The document summarizes the Owasp Orizon project, which provides a framework for static analysis of code. It describes the current state of the Orizon Framework (v1.20), including how it builds models of code using language packs and analyzes the models using rules. It outlines the roadmap for upcoming versions, including adding additional language support, improving modeling capabilities, and integrating static analysis.
Road towards Owasp Orizon 2.0 (November 2009 update), Paolo Perego
The document provides an update on the OWASP Orizon 2.0 project roadmap. It summarizes the current state of the Orizon 1.19 tool and outlines goals for improving the tool, community, and development process. Key plans for the roadmap include reworking the architecture and implementation, improving usability, adding new features like taint analysis, and releasing version 2.0 by June 2010.
This document summarizes Andrew van der Stock's presentation on Ajax security at the 2006 OWASP AppSec Europe conference. The presentation covered many security issues introduced by Ajax applications, including lack of privacy due to JavaScript being sent in cleartext, session fixation, injection attacks, improper access control, and the need to properly handle errors and audit client-side actions. It emphasized that Ajax applications must use the same authorization and validation techniques as traditional web apps to prevent attacks.
Http Parameter Pollution, a new category of web attacks, Stefano Di Paola
On May 14th @ OWASP Appsec Poland 2009, Stefano Di Paola (Minded Security) and Luca Carettoni presented a new attack category called Http Parameter Pollution (HPP).
HPP attacks can be defined as the possibility to override or add HTTP GET/POST parameters by injecting query string delimiters.
It affects a building block of all web technologies, so both server-side and client-side attacks exist.
Exploiting HPP vulnerabilities, it may be possible to:
* Override existing hardcoded HTTP parameters.
* Modify the application behaviour.
* Access and potentially exploit uncontrollable variables.
* Bypass input validation checkpoints and WAF rules.
This document summarizes OWASP tools that can be used for testing web applications. It discusses the OWASP Live CD, which contains various tools such as WebScarab, WebGoat, CAL9000 and others. It also mentions OWASP proxies, recon tools, scanners and utilities. The document encourages participation in the Google Summer of Code by proposing ideas and developing student projects to be mentored by OWASP.
The document introduces Apache Apollo, a new message broker project that was branched from ActiveMQ. It was created to better utilize high core counts on modern processors. The key components discussed are HawtDispatch, the reactor-based threading model; connectivity support for STOMP, MQTT, JMS, and OpenWire; and the use of LevelDB for storage. Future areas of development are also mentioned.
This presentation was given by Ishad M. Barot, Client Technical Professional, India (West), during Impact India 2012 on the 1st of June in Mumbai. It focuses on how businesses can save time and effort using the WebSphere Application Server. WAS is much more than just being Open Source
Very few trends in IT have generated as much buzz as cloud computing. This talk will cut through the hype and quickly clarify the ontology for cloud computing. The bulk of the conversation will focus on the open source software that can be used to build compute clouds (infrastructure-as-a-service) and the complementary open source management tools that can be combined to automate the management of cloud computing environments. The discussion will appeal to anyone who has a good grasp of traditional data center infrastructure but is struggling with the benefits and migration path to a cloud computing environment. Systems administrators and IT generalists will leave the discussion with a general overview of the options at their disposal to effectively build and manage their own cloud computing environments using free and open source software.
[Presented as part of the Open Source Build a Cloud program on 2/28/2012 - http://cloudstack.org/about-cloudstack/cloudstack-events.html?categoryid=6]
Open Source Compiler Construction for the JVM, Tom Lee
This document discusses building a compiler for a simple language called "Awesome" that targets the Java Virtual Machine (JVM). It recommends writing a stub code generator first for quick feedback before building the full compiler. The compiler will use Scala parser combinators to parse the input into an abstract syntax tree (AST) and then walk the AST to generate equivalent JVM bytecode using the Bytecode Engineering Library (BCEL). The document outlines the overall compiler architecture and next steps to expand the language features supported by the compiler.
OWASP CSRF Protector has been implemented as a PHP library and an Apache 2.2.x module that helps web developers and system administrators mitigate CSRF vulnerabilities in their web applications with ease.
Presentation of my talk at FOSSASIA 2015
Overview: Building Open Source Cloud Computing Environments, Mark Hinkle
This document provides a summary of open source cloud computing. It begins with an introduction and overview of cloud computing concepts. It then discusses various open source building blocks for cloud computing, including open source hypervisors, compute clouds, storage solutions, and cloud APIs. Finally, it outlines open source tools for managing clouds, including provisioning, configuration management, monitoring, and automation/orchestration tools. The goal is to provide an introduction to developing and managing clouds with open source software.
OWASP DefectDojo - Open Source Security Sanity, Matt Tesauro
Originally given at the project showcase at Global AppSec DC 2019, this talk covered what DefectDojo is, what's new and why you should be using it in your security program.
This document contains the slides from a presentation given by Andrew van der Stock at OWASP AppSec Europe 2006. The presentation covers several security topics related to Ajax including privacy, authentication, authorization, session management, injection attacks, and auditing. It provides examples of security issues that can arise with Ajax applications and recommendations for addressing those issues.
An overview of changes to OSPRay, focusing on:
* Critical API features for practical OSPRay use
* Internal changes and the motivation behind them
* How to extend OSPRay for advanced use cases
Generating Assertion Code from OCL: A Transformational Approach Based on Simi..., Shinpei Hayashi
This document presents an approach for generating assertion code from the Object Constraint Language (OCL) using model transformations. The approach constructs a hierarchy of programming languages based on their structural similarities. This allows rules for translating OCL to be reused across multiple implementation languages, saving approximately 50% of the effort compared to creating individual translators. An evaluation implemented the approach in Maude and demonstrated its ability to generate code for Java, Python, Haskell and O'Haskell from a single OCL specification.
Build a Cloud Day SF - Crash Course on Open Source Cloud Computing, Mark Hinkle
This document provides a crash course on open source cloud computing. It discusses the key characteristics of cloud computing including on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. It also covers the main cloud computing service models (SaaS, PaaS, IaaS), deployment models (public, private, hybrid clouds), and the need for architectural design when using cloud computing. Finally, it recommends several open source tools that can be used to build private clouds, including OpenStack, CloudStack, Eucalyptus, OpenNebula, Xen, KVM, GlusterFS, Ceph, and various provisioning, configuration management, automation and monitoring tools.
Implementing Alfresco as a content platform with Zaizi, Alfresco Software
Zaizi is a consultancy that specializes in implementing Alfresco content management systems. They discuss best practices for developing, testing, packaging, deploying and maintaining Alfresco implementations. This includes using version control, Spring, Maven and JUnit for development, packaging customizations as AMP modules, deploying with Puppet, and monitoring performance with JMX and tools like AppDynamics. The goal is to build reusable modules and a repeatable implementation process.
ABAP course chapter 1: introduction and first program, Milind Patil
The document discusses an ABAP course, including an introduction to ABAP and a first program exercise. It provides an overview of ABAP, including its history and use in SAP systems. It also outlines prerequisites for ABAP development such as access to the repository, a user profile with development access, and assigning programs to packages for transport between systems. The document concludes with information on compiling ABAP programs and transporting code changes.
Nowadays, it is quite common to have build infrastructure that, on every change in a repository, builds your software and runs all your tests. However this is where most development teams stop. This talk demonstrates how you can consistently deploy systems from development to testing, staging and production.
With Bndtools we semantically version bundles in the Eclipse IDE. The continuous build is set up to automatically deploy to a bundle repository and create snapshots of changed bundles compared to a baselined version that is available in a release repository. By hooking up these repositories to Apache ACE, such updates can instantly be deployed to systems in different configurations, allowing you to deploy new features to QA systems, beta users and finally roll them out to all other customers.
This presentation was given at ApacheCon NA 2014, Denver.
Summit 16: The Open Source NFV Eco-system and OPNFV's Role Therein, OPNFV
This document discusses the open source NFV ecosystem and the role of OPNFV within it. It begins by describing how various open source projects contribute pieces to the NFV puzzle. It then outlines OPNFV's goals of composing these projects to create simple and self-managing infrastructure for deploying applications and services. The document details how OPNFV releases like Arno and Brahmaputra have integrated and tested different components and scenarios. It also explains how OPNFV projects work to enhance existing open source software and integrate them in a way that brings developers closer to their goals.
Frank Brockners, OPNFV TSC member and distinguished engineer with Cisco, presented "Deploy it, test it, run your VNF" during the OPNFV mini-summit as part of the 2015 NFV World Congress.
Appium is an open-source test automation framework for testing native, hybrid and mobile web apps. It allows automation of tests across platforms like Android and iOS. Appium uses the WebDriver protocol for communication and follows a client-server architecture where the client sends commands to the Appium server, which then executes them on the mobile device. Appium supports locator strategies like ID and XPath and testing features like parallel test execution across devices. It has advantages such as being free, open-source, and supporting multiple platforms and frameworks, but also has limitations such as requiring app access and slow test speeds.
ONOS is an open source SDN network operating system that enables service providers to build real SDN/NFV solutions. It provides a distributed control plane for managing network devices and applications through northbound and southbound APIs. ONOS uses a distributed architecture for high availability, scalability, and performance to meet the demands of service provider and enterprise networks. It supports many protocols and has been deployed in production networks around the world.
"Introduction to Open Source Cloud Computing", Mark Hinkle, Senior Director Cloud Computing Community, Citrix
Very few trends in IT have generated as much buzz as cloud computing. This session will cut through the hype and clarify what cloud computing is, what the use cases are, and what open source software exists to build and manage clouds. The discussion will appeal to systems administrators, IT generalists, and developers: anybody who wants to create a cloud computing environment on their own hardware in their own data centers and deploy applications to this cloud.
This document provides an overview of open source software and the Apache Software Foundation. It discusses the Apache license and how it differs from GPL. It then introduces several popular Apache projects including Apache Commons, Apache Ant, Apache Axis2, Apache Camel, and Apache Tomcat. For each project, it provides a brief description and links to the project's website. The document uses these examples to illustrate the benefits of applying open source software, such as reducing costs and development time.
This document provides an overview of programming languages and Java. It discusses programming methodologies like procedural, structured, and object-oriented programming. It then covers the history and evolution of programming languages including the development of Java. The rest of the document details features of Java like being portable, secure, and object-oriented. It describes the Java Virtual Machine architecture and how a basic Java program works. Finally, it discusses editions of Java like Java SE, Java EE, and Java ME.
Paolo Perego is a product security engineer who audits open source code packages for security issues. Some of the challenges to open source security include a lack of time and people to audit code. As part of his daily routine, Perego performs static and dynamic analysis on packages to find bugs, writes exploits to help maintainers fix issues, and responsibly discloses vulnerabilities. Through his work, Perego has found and helped fix 4 vulnerabilities. He concludes that open source can be secure if security researchers take the time to understand, review, and help improve code quality.
Similar to Owasp Orizon New Static Analysis In Hi Fi (20)
This document discusses building an application security (appsec) pipeline. It begins by outlining common unacceptable testing scenarios where tests are done in production without proper preparation. It then introduces the concept of an appsec pipeline, highlighting the need for commitment, an organized software development lifecycle, and an appsec-aware development team. The document recommends key components of an appsec pipeline including a collector tool to manage requests and results, a set of appsec testing tools, an orchestrator to dispatch tests, a ticketing system to track vulnerabilities, and a workflow to integrate all components. It also provides examples of useful tools that could be included in the pipeline.
Picking gem ruby for penetration testers, Paolo Perego
The document discusses various techniques for penetration testing and attacking web applications using Ruby tools and libraries. It provides examples of using tools like Anemone for crawling sites, Casper for observing browser requests, Enchant for directory brute forcing, and Ciphersurfer for evaluating SSL configurations. The document encourages attackers to change their mindset and look for vulnerabilities from the perspective of an attacker rather than a developer.
Sicurezza Applicatica Dalla Teoria Alla Pratica, Paolo Perego
[Italian language only, sorry]
Presentation for the Security Summit illustrating the OWASP initiatives on the topic of code review.
It gives an overview of the Code Review Guide, the Orizon project and the O2 project.
The document discusses the art of code reviewing. It states that code reviewing involves human skills and engagement with developers rather than just running tools. An effective code review requires understanding use cases, threats, and tool results rather than just reverse engineering code. The document argues that code reviewing can be considered an art that involves human interaction, technical skills, and a passion for security. It offers to demonstrate the process with a live review of open source code using tools like Orizon and FindBugs.
4. Owasp Orizon framework v1.20
Orizon interface APIs are “engine” based:
* build a model
* analyze
* report
OWASP AppSecEU09 Poland 4
5. Owasp Orizon framework v1.20: engine
* Engine is an abstract class providing a fixed set of APIs for all Orizon engines
* Engine commands are described by a grammar
* Command parser is generated from the grammar using FreeCC
* start() method contains engine business logic
6. Owasp Orizon framework v1.20: the Language Pack
* Parser is built using the language grammar and FreeCC
* Parser is almost 100% able to understand the specific language
* Collectors take the AST from the parser and retrieve variables, methods, ...
* Ready for Java, C and PHP.
* Next to come: Cobol, C++, C#, Ruby, Jsp
7. Owasp Orizon framework v1.20: build the model
* Orizon supports more programming languages with an ad hoc “Language Pack”
* SourceFinder scans the input, deciding which files can be processed and the language pack to be used
* Modeler class uses Language Pack collectors to gather data and build the model
8. Owasp Orizon framework v1.20: analyze
* Get the model
* Iterate through all files to be processed
* Apply the rules to the model
* Rules management
9. Owasp Orizon framework v1.20: report
* Reporting engine manages the findings to be represented as output
* Formatters manage how to represent the findings in various formats
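The build-model / analyze / report pipeline of slides 4 to 9, as an added example written for this page in Python; it is not Orizon's own code. Python's ast module stands in for a FreeCC-generated Language Pack parser, a collector pulls variables and calls out of the AST, a SourceFinder chooses the files and the pack, the rules are plain dicts (ORL's syntax is not shown on the slides) combining keyword matching with the variable tracking listed in the comparison table, and two formatters report the findings. The rule ids, file names and sample sources are all constructed.

```python
"""Miniature Orizon-style pipeline (build a model -> analyze -> report).
Written for this page, not Orizon code; ast replaces a FreeCC parser."""
import ast
import json
from dataclasses import dataclass, field


@dataclass
class FileModel:
    path: str
    assigned_from: dict = field(default_factory=dict)  # var -> call it came from
    calls: list = field(default_factory=list)          # (callee, [arg vars], line)


def _dotted(node):
    """Render Name/Attribute chains as 'os.system'; None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class PythonPack:
    """Language Pack: parser plus a collector that reads variables and calls."""
    extensions = (".py",)

    def collect(self, path, source):
        model = FileModel(path)
        for node in ast.walk(ast.parse(source, filename=path)):
            if isinstance(node, ast.Assign) and isinstance(node.value, ast.Call):
                callee = _dotted(node.value.func)
                for target in node.targets:
                    if isinstance(target, ast.Name) and callee:
                        model.assigned_from[target.id] = callee
            elif isinstance(node, ast.Call):
                callee = _dotted(node.func)
                args = [a.id for a in node.args if isinstance(a, ast.Name)]
                if callee:
                    model.calls.append((callee, args, node.lineno))
        return model


PACKS = [PythonPack()]


def source_finder(files):
    """Decide which inputs can be processed and which pack handles each."""
    for path in files:
        for pack in PACKS:
            if path.endswith(pack.extensions):
                yield path, pack


def build_model(files):
    """Modeler: run the chosen pack's collector, one model per file."""
    return [pack.collect(path, files[path]) for path, pack in source_finder(files)]


# Hypothetical rules: a keyword-only check and a keyword + variable-tracking check.
RULES = [
    {"id": "PY-CMD-001", "sinks": {"os.system", "subprocess.call"},
     "sources": {"input", "sys.stdin.readline"},
     "msg": "value read from input reaches a command execution sink"},
    {"id": "PY-EVAL-001", "sinks": {"eval", "exec"}, "sources": None,
     "msg": "dynamic code evaluation keyword"},
]


def analyze(models):
    findings = []
    for m in models:            # iterate through all files to be processed
        for rule in RULES:      # apply the rules to the model
            for callee, args, line in m.calls:
                if callee not in rule["sinks"]:
                    continue
                if rule["sources"] is None:  # pure keyword match
                    findings.append((rule["id"], m.path, line, rule["msg"]))
                elif any(m.assigned_from.get(v) in rule["sources"] for v in args):
                    findings.append((rule["id"], m.path, line, rule["msg"]))
    return findings


def format_text(findings):
    """Formatter: one line per finding."""
    return "\n".join(f"{p}:{l}: [{r}] {msg}" for r, p, l, msg in findings)


def format_json(findings):
    """Formatter: the same findings as JSON."""
    return json.dumps([{"rule": r, "file": p, "line": l, "msg": msg}
                       for r, p, l, msg in findings])


# Constructed sample input; only app.py has a pack and gets modelled.
SAMPLE_FILES = {
    "app.py": ("import os\n"
               "cmd = input('cmd> ')\n"  # line 2: cmd assigned from a source call
               "safe = 'ls'\n"           # line 3: constant, not a call
               "os.system(cmd)\n"        # line 4: reported by PY-CMD-001
               "os.system(safe)\n"       # line 5: not reported
               "eval(safe)\n"),          # line 6: reported by PY-EVAL-001
    "notes.txt": "not source code",
}


def run(files=SAMPLE_FILES):
    return analyze(build_model(files))


if __name__ == "__main__":
    print(format_text(run()))
```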
11. Spot the difference
| | v1.0 (EU Summit ’08) | v1.18 (AppSec EU ’09) | v1.20 (Summer ’09) |
|---|---|---|---|
| Architecture | Heterogeneous engines with a non-standard API | Engine based with a standard set of APIs | Engine based with a standard set of APIs |
| Supported languages | Java | Java, C, PHP | Java, C, PHP, C++, Cobol, C# |
| Interface | Command line with options specified as parameters | Command line with a shell accepting commands (OSH) | Shell + web-based GUI |
| Modeling approach | Sources are translated into XML and the analysis is made on the XML | Sources are parsed with an appropriate Language Pack | Sources are parsed with an appropriate Language Pack |
| Model | None | Keyword used; variable tracking started | Keyword + variable tracking + execution flow |
| Security check | Written in XML | Written in ORL (Orizon Rule Language) | Written in ORL (Orizon Rule Language) |
| Crawling | Partial | Yes | Yes |
| Static analysis | Partial | No | Yes |
| Dynamic analysis | No | No | No |
12. Roadmap
* in the short term (3 months): v1.20
  * collectors must be able to retrieve more information from ASTs
  * new Language Packs (C++, Cobol, C#)
* in the mid term (6 to 9 months): v1.50
  * Modeler will be able to build data flow diagrams and execution flow diagrams
  * Owasp Orizon Guide to be released as “alpha” document
* in the long term (12 months): v1.80
  * static analysis will be working
  * dynamic analysis will start
13. Before we leave
Thanks to
* OWASP
* the Italian chapter and its board
* the gang: Nishi, Stephen, Jason, Andrés, Alessio, Dinis (http://orizon.sourceforge.net/blog/the-owasp-orizon-team/)
* my Mom
* my Wife
14. Some links
* FreeCC: used to generate all the parsers in Orizon (http://code.google.com/p/freecc/)
* Owasp Orizon links
  * Homepage: http://www.owasp.org/index.php/Category:OWASP_Orizon_Project
  * Blog: http://orizon.sourceforge.net/blog/
  * Twitter: http://twitter.com/OWASPOrizon/