Friday 30 July 2010

What is going on with you (Jul 2010) and are you at BlackHat / DefCon?

Since I have a number of similar questions in my Inbox, it will be easier to reply to them here :)

No, I'm not at BlackHat and DefCon (I'm an independent contractor now so I have no company to send the bills to and I was not able to get O2 to generate enough revenue to organize a BH/DC gathering)

Regarding what has been going on, here is a selection of blog posts that cover the last couple months:

O2 Platform, ideas on where to start

If you want to delve deeper into O2's world I would say that your first step is to replicate the BlackBox and WhiteBox examples that I have already created and published with O2 (check out the Demo's Tab in the main GUI).

Some pointers:
  • If you are on a 32bit box, I would recommend that you use the latest version of O2 (which is only available via the ClickOnce install) since it has a ton of new features
  • Install HacmeBank and WebGoat locally
  • Write a BlackBox script to exploit an SQL Injection in HacmeBank and an XSS in WebGoat
  • From HacmeBank's Source Code, build its MethodStreams and find the SQL Injections on the WebServices, and connect the WebLayer with the WebServices Layer
  • Transform the above scripts into Unit tests
  • Create a document with your experiments containing tons of screenshots about it
  • Create a video with your experiments (and publish it, or send it to me)
If you have any issues, join the O2 Platform mailing list and ask a question.

There is also an Amazon EC2 image that I have with O2 fully configured, which I can give you access to if you ping me directly

Wednesday 28 July 2010

New funding model for O2's Development

This is the first of a series of blog entries that I will write on the topic of "O2 Funding model and the multiple Business Modules that are (in my point of view) 100% compatible with O2's Open Source positioning."
----- (content from the current version of
With the objective to create a funding source for O2's development, the following Pledges have been set-up at

O2 Specific

Framework specific

Industry sector specific

Not an OWASP activity
Please note that the above pledges are NOT OWASP driven activities and OWASP has no responsibility on the allocation of the funds pledged. This is an experiment to see how this model could be used to generate funds for OWASP Projects.

Thursday 8 July 2010

First major release of the OWASP O2 Platform - please download and try it

After 6 months of dedicated development, I'm happy to announce that I finally published a first major release of the OWASP O2 Platform (with an installer, documentation+videos and a number of key/unique capabilities).

There is a brand new GUI which makes a massive difference in finding the available scripts, tools and APIs that exist inside O2 (if you tried the previous versions you will really appreciate this). You can see the new GUI and access the download link at this page: 
This is the moment when I'm asking you to PLEASE TRY IT, and provide feedback on: what you like, what works, what doesn't work, what could be improved, etc... (if you want to file a bug, please use this web interface)

There is enough functionality + capabilities + power in this version of O2, that I finally have the confidence to make this direct request for you, knowing that no matter what area of Web Application Security you are involved in, there will be an O2 Script/Module/Tool that will make you more productive.

Since the new GUI is very recent, most documentation and videos available start with the previous GUI. But since I can now easily create detailed WIKI documentation pages and/or videos using O2, my plan is to reply to your questions that way (i.e. with a video or wiki page)

In addition to the new GUI, there are a number of key O2 features and capabilities that I was finally able to piece together last week (for example the creation of a 'complete trace+animation for a HacmeBank vulnerability' packaged as a UnitTest). I will be documenting these in the next days/weeks. I will also be posting soon details about a new funding & commercial-services model for O2 and 3rd party companies.

So, have a go, try it and please post on this list as many details on your 'O2 experience' as possible.

Thanks for the help

I'm looking for work (O2 related work :) ) and O2's Commercial Ecosystem

Now that the OWASP O2 Platform is finally ready for a wider audience, I'm focusing on my next challenge which is to create a vibrant and healthy commercial ecosystem around O2.

Since I'm probably the only guy in the world that today really knows how to get the most power out of O2, and, the one that is able to successfully use it in real-world commercial engagements, if you are looking to hire an O2 expert, the best person for you to hire is me (as you can see below, as the O2 Ecosystem grows, I will also put you in touch with other O2 experts)

Of course, I don't scale, and there is only a small number of security engagements that I can be involved in at any given time.

My objective in personalising this request, is so that I can be exposed to new 'O2 related business' opportunities, which I will then push/expose to existing consulting security companies and/or security tool vendors.

Why? Because the higher the 'O2 related revenue streams' that these companies have, the more they will invest in O2 (namely the more time and effort they will put into integrating O2 into their current technology and business practices).

The challenge is how to kickstart this process?

My plan is to:

- Use me (as main O2 developer and reputable (I hope) security consultant) to attract clients that need application security reviews and expertise
- Funnel most of these 'O2 related' engagements to existing 'O2 Platform Accredited Service Providers' and work directly with them in the first couple engagements
- Create a number of 'non services related' revenue streams for O2, which I will then use to build a solid development and support team for O2

So, if you ever wanted to hire me to work on a security engagement or have a problem that you feel O2 can solve, now is the perfect time to talk :)

If you are a security consultancy company and want to be one of these 'O2 Platform Accredited Service Providers', drop me a line or wait for the announcement of how the process will work.

Update on OunceLabs+IBM story and "OWASP O2 Platform is ready for you (after 6 months solid development)"

So what is happening with the OWASP O2 Platform, with me, and why am I only writing this blog post now? (7th of July 2010)

For the past 6 months I have been following an opportunity that I was given by the IBM purchase of OunceLabs and the previous Open Sourcing of my research on static analysis (originally on top of the OunceLabs engine).