Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation, OWASP AppSec NYC ’08
The Owasp Orizon Project: towards version 1.0
Paolo Perego, Owasp Orizon Project Leader, Spike Reply

Owasp AppSec NYC ’08, New York City – 25th September

Agenda
- where did we leave off in Ghent, last May...
- the road towards version 1.0

$ whoami
- Senior Security, Spike Reply Srl
  - penetration testing
  - secure application building
  - code review & source code assessment
- Owasp Orizon Project leader
- Active member in
  - Owasp Italian chapter
  - Owasp Code Review Project

Kickoff: why do I need Orizon?
- A lot of commercial solutions are available for code review
  - good at finding bugs
  - skilled support
  - expensive
- Open source solutions are available too
  - limited number of security checks
  - good support from the open source community
  - open

Some preliminary info
- Orizon is a code review engine I started back in 2006
- It supports
  - static analysis
  - dynamic analysis via code execution
- Orizon is language independent: the source is translated into XML and then analysed
- A library with security checks is provided
  - the library is self contained in the Orizon JAR archive
  - the checks are gathered in “safe coding recipes” in XML

Where did we leave off in Ghent, last May...
- During Owasp AppSec EU 2008
  - Orizon reached v0.90
  - plugins were introduced
  - a Java SWT GUI was added
  - Orizon also included Milk, embedded into it
- Feedback was good
- Major criticisms (... thanks Dinis)
  - there is too much noise in the translated XML
  - building a source object model is a better approach
  - more effort must be redirected to static analysis

Where did we leave off in Ghent, last May... (architecture diagram)
- Phases shown: Preprocessing, Code reviewing, Reporting, Code crawling
- Engines shown: XML Translator engine, Jericho engine, Dawn engine, Reporting engine, Crawler engine, Plugin engine

Road towards version 1.0... the need for a change
- Input file management
  - scanning a directory recursively is not supported
- Library management
  - a standalone file is difficult to deploy
  - hard to find a default location for the library from the orizon path
- Translated XML files
  - too much noise
  - hard to retrieve the information needed to build an object model

Road towards version 1.0... the stack (diagram)
- Layers shown: XML Translator factory, Reporting engine, Dynamic analysis, Static analysis
- Analysis components shown: Statistics, Control Flow, Call Graph, Data Graph

Road towards version 1.0... the workflow
- Session initialization
  - the input type is detected
  - a Session object is created
  - for each input file a SessionInfo object is created as well
- Preprocessing
  - scan each file to build the AST in memory
  - parse the AST and create 4 different XML files:
    - statistical information
    - methods and subroutine calls
    - variable instantiation and changes
    - control flow
- Static analysis
  - security checks are applied according to the given translated XML element
  - the source code can be crawled to find some dangerous keywords
- Reporting
  - results are represented in different formats: XML, plain text

Road towards version 1.0... session initialization
- A Session object is created
- Properties collected from the command line are stored in the session (-o, --orizon key=value)
- The init() method causes
  - each input file to be associated with a SessionInfo
  - each input file to be inspected and the corresponding AST to be built

Road towards version 1.0... session initialization (continued)
- Upon creation the XML file names are built
- The inspect() method does all the dirty work, collecting all the results in the DefaultTranslator object
- getStats() and friends take the DefaultTranslator object and create the XML file

Road towards version 1.0... preprocessing
- scan() is the method invoked when creating the AST
- the nameService() methods are the ones creating the XML files
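
The preprocessing step described on the last few slides, shown as an added example (this is not Orizon's code; Orizon translates Java, and the Python `ast` module stands in here so the whole thing runs offline). The sample source, the element names and the four file names are constructed for the example; the point is the separation the slides ask for: one AST built once, then four small XML documents (statistics, calls, variable changes, control flow) that carry only what a later analysis pass needs, instead of a noisy dump of the whole tree.

```python
import ast
import xml.etree.ElementTree as ET

# Constructed sample input (Orizon targets Java; Python stands in here so the
# standard-library parser can be used offline).
SAMPLE_SOURCE = '''
def handler(request):
    user = request.get("user")
    query = "SELECT * FROM t WHERE u='" + user + "'"
    if user:
        rows = db.execute(query)
        for r in rows:
            print(r)
    user = None
    return rows
'''


def _call_target(node):
    """Render a call target as dotted text (db.execute, request.get, print)."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return _call_target(node.value) + "." + node.attr
    return type(node).__name__


def translate(source):
    """Build the AST once and return the four XML roots keyed by (assumed) file name."""
    tree = ast.parse(source)
    stats = ET.Element("statistics")
    calls = ET.Element("calls")
    variables = ET.Element("variables")
    flow = ET.Element("controlflow")
    counters = {"functions": 0, "calls": 0, "assignments": 0, "branches": 0}
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            counters["functions"] += 1
            ET.SubElement(flow, "function", name=node.name, line=str(node.lineno))
        elif isinstance(node, ast.Call):
            counters["calls"] += 1
            ET.SubElement(calls, "call", target=_call_target(node.func),
                          line=str(node.lineno), args=str(len(node.args)))
        elif isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    counters["assignments"] += 1
                    ET.SubElement(variables, "assign", name=target.id,
                                  line=str(node.lineno),
                                  value=type(node.value).__name__)
        elif isinstance(node, (ast.If, ast.For, ast.While)):
            counters["branches"] += 1
            ET.SubElement(flow, "branch", kind=type(node).__name__.lower(),
                          line=str(node.lineno))
    ET.SubElement(stats, "lines").text = str(len(source.strip().splitlines()))
    for key, value in counters.items():
        ET.SubElement(stats, key).text = str(value)
    return {"stats.xml": stats, "calls.xml": calls,
            "variables.xml": variables, "controlflow.xml": flow}


def to_xml(root):
    """Serialise one translated document, as the preprocessing step would write it."""
    return ET.tostring(root, encoding="unicode")


def summarize(docs):
    """Counts from stats.xml plus the variables assigned more than once
    (a later data-flow pass cares about exactly those)."""
    names = [e.get("name") for e in docs["variables.xml"].findall("assign")]
    summary = {child.tag: int(child.text) for child in docs["stats.xml"]}
    summary["reassigned"] = sorted({n for n in names if names.count(n) > 1})
    return summary


if __name__ == "__main__":
    translated = translate(SAMPLE_SOURCE)
    for name, root in translated.items():
        print(name)
        print(to_xml(root))
    print(summarize(translated))
```

Each document keeps line numbers on every element, so a check that fires on `calls.xml` can still be reported against the original source; the `variables.xml` output already shows that `user` is written twice, which is the kind of fact a control-flow or taint pass needs without re-parsing.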

DEMO: preprocessing, the newer XML file format generated by Orizon

Road towards version 1.0... static analysis
- Source code crawling
  - introduced in Orizon v0.70
  - the good: a quick and dirty review can be performed
  - the bad: results are more prone to false positives

Road towards version 1.0... static analysis: the new library
- embedded in the Orizon jar file
- same flaw category layout as the Owasp Code Review guide
- library.xml is used as the library descriptor

Road towards version 1.0... static analysis: cookbooks
- A cookbook is a family of source flaws
- A file named cookbook.xml must be present and is used as the cookbook descriptor
- A weight is given to each cookbook, to better fine tune the code review score

Road towards version 1.0... static analysis: recipes
- Recipes are XML files containing security checks
- Each recipe and each check has its own weight score
- Checks are divided into families
  - design
  - keyword
  - execution

Road towards version 1.0... static analysis: org.owasp.orizon.core.Source
- reads the translated XML files
- initialises Jericho
- fires up the core review
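
An added example (not Orizon's own library code) that ties together the three static-analysis slides above: a weighted recipe, checks split into families, and the difference between the v0.70-style keyword crawl and a pass that at least skips comments. The `<check>` attributes `id`, `severity`, `impact` and `description` are the ones shown on the plugin slide later in this deck; `family`, `weight`, the `<keyword>` child element, the recipe element itself and the Java snippet under review are all constructed for this example and are not Orizon's real schema.

```python
import xml.etree.ElementTree as ET

# Constructed recipe. Only id/severity/impact/description are attribute names
# taken from the deck; family, weight and <keyword> are assumed here.
RECIPE_XML = """
<recipe name="injection" weight="3">
  <check id="K_SQL_1" family="keyword" severity="error" impact="high" weight="3"
         description="SQL executed from a string built at runtime">
    <keyword>executeQuery(</keyword>
  </check>
  <check id="K_EXEC_1" family="keyword" severity="error" impact="high" weight="2"
         description="external command executed">
    <keyword>.exec(</keyword>
  </check>
  <check id="D_CONN_1" family="design" severity="warning" impact="medium" weight="1"
         description="connection handling must be reviewed by hand">
  </check>
</recipe>
"""

# Constructed Java snippet under review. Line 2 is a comment that contains a
# keyword: exactly the place where plain crawling over-reports.
SAMPLE_JAVA = """String q = "SELECT * FROM users WHERE name='" + name + "'";
// TODO: replace the .exec( call below with ProcessBuilder
Statement st = conn.createStatement();
ResultSet rs = st.executeQuery(q);
Process p = Runtime.getRuntime().exec(cmd);
"""


def load_recipe(xml_text):
    """Return (recipe weight, list of checks); every check keeps its own weight."""
    root = ET.fromstring(xml_text)
    checks = []
    for c in root.findall("check"):
        checks.append({
            "id": c.get("id"), "family": c.get("family"),
            "severity": c.get("severity"), "weight": int(c.get("weight", "1")),
            "keywords": [k.text for k in c.findall("keyword")],
        })
    return int(root.get("weight", "1")), checks


def is_comment(line):
    """Whole-line Java comments only; a real pass would use the translated XML."""
    s = line.strip()
    return s.startswith("//") or s.startswith("*") or s.startswith("/*")


def run_checks(source, checks, skip_comments):
    """Apply the keyword family. skip_comments=False is the v0.70-style crawl;
    skip_comments=True is a minimal comment-aware pass. Design and execution
    checks need the translated XML or code execution, so they are only listed."""
    findings, deferred = [], []
    for check in checks:
        if check["family"] != "keyword":
            deferred.append(check["id"])
            continue
        for lineno, line in enumerate(source.splitlines(), start=1):
            if skip_comments and is_comment(line):
                continue
            if any(k in line for k in check["keywords"]):
                findings.append((check["id"], lineno, check["weight"]))
    return findings, deferred


def score(findings, recipe_weight):
    """Weighted score: sum of the check weights, scaled by the recipe weight."""
    return recipe_weight * sum(w for _, _, w in findings)


if __name__ == "__main__":
    recipe_weight, checks = load_recipe(RECIPE_XML)
    for mode in (False, True):
        found, deferred = run_checks(SAMPLE_JAVA, checks, skip_comments=mode)
        print("skip_comments=%s findings=%s score=%d deferred=%s"
              % (mode, found, score(found, recipe_weight), deferred))
```

The crawl reports the comment on line 2 as a hit and inflates the score; the comment-aware pass drops it but still cannot answer the design check, which is why the deck moves the real checks onto the translated XML rather than onto raw text.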

DEMO: static analysis

Road towards version 1.0... plugins
- An interface is provided and all plugins must implement it
  - org.owasp.orizon.plugin.Plugin
- A loader class
  - extracts the plugin class from a given jar file
  - checks if the plugin is intended for this orizon version
  - loads the class and returns it to the Jericho engine

Road towards version 1.0... plugins
- The Jericho engine will
  - instantiate a new object
  - run the plugin via the start() and stop() methods
- The plugin will be called this way:

    <check id="O_EX_1"
           severity="error"
           impact="high"
           description="This check will be handled by an external piece of code"
           positive_fail="false"
           external="yes"
           jar="c:\users\thesp0nge\test.jar"
           package=""
           class="Test" />

Road towards version 1.0... plugins (client code)

    import org.owasp.orizon.plugin.Plugin;
    // Loader is Orizon's plugin loader class; its package is not shown on the slide.

    public class PluginDemo {
        public static void main(String args[]) {
            Loader l = new Loader("c:\\users\\thesp0nge\\test.jar");
            try {
                // Plugin p = (Plugin)l.load("Test").newInstance();
                Class<?> c = l.load("Test");   // null when the jar holds no usable plugin
                if (c == null) return;
                Plugin p = (Plugin) c.newInstance();
                p.start();
                p.stop();
                System.out.println("here");
            } catch (Exception e) {
                e.printStackTrace();
                System.err.println("main: " + e.getMessage());
                return;
            }
        }
    }
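
The loader/engine split from the two plugin slides, as an added example that is not Orizon's code: a `Plugin` base class with `start()` and `stop()`, a `Loader` that reads a manifest and refuses anything built for another host version before a single line of plugin code runs, and a `run_plugin()` that does what the Jericho engine does with the returned class. The on-disk layout (a directory standing in for the jar, holding `manifest.json` and `plugin.py`), the `orizon_version` manifest key and the host version string are all assumptions made for this example.

```python
import importlib.util
import json
import os
import tempfile
from abc import ABC, abstractmethod

HOST_VERSION = "1.0rc1"  # assumed host version string for this example


class Plugin(ABC):
    """Stand-in for org.owasp.orizon.plugin.Plugin: start() and stop()."""

    @abstractmethod
    def start(self):
        ...

    @abstractmethod
    def stop(self):
        ...


class PluginError(Exception):
    pass


class Loader:
    """A plugin package is a directory (standing in for the jar) that holds
    manifest.json and plugin.py; both file names are assumed here."""

    def __init__(self, package_dir):
        self.package_dir = package_dir

    def load(self, class_name):
        """Return the plugin class without instantiating it; raise on any mismatch."""
        with open(os.path.join(self.package_dir, "manifest.json")) as fh:
            manifest = json.load(fh)
        wanted = manifest.get("orizon_version")
        if wanted != HOST_VERSION:
            # Version check happens before any plugin code is executed.
            raise PluginError("plugin targets %s, host is %s" % (wanted, HOST_VERSION))
        spec = importlib.util.spec_from_file_location(
            "orizon_plugin_" + class_name, os.path.join(self.package_dir, "plugin.py"))
        module = importlib.util.module_from_spec(spec)
        module.Plugin = Plugin           # the plugin file subclasses this injected name
        spec.loader.exec_module(module)  # runs the plugin's top-level code
        cls = getattr(module, class_name, None)
        if not (isinstance(cls, type) and issubclass(cls, Plugin)):
            raise PluginError("%s is not a Plugin implementation" % class_name)
        return cls


def run_plugin(package_dir, class_name):
    """What the engine does with a loaded class: instantiate, start(), stop()."""
    plugin = Loader(package_dir).load(class_name)()
    plugin.start()
    plugin.stop()
    return plugin.events


# Constructed plugin source; 'Plugin' is provided by the loader, not imported.
PLUGIN_PY = '''
class Test(Plugin):
    def __init__(self):
        self.events = []
    def start(self):
        self.events.append("start")
    def stop(self):
        self.events.append("stop")
'''


def _write_package(version):
    """Write a constructed plugin package into a fresh temporary directory."""
    d = tempfile.mkdtemp(prefix="orizon_plugin_")
    with open(os.path.join(d, "manifest.json"), "w") as fh:
        json.dump({"orizon_version": version, "class": "Test"}, fh)
    with open(os.path.join(d, "plugin.py"), "w") as fh:
        fh.write(PLUGIN_PY)
    return d


def demo():
    """Return (events from a compatible plugin, error text from a stale one)."""
    events = run_plugin(_write_package(HOST_VERSION), "Test")
    try:
        run_plugin(_write_package("0.90"), "Test")
        error = ""
    except PluginError as exc:
        error = str(exc)
    return events, error


if __name__ == "__main__":
    print(demo())
```

The order of operations is the part worth keeping: the manifest is read and the version compared first, the module is executed only after that, and the class is checked against the interface before the engine instantiates it. Since the jar path comes from the recipe XML, the same place is where a deployment decides which library locations are trusted to supply executable checks.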

Road towards version 1.0... what’s missing?
- Full support for
  - local analysis (control flow)
  - global analysis (call graph)
  - taint propagation
- Scoring system according to the Owasp Code Review scoring system
- GUI for Mac OS X
  - SWT libraries must be ported to AQUA

Roadmap towards version 1.0...
- 2nd October 2008: Orizon v1.0rc1 (2nd birthday party; code reviewers want to have fun too)
  - full support for statistics XML file handling
  - initial support for local analysis over the source
  - scoring system released in DRAFT version
  - Owasp Orizon Guide
- November, Owasp Meeting in Portugal: Orizon v1.0
  - full support for local analysis
  - initial support for taint propagation
- 2Q 2009: Orizon v1.5
  - support for the O2 Crif input file format

Some links before we leave...
- Orizon site:
- Orizon blog:
- Orizon Owasp: SP_Orizon_Project
- Milk site (for milk and arachne):
- Contact me:

Q&A
