Owasp o2 platform (smaller presentation) august 2011

551 views

Presentation on the OWASP O2 Platform (shorter version)

see http://o2platform.com and http://o2platform.wordpress.com

Published in: Technology, Business

  1. O2 Platform: Automating Security Knowledge through Unit Tests
     (Every slide carries a GEEK-O-METER scale marking the intended audience: developer, senior consultant, security consultant, analyst, manager. It is omitted from the slides below. Slides that build up one line at a time are shown once, in their final form.)
  2. WHAT IS O2? and the OWASP O2 PLATFORM
  10. O2 is an: OPEN PLATFORM for AUTOMATING APPLICATION SECURITY KNOWLEDGE and WORKFLOWS (built up one phrase per slide over slides 3-9)
  11. ... and when you start using it ... you will be able to do impossible things ...
  12. ... and your clients will love you
  16. O2 Quote, by David Campbell (built up over slides 13-15):
      " Earlier this year I gave a presentation about how the future of penetration testing is all greybox. We now get source for almost every assessment we do, and so the blackbox toolset we traditionally used had to evolve. The O2 framework provides a very flexible set of tools for performing greybox testing. The concept of MethodStreams makes it radically simpler to get all of the source for a single method in one place to easily follow the taint. O2 also provides a set of blackbox tools to quickly verify your static analysis findings and rapidly develop POC exploits. In a nutshell, the pentesting game has changed, and O2 is the swiss army knife you need to carry. "
  18. Key message of this presentation: NO MORE PDFs WITH SECURITY FINDINGS
  21. Other types of PDF’s
      • As bad as delivering a PDF is delivering Automated Tools results (Static Code Analysis, Website Scanners), which deliver tons of results/findings but have little context or actionable actions.
      • Any client deliverable that is not easily consumed by the end user (from developers to managers) is what I’m calling a ‘PDF’.
  26. SPEAKING DEVS LANGUAGE
      • Delivering security knowledge inside a PDF is a massively inefficient workflow
      • The Client is going to spend more money trying to figure out what the PDF says and how to deal with it than they spent in creating it (the PDF)
      • The developers will struggle to reproduce the findings and in most cases fix the vulnerabilities by making the exploit not work
      • We need to speak the developer’s language, leverage their knowledge and create two-way communication channels
  35. We need UnitTests
      • UnitTests are the only ‘language’ we can speak that the developers will understand
      • Security-Driven Unit tests will allow the developers to:
        • Reproduce Security Findings
        • Debug Security Exploits
        • Write Fixes and Confirm their non-exploitability
        • Use as part of normal app QA/Testing
        • Ensure vulnerabilities are not re-introduced at a later stage
      • There are lots of other advantages: better security management reports, WAF rules, etc...
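A security-driven unit test of the kind the slide describes, as an added example that is not part of the original deck or of O2 itself: a constructed search handler with a reflected XSS finding, the test that reproduces the finding, the fixed handler, and the same tests kept as the regression check. It is written in Python rather than C#/Java so it runs stand-alone; the handler, the finding record and the payloads are all constructed for the example.

```python
"""Security-driven unit tests for one constructed finding (not O2 code).

The finding says: GET /search?q= reflects the q parameter into HTML without
encoding (reflected XSS).  Instead of a PDF, the developer receives the tests
below: one reproduces the finding, one confirms the fix, and all of them stay
in the normal test suite so the bug cannot be re-introduced unnoticed.
"""
import html
import unittest
from urllib.parse import parse_qs, quote


def render_search_vulnerable(query_string: str) -> str:
    """'Before' handler: echoes q into the page verbatim (this is the finding)."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<h1>Results for {q}</h1>"


def render_search_fixed(query_string: str) -> str:
    """'After' handler: HTML-encodes q before it reaches the page."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"


# Constructed finding record: the data a consultant hands over instead of (or
# alongside) a written report.  The payload is the proof-of-concept from the
# assessment; the variants guard against a fix that only blocks that one string.
FINDING = {
    "id": "XSS-001 (constructed)",
    "entry_point": "GET /search?q=",
    "payload": "<img src=x onerror=alert(1)>",
    "variants": ['"><script>alert(1)</script>', "<svg onload=alert(1)>"],
}


def is_exploitable(render, payload: str) -> bool:
    """The finding reproduces if the payload's markup survives unencoded.

    `render` takes the raw query string, so the payload is URL-encoded exactly
    as a browser would send it and decoded by the handler under test.
    """
    body = render("q=" + quote(payload))
    return payload in body


class SearchXssTests(unittest.TestCase):
    def test_finding_reproduces_on_vulnerable_handler(self):
        # Step 1: the developer sees the issue run, without reading a PDF.
        self.assertTrue(is_exploitable(render_search_vulnerable, FINDING["payload"]))

    def test_fix_is_not_exploitable(self):
        # Step 2: after writing the fix, the same check confirms non-exploitability.
        self.assertFalse(is_exploitable(render_search_fixed, FINDING["payload"]))

    def test_fix_blocks_variants_not_just_the_reported_payload(self):
        # Guards against "fixing" by string-matching the exact payload in the report.
        for variant in FINDING["variants"]:
            with self.subTest(variant=variant):
                self.assertFalse(is_exploitable(render_search_fixed, variant))

    def test_fix_keeps_the_feature_working(self):
        # Security tests live beside functional ones: encoding must not break search.
        body = render_search_fixed("q=O2+%26+unit+tests")
        self.assertEqual(body, "<h1>Results for O2 &amp; unit tests</h1>")


if __name__ == "__main__":
    unittest.main()
```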
  42. SECURITY BY DESIGN & DEFAULT: DELIVERING SECURITY UNIT TESTS WILL ALLOW US TO MAKE SECURITY INVISIBLE/TRANSPARENT TO DEVELOPERS (built up over slides 36-41)
  43. What is O2?
  53. SO WHAT IS O2?
      • Scripting Engine and development environment
        • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment
      • Black-Box/Browser-automation environment
      • Source Code analysis environment:
        • Its own .NET Static Analysis engine (with taint-flow analysis)
        • Supports Java ByteCode/classes call-flow analysis (and source code mappings)
        • Multiple visualizers for Development Frameworks (Spring MVC, Struts, ASP.NET MVC)
      • Data Consumption and API Generation
      • Powerful search engine, Graphical Engines, multiple APIs for popular tools/websites and tons of utilities
  55. Recapping: OWASP O2 PLATFORM
      The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants’ Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge and Unit Tests.
  58. Automating myself
      • KEY CONCEPT: Today (Nov 2010) when I do a security assessment: IT IS FASTER FOR ME TO AUTOMATE MYSELF VIA CUSTOM APIs THAN IT IS TO KEEP DOING IT BY HAND
  59. THE CHALLENGE
  60. THE PROBLEM WITH FRAMEWORKS
      • For this discussion a ‘Framework’ is an environment which augments the capabilities of the core language implementations (.NET Framework or J2EE). Examples of what I call Frameworks are: Spring, Struts, Microsoft Enterprise Library, SharePoint, WebSphere Portal, SalesForce API.
      • Each Framework creates its own ‘reality’, almost like a VM (Virtual Machine), where it (for example Spring MVC) creates an abstraction layer between the core language (i.e. Java) and the target application.
      • So, if the scanning engines (Black Box, White Box, Human Brain) don’t explicitly support frameworks, they will NOT understand how they work and will NOT be able to find security issues in the applications built on top of those frameworks.
      • It is like trying to use a C++/Binary analyzer to scan JITTED .NET code (i.e. the assembly representation of .NET code)
      (diagram: APP XYZ, sitting on the SPRING FRAMEWORK, sitting on J2EE)
  61. SOME TECHNOLOGICAL SOLUTIONS THAT STILL NEED TO BE SOLVED
      • All current (Commercial and Open Source) Static Source Code Analysis tools have most (if not all) of the problems below (some have minor/basic coverage of them)
      • ANALYSIS ENGINES - Part I
        • Attributes, Collections & other types of objects that receive taint in A and output it in B
        • Global Variables
        • Proper Taint Propagation across strings and between data types
        • Reflection (which creates ‘Hyper Jumps’ between code paths)
        • Events
        • Rules based on assemblies/jars versions and not on signatures
        • Taint Typing (also applied to business logic)
      • ANALYSIS ENGINES - Part II
        • Rules Management (user-friendly process to mass create, edit, modify, import and export)
        • Join Traces (between application layers or interfaces or ‘Hyper Jumps’)
        • Read (and understand) configuration files (which have a major impact on the attack surface and exploitability)
        • Auto Attack Surface Markup
        • Expose Control Flow
        • Understand Framework behavior
      • GlassBox
        • Integration with WB & BB (driving one tool from the other)
        • Common Reporting
      • Note: this (list above) IS A VERY SMALL & LIMITED LIST of the technologies / techniques that need to be supported when running (manual or automatic, Black or White) scans. These capabilities (either when used by non-expert users or by expert security consultants) allow the security engagement to be accurate, effective, consumable and actionable
  62. WHERE WE ARE TODAY and WHERE WE NEED TO BE ASAP
      • Here is the evolution of technologies and where the current level of support is:
        • 1996-2000: MainFrames, Web Servers, Java, ASP Classic
        • 2000-2004: C/C++, .NET Framework, J2EE, PHP  (‘Out of the box’ capabilities are here, covering 1996-2004)
        • 2004-2006: Struts, Spring Framework, Ajax, Flash, Hibernate, Microsoft Enterprise Library
        • 2006-2009: lots of web innovation going on, here is a small list  (O2 is here):
          Languages & Technologies: Aspect, Web Services, REST, Widgets/Gadgets, AIR, Silverlight, Groovy & Grails, Python, Ruby & Ruby on Rails, JSP EL, Velocity, JSF (Faces)
          Application Platforms / Frameworks: ASP.NET MVC, SharePoint, IBM WebSphere Portal, WebSphere Application Portal, SAP (web stuff), iPhone & Apple iStore
          Online Applications: SalesForce, Amazon Web Services, MySpace/FaceBook/Twitter
          OWASP ‘standards/APIs/frameworks’: ESAPI, SAMM, ASVF, etc...
          And let’s not forget that most enterprise applications have their OWN frameworks and APIs (and sometimes even VMs)
        • 2010-....: Chrome, cloud computing (vSphere (VMWare’s cloud), Azure (Microsoft’s cloud)), Web 3.0 and next generation of all of the above :)  (We need to be here ASAP)
  63. TO SCALE WE NEED TARGETED SOLUTIONS
  64. HOW TO SCALE: AUTOMATE SECURITY KNOWLEDGE
      • The only way we will be able to scale (and have these solutions used by a wide audience, from developers upwards) is if we are able to ‘capture + automate’ the knowledge, workflow and wisdom of security consultants. And we need to do this in such a way that repeated analysis by non-technical staff will have the same result as the analysis created by a security expert
        • In a nutshell ... what we need to do is to automate the security expert’s brain ... so that we are able to independently use it in a repeatable and consistent way, and once we have done that (automating their brain) ... we can work on making it very simple to use by non-security experts
      And due to the complexity of each targeted application / framework ... this ‘one button’ solution is only possible if .... WE CREATE TARGETED SOLUTIONS & PRODUCTS (see next 4 slides for an example of what this could look like)
      Note that today an ‘Application Security Analysis’ engagement is a very: complex, non-repeatable, non-scalable, non-measurable, and very opaque (from the client point of view) process. It is also very hard to calculate its ROI
  65. SPRING FRAMEWORK : SECURITY ANALYSIS PLATFORM
      • Due to the complexity and ‘realities’ created by the Spring Framework, the only way to analyze/expose its behavior is to create fine-tuned ‘packages’ of the available technology
  66. SHAREPOINT (MOSS) : SECURITY ANALYSIS PLATFORM
      • Same thing for frameworks & development environments like Microsoft Office SharePoint Server (MOSS). Unless we have a customized engine & technology that understands SharePoint, it is very hard (if not impossible) to (for example) write secure web parts.
  67. SHAREWORKZ SECURITY ANALYSIS PLATFORM
      • .... and the same thing applies for applications built on top of MOSS (which also create their own reality and unique class of vulnerabilities (before & after customization))
        • quote from www.shareworkz.com: “... ShareWorkz helps you get the most from Microsoft SharePoint – quickly! Built in SharePoint Server 2007 Standard Edition, ShareWorkz reduces the time to build and deploy a best practice, enterprise class SharePoint 2007 Solution to 1 month or less...”
  68. OPEN SOURCE SECURITY ANALYSIS PLATFORM
      • The Open Source community also needs a generic platform made up of only Open Source or free tools.
      • This is a very CRITICAL piece of the puzzle, since this is what will enable the wide use of these techniques across the Open Source and Commercial Software development world (it will also allow the Framework developers to be responsible for creating their markups (after all, who better than the Spring developers to help with the development of the “Spring Framework : Security Analysis Platform”))
  69. Where to go next?
  70. Where Next?
  75. Try O2 and Join the community
      • Go to http://o2platform.com to download O2 and read the documentation
      • Join the O2 Mailing list
      • Ask questions
      • Use O2 on your engagements and create Unit Tests for your clients
  76. Any Questions
