General Goals Going Forward

  • Showcase great OWASP projects
  • Provide the best, freely distributable application security tools/documents
  • Ensure that the tools provided are easy to use as possible
  • Continue to document how to use the tools and how the modules were created
  • Align the tools with the OWASP Testing Guide v3 to provide maximum coverage
  • Awesome training environment

330,081 total downloads as of 10/5/2009

~5,094 GB of bandwidth since launch (7/2008)

Most downloads in 1 month = 81,607 (3/2009)

Available Tools: 26 “Significant”

  • Web Scarab
  • Web Goat
  • CAL9000
  • JBroFuzz
  • WSFuzzer
  • Wapiti
  • Burp Suite
  • Paro
  • Spike Proxy
  • Rat Proxy
  • w3af
  • Grendel Scan
  • Nikto
  • nmap
  • Zenmap
  • sqlmap
  • SQL Brute
  • Metasploit
  • ….

OWASP Documents

  • Testing Guide v2 & v3
  • Top 10 for 2007
  • Top 10 for Java Enterprise Edition
  • AppSec FAQ
  • Books (CLASP, Top 10 2007, Top 10 + Testing + Legal, WebGoat and Web Scarab, Guide 2.0, Code Review)
  • WASC Threat Classification

Where are we going?

  • Project Tindy (Live CD installed to a virtual hard drive, persistence, VMware, VirtualBox, and Paralles)
  • Project Aqua Dog (OWASP Live CD on a USB drive, VM install + VM engine + USB drive = mobile app sec platform, currently testing, Qemu is the current VM engine)
  • Much easier URL –
  • Community site around OWASP Live CD
  • Online Tool DB (331+ tools)
  • New release will be based on Ubuntu instead of SLAX
  • Create .deb packages for every tool
  • Create a repository for packages
  • Add dependency info to packages
  • Brings the 26,000+ existing packages to the Live CD
  • More fun cool stuff like Wubi (install Ubuntu onto an existing windows desktop to be able to dual-boot without repartitioning windows)

Design Goals

  • Easy for users to keep updated
  • Easy for project lead to keep updated
  • Easy to produce releases (every 6 months)
    • Crank out new .debs when new tool releases
    • Continually updating repository
  • Focused on just application security – not general pen testing
    • Both dynamic and static tools
    • Developer tools also

OWASP Education Project

  • Natural ties between these projects
    • Already being used for training classes
    • Need to coordinate efforts to make sure critical pieces aren’t missing form the OWASP Live CD
    • Training environment could be customized for a particular class thanks to the individual modules
      • Student gets to take the environment home
    • As more modules come online, even more potential for cross pollination
    • Builder tools/docs only expand its reach
    • Kiosk mode?

Crazy Pie in the Sky Idea

  • .deb package + auto update + categories = CD profiles
  • Allows someone to customize the OWASP Live CD to their needs
  • Example Profiles:
    • Whitebox testing
    • Blackbox testing
    • Static analysis
    • Targe specific (Java, .Net)

What have you done for me lately?

  • For Testers/QA testers
    • Wide array of tools, preconfigured and ready to go
    • Nice “jump kit” to keep in your laptop bag
    • Great platform to test or learn the tools
  • For App Sec Professionals
    • Both dynamic and static tool coverage
    • Ability to customize the job your on
  • For Trainers
    • Ready to go environment for students
    • Ability to customize for the class

Get Involved

  • Join the mailing list
  • Post on hte forums
  • Download an ISO or VM
    • Complain or praise, suggest improvements
    • Submit a bug to the Google Code site
  • Create a deb package of a tool
    • How I create the debs will be documented, command by command and I’ll answer questions gladly
  • Suggest missing tools, docs, or links
  • Do a screencast of one of the tools being used on the OWASP Live CD

Learn More

  • Google “OWASP Live CD”
  • Download & Community Site (

Everything is stored in /opt/owasp