OWASP O2 Platform

From OWASP
Revision as of 05:40, 16 May 2010 by Dinis.cruz (Talk | contribs)


NOTE: this O2 site is still under very heavy construction (& most of the content below is related to the previous version of O2)

TRY o2 (most recent published version)

If you want to try/use O2, follow the instructions on this page: Installing O2

There is an external (to OWASP) experimental O2 website which is currently being used to host the help files and documentation pages: http://www.o2-platform.com

NOT up-to-date content

Home Page

About O2
O2 is a collection of Open Source modules that help Web Application Security Professionals maximize their efforts and quickly obtain high visibility into an application's security profile. The objective is to 'Automate Application Security Knowledge and Workflows'.

To gain a better understanding of "what is O2?", start with this presentation "What is the OWASP O2 Platform" and then read this presentation "OWASP O2 Platform Modules".

History

O2 (OunceOpen) originated from the work of the OunceLabs Advanced Research Team (ART), and aims to push the power of multiple Static Analysis engines to the limit.

These tools have been developed by Security Professionals FOR security professionals, and are designed to automate the security consultant's brain.

External (to OWASP) O2 website

O2 has a sister (to OWASP) website which contains additional documentation, downloads and O2-related blogs: http://www.o2-ounceopen.com

Try O2!

Download the latest version of the Binaries, Installers or Source Code (from Files (Binaries, Source and Demos))

Or you can install the most commonly used O2 Modules directly from the web (using Click Once) at http://deploy.o2-ounceopen.com/:


For demos try these

Code Repository and Bug Tracking System

O2 uses Google Code for its core repository and bugtracking system: http://code.google.com/p/o2platform/





Follow O2Platform on Twitter! or use the #O2Platform hashtag for your tweets


Downloads


Source Code

O2 @ Google Code

O2's source code is hosted on Google Code SVN: http://code.google.com/p/o2platform/

Check out code

Command-line access

Use this command to anonymously check out the latest project source code:

    # Non-members may check out a read-only working copy anonymously over HTTP.
    svn checkout http://o2platform.googlecode.com/svn/trunk/ o2platform-read-only

Visual Studio SVN

For SVN access, the main O2 developers use Visual Studio 2008 and [1] (which nicely integrates with Visual Studio IDE)




"I'm lost! Where do I start?"

The objective of this page is to help new O2 users to figure out the best way to start and be productive (on using or contributing to O2)

If you have not done it already, you should subscribe to the OWASP O2 Platform Mailing list using this form (you can read its archives here).

I want to understand what is O2

I want to be more involved with O2





Sub-Projects

Code Repository & Bug Tracking System

Sub-Projects Pages




Supported Technologies

The following list represents the current O2 supported technologies and how they can be consumed by multiple O2 Modules.

Note that adding support for a new technology, tool or framework is usually quite an easy task (since there are numerous O2 APIs that can be easily reused or modified).

If you have a particular need, please send a request to the O2 mailing list.

Findings Creation

Cir Creation

  • Open Source or Free Tools
    • Using O2 Modules
      • .NET Framework Assemblies (*.dll , *.exe)
      • Java class files (*.class, *.jar, *.war)
  • Requiring Paid-for license
    • Ounce 6.x (now called IBM AppScan Source Edition)
      • .NET, Java, C/C++, VB6, ASP Classic and (under internal beta at the moment) PHP

Trigger Scans

  • Open Source or Free Tools
    • CAT.NET v1.0 (have not tested the latest release)
  • Requiring Paid-for license
    • Ounce 6.x (now called IBM AppScan Source Edition)

Framework Support




O2 Documentation

OWASP O2 Platform/WIKI/O2 Documentation

Research

This page contains links to other relevant research in this area:

  • WALA (Watson Libraries for Analysis) - The T. J. Watson Libraries for Analysis (WALA) provide static analysis capabilities for Java bytecode and related languages






Mailing list, O2 Presentations

You can join the O2 Platform Mailing list using this form, or you can read its archives here. After subscribing, you can email the list using the owasp-o2-platform (at) lists.owasp.org email address.

  • OWASP AppSec DC Conference, USA (13-Nov-09) - "OWASP O2 Platform - Open Platform for automating application security knowledge and workflows", Dinis Cruz
In this talk Dinis Cruz will show the OWASP O2 Platform which is an open source toolkit specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews. The OWASP O2 Platform (http://www.owasp.org/index.php/OWASP_O2_Platform) consumes results from the scanning engines from Ounce Labs, Microsoft's CAT.NET tool, FindBugs, CodeCrawler and AppScan DE, and also provides limited support for Fortify and OWASP WebScarab dumps. In the past, there has been a very healthy skepticism on the usability of Source Code analysis engines to find commonly found vulnerabilities in real world applications. This presentation will show that with some creative and powerful tools, it IS possible to use O2 to discover those issues. This presentation will also show O2's advanced support for Struts and Spring MVC.
  • OWASP AppSec Brazil Conference
  • OWASP AppSec Ireland
  • OWASP London Chapter
  • UK Developer Event (Microsoft Oxford Research Campus)
  • OWASP AppSec Poland Conference
  • Confidence Conference (Poland)

External Blogs & Media References

Blogs





Project Details

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What does this OWASP project release offer you?
what is this project?
OWASP O2 Platform Project

Purpose: Collection of Open Source modules that help Web Application Security Professionals to maximize their efforts and quickly obtain high visibility into an application's security profile.
NOTE: most of the O2 Platform content is still on the external website www.o2-ounceopen.com

License: N/A

who is working on this project?
Project Leader: Dinis Cruz @

Project Maintainer: Dinis Cruz @

Project Contributor(s): N/A

how can you learn more?
Project Pamphlet: N/A

3x slide Project Presentation: N/A

Mailing list: Subscribe or read the archives

Project Roadmap: To view, click here

Main links:

Project Health: Not Reviewed (Provisional)
To be reviewed under Assessment Criteria v2.0

Key Contacts
  • Contact Dinis Cruz @ to contribute, review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
First Release - Unknown Date - (download)

Release Leader: N/A

Release details: Main links, release roadmap and assessment

Rating: Not Reviewed
To be reviewed under Assessment Criteria v2.0