Thursday, 31 December 2009

Happy New Year and Thanks!

Just a small post to wish you all a Happy New Year!

2010 should be a great year, there is a lot in the pipeline and I expect it to be an exciting & productive ride :)

I also want to Thank You for all the support and encouragement

Dinis Cruz

Wednesday, 23 December 2009

Comment on OWASP testing and disclosure levels

I think this is a great idea and one that OWASP is uniquely position to make it happen.

This goes to the heart of what we are trying to do at OWASP since it will help to improve the visibility of an website's security.

But before you continue reading the rest of this post, if you are not aware of PayPal's guidelines for external security researchers, please go and read this (which is linked from

Here is what I like about this schema:
  • (probably the most important) this is NOT dependent on the website's collaboration or participation (i.e. we can implement this independently)
  • It promotes good behavior and security awareness from the website's owner
  • it allows OWASP to raise the bar of entire sections of the online industry, since once we have a number of websites that follow the proposed guidelines, then their competitors will have 'market pressure' to follow it
  • this is something that the entire OWASP community needs (from member companies, to individual members, to owasp leaders, to participants at our conferences or mailing lists). For example, I (as a web user) would like to know when I use a website about that website's security posture. Another good example was when OWASP had to chose a couple months ago which Online-Voting provider we used for our board elections. Since we were paying for that service, the website's security should had been part of the decision making process (and it wasn't since we had no visibility into that website's security)
  • this schema also allows to clarify what is the affected website's point of view regarding their multiple web applications. Let look at a couple examples:
    • The Full Disclosure and Fully Open could be used on Sample Apps. For example the ones published with the Spring Framework (like JPetStore or PetClinc)
    • the Responsible Disclosure and Open Code Review could be used for Open Source applications (in fact the different between Open Code Review and Fully Open could be that for Fully Open the tests can be executed into the actual live website versus a locally executed copy of the website (which will be possible when we have access the source code)
    • the Responsible Disclosure and Open Test is what PayPal is doing
    • the Private Disclosure could be used a first step for companies who want to leverage the good guys security knowledge (for example, a lot of us 'accidentally' discover security vulnerabilities in websites but are not comfortable in reporting them since we are not sure how the website's owner would react (in fact in most cases we don't even know who to contact)). Another source of security issues for this is the XSSed database, or the google searches for the latest Flash/XSS vulnerability.
    • the No Disclosure is an interesting one since I don't expect that companies will 'officially' embrace, but one we (OWASP) could apply based on that companies past behavior (past examples are: MySpace when it sued Sammy, BT with Daniel, the US Gov departments behind with the Gary McKinnon case, etc...)
    • Finally given the current 'hacking laws' the OWASP “Trust Us” Insecurity Program – No testing + no disclosure is what all public websites should be given by default. This would actually be a great way to visually show the current (bad) state of affairs
    • For day to day browsing, a Firefox extension that checked the website's status would be a great way to expose this to a wider audience
I'm sure there is a number of tweaks we will need to do to the classification names, its definitions and the scenarios they cover. 

So I would say that the next step is for us to try to implement this, mark it as Beta for a while, and once it is working, officially launch it.

Who wants to be the project leader?

Tuesday, 22 December 2009

Idea for OWASP Standard for public rating of an WebSite's security profile

Jeff Williams had a great post following the discussion we had at TwitterLand (direct quote from Jeff's email):

I saw some twittering about this sort of thing over the weekend…

The basic idea is that we could create some OWASP standards around the way that companies allow their websites to be tested/scanned/reviewed and how they want to handle disclosure of issues that are discovered. Companies could choose the standard they want to follow and it would encourage people to make that choice explicit and public (visible).

We could do this pretty easily in the OWASP Legal Project – the way that Creative Commons defined some IP licenses and released them. I’m just not sure what the current practices are. Has anyone catalogued a list of companies with either testing or disclosure policies? See Microsoft policies.

Just as an off the top of the head brainstorm, what do you think of these?? Of course we’d have to specify these carefully and fully.
  • Full Disclosure – disclose anything you find
  • Responsible Disclosure – work with us please
  • Private Disclosure – send it to us and pray
  • No Disclosure – we will hunt you down and kill you
  • Fully Open – code review + test all you want
  • Open Code Review – we’ll let you review the source and test all you want**
  • Open Test – test with your account all you want
  • Staged Test–register and we’ll let you test on a non-production system
  • No Testing – you are an evil hacker
** Note: I have already drafted an “OWASP Open Code Review” license that grants people the rights they need to do a source code review without giving up ownership or other legal rights.

We could combine these into a few interesting combinations…
  • OWASP Open Security Program – Fully open review + full disclosure
  • OWASP Shared Security Program – Open testing + responsible disclosure
  • OWASP Private Security Program – Staged Testing + private disclosure
  • OWASP “Trust Us” Insecurity Program – No testing + no disclosure

Note that this is NOT a certification program. This is a way for companies to *declare* their approach to security. Your thoughts welcome…

OWASP Challenges World Governments to Improve Application Security

At the OWASP IBWAS 09 Conference (organized by the Portuguese and Spanish chapters) we had panel on the last day which debated what the Governments should do to improve Web Application Security in 2010. 

You can read the Press releases here in english,  spanish or portuguese.

And here is the contents of the press release with the 5 recommendations:

Madrid, Spain, 15/12/09

Around 40 participants and several dozens of technology students and their teachers have attended the Iberic Web Application Security conference (IBWAS’09) that was held at the Escuela Universitaria de Ingeniería Técnica de Telecomunicación, Universidad Politécnica de Madrid, Spain, on the 10thand 11th of December 2009.

The conference, which was a massive success, was organized by the Spanish and Portuguese OWASP chapters with the aim of bringing together application security experts, researchers, educators and practitioners from the industry and academia to discuss open problems and new solutions in application security.

Through the passionate discussion held in the "Web Application Security: What should Governments do in 2010?" panel, several conclusions have been reached.

These conclusions reflect the decisions made by the panel and are meant to be debated, updated and eventually published by OWASP as a set of recommendations.   

Panel’s conclusions:

  1. We challenge governments to work with OWASP to increase the transparency of web application security, particularly with respect to financial, health and all other systems where data privacy and confidentiality requirements are fundamental
  2. OWASP will seek participation with governments around the globe to develop recommendations for the incorporation of specific application security requirements and the development of suitable certification frameworks within the government software acquisition processes;
  3. We offer our assistance to clarify and modernize computer security laws, allowing the Government, citizens and organizations to make informed decisions about security;
  4. We ask governments to encourage companies to adopt application security standards that, where followed, will help protect us all from security breaches, which might expose confidential information, enable fraudulent transactions and incur legal liability;  
  5. We offer to work with local and national governments to establish application security dashboards providing visibility into spending and support for application security.

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Its mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of its materials are available under a free and open software license. The OWASP Foundation is a 501c3 not-for-profit charitable organization.

Friday, 18 December 2009

Latest twitter hack: Any good contacts at twitter security team and management?

I have an OWASP related idea that I would like to present them (... trying to leverage the fact that they should be a little bit focused on security these days...) 

Please make the intro directly to my OWASP email


Friday, 4 December 2009

Setting up some O2 test boxes at a Cloud near you

I need to build a couple test boxes for O2, and was thinking of using Amazon EC2 to set them up.

In the past I have used VPS from ISPs like RackForce, but they can be quite expensive and I need to be able to create a number of new boxes on demand which the VPS guys don't seem to support.

So is the Amazon EC2 the best option?

Has anybody here used it? Any top tips?

One annoying problem I have with Amazon EC2 is that it doesn't seem to be possible to 'suspend' VMs, is that true? Ideally i would like to create a VM and then suspend it (at a low cost) so that I only have it enabled when I need it. I guess another option is to create a custom O2 image that can then be used (again, has anybody here tried to do that for a Windows box? If so, are there any license restriction issues?)

One really cool thing with the Amazon EC2 system is that I can control my instances from my iPhone :)

Wednesday, 2 December 2009

New version of CirViewer (now with Debug Symbols support)

I just published a new version of the CirViewer module which contains a very exciting new capability.

CirViewer now supports the loading and mapping of .NET *.pdb files (i.e. debug symbols) into O2's CIR (ICirData, ICirClass and ICirFunction). If you don't know what CIR is , think of it has an Object-Model representation of source code which you can visualize and easily write scripts against (at this stage O2 only cares about Call-Flow information)

Here are the main links:
There has been substantial changes to this version of CirViewer, so you are advised to uninstall previous versions (or you will have two side-by-side versions since this latest release will not override the previous one (these updates usually override them, but this one will not since, amongst other things, the EXE file name was changed)

If you want to give this new version a test-drive, you will need some .NET Assemblies with the *.pdb located in the same directory and the source code (see video).  To make it easy, you should try first with the hacmeBank Web Services dlls and source code which you can download from: CirViewer-HackMeBank

Please test it and provide feedback to the #O2Platform Mailing List (


Saturday, 21 November 2009

Mr Security Consultant: 'Are You Doing A Good Job' for your clients?

I sometime feel that our industry misses the point on what we (security professionals) are doing here.
In a nutshell, the current 'Web Application Security assessment' world is far from being ‘working’ (see AppScan 2011 for a fictitious story about what (from a technology point of view) these engagements should deliver)
Security Engagements (namely Web Application ones) should not be seen as a games of ‘cat & mouse’ where the ‘ethical attacker’ is trying to break the system!!! (and ultimately prove the client that they (the security consultants) are any good)
My view is that security engagements are ‘knowledge transfer exercises’ where people with specific knowledge in one area (Web Application Security) are helping as much as they can, the people who don’t (Managers, Software Architects, Developers, Clients, etc...), during the short time period that they are involved with the application (i.e. the ‘security engagement period’)
The ultimate goal is Risk Reduction with the “Owners, Builders, Buyers & Users” of the target applications being able to make knowledgeable decisions about the security profile of their application (this is what we at OWASP call ‘visibility’).
To play a 'game' where these experts (i.e. the Security Consultants) are NOT provided AS MUCH INFORMATION AND SUPPORT AS POSSIBLE during their engagements is frankly: inefficient, unproductive and expensive.
Now talking directly to my peers (the security consultants), regardless of the type of test that you are doing, black-box or white-box (and the time allocated to it), sorry, but you are NOT doing a good job for your clients if:
  1. you don’t have access to the source code
  2. you don’t have access to a live instance of the application
  3. you don’t write unit tests for your results
  4. you don’t understand the client's business model
  5. you are not writing WAF rules or patching the app
  6. you are not giving the developers ‘auto code fixers’
    And here is the bottom line; The measurement of our success should NOT be how many vulnerabilities were DISCOVERED, but how many vulnerabilities were FIXED (or MITIGATED) by the client
    We will be doing our job If we are able to implement workflows that allow developers to easily & quickly fix, deploy and test the reported vulnerabilities.

    The rest of this post will look at each of these 6 requirements individually:

    1) If you don’t have the source code, then you are not doing a good job.  
    Regardless of whether you use tools, or if you do it by hand, when doing a black-box assessment, lack of access to the application’s source code you will make you very inefficient.  
    Having access to the source code gives you the ability to understand what is going on and to write proof of concepts much more quickly, efficiently and safely (hands up who have 'bricked a server' or application during a penetration test engagement).  
    It is vital that the client understands the importance of giving you the code. When you are doing a black-box engagement you need to show (in the short-time allocated to the project) to your client what the problems are (and access to the source code will allow you to use your time more effectively).   
    If the client does not have access to the source code of the applications you are testing, that in itself is could be a problem (especially if the client paid for its development)
    Note that when dealing with managed languages like Java or ,Net, one can even get away with only being given access to the application DLL’s, WAR and config files (in most cases a zip of the target web folder is all that is needed)

    2) If you don’t have access to the live instance of the application, then you are not doing a good job.  
    Here is the reverse; if you were doing source code analysis, and, you have access to the code, but you don’t have access to a live instance of the application, you will also not be able to do as good of a job.  
    Because even if your focus is on the static analysis or source code analysis, you need the black-box approach and access to the application so that you can quickly:
      a) understand how the application works, 
      b) understand if the issues your are finding are actually exploitable, and
      c) pragmatically measure how much coverage & visibility your static-analysis efforts (manual or automated) really have
    Please note that you don’t have to find, exploit, write and document a proof of concept for every single problem that you have (just once per vulnerability type or pattern).  
    Since vulnerability exploitation is a good measurement of the exploitability-level of a particular vulnerability, I am a great believer that you need to show (from business owners to developers) these exploits in action (one exploit per insecurity-pattern).

    3) If you don’t write unit tests for your results, you are not doing a good job.  
    This scenario is applicable to both black-box and white-box.  
    The code idea here is that Unit Tests are something that the developers understand.
    A unit test is a repeatable mechanism that allows you to replicate what you have done (i.e. the process of identifying and/or  exploiting the vulnerability).  It can be a positive test or a negative test. You can have a unit test that tests for something that is there or something that isn’t there (see AppScan 2011 for an example of what this could look like in practice).  
    From a security point of view, you should be writing unit tests that fail until the application is secure.  
    This is a great way to communicate with developers and gives management visibility to what is going on.  It also:

    • allows managers to have measurable deliverables,
    • allows the developers to understand where you are coming from and be able to visualize what you are telling them.  
    • allows QA to be able to replicate the problem and confirm its resolution 

    Until you give a developer a unit test, they are unable to relate to what you are doing

    4) If you don’t understand the client's business model , you are not doing a good job.  
    This is very important!  
    In order to provide recommendations to the client (that makes sense to them from a business point of view),  you have to understand the target application and the way the client's business works.  
    If you don’t understand the client's business model, what risks they care about and what is their history in Web Application Security, then you are 'talking in a bubble' and somebody on the client's side (who is probably less prepared than you) is going to have to try to figure out how what your 'mumbo-jumbo-tech-talk-and-presentation actually means to their business.
    Note that from a technical point of view, you (the security consultant) have a much better understanding of the security implications of the issues reported. If you are able to allocate enough time to understand the client's business model, you can cross-map both worlds and give the client a much more accurate representation of that application's risk profile (and what should be done next)

    5) If you are not writing WAF rules or patching the app, you are also not doing a good job.
    The power of writing WAF (Web Application Firewall) rules, is that you are give the client a short-term solution for the problem to be fixed (or depending on the problem and patch, a medium to long term solution). 
    This is very important because when you get into virtual patching, you allow customers to quickly mitigate or reduce the risk, and gives them some breathing space plus the ability to strategically think about what they want to do.  
    It even gives them the ability to not fix it, if that’s what they decide (i.e. they accept the risk).  
    Either case, you have done your job – i.e. you analyzed the application, found security issues, provided practical remediation measures, and helped them (the client) to reduce their  risk exposure.  
    Once the marked evolves a bit more, I think that WAF writing rules, and WAF rules verification will become another profitable service provided my Application Security Consultancy companies (as a preview of how this market will also need to be played under an Open Source umbrella, check out what Breach is doing with the OWASP ModSecurity Core Rule Set Project). 

    6) If you are not giving the developers ‘auto code fixers’, then you are also not doing a good job.  
    A security consultant, especially one that understands programming, is in a much better position to evaluate the security implications of the multiple strategies & techniques that could be used when fixing (at the source code) a particular vulnerability.
    One of the areas that I want to spend resources in the future is actually writing 'auto-code-fixers'.  These 'code aids' would go into the developer IDE and would be exposed like the current IDE's code fixing/re-witing features (I wrote a very sweet PoC for Rational's Software Analyzer product which loaded up an 'O2 massaged' source-code file and provided the developer the option to fix one of the reported findings).  
    Of course some people are not conformable with providing direct code snippets to developers which could end in production environments, (and the developer & its boss will need to tick the box that says ‘I accept responsibility for this’), but by exposing this information to the developers, there is a much better chance that all relevant parties will gain a much better understanding of the root causes of the issue reported, and the suggested (from a security point of view) solutions. 

    Why I had to build O2?

    I had to build O2 because the state-of-the-art tools (both commercial & open-source and both white & black box) where not designed for knowledgeable web application security consultants (like me).

    There is a reason why the adoption rate of these tools is very LOW (by security professionals, developers, software architects, etc..), and even more importantly, there is a a reason why even when they are used, very few people actually get decent (& actionable) results from it. Of course that the sales & marketing departments paint a different story, but most of the current sales result in shelf-ware (and if you have doubts on this statement, I just have one word for you: Frameworks)

    In addition to:

    1. lack of support for Frameworks like Struts, Spring, Enterprise Library, ASP.NET MCV, (heck, most don’t even ‘properly support’ J2EE’s or ASP.NET’s request execution flow),
    2. the customizations made to those Frameworks, and
    3. custom or ‘client / vendor specific’ Frameworks
    ... the reason why those tools don’t work in the real world, is because they (currently) don’t ‘understand’ how the target application works.

    For example, when they DO provide a finding, that finding will only cover a very small part of the entire code flow that creates that vulnerability (for example the URL with the exploit or the internal Source-Sink trace).

    This is why the market perceives these tools as NOT working, and why the security professionals (who should be its MOST active users and promoters) look down on them and ignore them.

    Remember that my objective on my security engagements is to ‘Automate Security Knowledge and Workflows’.

    This way less experience users will be are able to replicate my actions and fix, mitigate or accept (the risk of) the security issues on their applications.

    Application security will never scale if we required everybody to be security experts!!

    Back to O2...

    Historically O2 was built on top of the Ounce’s Labs (now called AppScan Source Edition) product when I was hired (in my 2007) as an independent consultant, and was tasked of using their tool on ‘service-driven’ engagements and provide feedback to the product team.

    After getting my head around on how the Ounce Engine, I was in love with its data-flow analysis and wide coverage (since I was used to doing it by hand), but was very disappointed by its lack of support for Frameworks and for ‘building custom analysis’ on top of those findings (which remember, only represent a small part of the ‘real’ traces & exploit flow).

    So having a programming background, I did what every security consultant does today.

    I wrote scripts ...

    And more scripts & command line tools...

    And more scripts & some GUIs ...

    Who eventually become so complex and feature rich, that I decided that I needed to build a host for those scripts, tools and GUIs.

    And that is when O2 was born :)

    In fact, originally this tool was called F1 (as in the ‘F1 racing car’ vs ‘the normal cars that run on the road’), and was renamed O2 (for Ounce Open) when the Ounce Labs guys made the decision to allow me to Open Source it (which happened Nov 08 (last year) at the OWASP conference in NYC)

    In the beginning, O2’s capabilities were almost 100% dependent on the Ounce’s engine (since originally O2 (i.e. F1) was designed to automate and increase it capabilities). So at this stage, one could not use O2 without a valid (i.e. paid for) Ounce Engine.

    Eventually, as O2’s capabilities matured and (aided by the fact that I was doing other Security Engagements outside of Ounce where I was using & developing O2), the number of features that did NOT require Ounce’s commercial license started to grow. Eventually taking O2 to a level that enormous value can be obtained by ALL users and making O2 worthy of being an OWASP project (and being called ‘A Platform’).

    Today (Nov 09), O2 has reached a maturity level where I (Dinis) can finally perform security engagements with a type of visibility and automation that I could only dream off a couple years ago.

    There are a small number of people (me and the few brave O2 users) that get a LOT of value from O2, the challenge now is to make this scale, and dramatically simplify O2’s workflows so that it can be easily used by new users.

    OWASP Newsletter - Nov 09

    This OWASP Newsletter - Nov 09 is a great step forward for OWASP,

    After a couple half-baked efforts in trying to get OWASP Newsletters in the past , we finally seem to have got it right. 

    Lorna and Kate did a great job on this first issue of the new generation of OWASP newsletters (which I hope will follow the same level of professionalism and regular publication schedule that we achieved with the OWASP podcasts).

    Here is the email sent earlier today by Kate (to owasp-all, OWASP LinkedIn group and a number of other WebAppSec mailing lists):

    After several months in development we are excited to release the first of many OWASP newsletters! We hope you will find the content relevant, interesting, and motivating. Many thanks to Lorna Alamri from the Minnesota chapter for putting together this document.

    As always your feedback is appreciated and if you have articles for upcoming newsletters please forward the information to Lorna at or to me

    Thank you all for your support!

    Kate Hartmann
    OWASP Operations Director
    9175 Guilford Road
    Suite 300
    Columbia, MD 21046
    Skype: kate.hartmann1

    Public reactions to last week's posts

    Following last week post Update #3 on O2 & IBM , I received quite a lot of feedback (both publicly and privately). Finally it seems that people are taking a good look at O2, and due to the public nature of these posts, I am reaching a much far wider internal audience at IBM than it would be possible if I keep these thoughts private.

    Request for help on: OWASP O2 Platform

    (Posted to the owasp-leaders list on 17th/Nov/09)

    Hi there, in case some of you missed this last week, just before my OWASP O2 Platform Presentation at the AppSec DC conference last week I posted 4 blog posts on O2, IBM, and what I think should happen next:

    As you can see, I have moved O2 to OWASP and am driving 100 miles-a-hour into making the OWASP O2 Platform THE standard 'lingua-franca' between multiple Application Security tools (allowing a type of Human+Tool type of analysis, workflow and automation that most people in our industry think it is impossible).

    As R'Snake's says in his comment  this is a great opportunity for IBM. The only way we will have a number of standards in our industry, and any decent tool interoperability, is if we do it openly and collaboratively, with OWASP and O2  strategically positioned to do lead that effort.

    IBM's return or investment is the fact that O2 will make it easier for users to use their products (which leaves the user in a position that they can chose the best tool for the job without worrying those tools (Open Source or Proprietary) talked to each other).

    What I like about the Part I - IBM Application Security related tools & "AppScan 2011"  post - and ignore the IBM references (or replace them with  Open Source or Proprietary equivalents) which are there to show that I could implement most (if not all) of that workflow today using available products and a numbers of O2 Scripts - is that it:

        a) shows the complexity of real world engagements (and I would argue that even that example is a VERY simplified version of reality)
        b) how we are so far away as an industry to 'communicate' and engage with out clients in a way that they get the maximum return in their investment in our services (and improve their security risk profile)

    If you are not interested in O2, IBM or what I am doing, you should at least read the 2nd part of this post
    Part IV - O2 needs to be Commercially Supported and John Steven's blog post on Vendors in an Open-Source Security Community

    The only way OWASP materials will be used by the people that matter (big companies, small companies, software developers, framework developers, governments, etc...) is if OWASP materials can be 'consumed' in professional, efficient and productive way.

    And just like commercial vendors like Red Hat & IBM made the Linux 'commercial ecosystem' work, to really succeed in its mission ("... make application security visible so that people and organizations can make informed decisions about application security risks...") OWASP needs to create a healthy ecosystem of commercially-driven companies (maybe even government or grand funded external organizations) that support and drive is most successful projects.

    Of course that we have to be very careful about how we do this, since we have to make sure that this is done in a way that is 100% compatible with our values. Ironically, the two efforts that are probably closer to this reality (an OWASP project commercially supported by a 3rd party company) are two projects lead by two OWASP Board Members: me with O2 and Jeff with EASPI.

    I think both me an Jeff have the political capital inside OWASP to have some margin for maneuver in creating, testing and fine-tuning the model.

    The good news is that, IF (and it is a big if) we get this right, there are a LOT of OWASP projects that should follow the same path.

    OWASP Project leaders, imagine if you could work for a company that commercially supported your OWASP Project (Tool or Document) and paid you and others to work exclusively on that project and release what was created under OWASP?

    Of course, that if we (me or Jeff) screw this up, and the OWASP community thinks we lost our independence, then we can no longer be Board Members.

    Disclaimer: I'm using Jeff as another example of what I am trying to do with O2 since it is a very similar scenario. BUT, just for the record, as far as I know, Jeff's employer has NOT decided (so far) to commercially support EASPI, and they might never go down that path (that said, I think they will, since at the rate EASPI is maturing, it will just be a matter of time before somebody else (individual or company) gets the funding to do it).

    So here is my request to you (owasp-leaders): Please help me convert the materials created by your project (tool or document) into O2's Open Schemas so we can consume them from a central location (and when applicable be able to 'consume' O2's Open Schemas so that your project can benefit from artifacts created by other OWASP projects). Of course that there is a lot more to O2 than this first step, but achieving good interoperability between OWASP tools would be a great step forward.

    As I explained in my previous email (subject was "Fwd: [Owasp-o2-platform] [SC-L] Static Analysis Findings"), one of O2's powerful features is its ability to quickly consume and process results from external tools.

    I'm happy to help you, and I am sure you will be pleasantly surprised by how easy it is write these parsers (for example Matt Tesauro, can vouch how I wrote the O2 WebScarab Log parser in a short-period, while attending the OWASP Brazilian conference (The objective of that exercise was to show how O2 could create reports based on the special tags supported by the latest version of WebScarab (not the NG one) ))

    A final comment that I would like to make about IBM.

    My feeling is that they, (IBM) want to do the right thing and support O2 (remember that there is a good historical precedent with IBM's support for key Open Source projects like Eclipse (see for tons of more examples), BUT they (IBM) are not sure/convinced about O2's ability to generate a vibrant and productive community.

    So ironically, at the moment YOU (owasp-leader or O2 user) are more important for the short/medium-term future of O2 than I am :)

    Thanks for your help,

    Dinis Cruz


    Friday, 13 November 2009

    Update #3 on O2 & IBM - 13 Nov 09

    I just posted a number of Blog posts related to O2, Ounce Labs and IBM 

    See also:
    I am quite interested in your (the reader) thoughts, so please comment here or email me directly.

    Dinis Cruz
    (@ the OWASP AppSec conference in DC)

    Part IV - O2 needs to be Commercially Supported

    The OWASP O2 Platform is now reaching a critical mass moment where it really needs to be officially supported by a commercial entity:
    • there are a number of corporate users who have used it, love it, but are very worried about its current support model (which is basically me and Ian Spiro)
    • There are a number of commercial and very profitable revenue streams that can only occur if there is an infrastructure & ‘machine’ behind O2
    • O2 has already reached a technology level & quality where it is adding spectacular value to security consultants. The problem is that the current presentation and support level are very basic and non-professional
    • there is a lot of functionality in O2 which just needs to be documented so that new users can find it and know how to use it
    • there are a number of small bugs and issues that need to be solved

    Part III - Why I said NO to IBM ... for now

    Following the Ounce Labs purchase by IBM last summer (see Update on O2 & Ounce & IBMUpdate #2 on O2 & IBM - 02 Sep 09), I have been trying to figure out where is the best place for me and the OWASP O2 Platform in IBM’s world. 

    Part II - Why IBM will ‘solve the problem’

    As one can see from Part I of this post series, IBM is current spending considerable resources and investment in the Application Security space. 

    The question is, will they ‘solve the problem’? I.e. will IBM with all this investment create products (in the next 1 to 2 to 5 years) that will REALLY allow complete, thorough and maybe even ‘scientific’ analysis of Web Applications (& all its dependencies)? 

    Part I - IBM Application Security related tools & "AppScan 2011"

    To start this series of O2 (i.e. the OWASP O2 Platform) related posts, I would like to provide an example (using existing IBM products) of what an ‘Application Security Assessment’ should look like. 

    Tuesday, 10 November 2009

    New O2 Code Drop (09-Oct-09): Struts support, XRules, O2 Config, Search Engine, etc...

    (email sent to the owasp-o2-platform (subscribe here))

    Welcome to the OWASP O2 Platform mailing list (this is the first post to this list :) )

    FYI, I just uploaded to the O2 website a new code drop of the latest updates:

    There are a LOT of new features (which I will try document in follow-up posts), for example:
    • Almost complete Struts support: Import and visualization for web.xml, struts-config.xml, tiles-definition.xml, validation.xml (see the O2StrutsMapping visualizer and exporter)
    • New XRules engine. This is very BIG since for the first time it is possible to write complex rules in a fully dynamic way in O2. For example it was using the XRules module that I was able to create a trace that reads the struts configurations (i.e. the O2StrutsMapping object) and does all sort of mappings between the Action Controllers, the JSPs views and the Ounce's Traces
    • New O2-Config Gui which allows to set up internal config variables (like the Temp Folder). This also includes a sort-of DI (Dependency Injection) which can be used to set up (on load) any static property exposed by O2 Modules
    • Major changes to the O2 Search Engine tool , which makes it REALLY useful (I tend to use it all the time now). For example you can just drop an entire folder (with Gigs of data) and quickly find a file's location , or you can then filter by type of code (.NET or Java) , index it, and do a quick regex search on it
    • DotNet assembly patching using PostSharp. The current version already support a complete workflow of marking an assembly (via Cecil) with specific attributes which are there used by a custom PostSharp script that will Instrument (ala AOP) the dll and place it into the GAC. I have used this version to successfully apply a patch in a vulnerable AspNet application (by 'patching' the vulnerable function in the GAC deployed dll). This version also supports a basic Function Enter/Leave logger, which will be expanded on the next version to be able to create Findings based on the execution flow (just like the current version of the O2 Debugger does (exposed on via the O2 CSharpScripts module))
    • WebScarab: Added support to O2's Findings Viewer to import WebScarab log files (the original version of WebScarab , not the NG one)
    • O2 Findings module: Added ability to save & load the current O2Findings into a binary serialized format
    • O2 Join Traces module: Add GUI to join Ounce generated traces based on interfaces implementations
    • Number of bug fixes and minor changes (like exposing the Ounce MySql IP and address and Port on the Rules Manager)
    • Renamed a number of O2 Modules *.exe files (to make them easier to find)
    • .... I'm sure there is more but I can't remember... :)
    Here are the main links:
    Please try them, and let me know what you think of it

    Dinis Cruz

    Tuesday, 29 September 2009

    OWASP Internals: Guidelines for OWASP leaders’ attendance of OWASP Conferences and OWASP Memberships

    Following the debate started by this thread OWASP Internals: Leaders participation at OWASP conferences I submitted today the proposal below to the OWASP Board which has just been approved :)

    I'm really happy with this model and I hope that this will mean that we will see much more participation from our leaders at our conferences

    Guidelines for OWASP leaders’ attendance of OWASP Conferences and OWASP Memberships

    In recognition of the enormous value provided to OWASP by its leaders (projects, chapters, committee & board members) , and the fact that it is beneficial for all that these leaders actively participate on one or more OWASP-organized conferences (16 in 2009), OWASP would like to propose the following 'operation guidelines' for facilitating the leaders participation at OWASP conferences:

    • All leaders who currently enjoy an 'OWASP Honorary individual membership' (see details below) apply for a 'FREE' participation on as many Conferences he/she is able to attend
    • By 'FREE' we mean that there is NO (i.e. zero) cost for the OWASP leader, but internally OWASP is marking up this cost between $100 USD and $300 USD (depending on the conference) which cover the 'participation costs' of a conference attendee (venue, refreshments, lunch, etc..) .
    • In order to simplify the process and to remove the potential financial burden, this cost will NOT be allocated/paid by the Conference Organizers, but will be covered by (in order of preference):
      • a local chapter that has funds and wants to 'sponsor' a particular leader to attend a conference (in most cases this should be in 'exchange' of a chapter presentation of a debrief of what happened at the conference). See 'Notes for chapter with budgets' below
      • a direct sponsorship of the leader's main employer or 3rd party company that wishes to sponsor OWASP leaders
      • OWASP on the Move funds
    • In order to maximize OWASP resources and efforts, the following would be expected from the OWASP Leader:
      • Submit a presentation proposal with the conference RFP time period (note that a separate thread (& guidelines) will be required to define the recommended process (for conference organizers) to deal with these OWASP Leaders presentations)
      • Allow the conference to include the leader name in its marketing efforts, i.e.: "...come to the XYZ conference where you will be able to meet personally the following OWASP leaders: {name - project}, {name - project}, {name - project}, {name - project} .."
      • Help as much as possible the local organization team (conferences are a LOT of work, and extra pair of hands are always necessary)
      • If there is an OWASP-Stand, help with the 'manning the stand'
      • Actively promote the conference in Blogs, Tweets, local chapters and press
    • To help with the OWASP Leader participation, and if required, OWASP central (i.e. Kate) can send an 'official invitation letter' requesting that the leader's employer allows the conference participation under company's time (versus holiday time)
      • Depending on the level of sponsorship given to the leader by its employer, the conference organizers should add the leader's employer as a conference sponsor (note: at the moment there is no standard name for these type of sponsorships)

    Notes for chapter with budgets:

    The chapters that currently have budget available (see this document for the current list of funds available to local chapters), can and is encouraged (at the discretion of the chapter leader AND its local community) to use its funds to:

    • 'Pay' the OWASP internal conference participation cost (100 USD to 300 USD) of the current Chapter Leader(s)
    • Cover part of the current Chapter Leader(s) travel expenses to attend the conference (the current guidelines are 250 USD for local travel (in US or in Europe) and 500 for International Travel (Europe-> US, in Asia, etc)
    • 'Sponsor' a particular OWASP Project leader to attend the OWASP conference in exchange for a participation at their chapter (this could be a presentation, a training session, etc...)

    Notes on "Who is eligible for OWASP Honorary individual membership'

    Contributions to OWASP are highly valuable, so in order to recognize its effort OWASP is allocating 'Honorary Individual Memberships' (i.e. Free memberships) to:

    • OWASP Board Members
    • OWASP Committee Members
    • OWASP Chapter Leaders*
    • OWASP Projects Leaders*
    • Individuals with Special Contributions to OWASP*

    * The allocation of 'Honorary Individual Memberships' is going to be implemented in two phases

    • 'pre AppSec DC conference' (i.e. now) - For historical reasons OWASP chapter and projects leaders were not made OWASP Members in the past. So in an effort to clean up the past and start with a clean state, the OWASP Projects and Membership Committees is currently creating a list of ALL active and past project and chapter leaders who will be given a Free 1 Year OWASP Individual Membership
    • 'post AppSec DC conference' - from Nov 09, and once a year there after, the OWASP Chapter and Project Committees will be expected to first create a criteria to allocate memberships (based on their contributions over the past year) and then use it to produce an annual list of Individuals who should be allocated an Free 1 Year 'Honorary Individual Membership'. This list should then be submitted for vote and approval

    Honorary members will be given the opportunity, although not required to “donate” the annual dues to the Foundation.

    Friday, 25 September 2009

    WAFs for OWASP crowd to perform independent tests

    Just had this request from one of the best WAF authors & researchers in the world (sorry can't say his name publicly) who asked me this:

    "...I am researching WAF evasion and I need access to a commercial WAF. I am finding a lot of interesting things, but without knowing if they are real problems in production that does not mean much.

    Do you know someone who could be willing to give me access to a non-production box for testing purposes?..."

    From the above, I have two questions:
    1. Anybody form this list can help him? ping me directly and I will put two in touch
    2. Is the WAF industry (both proprietary and open source) mature enough that they can 'lent' an Evaluation WAF (the actual appliance) to OWASP so that OWASP leaders & members can independently evaluate it?
    • If they are, I'm happy to help setting up some rules of engagement, for example: "The WAF will be hosted by an independent (i.e. non WAF vendor) OWASP leader or member", "there are no limitations on the types of Apps that can be 'protected' by the WAF", "if any major issues are discovered, 'responsible disclosure' will be used"

    I think if we do this right, it could be a win-win for everybody

    Dinis Cruz

    Friday, 18 September 2009

    Email to O2 Account holders with tons of O2 related links

    (email just sent to the current O2 website account holders)

    Subject: OWASP O2 Platform update and 'WebEx on using the O2 Spring Mvc Module to exploit vulnerabilities in the PetClinic application'

    Hi O2 User (you are receiving this email because you are one of the 70 accounts currently created at the O2 website (if you don't want to receive this type of updates in the future please let me know and i will delete your account))

    18 Sep - WebEx on using the O2 Spring Mvc Module to exploit vulnerabilities in the PetClinic application

    (post I just published to a number of web app sec security mailing lists)

    I'm going to do an public WebEx on the O2 Spring MVC module tomorrow at 18th Sep at 1pm EST/ 6pm London (see the WebEx details here)

    Not sure if still remember this, but I was one of the authors of the two Security issues reported on the Spring Framework MVC by Ounce Labs last year (see PDF here).

    At the time we didn't really explained how I found those issues, but since then we released the Open Source OWASP O2 Platform which contains the O2 Spring MVC module (link to ClickOnce Install) and attempts to visualize the attack surface and vulnerabilities created by Spring MVC Annotation-Based Controllers (see Spring Documentation here)

    To demonstrate the security implications of Spring MVC's @ModelAttribute I will show a couple vulnerabilities discovered on the PetClinic demo application that ships as an sample application on Spring 2.5 (you can you can download from here the demo materials I am going to use tomorrow (includes all files required to run a local copy of the PetClinic test application)).

    What I really like about the demo that I am going to present, is how I am able to combine both WhiteBox and BlackBox analysis in one single workflow and GUI (i.e. one analysis feeds the other, enabling the quick understanding and exploitation of vulnerabilities in the PetClinic application)

    Note that the issues that I am going to find & demonstrate using the O2 Spring MVC module DO NOT require the Ounce Labs product (static source code analysis engine) to work.

    In fact, I will be doing my demos from a VM image that doesn't have ounce installed :) .

    Of course that there are other types of analysis that you can do if you have access to Ounce's engine (or (eventually) the other engines soon-to-be-supported by O2 (Fortify, Coverity, Armorize, AppScan DE, etc...)), but my point with this presentation is to show how you can do TODAY using the power of the OWASP O2 Platform to perform security engagements on applications that use Spring MVC Annotations-Based Controllers.

    I will try to do these types of WebEx on a regular basis, so if you can't make it tomorrow you can join in the next one :)

    See you at the WebEx

    Dinis Cruz

    Thursday, 17 September 2009

    18 Sep - WebEx: O2 Spring Mvc Module

    I'm going to do another O2 Spring MVC WebEx tomorrow 18th Sep at 1pm EST/ 6pm London (see the details here)

    Not sure if everybody is aware, but I was one of the authors of the two Security issues reported by Ounce Labs last year (see PDF here). At the time we didn't really explained how I found those issues, but since then we released the OWASP O2 Platform which contains the O2 Spring MVC module (link to ClickOnce Install) and attempts to visualize the attack surface and vulnerabilities created by Spring MVC Annotation-Based Controllers (see Spring Documentation here)

    To demonstrate the security implications of Spring MVC's @ModelAttribute I will show a couple vulnerabilities discovered on the PetClick demo application that ships as sample application on Spring 2.5.

    Fortify hands-on demo/session at forthcoming OWASP Northern Virginia Chapter

    So, the adventurous OWASP Virgina Chapter (lead by the uncompromising John Steven) are going into uncharted-OWASP waters in their next chapter meeting.

    You can read more about it on the chapter home page on their [Owasp-wash_dc_va] OWASP Session - Fortify 360 - Thursday, September 17, 2009 mailing list announcement or at the Secure Coding Mailing list

    Basically what they are doing is allowing a vendor (Fortify) to come to an OWASP meeting and present their product! Shock Horror!!! Doesn't this break OWASP values, principles and independence!!!

    Well, it depends :)

    OWASP is not Anti-Vendor! In fact most of OWASP members and users are either direct connected to a vendor or use vendor's products/services (disclosure one of my contacts is with Ounce labs (now IBM)). In fact vendor presentations at OWASP happen ALL the time (see for example this presentation delivered at the last OWASP London chapter Using Surrogates to Protect from Application Data Breach ).

    The issue is not IF OWASP should have 'vendor' presentations but HOW we do them. My view is that as long as the 'snake oil & marketing' content is kept under control, what is presented is an 'accurate' representation of that technology and there is interest of the OWASP community in it, then it is OK.

    The fear is that OWASP become an 'vendor driven' organization and becomes 'infiltrated' with people who have direct & short-term commercial priorities. The good news is that I think OWASP has a long and ingrained tradition of 'keeping the vendors under control' and as we grow we need to create 'environments' where the vendors can show where they add value in a way that is compatible with OWASPs values and principle.

    And in my view, John is trying to create this environment using a 'real-world' case study (btw, this is what I love about OWASP, our leaders have the ability to be proactive and creative (we just need to make sure they are going on the right direction :) ))

    So, back to the subject at hand, here are a couple points and ideas about allowing vendors to provide 'hands-on sessions at OWASP Chapters and conferences' (I would like to see at the end of this thread a nice list of 'rules of engagement' for other chapters/conferences that want to organize similar events):

    1) this is not a new idea, we have had many numerous talks in the past about helping to create at OWASP conferences an 'open & independent lab environment where people can try technology', and in fact I organized a while back a bake-off between WAF vendors in London (see London_Chapter_WAF_event),
    2) The vendor should provide unrestricted and uncontrolled access to the technology to the participants,
    3) On the other hand, since the value derived from these tools is usually very dependent on them being used by 'experienced users' and the fact that there is a section of the OWASP community that is very technical (& historically very skeptical about the REAL value that these tools can provide), the vendor (ideally) in partnership with an independent service provider, should also show how their tool is used in real world scenarios by its users,
    4) The attendees should be allowed to take with them an evaluation version of the product without having to provide any information in return (business cards, names, mobile phones, social security numbers, bank account details, etc... :) )
    5) Pending technologically or licensing problems, the vendor should provide a VMWare/VirtualPC/XEN/OWASP_Live_CD image containing everything needed to evaluate this technology (for windows, I think we could use 30/60/90 day evaluation versions of the required OS)
    6) Pending bandwidth or logistical issues the event should be broadcasted live and remote users should be give access to virtual images
    7) Pending technological or logistical issues the event should be recorded in video/audio and made available to OWASP users
    8) Final and very important, the final decision if one of these events is 'successful and respects OWASP's values and principle', should be made by the local OWASP 'non-vendor' members (i.e. people from local companies that are trying to buy, develop or maintain secure web applications). What I found in the past, is that the threshold for 'vendor pitches' is very dependent on geographical locations (i.e. the same presentation in NYC and in Milan will have very different reviews (and sometimes the non-US chapters tend to be much more 'vendor' friendly)). So I would look at the local chapter (users and leader(s) ) for guidance about the event's outcomes.

    If this is popular, we should make these activities/events into an 'OWASP Project' since we will need to keep a tight control on these rules and ensure that this doesn't get abused.

    BUT, if we get this right, we will be able to leverage much more the energy/motivation that the vendors have in promoting their products, with the energy/motivation of the consulting companies that know how to use those products, and (MORE IMPORTANTLY OF ALL) with the needs, requirements and issues that the users/clients have.

    What do you think? This is a though issue, but it is HAPPENING, so we might as well agree on the 'rules of engagement'

    From the current description of the 'Fortify at Virgina chapter' event, I think they meet just about all the items I propose. Any comments?

    Dinis Cruz

    OWASP Internals: Leaders participation at OWASP conferences

    Email I sent earlier today to the owasp-leaders list with some comments about the idea of 'giving free conference tickets' to active OWASP leaders


    Hey Rex, AppSec DC team and owasp leaders

    First I just would like to second (i.e. agree with) Jeff's earlier email (sent to Rex & AppSec DC team directly) saying that:
    "...From my perspective, the planning of AppSec DC 2009 has been conducted with an extraordinary amount of professionalism and diligence. The Board is 100% behind your efforts. Please let us know how we can help promote the conference and make it an even bigger success. Thank you for all your great work on this..." (Jeff Williams)

    That said :) and on the topic of giving Free attendance to active owasp-leaders, I would like to add a couple more points (which I'm doing here on the owasp-leaders list since (I think) this is owasp community wide issue):

    1. From my (personal) point of view OWASP is about building a great community of talented people which is focused on solving the ('small') problem of application security
    2. Although we have a great community with tons of great people across the world, I don't think we (OWASP as an organization) do ENOUGH to thank our most active contributors (who are, lets not forget, who make OWASP OWASP)
    3. I am also very aware that although we are all quite individual talented/knowledgeable (each with its own unique areas of expertise), there is ONLY SO MUCH we can do as INDIVIDUALS, and is it only when two-or-more OWASPers talk to each other and COLLABORATE that real MAGIC occurs
    4. Taking the view that in order to increase OWASP productivity, quality and 'products' we need "OWASP to work better with OWASP" and "OWASP to work better with the WORLD" (something we are not as good we should be), I view (as a Board member) my responsibility to help making these CONNECTIONS and help taking OWASP to the next level
    5. So when I asked the question on "... 'owasp chapter leaders to have to recruit other two attendees to get a free ticket?.." my objective was not to undermine or put in question the GREAT WORK REX AND THE APPSEC DC ARE DOING, but :) , to 'gently' raise the issue and see if we can help the 'owasp chapter/project' leaders to attend this conference.
    6. before, I describe why I don't agree with having the requirement for owasp-leaders to 'find two ticket buyers', I just want to make clear that this decision falls into the responsibility of the AppSec DC conference since they are the ones that are managing the budget for this conference :) . And remember that NOTHING in OWASP is set in stone, so if something make sense, IS DOABLE and respects OWASP's values, then it is better to change it sooner rater than later
    7. one more point on owasp leaders. As a sign of recognition of their great work and contributions, at the last OWASP board meeting we (finally!!!!!!) decided to make OWASP members ALL active & past owasp project & chapter leaders. There is currently a work thread at 3 Committees (Membership, Chapters and Projects) to try to figure out the criteria to do this, but basically the idea is to give all selected individuals (or companies) the option to: a) receive a free 1 year membership or b) pay for it. The irony is that I (Dinis) am not an OWASP member :) , and the main reasons is because I had no requirement to become one. Now with the forthcoming elections and this offer, I will HAVE to become a member, and I will gladly pay the 50 USD membership fee, since even adding the time I put in OWASP, I still have enough value received from OWASP to justify the 'business expense' of 50 USD :) :)
    8. finally, on the issue of owasp-leaders having to 'find two ticket buyers to get a free ticket for the AppSec DC' (and even other OWASP conferences
    a) OWASP leaders are NOT paid for they contributions, so any successful OWASP leader has stories of sweet,blood,tears, long-hours, etc...
    b) some OWASP leaders are able to 'work' on OWASP while on their employers time (sometime that we still fail to recognize is most cases), but I think it is fair to say that MOST of the work done is executed outside the work environment and in exchange for family/leisure/relaxing/sport time or (for independent contractors) in exchange for working on paid engagements (i.e. there is a significant PERSONAL or (short term) FINANCIAL cost in being an active OWASP leader
    c) we can't underestimate the work and value created by these owasp leaders (both chapters and projects) since they are the reason for our success and for the fact that we have tons of exciting projects, conferences and chapter meetings
    d) although OWASP is not a wealthy organization with Millions of Dollars in funds (like Mozilla or Wikipedia), and there WAS a significant DROP in INCOME of Corporate memberships in 2009 due to the (correct) decision to simplify the corporate membership to 5k USD and allocate 40% of it to the local chapter. That said OWASP DOES have (some available) funds, and it is our (the Board and you all) responsibility to make sure we use those funds wisely
    e) so, on the question of 'giving free conference tickets to OWASP leaders' the question that I would like to see an answer is 'How much does that cost to OWASP?
    f) maybe the solution is to push this cost to the OWASP Board (or even the local chapter if they have funds to support its chapter leader to participate on OWASP AppSec conferences (tickets, travel and accommodation)
    g) back to the topic of the OWASP leader participating on OWASP AppSec conferences:
    - this is something we should actively encourage and promote (it even has 'marketing value' : "come to the OWASP AppSec XYZ conference where you will be able to meet 15 OWASP Project and Chapter leaders!!"
    - they (the leaders) should participate on the keynote OWASP presentation (representing his chapter or project)
    - if it is a project leader he/she should be given a 5m/10m/15m/30m/45m' slot to present his work
    - if it is a chapter leader he/she should be given a 5m/10m/15m/30m/45m' slot to present what happens at his/hers chapter, and give an 'quick' preview of the presentations that happened there on the last 6/12 months
    - we have to remember that in a lot of cases (take Matt Tesauro case) in order to participate on these conferences they have to use their 'Holiday/Vacation' days (which can be quite a large personal sacrifice)
    - as OWASP grows and is more and more successful, we have to make sure that we keep managing the expectations and views of the 'VERY IMPORTANT' OWASP contributors that happen NOT to be involved in a particular conference. I really worry when I hear comments like 'I work so HARD for OWASP and I have to PAY!! to attend a conference that exists (in part) of my contributions!'

    Rex & Others, sorry for only sending these ideas and comments now (in an ideal world I should have been more involved with this conference organization), but as with everybody, I find it very challenging to find the time to participate and contribute as much as I should.

    Again, the AppSec DC team is doing a GREAT Job (in a tough climate) and they deserve our maximum support!!!

    Dinis Cruz