WatersWorks

Blog archive

Securing Software: OWASP Releases O2 Platform Beta

Today, the Open Web Application Security Project (OWASP) announced the availability of the first major release of its new O2 Platform.

The O2 Platform is, as the project's Web site describes it, "a collection of open source modules that help Web application security professionals maximize their efforts and quickly obtain high visibility into an application's security profile." The OWASP is a not-for-profit organization focused on finding and fighting the causes of insecure software.

The idea is to provide a high level of visibility into an application's security profile by automating "application security knowledge and workflows." An overview of the available modules is available via PDF download.

The guy leading the O2 Platform project is Dinis Cruz, whom I last interviewed about two years ago.The then-pony-tailed (haven't seen his hair lately) security consultant with the Portuguese accent and the London address was known for his fondness for showing conference attendees just how easy it is to bypass the built-in security mechanisms of the .NET and Java runtimes.

Cruz is all over the OWASP. He's the chair of the OWASP Connection Committee, a member of the OWASP Board, and a participant in the OWSAP Global Projects Committee. And he really wants you to try out the new O2 Platform. On his blog, he writes, in bold text, "This is the moment when I'm asking you to PLEASE TRY IT."

He needs feedback, he says, and input on "what you like, what works, what doesn't work, what could be improved." He adds: "There is enough functionality + capabilities + power in this version of O2, that I finally have the confidence to make this direct request for you, knowing that no matter what area of Web Application Security you are involved in, there will be an O2 Script/Module/Tool that will make you more productive."

I couldn't track him down for today's blog, so I thought I'd recall a conversation I had with Cruz in 2007, during which we discussed the security of the Web and the overall responsibly of the developer to create secure software.

"We're now in the process of building a world in which all the code we run on our Web sites has the power to access all of our assets from our desktops and servers," he said. "From a security point of view, this is a very bad development. But we shouldn't use the developers as the scapegoats. They often simply don't have enough visibility into what they are creating to evaluate the security of an application…. It's very hard for the developers to understand all the inputs and everything they need to run their applications. So we need to change the paradigms so that the developers can see what the hell's going on under the hood."

Cruz is a knowledgeable and, though he maybe doesn't always mean to be, funny guy. Don't miss his blog entry "I'm looking for work (O2 related work:) ) and O2's Commercial Ecosystem," in which he declares "I'm probably the only guy in the world that today really knows how to get the most power out of O2," but adds that, of course, he doesn't scale.

You can find out lots more about the OWASP in general here.

Posted by John K. Waters on July 12, 2010