Tuesday 22 February 2011

Couple blog posts on creating O2 Scripts and APIs

Here is a nice sequence of posts that shows how to go from one simple script to a full API (that is easily consumed from another O2 Script):
Hopefully by the 3rd post it will make more sense how the APIs that are consumed from the O2 Scripting environment were created :)

Dinis Cruz

Wednesday 16 February 2011

Open letter to WebAppSec Tool and Services vendors: Release your schemas and allow automation

I 'soft' published this letter before the OWASP Summit 2011 and it is time for it to go mainstream (note how there are already a number of signatures :) )


To WebAppSec vendors

This request is mainly focused on the commercial vendors of products and services of the following WebAppSec categories: Pen-testing, Code Review, BlackBox Scanning, WhiteBox Scanning and WAFs.

Other software/services categories, including equivalent Open Source tools, are more than welcome to participate.

Open Letter


Open letter to WebAppSec tool/services vendors: Release your schemas and allow automation

Dear vendor,

Although you provide a product or service that automates (as much as you can) the process of evaluating the security of a particular application, at the moment (Feb 2011) it is very hard to consume, consolidate, integrate and instrument your deliverables and technology.

Our industry (and clients) desperately need to move into a world where we are able to consolidate, analyse and present the results created by multiple tools/services. This would create a scenario where we (for example) are able to deliver to developers (as Unit Tests or Software-as-a-Service) 'complete and integrated' findings (i.e. security findings that contain both WhiteBox and BlackBox findings). We also need to be able to create WAF rules from the findings delivered, and must have the ability to integrate them with other technologies used through the Software Development LifeCycle (e.g. BugTracking, Change Control, Application Modelling/Design Tools, Threat Modelling tools, Knowledge-Base/ELearning solutions, etc...)

At the moment there are numerous companies and projects that are trying to achieve such integration (good luck on their endeavours), but we need an independent base we can all work from.

With this in mind, the following data and artifacts are requested from you and ALL product vendors in this space:

  • The XSD (schemas) for ALL released versions of your product/service (starting with the most recent release and going back as far as possible)
  • Sample XML files (or whatever format the data can be exported) of: vulnerable-by-design and Open Source web applications - To kickstart this process please deliver the results for the following applications:
  • Artifacts created during scanning (for example Internal representations of source code or web applications)
  • Rules used during the scans (to allow the replication of findings and the creation of a core 'industry wide' set of rules)
  • APIs that can be used to instrument and control your scanning engine (please provide as much documentation as possible on the currently supported ways to interact with your product)

With these materials (to be uploaded to a google code repository), the OWASP community will try to create the following standards (reusing as much as possible the great work done by others in this space: MITRE, CWE, NIST, OVAL, etc...):

  • Open Findings Schema
  • Open Rules Schema
  • Open Application Artifacts Schema (which could also be called: Open Scan Targets Schema)
  • Open Intermediate Representation Schema (abstraction layer of code and web assets)

The OWASP Summit 2011 represents a unique opportunity to make this happen, so please either provide the requested data yourselves, or allow your current clients to do so (without the threat of a lawsuit).

The undersigned urge you to join this effort and to actively participate in this endeavour.


If you want to sign, please do it here (on the OWASP website)
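The letter's core ask is that tool output become machine-consumable so that WhiteBox and BlackBox findings can be consolidated, correlated and turned into other artifacts (WAF rules, tracker tickets). The script below is an added example, not code from the blog or from any vendor: it parses two constructed scanner exports (an assumed DAST layout and an assumed SAST layout, neither a real product's schema), normalises them into one record type, flags the CWEs that have both dynamic and static evidence as 'integrated' findings, and lists the path/parameter pairs a WAF rule would have to cover. The `OpenFindings` element names are likewise an assumption standing in for the schema the letter asks the community to define.

```python
"""Consolidate two constructed scanner exports into one common record set.
Both input layouts and the OpenFindings output are assumptions for this
example; they are not any real vendor's or OWASP schema."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample export of a BlackBox (DAST) tool.
BLACKBOX_XML = """<scan tool="ExampleDAST" version="1.0">
  <issue id="101" severity="High" cwe="79">
    <url>http://app.example/search?q=test</url><param>q</param>
    <name>Reflected Cross-Site Scripting</name>
  </issue>
  <issue id="102" severity="Medium" cwe="89">
    <url>http://app.example/login</url><param>user</param>
    <name>SQL Injection</name>
  </issue>
</scan>"""

# Constructed sample export of a WhiteBox (SAST) tool, deliberately different.
WHITEBOX_XML = """<Results Product="ExampleSAST">
  <Vulnerability Category="Cross-Site Scripting" CWE="CWE-79" Priority="1">
    <File>src/SearchController.cs</File><Line>42</Line>
  </Vulnerability>
  <Vulnerability Category="Path Manipulation" CWE="CWE-22" Priority="2">
    <File>src/FileController.cs</File><Line>17</Line>
  </Vulnerability>
</Results>"""

@dataclass
class Finding:
    tool: str
    kind: str        # "blackbox" or "whitebox"
    cwe: int
    severity: str    # normalised to "high" / "medium" / "low"
    title: str
    location: str    # URL path (blackbox) or file:line (whitebox)
    param: str = ""  # HTTP parameter, blackbox only

def _cwe_number(text):
    """Accept '79' or 'CWE-79' and return the integer 79."""
    return int(text.upper().replace("CWE-", "").strip())

def parse_blackbox(xml_text):
    root = ET.fromstring(xml_text)
    tool = root.get("tool", "unknown")
    out = []
    for issue in root.findall("issue"):
        url = issue.findtext("url", "")
        out.append(Finding(tool=tool, kind="blackbox",
                           cwe=_cwe_number(issue.get("cwe")),
                           severity=issue.get("severity", "").lower(),
                           title=issue.findtext("name", ""),
                           location=urlparse(url).path,
                           param=issue.findtext("param", "")))
    return out

def parse_whitebox(xml_text):
    root = ET.fromstring(xml_text)
    tool = root.get("Product", "unknown")
    priority_map = {"1": "high", "2": "medium", "3": "low"}  # assumed scale
    out = []
    for vuln in root.findall("Vulnerability"):
        out.append(Finding(tool=tool, kind="whitebox",
                           cwe=_cwe_number(vuln.get("CWE")),
                           severity=priority_map.get(vuln.get("Priority"), "low"),
                           title=vuln.get("Category", ""),
                           location=f"{vuln.findtext('File')}:{vuln.findtext('Line')}"))
    return out

def correlate_by_cwe(findings):
    """Group by CWE; a CWE reported by both kinds is an 'integrated' finding."""
    groups = {}
    for f in findings:
        groups.setdefault(f.cwe, []).append(f)
    return {cwe: {"integrated": len({f.kind for f in fs}) == 2, "findings": fs}
            for cwe, fs in groups.items()}

def waf_rule_targets(findings):
    """(path, parameter, cwe) triples a virtual-patch WAF rule must cover."""
    return sorted({(f.location, f.param, f.cwe)
                   for f in findings if f.kind == "blackbox" and f.param})

def to_open_findings_xml(findings):
    """Serialise every finding into one common layout (element names assumed)."""
    root = ET.Element("OpenFindings")
    for f in findings:
        el = ET.SubElement(root, "Finding", tool=f.tool, kind=f.kind,
                           cwe=str(f.cwe), severity=f.severity)
        ET.SubElement(el, "Title").text = f.title
        ET.SubElement(el, "Location").text = f.location
        if f.param:
            ET.SubElement(el, "Parameter").text = f.param
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    all_findings = parse_blackbox(BLACKBOX_XML) + parse_whitebox(WHITEBOX_XML)
    for cwe, info in sorted(correlate_by_cwe(all_findings).items()):
        tag = "INTEGRATED" if info["integrated"] else "single-source"
        print(f"CWE-{cwe}: {tag} ({len(info['findings'])} findings)")
    print(waf_rule_targets(all_findings))
    print(to_open_findings_xml(all_findings))
```

The per-vendor parsers are the only part that would change when a real schema is released; everything after `Finding` is vendor-neutral, which is the whole point of asking for the XSDs. Correlation here is by CWE only; with a shared intermediate representation of the application (the letter's fourth proposed schema) the join could be made on the actual code path behind a URL rather than on the weakness category.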

Tuesday 15 February 2011

OWASP Summit 2011 Results

I'm very proud to announce the Summit 2011 Results, which you can download from here:
As you can see from the Summit's highlights, we achieved an amazing amount of work during the 3 days we were together in Portugal!

Amazingly, we also had a great time, and created/consolidated an enormous amount of friendships/relationships. Just look at the number of smiles (and focused faces) that exist on the Summit's official photo album: https://picasaweb.google.com/owaspphotos/OWASPSummit

I would like to take this opportunity to thank the Summit organization team, the Working Session chairs, the 180 on-site participants and the 1000s of remote participants, for working so hard and achieving so much.

Note that this is the first version of this document. There is work already underway to create a much more detailed and comprehensive version of this document, which will be released as a number of books (Summit 2011 Final Report, Browser Security Report 2011, etc...).

Please distribute this document/Press-Release as widely as possible.


Wednesday 2 February 2011

Register your interest in participating in the O2 Platform Working Session at the OWASP Summit

O2 users, please participate remotely in the O2 Working Session that will happen at the Summit. The time-slot and location of this session will depend on how many people are registered (both on-site and remotely), so if you are going to the Summit or can participate remotely, please register now!

If you are going to be at the Summit, you can add your name here: http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session063 (see 'Working Session Participants' section at the bottom)

If you are going to participate remotely, you can register here: https://spreadsheets.google.com/viewform?formkey=dEptc1BoTVJSQkxBSDhhNHdSaEN1Y3c6MQ (make sure you select the O2 Platform Working Session :) )

This session will focus on exchanging experiences between O2 users and on how to make O2 easier to use and consume. There are a lot of areas where O2 can add value during security reviews; the problem most O2 users have is 'I know that it can be done, but how?'. Another key topic for discussion and debate is the 'No more security reports as PDFs' concept (where after a security engagement, clients should be given Unit Tests, not PDFs).

    1. Define 'What is O2'
    2. Map out easy ways to start using O2
    3. Document success stories and 'real world' O2 usage
    1. Simple user’s guide that shows how to install, configure, and use O2 to do a few simple common things
    2. Detailed workflows for the more complex features
    3. Roadmap for the next version of O2
Feel free to edit the WIKI and add your ideas (if you have an O2 feature wish-list, now is a good time to document it).

Thanks and see you at this session...

Participate remotely on the OWASP Summit

The OWASP Summit is gearing up to be an amazing event.

If you are not able to make it in person to Portugal, then please make the time to participate remotely.

We will have at least 1 professional video/audio feed (provided by Portuguese web company sapo.pt) and most working sessions will have video/audio coverage (technology still to be decided)

If you are going to participate, PLEASE register your interest so that we can (try to) take your needs into account! (important if you are not in the GMT time zone).

For reference, here are the main links:
Please distribute/blog/tweet this info to whoever you think might/should be interested :)


Tuesday 1 February 2011

list of application security links

A client asked me to recommend a list of application security links. So here they are: