Wednesday 24 September 2008

OunceLabs releases my research tools under an Open Source license (it’s called O2 and is hosted at CodePlex)

Hello, as you probably know I have been consulting with OunceLabs (http://www.ouncelabs.com) for the past 18 months, and for the last 9 months I have been deeply involved in an internal project which I am very excited about and which is now being released under an Open Source license (go Ounce!!!)

One of my tasks at OunceLabs was to make their technology 'Work' from the point of view of an advanced security consultant (like me). By 'Work' I mean create a model that uses (sorry for the cliché) People + Process + Ounce Technology, where the latter (Ounce Technology) is used throughout an entire engagement (versus the current model, where it is mainly used at the beginning of the engagement or to perform specific analysis).


One of the main criticisms made of Static Code Analysis tools (like Ounce) is that "they are only good for a couple of things and they are not able to find XYZ...." (for example see this list: http://www.owasp.org/index.php/Limitations_of_Fully_Automated_Scanning). And the reality is (with a couple of variations here or there) that this criticism is completely true. The 'out-of-the-box' source-code scanning technology is designed to target a very different user.

Ironically, these tools usually find themselves trapped in a world where their features are too complicated for 'simple' users and not powerful enough for power users (i.e. the security consultants). Just a caveat: there are a number of very valuable use cases where the 'out-of-the-box' source-code analyzers have enormous value and should be used/bought by clients (which is why Ounce and Fortify have a ton of clients today), but the business case for their use by knowledgeable security consultants is still very weak today (Sep 2008), because even when they have access to those tools, these consultants still find themselves spending a significant percentage of the engagement time performing manual reviews or writing scripts to cover the tool's blind spots.

So how do you design something that can: a) be used by a knowledgeable security consultant just about 100% of the time, b) add spectacular value to his (or her) work and c) allow him (or her) to discover all types of vulnerabilities?

Easy: instead of automating source code analysis, you automate the security consultant's brain :) . In other words, don't create a solution to 'perform complexity analysis', create a solution to 'enable complexity analysis'.
And that is what O2 (Ounce Open) is :)

O2 has been released under an Apache 2.0 Open Source License and is hosted at CodePlex: http://www.codeplex.com/o2

So what is O2?

Well, in my mind O2 is a combination of advanced tools (Technology) which are designed to be used in a particular way (Process) by knowledgeable individuals (People).

Think of it as a fighter jet that is able to go very fast, has tons of controls, needs to be piloted by somebody who knows what they are doing and needs to have a purpose (i.e. a mission).

Basically what I did with O2 was to automate the workflow that I have when I'm engaged on a source-code security review.

Now, here is the catch: this version is NOT for the faint-of-heart. I designed this to suit my needs, which, although largely the same as those of most other security consultants, have their own particularities :)

The whole model of O2 development is based around the concept of automating a security consultant’s brain, so I basically ensure that the main O2 developer (Dinis Cruz) has a very good understanding of the feature requirements of the targeted security consultant (Dinis Cruz) :) . And this proved (even to my surprise) spectacularly productive, since suddenly I (i.e. the security consultant) didn't have to wait months for new features to be added to my toolkit. If there was something that needed to be added, it would just be added in days or hours.

OK, I know, your question now is: technically speaking, what is inside O2 and what are the dependencies on Ounce Labs' main product (which is not Open Source)?

The quick answer is: there is O2 functionality that can be used independently, and there are some features that will require direct access (now, or at some previous point in time) to a paid Ounce CORE (which is the engine that performs the analysis).

But the bottom line is that even if you don't have access to an Ounce CORE, you can still get a huge amount of value from O2 and use the following features:
  • Powerful Scripting environment to automate a security consultant's brain and perform advanced analysis

  • Standard Vulnerability Assessment Markup Language and a very powerful viewer and analyzer for it (including a very cool GLEE based data flow visualizer)

  • Standard Common Intermediate Representation Language (CIR) and a very powerful viewer and analyzer for it (think of this CIR as an MSIL equivalent, where source code (or something else) is converted into an Intermediate Representation which is then analyzed using common tools)

  • Scalable Regex search tool (able to handle 1 MLoC, i.e. a million lines of code)

  • Multiple learning resources (we will publish Ounce-dependent materials (for example scans and CIR dumps) for applications like HacmeBank & WebGoat and also for common frameworks (for example Spring MVC). Talking about Spring MVC, for previous projects I have built a Spring MVC visualizer which I will also publish very soon)

  • Web Automation tools (exposed to the scripting environment)

  • And finally, my favorite O2 feature: the O2 Command Line (basically EVERYTHING inside O2 is exposed via a special command line which just rocks :) (I wish all tools had something like this)
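To make the 'scripting environment' and 'regex search' items a bit more concrete, here is a small added example of the kind of sink-hunting script a consultant writes to cover a scanner's blind spots. This is my illustration for this post, not O2 code and not Ounce's rule set (O2 itself is .NET based; Python is used here only because it is short to read). It walks a set of source files, runs a table of sink regexes over every line, skips whole-line comments so that dead code does not generate noise, and returns structured findings that a script can then triage or export. The rule names, the regexes and the two Java snippets are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Illustrative sink patterns a consultant typically chases by hand after a
# scanner run. These are example rules, not O2's or Ounce's rule set.
SINK_RULES: Dict[str, "re.Pattern[str]"] = {
    # OS command execution via the JDK Runtime API
    "command-exec": re.compile(r"\bRuntime\.getRuntime\(\)\.exec\s*\("),
    # JDBC execute*() whose first argument is built by string concatenation
    "sql-string-exec": re.compile(
        r"\.(?:execute|executeQuery|executeUpdate)\s*\(\s*(?:\"[^\"]*\"\s*\+|\w+\s*\+)"
    ),
    # Raw writes to the servlet response (potential reflected XSS)
    "raw-response-write": re.compile(r"\bgetWriter\(\)\.(?:print|println|write)\s*\("),
    # Reflection-based class loading
    "reflection-load": re.compile(r"\bClass\.forName\s*\("),
}

# Whole-line comments (// ..., /* ..., * ...). Crude: trailing comments are not handled.
COMMENT_LINE = re.compile(r"^\s*(?://|/\*|\*)")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    snippet: str


def scan_source(path: str, text: str, rules=SINK_RULES) -> List[Finding]:
    """Run every sink regex over each line of one file, skipping comment-only lines."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if COMMENT_LINE.match(line):
            continue
        for rule, pattern in rules.items():
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, line.strip()))
    return findings


def scan_tree(files: Dict[str, str], rules=SINK_RULES) -> List[Finding]:
    """Scan a mapping of path -> file contents (in real use, read the tree from disk)."""
    out: List[Finding] = []
    for path in sorted(files):
        out.extend(scan_source(path, files[path], rules))
    return out


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per rule, the first thing a consultant wants to see."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample sources (not from any real application).
SAMPLE_FILES: Dict[str, str] = {
    "src/UserDao.java": '''public class UserDao {
    public ResultSet find(Statement st, String name) throws SQLException {
        // st.executeQuery("SELECT 1 " + name);  old code, left commented out
        return st.executeQuery("SELECT * FROM users WHERE name='" + name + "'");
    }
}
''',
    "src/PingServlet.java": '''public class PingServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String host = req.getParameter("host");
        Process p = Runtime.getRuntime().exec("ping -c 1 " + host);
        resp.getWriter().println("pinged " + host);
    }
}
''',
}

if __name__ == "__main__":
    results = scan_tree(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line} [{f.rule}] {f.snippet}")
    print(summarize(results))
```

The point is not the regexes themselves (they are deliberately simple and will miss wrapped APIs and multi-line calls) but the shape of the script: findings come back as data rather than as a grep dump, so the same run can feed a viewer, a diff against last week's scan, or a filter that drops sinks the consultant has already reviewed.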

If you have access to a CORE, in addition to the above you will be able to fire up new scans, create the consolidated CIR files and add custom rules.

And if you DON'T have access to a CORE today, I'm also very happy to say that Ounce has dropped the common industry BS practice of not providing evaluation versions (and requiring NDAs to be signed and countless hours with sales guys asking you questions like 'So.... how many applications do you want to scan and how much value do you think you are going to get out of this tool.....'). In marketing-speak, this is what the new OunceLabs' CEO publicly said recently: '... we will establish a viral community dedicated to removing many of the most attractive targets for the bad guys, and to do it in a way that every organization can understand and use. Our mission is to ensure that this year, every company will have access to these tools and will be able to afford, deploy, and capitalize on them..', and in practical terms this means that you will very soon be able to request an evaluation download from the OunceLabs website.

Meanwhile you can email me directly (dinis.cruz@ouncelabs.com) and I will sort you out with an evaluation version which will allow you to try O2 in all its power.

Hey, I'm a happy bunny now: 18 months later, OunceLabs has finally turned the corner and seems genuinely focused on addressing the needs of the security community. This will really help to make a difference in improving the quality and security of the software applications we all use every day.

Of course we still have a very long way to go. With tons and tons of frameworks out there which implement their own abstraction layers, and with new versions of the base languages (Java & .NET for example), there is a huge amount of work ahead of us.

And remember, O2 is NOT a simple, easy-to-use, stable tool. O2 is a giant prototyping engine and it sort of lives in a Darwinian world where new features are being added all the time :) . If you want a stable and reliable tool you need to buy Ounce's OSA (Ounce Security Analyst) :)

So what is the difference between O2 (the open source toolkit) and OSA (Ounce's current GUI for CORE's results)?

Is O2 designed to replace OSA?

No, not at all!

My goal with O2 is to be able to give the Ounce engineering team (which btw is really good, and I highly respect the work those guys are doing over there) very CLEAR briefs of what I (as a security consultant) need in order to be effective in my work.

So instead of me going to the Ounce engineering team and saying '...Hey guys, I need this feature, or I need you to change this for me...', I go '.. hey guys, here is an O2 feature that does what I need it to do, so can you please now productize it and make it simple and stable...'

This also solved a big problem that I had, which was that in the middle of an engagement one can't wait for the engineering team to add the feature or 'framework support' that you need (remember that those guys are supposed to be building the 'stable' stuff, and you can't really do that in hours or days :) ).

The model works great, and is a win-win situation. I get the ability to solve my problem in real-time during the security engagements; Ounce Engineering gets solid briefs for the development of the next versions of the product (which will be used by users who either don't want the advanced capabilities exposed by O2 or simply don't have the time (for example, I still use OSA for projects that I can't spend a lot of time on)); and we are also able to add entry-level support for all sorts of languages, frameworks and APIs much more quickly.

Btw, if you are at the OWASP NYC conference today or tomorrow, please pop in to OunceLabs' booth and I will give you a tour of O2.

Let’s start the party!!!!

Dinis Cruz