O2 presentation Jan 09 - v1.00
Post on 27-Dec-2014
Dinis Cruz, January 2009
2
O2 means
Ounce Open
* all images taken from http://images.google.com, use it to find the image source :)
3
O2 allows you to do impossible things ...
4
… and once you see how deep the rabbit hole goes ....
5
… you will see the world in a completely different way
6
You need to know what you are doing ...
7
… and you will get lost ...
8
… but you will be empowered to find your answers.
9
When it works, it's like a well oiled machine
10
When it doesn't, it gets messy
11
Some problems will not be solved in traditional ways...
12
… and you will need to trust your instincts …
13
… when you gain visibility, your clients will love you ...
14
… and the efforts will be worth it:
15
Finally, be warned, too much exposure could have some side effects...
Mark Curphey (http://securitybuddha.com/2007/09/18/mc-borg/)
16
Where does O2 Fit
O2 should be seen as an example of Ounce's extensibility, customization and Openness
17
What can O2 do for advanced users?
• Note: most of current Ounce clients DON'T need O2 today
• O2 can solve the problems that Advanced users WILL have
• Advanced users = Security consultants & Ounce Partners
18
What can O2 do for advanced users 1/3?
• Handle large assessment files & create separate assessment files based on logical criteria
– Unique lost sinks, combinations of source/sink/validators
– 500+ MB assessment data
– Global analysis of partial scans
• Scan 1 MLoc+ applications
– In fact there is no theoretical LIMIT on the size of scanned applications
• Mass rule creation
– For example adding rules for Web Services/APIs
– Reality check: once enough custom rules are added (and 100,000s of traces are created), even WebGoat can create problems for OSA
• OSA was designed to minimize false positives/negatives
• O2 was designed to maximize visibility and insight into an application's capabilities & behavior
19
What can O2 do for advanced users 2/3?
• Create ALL (+/-95%) possible 'complete' traces (Ounce covers 10%), including support for
– Interfaces
– Anonymous methods / Delegates, HashMaps, Attributes
– Web Services Glue (.Net)
– Trace Gluing / creation of virtual traces (i.e. joining independent traces from scans)
– No more 'Lost Sinks' and Type IIs (since there is a rule/trace for everything)
• Advanced findings filtering
– List unique Lost Sinks
– Multi-layered queries
– Remove duplicate traces
• Create new findings/traces (programmatically manipulate ALL findings data)
• Visualize multiple traces
20
What can O2 do for advanced users 3/3?
• Handle any .Net or Java framework
– Web frameworks (like Spring MVC, MS Enterprise Library)
• Allows analysis of
– SOA applications (via Web Services support)
– API analysis (for example Data APIs)
• Rule Packs (creation & import)
• Expose 'Object Model' of all O2 capabilities
• Programmatic access to the numerous O2 'data' objects:
– Cir, Project, SavedAssessmentFiles, RegEx text search
• Create 'Scan Bundles'
– Upload 'Scan Bundles' to a Web Service and download the results (SaaS model)
21
Reality check on SAST tools market
• What can tools do?
(SAST = Static Application Security Testing)
22
SAST tools need better coverage
• By 'coverage' I mean a complete 'real world' trace (like the one I showed for Hacme Bank: WebLayer → WebService → SQL trace)
• 'Real World' traces go through:
– Attributes
– Interfaces
– Global Variables
– Properties and HashMaps (getters and setters)
– Web Services
– Multiple Languages (C# → SQL)
– APIs & Frameworks (which create alternative realities, à la Spring Framework)
– Xml Configuration files, etc...
• The glass is not very full!!!
– For everybody in the SAST space
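The 'trace gluing' of slide 19 and the broken 'real world' traces described above (a scanner trace that dies at a web-service proxy call instead of reaching the SQL sink), as an added toy model in Python. This is not O2's code; the scan data, method names and the proxy-to-service glue rule are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Trace:
    nodes: Tuple[str, ...]  # method names: nodes[0] is the source, nodes[-1] the sink
    sink_kind: str          # "real" (e.g. a SQL call) or "lost" (a call the scanner did not follow)

def unique_lost_sinks(traces: List[Trace]) -> List[str]:
    """The 'unique lost sinks' query: distinct methods at which traces stop short."""
    return sorted({t.nodes[-1] for t in traces if t.sink_kind == "lost"})

def dedupe(traces: List[Trace]) -> List[Trace]:
    """Remove duplicate traces (same node sequence), keeping first-seen order."""
    seen, out = set(), []
    for t in traces:
        if t.nodes not in seen:
            seen.add(t.nodes)
            out.append(t)
    return out

def glue(traces: List[Trace], rules: Dict[str, str]) -> List[Trace]:
    """Build virtual end-to-end traces: a lost sink that `rules` maps (or that is identical)
    to another trace's source is continued with that trace, recursively; consumed fragments are dropped."""
    by_source: Dict[str, List[Trace]] = {}
    for t in traces:
        by_source.setdefault(t.nodes[0], []).append(t)
    def extend(t: Trace) -> List[Trace]:
        if t.sink_kind != "lost":
            return [t]
        entry = rules.get(t.nodes[-1], t.nodes[-1])
        nexts = [n for n in by_source.get(entry, []) if n.nodes[0] not in t.nodes]  # no cycles
        if not nexts:
            return [t]  # still lost: no scanned trace starts at this method
        return [g for n in nexts for g in extend(Trace(t.nodes + n.nodes, n.sink_kind))]

    consumed = {rules.get(t.nodes[-1], t.nodes[-1]) for t in traces if t.sink_kind == "lost"}
    roots = [t for t in traces if t.nodes[0] not in consumed]
    return dedupe([g for r in roots for g in extend(r)])

# Constructed scan output, modelled on the deck's WebLayer -> WebService -> SQL example.
SCAN = [
    Trace(("Web.Transfer.btnTransfer_Click", "WebServiceProxy.TransferFunds"), "lost"),
    Trace(("WebService.TransferFunds", "Business.Transfer", "Data.ExecuteQuery"), "real"),
    Trace(("WebService.TransferFunds", "Business.Transfer", "Data.ExecuteQuery"), "real"),
    Trace(("Web.Login.btnLogin_Click", "WebServiceProxy.Authenticate"), "lost"),
]
# Constructed glue rule: the generated proxy method corresponds to the service entry point.
RULES = {"WebServiceProxy.TransferFunds": "WebService.TransferFunds"}
```

With the rule applied, `glue(SCAN, RULES)` yields one five-node trace ending at the SQL sink plus the Authenticate fragment, which stays a lost sink because no scanned trace starts at its target; without the rule every fragment stays as scanned.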
23
Ounce Technology exposed by O2
• Best example of Ounce's Extensibility, Openness and Technology
• Standard Source Code Assessment File (*.ozasmt)
• Standard Source Code representation (Cir Dumps)
• Standard Application / Project definition (*.paf, *.ppf)
• There are "NON-Ounce dependent" O2 modules to manipulate all of the above
• CIR (Common Intermediate Representation)
– Object model of analyzed source code
24
SAR: Best O2 module for OSA users
• SAR: Search Assessment Run
– 2 MB web-based install with auto updates
– Can read and process OSA generated assessment files (ozasmt)
– Can create assessment files (ozasmt) readable by OSA
25
O2 positioning
26
Where O2 adds value 1/2
27
Where O2 adds value 2/2
28
Bottom line on O2
O2 is what the security consultants want! (since it 'automates' their brain)
It also shows that anything is possible
Without O2, SAST technology (Ounce 6.x & current direct competitors) is hard to use by security consultants on any mid-size+ application, since it doesn't provide enough visibility on what is going on
O2 allows the successful analysis of large applications
O2 allows the discovery and reporting of 'insecurity patterns' (versus # of vulnerabilities)
O2 allows the discovery and reporting of NEW types of vulnerabilities or NEW exploit paths between source->sink
O2 Modules can be seen as prototypes for the next generation of Ounce products
29
Demos
• 2 minute O2 install and experience
– Will It Scan
– Join traces
– Search Assessment Run
• OunceOpen Website: http://ounceopen.squarespace.com
30
O2 Roadmap – next months
• New IDE (SharpDevelop based)
• Refactoring of main modules into an MVC architecture. This will allow:
– Remote & distributed (server or process) execution
– Exposed by Web Services
• VDB Rule support & Ounce Rules mapped to all traces
• CAT.NET, Orizon and Fortify 'translators'
• Basic call flow & data flow (via community)
– SQL & Javascript (client side)
• Semi-automated Xml Config Analyzers
• Full Framework Mappings and support for Spring .NET and Sharepoint Mappings/Support
• Create 'Real World Assessment' Reports for HacmeBank & WebGoat
31
That's it :)
• Questions?