Wednesday, September 30, 2009

O2: 'Open Platform for automating application security knowledge and workflows'

Dinis Cruz is a Web Application Security expert and is the chief technology evangelist for the Open Web Application Security Project (OWASP).

Dinis has been blogging about an "open source project designed to improve the productivity and capabilities of security consultants who perform application security engagements".

This project supports Python on the JVM through Jython and Python on .NET through IronPython.

In a nutshell, O2 is a bunch of (about 25) open source modules/tools that help with the multiple aspects of performing application security engagement (in most cases by extending the capabilities of several Commercial and Open Source tools).

There is a large number of O2 modules that are designed to work specifically with the Ounce 6.x product (Ounce Labs Static Analysis engine), and several other O2 modules which are 100% independent and can be used using only freely available or Open Source tools.

One of the most powerful features of O2 is its scripting and customization capabilities. Currently O2 supports scripting in:
  • any .NET language (with an O2 module dedicated for coding and debugging C#),
  • Java using IKVM,
  • Python & Java via Jython and
  • Python & .NET via IronPython.
Everything in O2 is exposed via powerful object models and schemas (which are designed to make the security consultant much more productive).

The OUNCE O2 project has a page and code samples on using Python / C#.

I received last week a great set of OSA/O2 questions which are better answered here (see also the code samples at the end which are good examples of the powerful O2 Finding's filtering capabilities).


Using the O2_Tool_Python to write a Python script:

step 1) Open the O2 'Scripts' module (from the 'Loaded O2 Module' menu)
step 2) select a *.py script from the samples on the left hand side
(optional) step 3) save it with a different name (use the properties button to open the save dialog)
step 4) enter the Python script below in the source code area (you will need to fix the path to your local webgoat.ozasmt file and O2_Binaries folder)
step 5) select 'IronPython' engine
step 6) click on 'Execute on External Script Engine' (the big red exclamation mark). This will save and execute the code.
