Thoughts on OWASP Day in Belgium

I am in Brussels airport waiting for a flight back to Toulouse. First off, it's so good to be back in Europe. Last week I scoured Chicago, SeaTac and Dulles airports for non-toxic food. I just had a nice entrecôte, béarnaise sauce and half a bottle of Chenet. Bliss!

Today was a really good day. Around 100 people, a nice venue and really good speakers. I learnt a lot and met some great new people.

PDP spoke about hacking web 2.0. Well worth a read on his web site, and a unique story-telling approach of future fiction scenarios that I think is really clever and quite powerful. Fair warning, PDP: I plan to steal this style at some point!

David Kierznowski spoke about the Technika framework. Super cool idea, one to watch.

Simon Roses Femerling spoke about Pantera. Very neat, pragmatic and extensible, as demonstrated by some new privacy checks he has just built.

I need to hook both of them up with some of the things / ideas we did at Foundstone, such as SiteScope. If SiteScope could produce the site coverage for your test cases, I suspect there may be some interesting incremental performance gains.

Unfortunately I had to leave before the MS SDL, CLASP and Touchpoints presentation, which would have been very interesting.

A big thanks and well done to Sebastien and Erwin for organizing the event (sponsored by Telindus).

Note: Would the guy who told me about the world's best beer send me a link in the comments here please?

6 Comments on “Thoughts on OWASP Day in Belgium”

  1. Benny K (Security4all) Says:

    I also attended the meeting. First of all, I really liked your style of giving presentations. Where/how did you learn it? It reminds me of (http://www.presentationzen.com/) which I still need to read further. Any pointers would be welcome. I will be looking forward to the release of the OWASP Evaluation and Certification Criteria Draft.

    Secondly, I wasn’t the one talking to you about beer but I think I can help you out. He was probably talking about West-Vleteren.
    http://beeradvocate.com/beer/profile/313/1545

    It’s also difficult for us Belgians to buy. It really is the monks making this beer themselves and not a big brewery. So the supply is limited and you must buy it directly at their small brewery. It’s impossible to get in the supermarket. Sadly. But I must agree, it’s one of the best beers in the world. Close contenders: Rochefort 10 and ‘Donker Kasteelbier’…. and these you can buy in the supermarket. I will be happy to share some with you at the next meeting! ;-)

  2. HDB Says:

    Whilst taste is highly subjective and individual, some international beer drinkers consider the Westvleteren 12 to be among their favourite beers. The majority of members of BeerAdvocate.com and RateBeer.com, two beer rating websites, consistently rate the Westvleteren 12 as their most enjoyable beer (and I’m one of those); the 8 and the Blonde also rank highly on both sites.

    In June 2005, when Westvleteren 12 was again highlighted as “Best Beer in the World” in a bi-annual competition on RateBeer.com, news organizations followed this up and articles appeared in the international press, highlighting the beer ranking and the unusual business policies.

    The official website of the abbey of Saint Sixtus of Westvleteren: http://www.sintsixtus.be/

  3. dre Says:

    How do the ideas/concepts/implementations from the TSF (Technika) and Pantera compare?

    How do they compare to older projects such as Beretta or new projects such as BlackTop?

    The only open-source web application tool I really like is Wfuzz and I’ve only known about it since the recent release. It’s being worked on still, which is nice.

    Part of the problem with these open-source tools is that they die off quickly. More about the bad things in open-source security tools on the Watchfire blog.

    mmm beer

  4. mcurphey Says:

    Technika is more of a test execution framework built on top of Firebug. Basically some APIs to make building test cases easier.
    Pantera is more of a set of components to help build tools. As an example he showed some privacy checks he wrote using it.

    I haven’t heard of BlackTop, link?

    I mailed all these guys and Mike Andrews, who built SiteScope at Foundstone (a great tool BTW). If only everyone was working on one big framework / tool that could be plug and play for specialities, we would have a credible alternative to the commercial web app scanners. As it is I don’t think there is the individual horsepower to beat them in anything other than individual specializations. I guess it would be like herding cats but …… I can still dream, right!

  5. dre Says:

    Technika is more of a test execution framework built on top of Firebug. Basically some APIs to make building test cases easier

    I could never get Technika to work consistently across websites for me. Sometimes the auto effects would do strange things to certain websites depending on my JavaScript in the bookmarklet. I haven’t seen or tried the TSF, however.

    The fact that TSF is a browser driver, and could become cross-browser, really makes it unique. I wonder if it could be used effectively as a security equivalent of YSlow, a Firebug extension that checks for performance problems with websites, provides grades and scores, and discusses ways of improving low graded/rated areas. You would like this idea.

    Pantera is more of a set of components to help build tools. As an example he showed some privacy checks he wrote using it

    There are so many proxies, but I don’t see how Pantera could become more useful over any of the others. The Matasano crew has shown some interest in Pantera - Ptacek even asked me my opinion on it at the OWASP local chapter in Chicago this past week.

    I haven’t heard of BlackTop, link?
    BlackTop seems to be more of a competitor to Fortify Software’s Tracer or Veracode.

    There is a tool called Cruiser which I just found out about (from WASC-L via Ory I think) and downloaded earlier this evening. I’m not sure I have a current version of it. There will probably be more information about it (as well as various web application pen-testing techniques) once the OSSTMM v3 is released (i.e. real soon now). Just so you can grab yourself a copy, I got this one from http://indianz.ch. The original open-source web application scanning tool, ELZA (doesn’t rhyme with Nikto), is also very interesting from a research perspective. I know lots of people who still use SPIKEProxy and ELZA for nearly everything. Kind of sad that the old, original tools are ones that still do the best job.

    As for website surface area coverage, you may want to check out the Iron Chef talk from BlackHat USA section by Kureha - as well as rgaucher on a completely different method.

    I see the commercial web application scanner world a little differently as of late, but I’m still integrating my ideas (it’s worse than before, but it will get better before it gets real bad). You can check out my talk from OWASP Chicago earlier this week where I attempt to predict the future of the problem we’re trying to solve with web application vulnerability scanners (and how to measure them). If I only had the time/resources to work full-time on this research.

  6. MikeA Says:

    I’m not too sold on the “one tool/framework” idea as it really could be “herding cats” as Mark points out! The problem that you are going to get is when someone wants to do an update, change something, or add a feature.

    What we *really* need (and someone please point me in the right direction if I am missing it) is a *standardized* XML schema. We can have a number of schemas, e.g. website crawling/mapping, vulnerability description (I have seen some of these, but once again - standardized), test case descriptions, etc. With these, tools can easily interchange these documents (say, you can use SiteScope to map the site, then pass off to WebInspect to do the testing, which passes back the vulns discovered to another tool to produce the report I want).

    These tools can then consume whatever data they like, and can add their own without confusing other tools.
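    To make the map-then-test-then-report hand-off concrete, here is an added example (not code from the post or from any of the tools named in it) of a minimal, hypothetical interchange format: a mapper emits a site-map document, a tester consumes it and emits findings that cite page ids, and a reporter joins the two. Element and attribute names, the stand-in test, and the sample URLs are all invented; the consumer validates the document and drops out-of-scope pages before anything downstream acts on them.

    ```python
    import xml.etree.ElementTree as ET

    # Constructed site-map document, as a mapping stage might emit it (hypothetical format).
    SITEMAP_XML = """<sitemap scope="https://app.example.test">
      <page id="p1" url="https://app.example.test/login" method="POST">
        <param name="user"/><param name="pass"/>
      </page>
      <page id="p2" url="https://app.example.test/search" method="GET">
        <param name="q"/>
      </page>
      <page id="p3" url="https://evil.example.test/x" method="GET"/>
    </sitemap>"""

    def parse_sitemap(xml_text):
        """Consume a site-map document: reject malformed documents and drop pages
        outside the declared scope instead of passing them to the testing stage."""
        root = ET.fromstring(xml_text)
        if root.tag != "sitemap" or "scope" not in root.attrib:
            raise ValueError("not a sitemap document")
        scope = root.attrib["scope"].rstrip("/") + "/"
        pages = []
        for el in root.findall("page"):
            for required in ("id", "url", "method"):
                if required not in el.attrib:
                    raise ValueError(f"page missing required attribute {required}")
            if not el.attrib["url"].startswith(scope):
                continue  # out-of-scope target in the map: never hand it to a tester
            params = [p.attrib["name"] for p in el.findall("param") if "name" in p.attrib]
            pages.append({"id": el.attrib["id"], "url": el.attrib["url"],
                          "method": el.attrib["method"], "params": params})
        return pages

    def emit_findings(pages):
        """Testing stage stand-in: flag credential forms for a transport review and
        emit a findings document whose entries cite the site-map page id."""
        root = ET.Element("findings")
        for page in pages:
            if page["method"] == "POST" and "pass" in page["params"]:
                f = ET.SubElement(root, "finding", page=page["id"], severity="info")
                f.text = "credential form: verify HTTPS and cache headers"
        return ET.tostring(root, encoding="unicode")

    def parse_findings(xml_text, pages):
        """Reporting stage: join findings back to the site map by page id,
        ignoring findings that cite a page the map does not contain."""
        by_id = {p["id"]: p for p in pages}
        root = ET.fromstring(xml_text)
        return [(by_id[f.attrib["page"]]["url"], f.attrib["severity"], f.text)
                for f in root.findall("finding") if f.attrib.get("page") in by_id]
    ```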
