager GEEK-O-METER
    131. 131. PROBLEM:BlackBox: Perform multiple requests, where foreach request do the following actions: - take screenshot of page with payload in forms - submit payload - take screenshot of resulting page - save HTMLAfter completion, visualise and analyse the createddataSOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
    132. 132. PROBLEM:BlackBox: Perform multiple requests, where foreach request do the following actions: - take screenshot of page with payload in forms - submit payload - take screenshot of resulting page - save HTMLAfter completion, visualise and analyse the createddataSOLUTION:O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
    133. 133. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
    134. 134. PROBLEM:BlackBox: Give developers the ability toreproduce the security findings O2 developer senior consultant security consultant analyst manager GEEK-O-METER
    135. 135. PROBLEM:BlackBox: Give developers the ability toreproduce the security findingsSOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
    136. 136. PROBLEM:BlackBox: Give developers the ability toreproduce the security findingsSOLUTION:O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
    137. 137. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
    138. 138. PROBLEM:BlackBox: Show developers the multiple waysand variations that a particular vulnerability canbe exploited O2 developer senior consultant security consultant analyst manager GEEK-O-METER
    139. 139. PROBLEM:BlackBox: Show developers the multiple waysand variations that a particular vulnerability canbe exploitedSOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
    140. 140. PROBLEM:BlackBox: Show developers the multiple waysand variations that a particular vulnerability canbe exploitedSOLUTION:O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
    141. 141. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
    142. 142. PROBLEM:Show end-client (and developers) the testsmade during the security and its coverage O2 developer senior consultant security consultant analyst manager GEEK-O-METER
    143. 143. PROBLEM:Show end-client (and developers) the testsmade during the security and its coverageSOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
    144. 144. PROBLEM:Show end-client (and developers) the testsmade during the security and its coverageSOLUTION:O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
    145. 145. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
    146. 146. PROBLEM:BlackBox: test for CRSF on complex webapplications with multiple workflows andcomplex state O2 developer senior consultant security consultant analyst manager GEEK-O-METER
    147. 147. PROBLEM:BlackBox: test for CRSF on complex webapplications with multiple workflows andcomplex stateSOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
    148. PROBLEM: BlackBox: test for CSRF on complex web applications with multiple workflows and complex state. SOLUTION: Create an API that exposes the application's behaviour as a set of methods, which can then be invoked in a foreach(var payload in payloads) loop which handles the payload submission and data collection (i.e. screenshots and html data returned)
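The pattern slide 148 describes (application behaviour exposed as methods, then a foreach over a payload list that submits each one and keeps what came back) is also what the fix-confirmation task on slide 114 needs. The following is an added example written for this page, not O2 Platform code: it assumes a hypothetical search page with an in-memory "before the fix" and "after the fix" handler standing in for a real application, and a constructed three-entry payload list standing in for a FuzzDB file. Each returned page is stored alongside a simple oracle (was the payload reflected unencoded?) so a developer can see both the verdict and the HTML behind it.

```csharp
// Added example (not O2 Platform code): slide 148's "app behaviour as an API +
// foreach over payloads" harness, used to confirm a reflected-XSS fix (slide 114).
// ISearchPage and both handlers below are constructed stand-ins for a real app.
using System;
using System.Collections.Generic;
using System.Net;

// The application's behaviour exposed as methods. In a real engagement these
// would drive a browser or an HTTP client; here they are in-memory.
interface ISearchPage
{
    string Submit(string query);   // returns the HTML the page renders for the query
}

// "Before the fix": the query is written straight into the page.
class VulnerableSearchPage : ISearchPage
{
    public string Submit(string query) =>
        "<html><body>Results for: <b>" + query + "</b></body></html>";
}

// "After the fix": the query is HTML-encoded before it reaches the page.
class FixedSearchPage : ISearchPage
{
    public string Submit(string query) =>
        "<html><body>Results for: <b>" + WebUtility.HtmlEncode(query) + "</b></body></html>";
}

class PayloadResult
{
    public string Payload;
    public string Html;          // returned page, kept so a developer can reproduce the finding
    public bool ReflectedRaw;    // true = payload came back unencoded, i.e. the fix did not hold
}

static class XssRegression
{
    // Constructed sample payloads standing in for a FuzzDB list loaded from disk.
    public static readonly string[] Payloads =
    {
        "<script>alert(1)</script>",
        "\"><img src=x onerror=alert(1)>",
        "<svg/onload=alert(1)>",
    };

    // The foreach(var payload in payloads) loop from slide 148: submit, collect, record.
    public static List<PayloadResult> Run(ISearchPage page, IEnumerable<string> payloads)
    {
        var results = new List<PayloadResult>();
        foreach (var payload in payloads)
        {
            string html = page.Submit(payload);
            results.Add(new PayloadResult
            {
                Payload = payload,
                Html = html,
                // A fixed page never contains the payload verbatim; the encoded
                // copy (&lt;script&gt;...) is inert and does not count as reflection.
                ReflectedRaw = html.Contains(payload),
            });
        }
        return results;
    }

    public static bool IsFixed(List<PayloadResult> results) =>
        results.TrueForAll(r => !r.ReflectedRaw);

    static void Main()
    {
        foreach (var page in new ISearchPage[] { new VulnerableSearchPage(), new FixedSearchPage() })
        {
            var results = Run(page, Payloads);
            Console.WriteLine($"{page.GetType().Name}: fixed = {IsFixed(results)}");
            foreach (var r in results)
                Console.WriteLine($"  raw reflection={r.ReflectedRaw}  payload={r.Payload}");
        }
    }
}
```

Run against the two handlers, `IsFixed` is false for `VulnerableSearchPage` (every payload is echoed verbatim) and true for `FixedSearchPage` (each comes back as `&lt;...&gt;`). The substring oracle is deliberately the simplest one that works for this stand-in; the slides' own approach keeps screenshots and the full HTML precisely because a string match alone can miss context-dependent reflections (inside attributes or script blocks), so in practice the collected `Html` is what a reviewer or a browser-based check should be looking at.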
    149. PROBLEM:
