....I would like to call your attention to a research project I have been working on for the past 12 months, which recently have been released under an Open Source license.
As some of you know, I have been contracting for a while at Ounce Labs as a security consultant to perform advanced security analysis/reviews of real-world applications. Well, as it is also widely known in the web app sec security industry, tools like Ounce, Fortify, Cat.Net (& others) don't always provide the answers and visibility required by knowledgeable security consultants.
Although the Ounce GUI has some of those limitations, its core engine is REALLY powerful, so what I did, was to build a number of tools that allow power users to REALLY gain visibility into what is going on. Basically I wrote these modules to answer the questions that I had during those engagements. And while buliding those tools, I found a way to 'automate my brain' :)
I called this toolkit O2 (for Ounce Open) and I really credit Ounce Labs for: a) paying me to develop it, and b) release it under an Open Source license. The main O2 website is at http://ounceopen.squarespace.
Now, at the moment, these tools are still in a very 'early beta' state, and they are really customized to the way I (Dinis) like to work. So that the rest of the community can use it, I'm working hard at the moment to break part a lot of the O2 modules and on documenting how it works.
I have to admit that analyzing applications with O2 is VERY addictive and empowering, since finally I am able to 'script my brain' and really gain visibility what is going on.
See this screen shoot for a good example of 'O2 goodness' http://ounceopen.squarespace.
This screenshot represents what I call a 'complete trace' , i.e. a trace that goes from the 'begining of the attack surface' all the way to the' exit point' of the application (in ths example, the trace starts on the web layer (with an Asp.Net page load event) goes though the web services invocation (note how I 'glued two traces together': the web layer invoke with the web services [webmethod]) and ends up on an SQL execute.
That screen shot is from the O2 presentation I posted here: http://ounceopen.squarespace.
To test O2, just open the following links to install (via .NET's Click-Once technology) the main O2 modules:
- SAR (Search Assessment Run) - Installer on http://184.108.40.206/O2_
- O2_CirAnalysis - Installer on http://220.127.116.11/O2_
- O2_CSharpScripts - Installer on http://18.104.22.168/O2_
- O2_WillItScan - Installer on http://22.214.171.124/O2_
For more background info on O2's history and what it can do, please read:
- O2 presentation (Jan 09) (the O2 presentation also linked above)
- OunceLabs releases my research tools under an Open Source license (it's called O2 and is hosted at CodePlex (from my personal blog)
- So what can I do with O2? (from my personal blog)
com/technical-info/- O2 main tech blog
com/o2-challenges-can-you-- Blog with challenges for the O2 community solve/
I am also working with Paolo and Stephen from OWASP's Orizon project to be able to used O2's modules on top of Orizon's results (there is also a 'secret' project to find a way to convert Fortify's XML results into Ounce's XML format)
So yes, in the short term, the plan is that you will be able to use to use O2 on top of Ounce's, Cat.Net, OWASP's Orizon or even Fortify's scanning engine :)
So please give O2 a test drive and give me feedback on what you would like it do to.
If you are not a current Ounce customer, you can use the demo files I posted on the O2 website or, if you want to take Ounce 6.x for a test-drive, please create an account on the O2 website and make a request here https://ounceopen.squarespace.
Looking forward to your comments