The O2 Platform is like a Microscope

Dennis Groove gave a really nice answer today on how he views the O2 Platform: "...O2 is in my humble opinion a tool not dissimilar from a microscope, it allows you to see what can not be seen. So yes, it does allow you to identify security vulnerabilities via static analysis and other methods. However, that is not really using the tool to its full potential..."

Here is the question asked on the O2 Platform mailing list:

I am going to perform a security test on the project, I think O2 is a good tools for security test, is there some test scenario or test result that relate to security vulnerability?

Here is the full answer:

O2 is in my humble opinion a tool not dissimilar from a microscope, it allows you to see what can not be seen. So yes, it does allow you to identify security vulnerabilities via static analysis and other methods. However, that is not really using the tool to its full potential. As an example the following is an actual use case:

We examined over 5,000 user accounts of a client with O2.

You can not view this on a 'screen' nor can you verify any given account has the correct 'access control'. How do you 'verify' that the accounts have the correct permissions?

O2 allowed us to do this statistically. We could see six strong groups to which most 'accounts' belonged. We could also see over 3000 exceptions to the groups. So this indicates you have 3000 problems!

There are 3000 use cases 3:5 that don't fit the 'normal' mode! So a new model is required. If you go looking for security issues, it is always in the edge cases; there are 3000 of them here. This is just in user provisioning alone.

So how could you even 'see' this otherwise? Only O2 allows you to do something like this currently.

O2 does this and so much, much more.

And I completely agree with Dennis, the key to start using O2 is to know what Question to ask!

One day all this info will be consolidated on a O2 Platform website, meanwhile here are a good number of links to start looking:

• O2 Platform page in this blog (includes download link)
• The beginning of  book on O2 Platform's Web Automation capabilities
• 'How to start using the O2 Platform and its scripting capabilities?' (and how I used the O2 Platform to solve a hard integration problem in May 2013) 
• 39 Videos
• A presentation on the O2 Platform
• Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform 
• Where Is .NET Headed? and the cost for Microsoft of ignoring the O2 Platform 
• 211 O2 Platform related posts on this blog
• 100+ O2 Platform related posts on http://o2platform.wordpress.com