OWASP Live CD: An open environment for web application security.

OWASP Live CD: An open environment for web application security. Matt Tesauro OWASP Global Projects Committee Member OWASP Live CD Project Lead mtesauro@gmail.com

Presentation Overview
- Who am I and what's this OWASP Live CD thing anyway?
- Where are we now?
- Where are we going?
- How can I get involved?
- What else is out there?

About me
- Varied IT background: Developer, DBA, Sys Admin, Pen Tester, Application Security
- CISSP, CEH, RHCE, Linux+
- Long history with Linux & Open Source
- First Linux install ~1998
- DBA and Sys Admin was all open source
- Last full-time commercial OS = Windows 2000
- Contributor to many projects, leader of one

Project History and Goals
- Started as a Summer of Code 2008 project
- GOAL: Make application security tools and documentation easily available and easy to use
- Complements OWASP's goal to make application security visible
- Design goals:
  - Easy for users to keep updated
  - Easy for project lead to keep updated
  - Easy to produce releases (maybe quarterly)
  - Focused on just application security – not general pen testing

Just to be clear... !=

General goals going forward
- Showcase great OWASP projects
- Provide the best, freely distributable application security tools/documents in an easy to use package
- Ensure that the tools provided are as easy to use as possible
- Continue to document how to use the tools and how the modules were created
- Align the tools with the OWASP Testing Guide v3 to provide maximum coverage

Where are we now?
- Current release: AppSecEU May 2009
- Previous releases: AustinTerrier Feb 2009, Portugal Release Dec 2008, SoC Release Sept 2008, Beta1 and Beta2 releases during the SoC
- Overall downloads = 170,005 (as of 2009-05-05)
- ~1,998.5 GB of bandwidth since launch (07-2008)
- April downloads = 17,529 (60.28 GB)

Available Tools
26 “significant” tools:
- OWASP WebScarab v20090122
- OWASP WebGoat v5.2
- OWASP CAL9000 v2.0
- OWASP JBroFuzz v1.2
- OWASP DirBuster v0.12
- OWASP SQLiX v1.0
- OWASP WSFuzzer v1.9.4
- OWASP Wapiti v2.0.0-beta
- Paros Proxy v3.2.13
- nmap & Zenmap v4.76
- Wireshark v1.0.5
- tcpdump v4.0.0
- Firefox 3.06 + 25 addons
- Burp Suite v1.2
- Grendel Scan v1.0
- Metasploit v3.2 (svn)
- w3af + GUI svn 1.0-rc1
- Netcats – original + GNU
- Nikto v2.03
- Fierce Domain Scanner v1.0.3
- Maltego CE v2-210
- Httprint v301
- SQLBrute v1.0
- Spike Proxy v1.4.8-4
- Rat Proxy v1.53-beta
- sqlmap v0.7-rc1 now included!

More on Tools (menu screenshots): Recon Menu, Scanners Menu, Proxies Menu, Metasploit Menu

Special features... Firefox Add-ons: there are a few (screenshots)

Documentation available
- OWASP Documents: Testing Guide v2 & v3, CLASP, Top 10 for 2007, Top 10 for Java Enterprise Edition, AppSec FAQ
- Books: CLASP, Top 10 2007, Top 10 + Testing + Legal, WebGoat and WebScarab, Guide 2.0, Code Review
- Others: WASC Threat Classification, OSSTMM 3.0 & 2.2

Support Modules
- OWASP Branding Module
- Subversion client
- JRE 6 update 6
- Python 2.5.2
- Ruby 1.8.1
- Graphviz
- tidy
- GnuTLS
- wget, host, dig, openssl, grep, whois

Bonus Features
- 331 tools enumerated & documented
- Potential Tool list: Name, website, License, Installation source, OWASP Tool?, Notes, Page numbers for tools in OWASP Testing Guide v2
- Each addition to SLAX created as a separate module – 37 total
  - Downloadable at the Google Code site
  - Download counts vary from 3094 to 12
  - Use on other SLAX installs or extract (.lzm)

Where are we going? The cool fun stuff ahead
- Project Tindy
- Project Aqua Dog
- Builder vs Breaker
- Auto-update installed tools
- Website update
- OWASP Education Project
- Minor release tweaks
- Crazy Pie in the Sky idea

Project Tindy & Aqua Dog
- Project Tindy: OWASP Live CD installed to a virtual hard drive
  - Persistence!
  - VMware, VirtualBox & Parallels
- Project Aqua Dog: OWASP Live CD on a USB drive
  - VM install + VM engine + USB drive = mobile app sec platform
  - Currently testing; QEMU is the current VM engine

Builder vs Breaker
- Builder is where the ROI is
- But darn it, breaking is really fun.
- Builder tools coming in future releases. (Thanks Top Gear!)

Website Update
- Quick, spell my last name... Need a much easier URL – AppSecLive.org
- Community site around OWASP Live CD: forums, articles, screencasts, etc.
- Online Tool database, seeded with the 331 I've already got
- Articles and HowTos published by users
- www.owasp.org will always be its home
- Content from mtesauro.com -> OWASP site

Another minor change
- SLAX is a good base, except...
  - package management isn't there
  - no scripting or dependencies
  - no method to update via Internet
  - no method to sign modules
  - pre-built modules for dependencies require making several modules or a mega-module to get a tool installed, and other such hackery
- Ubuntu is better!

Next release: Ubuntu based
- Will create .deb packages for every tool
- Will create a repository for packages
- Addresses the dependency pain
- Brings the 26,000+ existing packages to the Live CD
- More fun cool stuff like Wubi

OWASP Education Project
- Natural ties between these projects
- Already being used for training classes
- Need to coordinate efforts to make sure critical pieces aren't missing from the OWASP Live CD
- Training environment could be customized for a particular class thanks to the individual modules
- Student gets to take the environment home
- As more modules come online, even more potential for cross pollination
- Builder tools/docs only expand its reach
- Kiosk mode?

Crazy Pie in the Sky idea
- .deb package + auto update + categories = CD profiles
- Allows someone to customize the OWASP Live CD to their needs
- Example profiles: Whitebox testing, Blackbox testing, Static Analysis, Target specific (Java, .Net, ...)
- Profile + VM = custom persistent work environment

How can you get involved?
- Join the mail list – announcements are there, low traffic
- Download an ISO or VM; complain or praise
- Suggest improvements
- Submit a bug to the Google Code site
- Create a deb package of a tool – how I create the debs will be documented, command by command, and I'll answer questions gladly
- Suggest missing docs or links
- Do a screencast of one of the tools being used on the OWASP Live CD

What else is out there?
- LabRat v2.1 (previous OWASP Live CD) – 404 for ISO link
- Samurai WTF (Web Testing Framework)
  - Slightly fewer tools overall
  - Unique to Samurai: WebShag & MoinMoin Wiki
  - Ubuntu based live CD, looks really nice
  - No .deb packages for most of the tools
  - Currently a development release
  - http://samurai.intelguardians.com/
  - Login info is samurai / samurai
- Backtrack – has some web app tools

Learn More
- OWASP Site: http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
  - or just look on the OWASP project page (release quality): http://www.owasp.org/index.php/Category:OWASP_Project
  - or Google “OWASP Live CD”
- Download & Community Site: http://AppSecLive.org
  - Previously: http://mtesauro.com/livecd/

Questions?