Email request for additions and tweaks to the OWASP Live CD
Submitted by mtesauro on Wed, 11/25/2009 - 13:10
Here's a few ideas / links / etc. that I wanted to share about the project:
* I can't commend you enough for taking the step from building a one-off Live
CD to making these tools available to users in a trivial manner by packaging
them for general use. While LiveCDs are great for demonstrations and as
introductions to new toolsets, being able to integrate the tools into your
normal package management is ideal. Thank you!
* Tool: soapUI (http://www.soapui.org/license.html) Web services testing
tool, plus mock service generator. I've used this as both a builder and
a breaker tool .... it will build a mock service from a WSDL file that a
developer can use to start building a client. The base version is GPL.
* Project naming: While the initial project was a Live CD, it seems to be
moving towards an "App Sec Testing Environment", with a Live CD as one
incarnation of the environment. When you add in the documentation and
more builder tools, it's no longer just a testing environment, but a more
general purpose "Tool Box" for secure web application development, covering
the whole lifecycle. 'sudo aptitude install owasp-toolbox' would be
a beautiful thing to see.
* For users starting off with app testing tools, having fruitful targets is
tremendously helpful. Commercial tools like Watchfire/IBM's AppScan have
demo sites that can be scanned to show off the full process flow of the
application ... configure, scan, see results, reporting, etc. I've not
started looking at the "Attack Me, LTD" target that's on the DVD, but I
look forward to doing so. This is a critical part of learning these
tools, and again, thank you for making this available.
There are a set of PenTest LiveCDs from http://heorot.net/livecds/ that
may be of interest in a similar vein. One welcome addition to the testing
toolbox would be a set of targets to make use of the tools. Ideally,
providing these as OVF Appliances [1] would make importing them into VMWare
and VirtualBox trivial, and might even provide for complex, multi-machine
configurations.
Additionally, the pairing of tools and targets that can be reconstructed
by novice users flows naturally into building training videos / content
atop the full lab environment.
* Link: http://www.offensive-security.com/metasploit-unleashed/
"... the most complete and in-depth open course about the Metasploit Framework."
I'm a bit uneasy about their recommendation to grab NIST's FDCC Windows XP
images for the testing lab, but aside from that, the training looks quite complete.
* One add-on to the set of tools that would be really handy is a list of
the "hidden jewels" of these tools. For example, using SpiderMan w/ w3af,
reading webscarab's conversations into SQLMap, etc. This helps illustrate
where specific tools shine, but also helps people understand that there are
ways to fit the tools together and get an amazing amount of data from
them very quickly.
* Metasploit & w3af: One way to handle the svn updated tools would be to
provide packages for each tagged release (i.e. msf-3.2) that handles the
dependencies and installs the released code set, without updates.
Another method would be to provide a package that sorts out the dependencies
for each release, and hooks the SVN update into the post-install process.
For extra bonus points, hooking it into dist-upgrade such that 'aptitude
full-upgrade' will do an SVN update of MSF and w3af (and others) would be
really elegant.
Having separate packages available for both sets would be helpful, especially
if both can be installed simultaneously.
Thank you again for all of the work you've put into making these tools
accessible to everyone! I look forward to seeing the next release and the repositories.
[1] http://www.vmware.com/appliances/getting-started/learn/ovf.html
http://ovfappliances.com/
~~~~~[ and in a follow on email ]~~~~~
two more package requests:
* OpenVPN & related tools
* open{ssl,ssh,vpn}-blacklist
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
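The packaging idea in the email (a package that sorts out dependencies, checks out the tagged SVN release on install, and refreshes it whenever apt runs) can be sketched in two small shell functions. This is an added illustration, not code from the OWASP Live CD project or from the email's author; the package name, script and file paths, and the repository URL are assumptions, and the svn command is passed as a parameter only so the logic can be exercised without a network.

```shell
#!/bin/sh
# Added example (not the OWASP Live CD project's code): the "SVN update in
# post-install" packaging approach described in the email above.
# Assumed names: package owasp-toolbox, refresh script
# /usr/lib/owasp-toolbox/svn-refresh, repository URL svn.example.invalid.
set -eu

# sync_svn_checkout REPO_URL DEST_DIR [SVN_CMD]
# First install: check out REPO_URL (ideally a tagged release such as
# tags/3.2, so the installed code set is reproducible) into DEST_DIR.
# Later runs: update the existing working copy in place.
# Prints "checked-out" or "updated" so a caller can tell which happened.
sync_svn_checkout() {
    repo_url=$1
    dest_dir=$2
    svn_cmd=${3:-svn}
    if [ -d "$dest_dir/.svn" ]; then
        "$svn_cmd" update --non-interactive "$dest_dir"
        echo updated
    else
        "$svn_cmd" checkout --non-interactive "$repo_url" "$dest_dir"
        echo checked-out
    fi
}

# write_apt_hook CONF_FILE SCRIPT_PATH
# Write an apt.conf.d snippet so that after every dpkg run (which includes
# 'aptitude full-upgrade') apt executes SCRIPT_PATH, the script that calls
# sync_svn_checkout for each SVN-tracked tool. DPkg::Post-Invoke is apt's
# real hook option; the snippet file name is an assumption.
write_apt_hook() {
    conf_file=$1
    script_path=$2
    printf 'DPkg::Post-Invoke { "if [ -x %s ]; then %s; fi"; };\n' \
        "$script_path" "$script_path" > "$conf_file"
}

# When this file is used as a Debian postinst, dpkg calls it with
# "configure" as the first argument; do the initial checkout then.
case "${1:-}" in
    configure)
        sync_svn_checkout "https://svn.example.invalid/msf/tags/3.2" \
            /usr/share/owasp-toolbox/msf
        write_apt_hook /etc/apt/apt.conf.d/99owasp-toolbox \
            /usr/lib/owasp-toolbox/svn-refresh
        ;;
esac
```

The post-invoke hook is what makes 'aptitude full-upgrade' refresh the working copies, but it also means unreviewed code arrives through the package manager on every run. Keeping the checkout pinned to a tagged release (as the email's first option proposes) and fetching only over https from the project's own repository keeps that update path as trustworthy as the packages around it.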
