Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP EU09 Poland The Owasp Orizon project: new static analysis in HiFi Paolo Perego Owasp Orizon Project leader Spike Reply

2 OWASP AppSecEU09 Poland Agenda Orizon Framework state of art Building a model round up: the Mirage engine Roadmap 09

3 OWASP AppSecEU09 Poland $ whoami Senior Spike Reply srl Offense (Application penetration test) Defense Application Security Code review SSDLC design Owasp project leader Owasp Orizon Owasp Source code flaws Top 10 Owasp Italy board member

4 OWASP AppSecEU09 Poland Owasp Orizon framework v1.20 engine based build a model analyze report Orizon interface APIs

5 OWASP AppSecEU09 Poland Owasp Orizon framework v1.20: engine Engine commands are described by a grammar Command parser is generated from the grammar using FreeCC Engine is an abstract class providing a fixed set of APIs for all Orizon engines start() method contains engine business logic

6 OWASP AppSecEU09 Poland Owasp Orizon framework v1.20: the Language Pack Parser is built using language grammar and FreeCC Collector take AST from the parser and retrieve variables, methods,... Parser is almost 100% able to understand the specific language Ready for Java, C and PHP. Next to come: Cobol, C++, C#, Ruby, Jsp

7 OWASP AppSecEU09 Poland Owasp Orizon framework v1.20: build the model SourceFinder scans the input deciding which files can be processed and the language pack to be used Orizon supports more programming languages with an ad hoc Language Pack Modeler class uses Language Pack collectors to gather data and building the model

8 OWASP AppSecEU09 Poland Owasp Orizon framework v1.20: analyze Get the model Iterate through all files to be processed Rules management Apply the rules to the model

9 OWASP AppSecEU09 Poland Owasp Orizon framework v1.20: report Formatters manage how to represent the findings in various formats Reporting engine manages the findings to be represented as output

10 OWASP AppSecEU09 Poland Its showtime...

11 OWASP AppSecEU09 Poland Spot the difference v1.0 EU Summit 08 v1.18 AppSec EU 09 v1.20 Summer 09 Architecture Heterogeneous engines with a non standard API Engine based with a standard set of API Supported languages JavaJava, C, PHPJava, C, PHP, C++, Cobol, C# Interface Command line with options specified as parameters Command line with a shell accepting commands (OSH) Shell + Web based GUI Modeling approach Sources are translated in XML and analysis are made over there Sources are parsed with an appropriate Language Pack Model None Keyword used Started variable tracking Keyword + variable tracking + execution flow Security check Written in XML Written in ORL (Orizon Rule Language) Crawling PartialYes Static analysis PartialNoYes Dynamic analysis No

12 OWASP AppSecEU09 Poland Roadmap in the short term (3 months): v1.20 collectors must be able to retrieve more information from ASTs new Language Packs (C++, Cobol, C#) in the mid term (6 to 9 months): v1.50 Modeler will be able to build data flow diagram execution flow diagram Owasp Orizon Guide to be released as alpha document in the long term (12 months): v1.80 static analysis will be working dynamic analysis will start

13 OWASP AppSecEU09 Poland Before we leave Thanks to OWASP the Italian chapter and its board the gang: Nishi, Stephen, Jason, Andrés, Alessio, Dinis ( orizon-team/) orizon-team/ my Mom my Wife

14 OWASP AppSecEU09 Poland Some link FreeCC: used to generate all the parsers in Orizon ( Owasp Orizon links Homepage: Orizon_Project Orizon_Project Blog: Twitter: