Difference between revisions of "OWASP O2 Platform"
Dinis.cruz (talk | contribs) |
Dinis.cruz (talk | contribs) |
||
Line 35: | Line 35: | ||
==== O2 on Twitter & references ==== | ==== O2 on Twitter & references ==== | ||
+ | '''O2Platform on Twitter''' | ||
<!-- Twitter Box --> | <!-- Twitter Box --> | ||
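Review bot: the added bold line '''O2Platform on Twitter''' sits directly under the ==== O2 on Twitter & references ==== heading and repeats it, so the section now opens with two near-identical titles. Consider dropping the bold line, or turning it into a proper sub-heading so that it shows up in the page outline.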
Line 40: | Line 41: | ||
|- | |- | ||
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | | | style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | | ||
− | Use the '''[http://search.twitter.com/search?q=O2Platform O2Platform]''' hashtag for your tweets | + | Use the '''[http://search.twitter.com/search?q=O2Platform #O2Platform]''' hashtag for your tweets |
'''O2Platform Twitter Feed ([http://twitter.com/O2Platform follow us on Twitter!])''' | '''O2Platform Twitter Feed ([http://twitter.com/O2Platform follow us on Twitter!])''' | ||
<twitter>90148956</twitter> | <twitter>90148956</twitter> |
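Review bot: the changed line updates the link label to #O2Platform but leaves the target as search?q=O2Platform, so the link still searches for the plain word rather than the hashtag the text asks people to use. If the hashtag search is intended, the query needs the URL-encoded form, q=%23O2Platform.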
Revision as of 23:41, 16 November 2009
NOTE: this OWASP section of O2 is still under very heavy construction, so for now, please see http://www.o2-ounceopen.com for the latest O2-related updates and downloads
Home Page
O2 is a collection of Open Source modules that help Web Application Security Professionals maximize their efforts and quickly obtain high visibility into an application's security profile. The objective is to 'Automate Application Security Knowledge and Workflows'.
To gain a better understanding of "what is O2?", start with this presentation "What is the OWASP O2 Platform" and then read this presentation "OWASP O2 Platform Modules".
History
O2 (OunceOpen) originated from the work of OunceLabs' Advanced Research Team (ART), and aims to push the power of multiple Static Analysis engines to the limit.
These tools have been developed by Security Professionals FOR security professionals, and are designed to automate the security consultant's brain.
External (to OWASP) O2 website
O2 has a sister (to OWASP) website which contains additional documentation, downloads and O2-related blogs: http://www.o2-ounceopen.com
Try O2!
Download the latest version of the Binaries, Installers or Source Code (from Files (Binaries, Source and Demos))
- Binaries: _Bin_(O2_Binaries) 09-Nov-09.zip
- Source Code: _SourceCode_O2 09-Nov-09.zip
- MSI Installers: _O2_Installers 09-Nov-09.zip
Or you can install the most commonly used O2 Modules directly from the web (using Click Once) at http://deploy.o2-ounceopen.com/:
- O2 Tool - XRules - O2's eXtended rules environment, which allows the execution and editing of complex security analysis workflows
- O2 Tool - SpringMVC - Support for Spring's Framework MVC
- O2 Tool - RulesManager - Powerful viewer and editor for Ounce's Rules
- O2_Tool_FindingsViewer - Powerful Filter and Editor for Ozasmt files
- O2_Tool_CirViewer - View and create (for .NET) CIR (Common Intermediate Representation) Objects
- O2_Tool_SearchEngine - RegEx text search based GUI
- O2_Tool_CSharpScripts - Edit and Debug C# Scripts
- O2_Tool_DotNetCallbacksMaker - Automatically create Ounce Rules for .NET Callbacks
- O2_Tool_FindingsQuery - Filter Ozasmt files using lambda-like queries
- O2_Tool_JavaExecution - Write O2 scripts in Java
- O2_Tool_JoinTraces - Join traces (for example .NET and Web and Web Services layer)
- O2_Tool_Python - Write O2 scripts in Python
- O2_Tool_O2Scripts - O2 scripts editor (includes O2 Object Model)
- O2_WebInspect - PoC of Integrating Ounce's & WebInspect's assessment data
For demos, try these:
- O2 demo Pack 25_11_2008.zip
- Updated version of HacmeBank
- Apps To Scan (directory)
- Demo files (directory)
- External tool (usually used when building Test environments or Student VMs)
Code Repository and Bug Tracking System
O2 uses Google Code for its core repository and bugtracking system: http://code.google.com/p/o2platform/
Sub-Projects
Supported Technologies
O2 Documentation
OWASP O2 Platform/WIKI/O2 Documentation
Research
This page contains links to other relevant research in this area:
- WALA (Watson Libraries for Analysis) - The T. J. Watson Libraries for Analysis (WALA) provide static analysis capabilities for Java bytecode and related languages
Mailing list, O2 Presentations
You can join the O2 Platform Mailing list using this form or you can read its archives here. After subscribing, you can email this list using the owasp-o2-platform (at) lists.owasp.org email address.
- OWASP AppSec DC Conference, USA (13-Nov-09) - "OWASP O2 Platform - Open Platform for automating application security knowledge and workflows", Dinis Cruz
- In this talk Dinis Cruz will show the OWASP O2 Platform which is an open source toolkit specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews. The OWASP O2 Platform (http://www.owasp.org/index.php/OWASP_O2_Platform) consumes results from the scanning engines from Ounce Labs, Microsoft's CAT.NET tool, FindBugs, CodeCrawler and AppScan DE, and also provides limited support for Fortify and OWASP WebScarab dumps. In the past, there has been a very healthy skepticism on the usability of Source Code analysis engines to find commonly found vulnerabilities in real world applications. This presentation will show that with some creative and powerful tools, it IS possible to use O2 to discover those issues. This presentation will also show O2's advanced support for Struts and Spring MVC.
- OWASP AppSec Brazil Conference
- OWASP AppSec Ireland
- OWASP London Chapter
- UK Developer Event (Microsoft Oxford Research Campus)
- OWASP AppSec Poland Conference
- Confidence Conference (Poland)
O2 on Twitter & references
O2Platform on Twitter
Use the #O2Platform hashtag for your tweets. O2Platform Twitter Feed (follow us on Twitter!)
External References & Blog posts
Blogs
- Machinations Over O2, John Steven, 18/Nov/09
- IBM OWASP's O2 and Dinis, Gunter Ollmann, 17/Nov/09
- O2: A brief introduction and why you should care, Daniel Cuthbert, 17/Nov/09
- The Future of O2, R'Snake Blog, 14/Nov/09
- O2: 'Open Platform for automating application security knowledge and workflows', Michael Foord, 30/Sep/09
Project Details