Testing from the Cloud: Is the sky falling?

Similar documents
Testing from the Cloud: Is the sky falling?

OWASP live CD -- The most simple topics

A Samurai-WTF intro to the Zed Attack Proxy

CS 410/510: Web Security X1: Labs Setup WFP1, WFP2, and Kali VMs on Google Cloud

Web Application Penetration Testing

Getting Ready. I have copies on flash drives Uncompress the VM. Mandiant Corporation. All rights reserved.

Injectable Exploits. New Tools for Pwning Web Apps and Browsers

OWASP ROI: OWASP Austin Chapter. The OWASP Foundation Optimize Security Spending using OWASP

UDS Enterprise Preparing Templates Xubuntu X2Go + UDS Actor

VIRTUALBOX UBUNTU EBOOK

UDS Enterprise Preparing Templates Xubuntu NX * + UDS Actor

ZAP Innovations. OWASP Zed Attack Proxy. Simon Bennetts. OWASP AppSec EU Hamburg The OWASP Foundation

Notes From The field

Welcome to OWASP Bay Area Application Security Summit July 23rd, OWASP July 23 rd, The OWASP Foundation

DOWNLOAD OR READ : UBUNTU I IN YOU AND YOU IN ME PDF EBOOK EPUB MOBI

Hands-on Security Tools

Taking AppSec to 11: AppSec Pipelines, DevOps, and Making Things Better OWASP San Antonio, April Matt Tesauro, Infinitiv

N different strategies to automate OWASP ZAP

CSWAE Certified Secure Web Application Engineer

Overview of Web Application Security and Setup

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

Manual Of Virtualbox Additions Ubuntu Server 12.04

CAELinux 2013: development and testing Posted by jcugnoni - 06 Apr :45

Apache Manually Install Ubuntu On Windows 8 Themes

Advanced Ethical Hacking & Penetration Testing. Ethical Hacking

Capture The Flag Challenge Prep Class

Framework for Application Security Testing. September 11th, 2018

CPTE: Certified Penetration Testing Engineer

Ansible Tower Quick Setup Guide

OWASP Romania Chapter

UDS Enterprise- Preparing Templates Xubuntu XRDP UDS Actor

1. Install a Virtual Machine Download Ubuntu Create a New Virtual Machine Seamless Operation between Windows an Linux...

Integrating Tools Into the SDLC

Certified Secure Web Application Engineer

Remote GUI access to a Linux computer using Tightvnc

Working with Ubuntu Linux. Track 2 Workshop June 2010 Pago Pago, American Samoa

How to hack and secure your Java web applications

Secure RESTful Web Services to Mobilize Powerful Website Penetration Testing Tools

KVM Guest Management With Virt-Manager On Ubuntu 8.10

OWASP Broken Web Application Project. When Bad Web Apps are Good

CS197U: A Hands on Introduction to Unix

LGTM Enterprise System Requirements. Release , August 2018

SNOW LICENSE MANAGER (7.X)... 3

ElasterStack 3.2 User Administration Guide - Advanced Zone

Harbor Registry. VMware VMware Inc. All rights reserved.

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

Application Security for the Masses. OWASP Greek Chapter Meeting 16/3/2011. The OWASP Foundation

Linux application virtualization with UDS Enterprise. Versión Rev. 1

Feb 28, :01-02:30 Welcome note & Introduction to OWASP : Somen Das, OWASP BBSR Chapter Lead

How to Deploy an Oracle E-Business Suite System in Minutes Using Oracle VM Templates

Reboot the server and start the hypervisor from the boot menu (Xen amd64 / Debian GNU/Linux, kernel xen-amd64)

Linux Essentials Objectives Topics:

A D V I S O R Y S E R V I C E S. Web Application Assessment

Applies to: SECURE WEB Version 1.3 and above

Technical Manual. Software Quality Analysis as a Service (SQUAAD) Team No.1. Implementers: Aleksandr Chernousov Chris Harman Supicha Phadungslip

Experiences with OracleVM 3.3

How To Manually Install Driver Ubuntu Server On Virtualbox

Perl Install Module Windows Xp From Usb Stick Edition

How to add support for DJVU file format on M$ Windows, Mac, GNU / Linux and FreeBSD

The SHARED hosting plan is designed to meet the advanced hosting needs of businesses who are not yet ready to move on to a server solution.

OPMANTEK NETWORK MANAGEMENT AND IT AUDIT SOFTWARE. Troubleshooting Open-AudIT Discoveries v1 January 2019

How To Install Java On Linux Ubuntu >>>CLICK HERE<<<

271 Waverley Oaks Rd. Telephone: Suite 206 Waltham, MA USA

Security. DevOps Bootcamp, OSU, Feb 2015 Kees Cook (pronounced Case )

Being Mean To Your Code: Integrating Security Tools into Your DevOps Pipeline

February 2017 Version: 1.0. Xerox App Gallery 4.0 Information Assurance Disclosure

ANZTB SIGIST May 2011 Perth OWASP How minor vulnerabilities can do very bad things. OWASP Wednesday 25 th May The OWASP Foundation

Ensure that the server where you install the Primary Server software meets the following requirements: Item Requirements Additional Details

SNOW LICENSE MANAGER (7.X)... 3

Android System Development Training 4-day session

Manual Updating Ubuntu Server Command Line

Lab 5: Web Attacks using Burp Suite

OWASP InfoSec Romania 2013

Testing at Cloud Speed. Matt Tesauro, SANS AppSec 2013 Austin, TX, April 2013

CTF Workshop. Crim Synopsys, Inc. 1

Project: Configure ArcGIS Server 10 using Microsoft Server 2008 Failover Cluster

Introduction to Ethical Hacking

Introduction to Web Security Dojo Copyright Maven Security Consulting Inc (

OWASP ESAPI SwingSet. OWASP 26 April Fabio Cerullo Ireland Chapter Leader Global Education Committee

SQL Server on Linux and Containers

(Ubuntu 10.04), the installation command is slightly different.

SENAITE Community VM Version: 1.1 Date: 2018/01/11

OpenStack Havana All-in-One lab on VMware Workstation

Learning What s New in ArcGIS 10.1 for Server: Administration

Cherwell Service Management

MyCloud Computing Business computing in the cloud, ready to go in minutes

Cloud Computing 1. CSCI 4850/5850 High-Performance Computing Spring 2018

Security Readiness Assessment

Welcome to Linux Foundation E-Learning Training

Xen and CloudStack. Ewan Mellor. Director, Engineering, Open-source Cloud Platforms Citrix Systems

Guide to your Plug Computer

Zadara Enterprise Storage in

OSSAMS -Security Testing Automation and Reporting

Metasploit. Installation Guide Release 4.4

Hack and Slash with Pythonect. Itzik Kotler Creator and Lead Developer of Pythonect and Hackersh

Remove Java Manual Mac Os X Lion Server Mountain

Apache Manually Install Ubuntu From Usb

TELE3119 Trusted Networks Lab 1(a),(b) Sniffing wireless traffic

Secure DevOps: A Puma s Tail

SQL Server vnext on Linux Ubuntu - Part 1

Transcription:

Austin, Feb 2012 The OWASP Foundation http://www.owasp.org Testing from the Cloud: Is the sky falling? Matt Tesauro OWASP Foundation Board Member, WTE Project Lead matt.tesauro@owasp.org Rackspace Application Security Engineer

Who's this Matt guy anyway? Broad IT background Developer, DBA, Sys Admin, Pen Tester, Application Security professional, consultant, CISSP, CEH, RHCE, Linux+ Long history with Linux and Open Source Contributor to many projects Leader of OWASP Live CD / WTE OWASP Foundation Board Member Rackspace Cloud Application Security 2

OWASP WTE: A History

It all started that fine spring day... 4

At all started that summer... 5

Then that summer... 6

Current Release OWASP WTE Sept 2011 Alpha of WTE Cloud Previous Releases OWASP WTE Feb 2011 OWASP WTE Beta Jan 2010 AppSecEU May 2009 AustinTerrier Feb 2009 Portugal Release Dec 2008 SoC Release Sept 2008 Beta1 and Beta2 releases during the SoC Note: Not all had ISO,VirtualBox and Vmware versions 7

Overall downloads: 330,081 (as of 2009-10-05) Other fun facts ~5,094 GB of bandwidth since launch (Jul 2008) Most downloads in 1 month = 81,607 (Mar 2009) 8

There's a new kid in town OWASP WTE Web Testing Environment 9

The project has grown to more than just a Live CD VMWare installs/appliances VirtualBox installs USB Installs Training Environments Pre-packaged tools Cloud??? Add in the transition to Ubuntu/Debian and the possibilities are endless (plus the 26,000+ packages in the repos) 10

GOAL Make application security tools and documentation readily available and easy to use Compliment's OWASP goal to make app security visible Design goals Easy for users to keep updated Easy for project lead to keep updated Easy to produce releases (more on this later) Focused just on application security not general pen testing 11

What's on WTE

13

14

29 Significant Tools Available OWASP Tools: Web Scarab a tool for performing all types of security testing on web apps and web services Web Goat an online training environment for hands-on learning about app sec CAL9000 a collection of web app sec testing tools especially encoding/decoding JBroFuzz a web application fuzzer for requests being made over HTTP and/or HTTPS. EnDe An amazing collection of encoding and decoding tools as well as many other utilities WSFuzzer a fuzzer with HTTP based SOAP services as its main target Wapiti audits the security of web apps by performing "black-box" scans DirBuster a multi threaded Java app to brute force directory and file names WebSlayer A tool designed for brute-forcing web applications such as resource discovery, GET and POST fuzzing, etc ZAP Proxy A fork of the popular but moribund Paros Proxy 15

Other Proxies: Burp Suite Paros Spike Proxy Scanners: SQL-i: Others: w3af sqlmap Grendel Scan SQL Brute Nikto Metasploit Httprint Maltego CE Duh: Rat Proxy nmap Zenmap Firefox netcat Wireshark Fierce Domain Scanner tcpdump 16

Why is it different?

18

19

20

OWASP Documents Testing Guide v2 & v3 CLASP and OpenSamm Top 10 for 2010 Top 10 for Java Enterprise Edition AppSec FAQ Books tried to get all of them CLASP, Top 10 2010, Top 10 + Testing + Legal, WebGoat and Web Scarab, Guide 2.0, Code Review Others WASC Threat Classification, OSTTMM 3.0 & 2.2 21

22

23

24

25

26

27

What is next?

29

Cloud-ifying WTE Cloud Provider Ubuntu / Debian Install WTE Repository Fun ensues 30

WTE Cloud The12 Step Program Currently this still mostly manual 12 steps to get a fully-functional WTE ~30 minutes until you are logged in 31

Step 1: Get a cloud account 32

Step 2: Select Ubuntu/Debian 33

Step 3: Choose Name & RAM 34

Step 4: Start your server 35

Step 5: A bit of Prep ssh to your new Linux box Add Ubuntu partners and WTE repos & apt-get update $ ssh root@50.57.234.97 root@wte-test:~# echo "deb http://archive.canonical.com/ubuntu maverick partner" >> /etc/apt/sources.list root@wte-test:~# echo "deb http://appseclive.org/apt/stable /" >> /etc/apt/sources.list root@wte-test:~# apt-get update 36

Step 6: Install Desktop + WTE 37

Step 7: Finish things off... Add a NX Server ppa:freenx-team (plus a fix) ~ or ~ No Machine NX server (free or $) Add OWASP user Start lightdm (graphical login) # useradd --comment "OWASP WTE" --create-home owasp # echo -e "owasp\nowasp" passwd owasp # service lightdm start 38

Step 8: NX Client setup 39

Step 8: Connect to WTE 40

Step 9: WTE ala Cloud 41

Step 9: WTE ala Cloud 42

Step 9: WTE ala Cloud 43

Step 10: Test Connectivity 44

Step 11: Test the Tools 45

Turn Cats into Dogs 46

Step 12: Check your bill 47

Cost Estimates 48

Cost Estimates For 40 hours + 1 GB transfer $4.98 For M-F, 24 hrs + 1 GB transfer = $15.48 For 30 days, 24 hrs + 4 GB transfer = $88.32 49

Now what?

More Automation Make configuration steps into a script Add to postinst for wte-cloud package Get setup down to a single step Ideally all in the wte-cloud package Automate the bling (theme, etc) Test on other Cloud providers 51

Even More Automation Python library to abstract away differences between multiple cloud provider APIs Cloud Servers Cloud Storage Cloud Load balancers Supports 24 different providers 52

More Options Different desktop installs Minimal (Gnome, KDE, XFCE, LXDE...) Tweaked for specific need Instant WebGoat in the sky Internal Clouds OpenStack, VMware, Xen VirtualBox (headless) 53

Document, Document Document Document and post the current manual process (coming soon) Create then document the Libcloud process Tutorials for various providers 54

Problems

Current Issues Yikes! AMD64 CPU Some tools lack a dependency WTE Firefox is for i386 NX server is a bit tricky Either outdated or limited/$ The WTE theme gets lost Need to look at X2go to replace NX 56

How can you get involved? Join the OWASP mail list Announcements are there low traffic Download an ISO or VM or Cloud instance Complain or praise, suggest improvements Submit a bug to the Google Code site 57

How can you get involved? Suggest missing doc or links Do a screencast of one of the tools Suggest some cool new tool Create a.deb package 58

Learn More... OWASP Site http://www.owasp.org/index.php/category:owasp_live_cd_project or just look on the OWASP project page (release quality) http://www.owasp.org/index.php/category:owasp_project or Google OWASP Live CD or OWASP WTE Download & Community Site http://appseclive.org Previously: http://mtesauro.com/livecd/ 59

Why do I do this? 60

Questions? Download it free at: http://www.sintel.org Sintel Independent film produced by the Blender Foundation using free and open software 61

62

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback