Thursday, 3 September 2009

O2: 'Open Platform for automating application security knowledge and workflows'

O2 (which stands for Ounce Open), soon to become the 'OWASP O2 Platform', is an open source project designed to improve the productivity and capabilities of security consultants who perform application security engagements.

A good definition is: 'O2 is an Open Platform for automating application security knowledge and workflows'

Although it was originally designed to enhance source code analysis, it has evolved into more of a "static, dynamic, real time" analysis environment and platform.

In a nutshell, O2 is a bunch of (about 25) open source modules/tools that help with the multiple aspects of performing an application security engagement (in most cases by extending the capabilities of several Commercial and Open Source tools).

There is a large number of O2 modules that are designed to work specifically with the Ounce 6.x product (Ounce Labs Static Analysis engine), and several other O2 modules which are 100% independent and can be used with only freely available or Open Source tools.

One of the most powerful features of O2 is its scripting and customization capabilities. Currently O2 supports scripting in:
  • any .Net language (with an O2 module dedicated to coding and debugging C#),
  • Java via IKVM,
  • Python & Java via Jython, and
  • Python & .NET via IronPython.
Everything in O2 is exposed via powerful object models and schemas (which are designed to make the security consultant much more productive).

Ultimately the power of O2 is that you can script the security consultant’s brain and really help him to become more productive.

Here is the usual workflow for advanced O2 users:
  • It starts with a PROBLEM (something the security consultant wants to do, but the available tools can't do).
  • In order to figure out a SINGLE SOLUTION for the problem, a number of scripts are written (in O2) to solve (or partially solve) the problem, with the core objective at this stage being to allow the security consultant to continue with his/her job (which is completing the security engagement).
  • After a couple of generations of 'script writing', these scripts can usually be automated and become part of an existing (or new) O2 module.
  • Eventually this script/module/capability fully matures and becomes a fully working prototype,
  • which might (depending on "customer demands + product roadmap", and after a rewrite by the product team) end up in a commercial product (by IBM or others) in a format usable by non-security-knowledgeable users.
The power of O2 is that it puts the security consultant in CONTROL by empowering him/her to solve their problems NOW (and not when the product team is able to allocate the resources).