{"id":313,"date":"2009-11-12T16:45:43","date_gmt":"2009-11-12T21:45:43","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=313"},"modified":"2009-11-12T16:31:46","modified_gmt":"2009-11-12T21:31:46","slug":"owasp-live-cd-an-open-environment-for-web-application-security","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/12\/owasp-live-cd-an-open-environment-for-web-application-security\/","title":{"rendered":"OWASP Live CD: An open environment for Web Application Security"},"content":{"rendered":"<p><span style=\"text-decoration: underline;\"><strong>General Goals Going Forward<br \/>\n<\/strong><\/span><\/p>\n<ul>\n<li>Showcase great OWASP projects<\/li>\n<li>Provide the best, freely distributable application security tools\/documents<\/li>\n<li>Ensure that the tools provided are as easy to use as possible<\/li>\n<li>Continue to document how to use the tools and how the modules were created<\/li>\n<li>Align the tools with the OWASP Testing Guide v3 to provide maximum coverage<\/li>\n<li>Awesome training environment<\/li>\n<\/ul>\n<p>330,081 total downloads as of 10\/5\/2009<\/p>\n<p>~5,094 GB of bandwidth since launch (7\/2008)<\/p>\n<p>Most downloads in 1 month = 81,607 (3\/2009)<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Available Tools: 26 &#8220;Significant&#8221;<\/strong><\/span><\/p>\n<ul>\n<li>WebScarab<\/li>\n<li>WebGoat<\/li>\n<li>CAL9000<\/li>\n<li>JBroFuzz<\/li>\n<li>WSFuzzer<\/li>\n<li>Wapiti<\/li>\n<li>Burp Suite<\/li>\n<li>Paros<\/li>\n<li>Spike Proxy<\/li>\n<li>ratproxy<\/li>\n<li>w3af<\/li>\n<li>Grendel-Scan<\/li>\n<li>Nikto<\/li>\n<li>nmap<\/li>\n<li>Zenmap<\/li>\n<li>sqlmap<\/li>\n<li>SQLBrute<\/li>\n<li>Metasploit<\/li>\n<li>&#8230;.<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>OWASP Documents<\/strong><\/span><\/p>\n<ul>\n<li>Testing Guide v2 &amp; v3<\/li>\n<li>CLASP<\/li>\n<li>Top 10 for 2007<\/li>\n<li>Top 10 for Java Enterprise 
Edition<\/li>\n<li>AppSec FAQ<\/li>\n<li>Books (CLASP, Top 10 2007, Top 10 + Testing + Legal, WebGoat and WebScarab, Guide 2.0, Code Review)<\/li>\n<li>WASC Threat Classification<\/li>\n<li>OSSTMM<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Where are we going?<\/strong><\/span><\/p>\n<ul>\n<li>Project Tindy (Live CD installed to a virtual hard drive, persistence, VMware, VirtualBox, and Parallels)<\/li>\n<li>Project Aqua Dog (OWASP Live CD on a USB drive, VM install + VM engine + USB drive = mobile app sec platform, currently testing, QEMU is the current VM engine)<\/li>\n<li>Much easier URL &#8211; AppSecLive.org<\/li>\n<li>Community site around OWASP Live CD<\/li>\n<li>Online Tool DB (331+ tools)<\/li>\n<li>New release will be based on Ubuntu instead of SLAX<\/li>\n<li>Create .deb packages for every tool<\/li>\n<li>Create a repository for packages<\/li>\n<li>Add dependency info to packages<\/li>\n<li>Brings the 26,000+ existing Ubuntu packages to the Live CD<\/li>\n<li>More fun cool stuff like Wubi (install Ubuntu onto an existing Windows desktop to be able to dual-boot without repartitioning Windows)<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Design Goals<\/strong><\/span><\/p>\n<ul>\n<li>Easy for users to keep updated<\/li>\n<li>Easy for project lead to keep updated<\/li>\n<li>Easy to produce releases (every 6 months)\n<ul>\n<li>Crank out new .debs when new tool versions are released<\/li>\n<li>Continually updating repository<\/li>\n<\/ul>\n<\/li>\n<li>Focused on just application security &#8211; not general pen testing\n<ul>\n<li>Both dynamic and static tools<\/li>\n<li>Developer tools also<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>OWASP Education Project<\/strong><\/span><\/p>\n<ul>\n<li>Natural ties between these projects\n<ul>\n<li>Already being used for training classes<\/li>\n<li>Need to coordinate efforts to make sure critical pieces aren&#8217;t missing from the OWASP Live 
CD<\/li>\n<li>Training environment could be customized for a particular class thanks to the individual modules\n<ul>\n<li>Student gets to take the environment home<\/li>\n<\/ul>\n<\/li>\n<li>As more modules come online, even more potential for cross-pollination<\/li>\n<li>Builder tools\/docs only expand its reach<\/li>\n<li>Kiosk mode?<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Crazy Pie in the Sky Idea<\/strong><\/span><\/p>\n<ul>\n<li>.deb package + auto update + categories = CD profiles<\/li>\n<li>Allows someone to customize the OWASP Live CD to their needs<\/li>\n<li>Example Profiles:\n<ul>\n<li>Whitebox testing<\/li>\n<li>Blackbox testing<\/li>\n<li>Static analysis<\/li>\n<li>Target specific (Java, .NET)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>What have you done for me lately?<\/strong><\/span><\/p>\n<ul>\n<li>For Testers\/QA testers\n<ul>\n<li>Wide array of tools, preconfigured and ready to go<\/li>\n<li>Nice &#8220;jump kit&#8221; to keep in your laptop bag<\/li>\n<li>Great platform to test or learn the tools<\/li>\n<\/ul>\n<\/li>\n<li>For App Sec Professionals\n<ul>\n<li>Both dynamic and static tool coverage<\/li>\n<li>Ability to customize for the job you&#8217;re on<\/li>\n<\/ul>\n<\/li>\n<li>For Trainers\n<ul>\n<li>Ready to go environment for students<\/li>\n<li>Ability to customize for the class<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Get Involved<\/strong><\/span><\/p>\n<ul>\n<li>Join the mailing list<\/li>\n<li>Post on the AppSecLive.org forums<\/li>\n<li>Download an ISO or VM\n<ul>\n<li>Complain or praise, suggest improvements<\/li>\n<li>Submit a bug to the Google Code site<\/li>\n<\/ul>\n<\/li>\n<li>Create a deb package of a tool\n<ul>\n<li>How I create the debs will be documented, command by command, and I&#8217;ll answer questions gladly<\/li>\n<\/ul>\n<\/li>\n<li>Suggest missing tools, docs, or links<\/li>\n<li>Do a screencast 
of one of the tools being used on the OWASP Live CD<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Learn More<\/strong><\/span><\/p>\n<ul>\n<li>Google &#8220;OWASP Live CD&#8221;<\/li>\n<li>Download &amp; Community Site (http:\/\/AppSecLive.org)<\/li>\n<\/ul>\n<p>Everything on the Live CD is stored under \/opt\/owasp<\/p>\n","protected":false},"excerpt":{"rendered":"<p>General Goals Going Forward Showcase great OWASP projects Provide the best, freely distributable application security tools\/documents Ensure that the tools provided are as easy to use as possible Continue to document how to use the tools and how the modules were created Align the tools with the OWASP Testing Guide v3 to provide maximum coverage Awesome [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[307,4],"tags":[327,191,328,12],"class_list":["post-313","post","type-post","status-publish","format-standard","hentry","category-owasp-appsec-dc-2009","category-web-app-sec","tag-cd","tag-live","tag-livecd","tag-owasp"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-53","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/313","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblo
g.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=313"}],"version-history":[{"count":3,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/313\/revisions"}],"predecessor-version":[{"id":320,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/313\/revisions\/320"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=313"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=313"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=313"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}