OWASP O2 Platform

Try O2!

Download the latest version of the Binaries, Installers or Source Code (from Files (Binaries, Source and Demos))

• Binaries: _Bin_(O2_Binaries) 09-Nov-09.zip
• Source Code: _SourceCode_O2 09-Nov-09.zip
• MSI Installers: _O2_Installers 09-Nov-09.zip

Or can install the most commonly used O2 Modulesdirectly from the web (using Click Once) at http://deploy.o2-ounceopen.com/:

• O2 Tool - XRules - O2's eXtended rules environment which allows the execution and edition of complex security analysis workflows
• O2 Tool - SpringMVC - Support for Spring's Framework MVC
• O2 Tool - RulesManager - Powerful viewer and editor for Ounce's Rules
• O2_Tool_FindingsViewer - Powerful Filter and Editor for Ozasmt files
• O2_Tool_CirViewer - View and create (for .NET) CIR (Common Intermediate Representation) Objects
• O2_Tool_SearchEngine - RegEx text search based GUI
• O2_Tool_CSharpScripts - Edit and Debug c# Scripts
• O2_Tool_DotNetCallbacksMaker- Automatically create Ounce Rules for .NET Callbacks
• O2_Tool_FindingsQuery - Filter Ozasmt files using LAMDA like queries
• O2_Tool_JavaExecution - Write O2 scripts in Java
• O2_Tool_JoinTraces - Join traces (for example .NET and Web and Web Services layer)
• O2_Tool_Python - Write O2 scripts in Python
• O2_Tool_O2Scripts - O2 scripts editor (includes O2 Object Model)
• O2_WebInspect(PoC of Integrating Ounce's & WebInspect's assessment data)

For demos try these

• O2 demo Pack 25_11_2008.zip
• Updated version of HacmeBank
• Apps To Scan (directory)
• Demo files (directory)
• External tool (usually used when building Test environments or Student VMs)

Code Repository and Bug Tracking System

O2 uses Google Code for its core repository and bugtracking system: http://code.google.com/p/o2platform/

go back to the main OWASP O2 Platform page

O2 @ Google Code

O2's source code is hosted at Google code SVN: http://code.google.com/p/o2platform/

• source code: http://code.google.com/p/o2platform/source/checkout (you can browse the code online)
• bug tracking: http://code.google.com/p/o2platform/issues/list

Check out code

Command-line access

Use this command to anonymously check out the latest project source code:

1. Non-members may check out a read-only working copy anonymously over HTTP.

svn checkout http://o2platform.googlecode.com/svn/trunk/ o2platform-read-only 

Visual Studio SVN

For SVN access, the main O2 developers use Visual Studio 2008 and [1] (which nicely integrates with Visual Studio IDE)

go back to the main OWASP O2 Platform page

The objective of this page is to help new O2 users to figure out the best way to start and be productive (on using or contributing to O2)

If you have not done it already, you should subscribe to the OWASP O2 Platform Mailing list using this form (you can read its archives here

I want to understand what is O2

• start by reading this presentation: "What is the OWASP O2 Platform" and then read this presentation "OWASP O2 Platform Modules"
• download the latest version of the Binaries and demo files

I want to be more involved with O2

• see the page OWASP O2 Platform/WIKI/Tasks_for_helpers for ideas
• write a post to the [owasp-o2-platform@lists.owasp.org] (mailing list) with your questions, ideas or problems
• search for a active O2 user close to you and swap ideas: OWASP O2 Platform/WIKI/Active_O2_Users

go back to the main OWASP O2 Platform page

Code Repository & Bug Tracking System

• http://code.google.com/p/o2platform/
• http://code.google.com/p/o2platform/issues/list

Sub-Projects Pages

• OSSAD - One Security Static Analyzer per Developer

go back to the main OWASP O2 Platform page

The following list represents the current O2 supported technologies and how they can be consumed by multiple O2 Modules.

Note that adding support for a new technology , tool or framework is usually quite an easy task (since there are numerous O2 APIs that can be easily reused or modified).

If you have a particular need please send a request to the O2 mailing list

Findings Creation

• Open Source or Free Tools
  • O2 Tool CSharpScripts - download
  • Microsoft CAT.NET v1.0 (not the latest release)
  • FindBugs - download , see XSD and O2 object model
  • OWASP CodeCrawler - download , see XSD and O2 object model
  • WebScarab logs (original version, not the NG one) - download , see XSD and O2 object model

• Require Paid-for license
  • Ounce 6.x (now called IBM AppScan Source Edition) - see XSD and O2 object mode
  • Ounce 7.x (now called IBM AppScan Source Edition) - see XSD and O2 object mode
  • IBM AppScan developer Edition - see XSD and O2 object mode
  • Fortify (very basic support) - see XSD and O2 object mode

Cir Creation

• Open Source or Free Tools
  • Using O2 Modules
    • .NET Framework Assemblies (*.dll , *.exe)
    • Java class files (*.class, *.jar. *.war)

• Requiring Paid-for license
  • Ounce 6.x (now called IBM AppScan Source Edition)
    • .NET, Java, C/C++, VB6, ASP Classic and (under internal beta at the moment) PHP

Trigger Scans

• Open Source or Free Tools
  • CAT.NET v1.0 (have not tested the latest release)
• Requiring Paid-for license
  • Ounce 6.x (now called IBM AppScan Source Edition)

Framework Support

• Spring Framework (MVC)
• Struts

go back to the main OWASP O2 Platform page

Technologies supported

• Spring Framework (MVC)
• Microsoft CAT.NET

O2 Related Videos

• by Dinis Cruz
  • CirViewer - new .NET source code mappings
  • Guide tour of 'O2 - All Active Projects' solution file.avi
  • Loading and viewing findings, Fixing source code references.avi
  • O2 Tool OzasmtQuery - Intro and main features (Part 1)
  • O2 Tool OzasmtQuery - Viewing Findings and Traces (Part 2)
  • O2 Tool OzasmtQuery - Editing Findings and Traces (Part 3)

O2 Training Materials

• O2 Findings Viewer.PPT (by Matt Parsons)
• Using O2 on: HacmeBank
• Using O2 on: WebGoat

O2 Convertors

• OWASP_O2_Platform/Docs/O2Findings_Schema
  • OWASP_O2_Platform/Docs/O2Findings_Schema/O2AssessmentLoad_OunceV6
  • OWASP_O2_Platform/Docs/O2Findings_Schema/O2AssessmentLoad_OunceV6_1 (needs to be renamed to 7.0)
  • OWASP_O2_Platform/Docs/O2Findings_Schema/O2AssesmentLoad_AppScanDE
  • OWASP_O2_Platform/Docs/O2Findings_Schema/O2AssesmentLoad_CodeCrawler
  • OWASP_O2_Platform/Docs/O2Findings_Schema/O2AssesmentLoad_FindBugs
  • OWASP_O2_Platform/Docs/O2Findings_Schema/O2AssesmentLoad_Fortify
  • OWASP_O2_Platform/Docs/O2Findings_Schema/O2AssesmentLoad_WebScarab

Misc pages

• • Open Source Projects to Adopt
  • Python

WIKI edition

• OWASP O2 Platform WIKI Edit Helpers
  • WIKI Edit Helpers
• MediaWiki editing resources:
  • http://meta.wikimedia.org/wiki/MediaWiki_FAQ
  • http://meta.wikimedia.org/wiki/Help:Template
  • http://www.mediawiki.org/wiki/Extension:Control_Structure_Functions

go back to the main OWASP O2 Platform page

This page contains links to other relevant research in this area:

• WALA (Watson Libraries for Analysis) - The T. J. Watson Libraries for Analysis (WALA) provide static analysis capabilities for Java bytecode and related languages

go back to the main OWASP O2 Platform page

You can join the O2 Platform Mailing list using this form or you can read its archives here. After being subscribed you can email this list using the owasp-o2-platform (at) lists.owasp.org email address

• OWASP AppSec DC Conference, USA (13-Nov-09) - "OWASP O2 Platform - Open Platform for automating application security knowledge and workflows", Dinis Cruz

In this talk Dinis Cruz will show the OWASP O2 Platform which is an open source toolkit specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews. The OWASP O2 Platform (http://www.owasp.org/index.php/OWASP_O2_Platform) consumes results from the scanning engines from Ounce Labs, Microsoft's CAT.NET tool, FindBugs, CodeCrawler and AppScan DE, and also provides limited support for Fortify and OWASP WebScarab dumps. In the past, there has been a very healthy skepticism on the usability of Source Code analysis engines to find commonly found vulnerabilities in real world applications. This presentation will show that with some creative and powerful tools, it IS possible to use O2 to discover those issues. This presentation will also show O2's advanced support for Struts and Spring MVC.

• OWASP AppSec Brazil Conference
• OWASP AppSec Ireland
• OWASP London Chapter
• UK Developer Event (Microsoft Oxford Research Campus)
• OWASP AppSec Poland Conference
• Confidence Conference (Poland)

Blogs

• Machinations Over O2, John Steven , 18/Nov/09
• IBM OWASP's O2 and Dinis , Gunter Ollmann , 17/Nov/09
• O2: A brief introduction and why you should care , Daniel Cuthbert, 17/Nov/09
• The Future of O2 , R'Snake Blog ,14/Nov/09
• O2: 'Open Platform for automating application security knowledge and workflows' , Michael Foord, 30/Sep/09

go back to the main OWASP O2 Platform page