OWASP WTE - Now in the Cloud!

May. 24, 2014

  1. The OWASP Foundation http://www.owasp.org OWASP WTE: Application Testing Your Way Matt Tesauro WTE and OpenStack Security Project Lead matt.tesauro@owasp.org Product Security Engineering Lead Rackspace, the open cloud company Twin Cities Chapter
  2. 2 Who's this Matt guy anyway? Broad IT background Developer, DBA, Sys Admin, Pen Tester, Application Security professional, CISSP, CEH, RHCE, Linux+ Long history with Linux and Open Source Contributor to many projects Leader of OWASP Live CD / WTE Former OWASP Foundation Board Member Breaking “the cloud” for Rackspace
  3. OWASP WTE: A History
  4. 4 It all started that fine spring day...
  5. 5 It all started that summer...
  6. 6 It all started that summer...
  7. 7 •Current Release •OWASP WTE Oct 2012 •Previous Releases •OWASP WTE Sept 2011 •OWASP WTE Feb 2011 •OWASP WTE Beta Jan 2010 •AppSecEU May 2009 •AustinTerrier Feb 2009 •Portugal Release Dec 2008 •SoC Release Sept 2008 •Beta1 and Beta2 releases during the SoC Note: Not all of these had ISO, VirtualBox and Vmware versions
  8. 8 Other fun facts ~5,094 GB of bandwidth since launch (Jul 2008) Most downloads in 1 month = 81,607 (Mar 2009) Overall downloads: 330,081 (as of 2009-10-05)
  9. 9
  10. 10
  11. 11 There's a new kid in town OWASP WTE Web Testing Environment
  12. 12 The project has grown to more than just a Live CD VMWare installs/appliances VirtualBox installs USB Installs Training Environment .... Add in the transition to Ubuntu and the possibilities are endless (plus the 26,000+ packages in the Ubuntu repos)
  13. 13 GOAL Make application security tools and documentation easily available and easy to use Complements OWASP's goal to make app security visible Design goals Easy for users to keep updated Easy for project lead to keep updated Easy to produce releases (more on this later) Focused on just application security – not general pen testing
  14. What's on WTE
  15. 15
  16. 16
  17. 17
  18. 18 31 "Significant" Tools Available. OWASP Tools: WebScarab: a tool for performing all types of security testing on web apps and web services; WebGoat: an online training environment for hands-on learning about app sec; CAL9000: a collection of web app sec testing tools, especially encoding/decoding; JBroFuzz: a web application fuzzer for requests being made over HTTP and/or HTTPS; WSFuzzer: a fuzzer with HTTP based SOAP services as its main target; Wapiti: audits the security of web apps by performing "black-box" scans; DirBuster: a multi threaded Java app to brute force directory and file names; WebSlayer: a tool designed for brute-forcing web applications such as resource discovery, GET and POST fuzzing, etc; EnDe: an amazing collection of encoding and decoding tools as well as many other utilities; ZAP Proxy: a fork of the popular but moribund Paros Proxy
  19. 19 Skipfish Paros Nmap & Zenmap Wireshark Firefox Burp Suite Grendel Scan Nikto sqlmap SQL Brute w3af netcat Httprint Spike Proxy Rat Proxy Fierce Domain Scanner Metasploit tcpdump Maltego CE Other Proxies: Scanners: Duh: SQL-i: Others: Fuzzdb Wpscan Red = New in last release
  20. Why is it different?
  21. 21
  22. 22
  23. 23
  24. 24 OWASP Documents Testing Guide v2 & v3 CLASP and OpenSamm Top 10 for 2010 Top 10 for Java Enterprise Edition AppSec FAQ Books – tried to get all of them CLASP, Top 10 2010, Top 10 + Testing + Legal, WebGoat and Web Scarab, Guide 2.0, Code Review Others WASC Threat Classification, OSTTMM 3.0 & 2.2
  25. 25
  26. 26
  27. 27
  28. 28
  29. 29
  30. 30
  31. What is next?
  32. 32
  33. 33 Among the new ideas for WTE are Live CDs & Live DVDs Virtual installs/appliances A package repository Can add 1+ tool to any Debian based Linux # apt-get install owasp-wte-* Custom remixes of any of the above Targeted installs WebGoat Developer Version Wubi USB and Kiosk version
  34. 34 OWASP Education Project Natural ties between these projects Already being used for training classes Need to coordinate efforts to make sure critical pieces aren't missing from the OWASP WTE Training environment could be customized for a particular class thanks to the individual modules Student gets to take the environment home As more modules come online, even more potential for cross pollination Builder tools/docs only expand its reach
  35. 35 Builder is where the ROI is But darn it, breaking is really fun. Builder tools coming in future releases. (Thanks Top Gear!) Builder vs Breaker
  36. 36 Crazy “Pie in the Sky” idea .deb package + auto update + categories = WTE profiles Allows someone to customize the OWASP WTE to their needs Example profiles Whitebox testing Blackbox testing Static Analysis Target specific (Java, .Net, ...) Profile + VM = custom persistent environment
  37. 37 Goals going forward Showcase great OWASP projects Provide the best, freely distributable application security tools/documents in an easy to use package Ensure that tools provided are easy to use as possible
  38. 38 Goals going forward Continue to document how to use the tools and how the modules were created Align the tools with the OWASP Testing Guide v4 to provide maximum coverage Add more developer focused tools
  39. 39
  40. 40 Cloud-ifying WTE Cloud Provider Ubuntu / Debian Install WTE Repository Fun ensues
  41. 41 WTE Cloud - The 12 Step Program Currently this is all manual 12 steps to get a fully-functional WTE ~30 minutes until you are logged in
  42. 42 Step 1: Get a cloud account
  43. 43 Step 2: Select Ubuntu/Debian
  44. 44 Step 3: Choose Name & RAM
  45. 45 Step 4: Start your server
  46. 46 Step 5: Install Desktop + WTE
  47. 47 Step 6: More installs Add Repos & apt-get update Ubuntu partners & WTE Add a NX Server ppa:freenx-team (plus a fix) Add OWASP user Start GDM
  48. 48 Step 7: NX Client setup
  49. 49 Step 8: Connect to WTE
  50. 50 Step 9: WTE à la Cloud
  51. 51 Step 10: Test Connectivity
  52. 52 Step 11: Test the Tools
  53. 53 Turn Cats into Dogs
  54. 54 Step 12: Check your bill
  55. 55 Cost Estimates
  56. 56 Cost Estimates: 40 hours + 1 GB transfer = $4.98; M-F by 24 hours + 1 GB transfer = $15.48; 30 days by 24 hours + 4 GB transfer = $88.32
  57. Now what?
  58. 58 More Automation Create a wte-cloud package Wraps up all tools into 1 package Make configuration steps into a script Add to postinst for wte-cloud package Get setup down to a single step Ideally all in the wte-cloud package
  59. 59 Even More Automation Python library to abstract away differences between multiple cloud provider APIs Cloud Servers Cloud Storage Cloud Load balancers Supports 24 different providers
  60. 60 More Options Different desktop installs Minimal Baseline Instant WebGoat in the sky Internal Clouds OpenStack, Vmware, VirtualBox (headless)
  61. 61 Document, Document Document Document and post the current manual process (coming soon) Create then document the Libcloud process Tutorials for various providers
  62. Problems
  63. 63 Current Issues Yikes AMD64 CPU sqlmap is missing a dependency WTE Firefox is for i386 NX server is a bit tricky The WTE theme gets lost
  64. 64 Like what you see? Then get involved: Join the OWASP mail list Announcements are there – low traffic Download an ISO or VM or Cloud instance Complain or praise, suggest improvements Submit a bug to the Google Code site
  65. 65 How can you get involved? Suggest missing doc or links Do a screencast of one of the tools Suggest some cool new tool Create a .deb package
  66. 66 Learn More... OWASP Site http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project or just look on the OWASP project page (release quality) http://www.owasp.org/index.php/Category:OWASP_Project or Google “OWASP Live CD” or “OWASP WTE” Download & Community Site http://AppSecLive.org Previously: http://mtesauro.com/livecd/
  67. 67 Why do I do this?
  68. 68 Questions? Tears of Steel: independent film produced by the Blender Foundation using free and open software. Download it free at: http://mango.blender.org/
  69. 69
  70. A bit about OWASP
  71. 71 OWASP Meritocracy
  72. 72 Security Vulnerabilities Change Control Source Code Mgmt Strategy & Metrics Policy & Compliance Education & Training Threat Assessment Security Requirements Secure Architecture Design Review Code Review Remediation Hardening ...

Editor's Notes

  1. How would you feel if your confidential data is stolen? Angry frustrated!!
  2. http://www.fastcompany.com/multimedia/slideshows/content/autotechnology.html
  5. http://www.fordinthenews.com/ford-channels-kids-open-source-for-sync-app-development/ http://wot.motortrend.com/6623001/technology/ford-sync-to-gain-itunes-tagging-via-hd-radio-in-2010/index.html
  6. http://news.cnet.com/8301-27080_3-20020547-245.html
  7. http://www.itechdiary.com/barbie-video-girl-barbie-doll-is-equipped-with-spy-camera.html http://www.youtube.com/watch?v=oEH5pMylo3Q
  8. http://aarontestado.i.ph/photo/93/101
  9. image from Tom Brennan's trip to OWASP China 2010
  10. http://www.usinenouvelle.com/industry/green-hills-software-2777/green-hills-platform-for-medical-devices-p58601.html http://www.mathworks.com/company/events/webinars/wbnr33339.html?id=33339&p1=525981126&p2=525981144 http://www.zdnet.com/blog/projectfailures/heart-pacemakers-vulnerable-to-attack/965
  12. http://www.zdnet.com/blog/projectfailures/heart-pacemakers-vulnerable-to-attack/965
  13. http://www.npr.org/blogs/thetwo-way/2009/07/investigators_air_france_fligh.html http://en.wikipedia.org/wiki/Air_France_Flight_447 http://www.lowfaresairline.com/2010/01/2009-an-eventful-year-for-airlines/
  14. http://www.xssed.com/news/112/Persistent_XSS_vulnerability_affecting_Twitter_promptly_corrected/
  15. http://backseatcuddler.com/2008/12/20/arnold-hints-at-terminator-salvation-cameo/