O2 presentation jan 09 - v1.00

Dinis Cruz, January 2009


Transcript of O2 presentation jan 09 - v1.00

Page 1: O2 presentation jan 09 - v1.00

Dinis Cruz, January 2009

Page 2:

O2 means

Ounce Open

* all images taken from http://images.google.com, use it to find the image source :)

Page 3:

O2 allows you to do impossible things ...

Page 4:

… and once you see how deep the rabbit hole goes ....

Page 5:

… you will see the world in a completely different way

Page 6:

You need to know what you are doing ...

Page 7:

… and you will get lost ...

Page 8:

… but you will be empowered to find your answers.

Page 9:

When it works, it's like a well oiled machine

Page 10:

When it doesn't, it gets messy

Page 11:

Some problems will not be solved in traditional ways...

Page 12:

… and you will need to trust your instincts …

Page 13:

… when you gain visibility, your clients will love you ...

Page 14:

… and the efforts will be worth it:

Page 15:

Finally, be warned, too much exposure could have some side effects...

Mark Curphey (http://securitybuddha.com/2007/09/18/mc-borg/)

Page 16:

Where does O2 Fit

O2 should be seen as an example of Ounce's extensibility, customization and Openness

Page 17:

What can O2 do for advanced users?

• Note: most of current Ounce clients DON'T need O2 today

• O2 can solve the problems that Advanced users WILL have

• Advanced users = Security consultants & Ounce Partners

Page 18:

What can O2 do for advanced users 1/3?

• Handle large assessment files & create separate assessment files based on logical criteria
– Unique lost sinks, combinations of source/sink/validators
– 500+Mb assessment data
– Global analysis of partial scans

• Scan 1MLoc+ applications
– In fact there is no theoretical LIMIT on the size of scanned applications

• Mass Rule creation
– For example adding rules for Web Services/APIs
– Reality check: once enough custom rules are added (and 100,000s of traces are created), even WebGoat can create problems for OSA

• OSA was designed to minimize False Positives/Negatives

• O2 was designed to maximize visibility and insight into an application's capabilities & behavior

Page 19:

What can O2 do for advanced users 2/3?

• Create ALL (+/-95%) possible 'complete' traces (Ounce covers 10%), including support for
– Interfaces
– Anonymous methods / Delegates, HashMaps, Attributes
– Web Services Glue (.Net)
– Trace Gluing / Creation of virtual traces (i.e. joining independent traces from scans)
– No more 'Lost Sinks' and Type IIs (since there is a rule/trace for everything)

• Advanced findings filtering
– List unique Lost Sinks
– Multi-layered queries
– Remove duplicate traces

• Create new findings/traces
– Programmatically manipulate ALL findings data

• Visualize multiple traces

Page 20:

What can O2 do for advanced users 3/3?

• Handle any .Net or Java Framework
– Web Frameworks (like Spring MVC, MS Enterprise Library)

• Allows analysis of
– SOA Applications (via Web Services support)
– API analysis (for example Data APIs)

• Rule Packs (creation & import)

• Expose 'Object Model' of all O2 capabilities

• Programmatic access to the numerous O2 'data' objects:
– Cir, Project, SavedAssessmentFiles, RegEx text search

• Create 'Scan Bundles'
– Upload 'Scan Bundles' to Web Service and download results (SaaS model)

Page 21:

Reality check on SAST tools market

• What can tools do?

(SAST = Static Application Security Testing)

Page 22:

SAST tools need better coverage

• By 'coverage' I mean a complete 'real world' trace (like the one I showed for Hacme Bank: WebLayer → WebService → SQL trace)

• 'Real World' traces go through:
– Attributes
– Interfaces
– Global Variables
– Properties and HashMaps (getters and setters)
– Web Services
– Multiple Languages (C# → SQL)
– APIs & Frameworks (which create alternative realities, a la Spring Framework)
– Xml Configuration files, etc...

• The glass is not very full!!!!
– For everybody in the SAST space
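The trace operations that slides 18, 19 and 22 talk about (gluing partial traces scanned layer by layer into one WebLayer → WebService → SQL trace, removing duplicate traces, listing the unique lost sinks that remain, and splitting findings by source/sink/validator combination) are sketched below as an added Python example. It is not O2's or Ounce's code: the `Trace` layout, the method names in `SAMPLE_TRACES` and the `KNOWN_SINKS` list are all constructed for illustration and do not follow the *.ozasmt format.

```python
"""Added example, not O2's or Ounce's code: a toy model of the trace
operations the slides describe. The data layout is constructed for
illustration and is NOT the *.ozasmt schema."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Trace:
    source: str                          # where data enters this trace
    path: tuple                          # intermediate calls, in order
    sink: str                            # last call the scanner followed it to
    validators: frozenset = frozenset()  # sanitizers seen along the path


# Methods the scanner has a sink rule for (constructed list). A trace that
# ends anywhere else is a 'lost sink': the analyzer stopped at a method it
# has no rule for, so it cannot say whether the data reaches anything dangerous.
KNOWN_SINKS = {"SqlCommand.ExecuteNonQuery", "SqlCommand.ExecuteReader"}

# Constructed sample: partial traces from three separately scanned layers of
# one application, plus one duplicate finding and a second, validated entry.
SAMPLE_TRACES = [
    Trace('Request.Form["account"]', ("TransferPage.Submit",), "BankService.Transfer"),
    Trace("BankService.Transfer", ("BankLogic.DoTransfer",), "DataAccess.RunQuery"),
    Trace("DataAccess.RunQuery", ("SqlCommand.ctor",), "SqlCommand.ExecuteNonQuery"),
    Trace('Request.Form["account"]', ("TransferPage.Submit",), "BankService.Transfer"),
    Trace('Request.QueryString["id"]', ("AccountPage.Load", "Validate.IsNumeric"),
          "BankService.GetAccount", frozenset({"Validate.IsNumeric"})),
]


def is_lost(trace, known_sinks=KNOWN_SINKS):
    """True when the trace stops at a method no sink rule classifies."""
    return trace.sink not in known_sinks


def dedupe(traces):
    """Drop exact duplicate traces, preserving first-seen order."""
    seen, out = set(), []
    for t in traces:
        if t not in seen:
            seen.add(t)
            out.append(t)
    return out


def unique_lost_sinks(traces, known_sinks=KNOWN_SINKS):
    """Sorted distinct sink names that no rule classifies."""
    return sorted({t.sink for t in traces if is_lost(t, known_sinks)})


def join_traces(traces, known_sinks=KNOWN_SINKS):
    """Glue traces end-to-start: when trace A stops at a lost sink M and some
    trace B starts at M, A+B becomes a longer 'virtual' trace. Repeats until
    nothing more can be glued, then returns only the outermost traces (those
    whose source is not itself another trace's sink)."""
    by_source = defaultdict(list)
    for t in traces:
        by_source[t.source].append(t)
    work, results = list(traces), []
    while work:
        t = work.pop()
        nexts = by_source[t.sink] if is_lost(t, known_sinks) else []
        # Refuse to glue into a method already on the path (recursion guard).
        nexts = [n for n in nexts if n.sink != t.source and n.sink not in t.path]
        if not nexts:
            results.append(t)
            continue
        for n in nexts:
            work.append(Trace(t.source, t.path + (t.sink,) + n.path, n.sink,
                              t.validators | n.validators))
    absorbed = {t.sink for t in traces}
    return dedupe([r for r in results if r.source not in absorbed])


def group_by_source_sink_validators(traces):
    """Bucket findings by (source, sink, validators), the kind of 'logical
    criteria' one could split a very large assessment file on."""
    groups = defaultdict(list)
    for t in traces:
        groups[(t.source, t.sink, tuple(sorted(t.validators)))].append(t)
    return dict(groups)


if __name__ == "__main__":
    traces = dedupe(SAMPLE_TRACES)
    print("lost sinks before joining:", unique_lost_sinks(traces))
    for t in join_traces(traces):
        status = "LOST" if is_lost(t) else "complete"
        print(status, t.source, "->", " -> ".join(t.path), "->", t.sink)
    print("lost sinks after joining:", unique_lost_sinks(join_traces(traces)))
```

Run stand-alone, the script shows the point of the slides in miniature: three layer-local scans each end at a lost sink, but once the web-layer trace is glued to the service trace and that to the data-access trace, the account parameter is reported as one complete trace into `SqlCommand.ExecuteNonQuery`, and only the entry point with no continuation is still listed as a lost sink.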

Page 23:

Ounce Technology exposed by O2

• Best example of Ounce's Extensibility, Openness and Technology

• Standard Source Code Assessment File (*.ozasmt)

• Standard Source Code representation (Cir Dumps)

• Standard Application / Project definition (*.paf, *.ppf)

• There are "NON-Ounce dependent" O2 modules to manipulate all of the above

• CIR (Common Intermediate Representation)
– Object model of analyzed source code

Page 24:

SAR: Best O2 module for OSA users

• SAR: Search Assessment Run
– 2Mb Web based install with Auto updates
– Can read and process OSA generated assessment files (ozasmt)
– Can create assessment files (ozasmt) readable by OSA

Page 25:

O2 positioning

Page 26:

Where O2 adds value 1/2

Page 27:

Where O2 adds value 2/2

Page 28:

Bottom line on O2

O2 is what the security consultants want! (since it 'automates' their brain)

It also shows that anything is possible

Without O2, SAST technology (Ounce 6.x & current direct competitors) is hard for security consultants to use on any mid-size+ application, since it doesn't provide enough visibility on what is going on

O2 allows the successful analysis of large applications

O2 allows the discovery and reporting of 'insecurity patterns' (versus # of vulnerabilities)

O2 allows the discovery and reporting of NEW types of vulnerabilities or NEW exploit paths between source->sink

O2 Modules can be seen as prototypes for the next generation of Ounce products

Page 29:

Demos

• 2 minute O2 install and experience
– Will It Scan
– Join traces
– Search Assessment Run

• OunceOpen Website: http://ounceopen.squarespace.com

Page 30:

O2 Roadmap – next months

• New IDE (SharpDevelop based)

• Refactoring of main modules into an MVC architecture. This will allow:
– Remote & distributed (server or process) execution
– Exposed by Web Services

• VDB Rule support & Ounce Rules Mapped to all traces

• CAT.NET, Orizon and Fortify 'translators'

• Basic call flow & data flow (via community)
– SQL & Javascript (Client side)

• Semi-automated Xml Config Analyzers

• Full Framework Mappings and support for Spring .NET and Sharepoint Mappings/Support

• Create 'Real World Assessment' Reports for HacmeBank & WebGoat

Page 31:

That's it :)

• Questions?