Black Hat 2016 EU London Slide Deck

The following Slide Share deck, OWASP DeepViolet TLS/SSL Java API and Tools, is one I provided to Black Hat staff after my live tool demonstration of the OWASP DeepViolet project at the Black Hat 2016 EU London Tools Arsenal.  The deck was never shown at the event but I developed it as a way to communicate the value of DeepViolet quickly to those who may be interested but did not attend.

DeepViolet TLS/SSL Java DAST Tool Added as OWASP Project

July 13, 2016 the DeepViolet TLS/SSL DAST tool became an OWASP incubator project.  I started this project some time back for my own purposes.  I always intended to share this code publicly but I seriously never considered it would be useful to anyone, mostly since such great tools like OpenSSL and Qualys already exist.  It became apparent after being contacted by interested developers and operational teams that there's still some room to contribute with a new tool in this space.  I petitioned OWASP to add DeepViolet as an OWASP project to increase visibility and attempt to build a team of like-minded developers willing to invest in DeepViolet and build a tool we can all use.


So what can you do with DeepViolet?
A picture is worth a thousand words so here is a sample of some of the scanning output.

Photo 2: DeepViolet Desktop Application View
Photo 3: DeepViolet Command Line View

DeepViolet can run from the command line and be included in your shell scripts.  Samples of the output are shown in the photos above.  DeepViolet can also be included in your own projects as an API.  For more information about DeepViolet refer to the following:
OWASP DeepViolet TLS/SSL Scanner Code Project, main OWASP project landing page.
DeepViolet GitHub Project Page, main landing page for GitHub project code/documentation.
DOWNLOAD, current release binaries.

Presenting at OWASP AppSec EU Conference in Rome

Updated on July 4, 2016

For a copy of the slide deck for this presentation see my follow-up post, OWASP Security Logging Project Presentation – Slide Deck.

Thursday June 30, 2016 4:15pm I am presenting a Lightning Training Session, How to Use OWASP Security Logging with August Detlefsen, Sytze van Koningsveld.  The training session will be a mixed format of presentation with hands-on lab exercises.

Attendees will learn about the OWASP Security Logging Project: background and why we need security logging, its benefits, how to include it in new projects, upgrading your legacy projects, and much more.  In the session we cover each feature and answer audience questions.  Bring your laptop and participate in our exercises.  Learn first-hand how to apply security logging to your projects.

So why would you be interested in our logging project?  A brief rundown of the benefits:

Diagnostics/Forensics, for problem determination it is often useful to have a history of system state recorded in logs that you can refer to when there are problems.  Security logging provides some features that log command line arguments, system environment variables, and Java system properties on startup.  Security logging also provides an interval logging feature to log key system and user-specified metrics every 15 seconds.  SIEM tools can be integrated to alert on memory problems, etc.

Security Focus, door open/closed, user logged in/out, resource allocation, information classification of log messages, a desirable feature for government agencies or government contractors

Compliance, sign log messages, log messages remotely, discourage tampering

Automation Across Several Use-Cases, the project provides automation benefits for standalone or desktop applications as well as up the application stack like Servlets/J2EE.  For example, in the application layer it provides facilities to pull the user id from the HTTPSession and insert it into the log4j/logback Mapped Diagnostic Context (MDC) so that users can easily correlate every log message with the current user that's logged into the system.

Support for Popular Platforms, are you using Java logging, log4j, log4j 2, or logback?  If so, you're ready to go since security logging is written to the SLF4J logging interface.

Large Base of Developer Knowledge, security logging is compatible with popular loggers so you can get running quickly.

Legacy Support, security logging includes support to capture streams from your old console logging applications (e.g., System.out/System.err).  Alternatively, you may have old commercial code that logs to consoles where you don’t have the source code.  In these use cases there are some benefits for intercepting these streams and redirecting them to security logging.  You will not realize the full benefits of native logging (e.g., logger inheritance); however, you still receive some ancillary benefits like remote logging, ability to mark messages with an information classification, etc.
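The MDC correlation described above, written out as a servlet filter.  This is an added illustration using plain SLF4J and the Servlet API, not code from the OWASP Security Logging project; the session attribute name "userid" and the MDC key are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.MDC;

// Hypothetical filter: copies the logged-in user's id from the HTTPSession into
// the SLF4J MDC for the duration of one request, so every log message emitted on
// this thread (by any logger) can be correlated with that user.
public class UserIdMdcFilter implements Filter {
    private static final Logger log = LoggerFactory.getLogger(UserIdMdcFilter.class);
    static final String MDC_KEY = "userid";      // assumption: key referenced by the log pattern
    static final String SESSION_ATTR = "userid"; // assumption: where the app stores the user id

    @Override public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String userId = "anonymous";
        if (req instanceof HttpServletRequest) {
            // getSession(false): never create a session just to log from it
            HttpSession session = ((HttpServletRequest) req).getSession(false);
            Object attr = (session == null) ? null : session.getAttribute(SESSION_ATTR);
            if (attr != null) {
                userId = attr.toString();
            }
        }
        MDC.put(MDC_KEY, userId);
        try {
            log.debug("request start");   // already carries userid via the MDC
            chain.doFilter(req, res);
        } finally {
            // Container threads are pooled: a value left behind would be
            // attributed to whatever user the next request on this thread belongs to.
            MDC.remove(MDC_KEY);
        }
    }

    @Override public void destroy() { }
}
```

With logback, a pattern such as `%d %-5level [%X{userid}] %logger - %msg%n` renders the value on every line; the `finally` block is the part most often omitted and is what keeps user ids from bleeding between requests.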

There is a lot to cover with the platform.  Hope to see you in Rome at our session; seats are filling up fast, so register quickly.  Usually OWASP provides the session content after the conference, so if you can't attend you still have an opportunity to learn more about the platform.

Additional Resources
Wiki, OWASP Security Logging Project
Lightning Training Presentation, How to Use Security Logging Presentation
GitHub Project Site, OWASP Security Logging code

Open Source DeepViolet SSL/TLS Scanning Tool Updated

DeepViolet (DV), the open source TLS/SSL DAST tool, has been updated to Beta 4.  The major improvement for Beta 4 is the addition of an API so Java designers can implement DV features in their own projects.

Following is a summary of improvements for Beta 4.

  • Added API support for those who want to use DeepViolet features in their own Java projects. See package com.mps.deepviolet.api
  • Added samples package with sample code to demonstrate new API
  • Refactored existing code for the command line support and UI to use the new API.
  • 2 new command line options for debugging added, -d and -d2. -d turns on Java SSL/TLS debugging. -d2 assigns DV debug logging priority.
  • Generated JavaDocs for Public APIs, see com.mps.deepviolet.docs
  • javadoc.xml added to generate JavaDocs
  • Support for dock icon on OSX for the UI

To learn more about DeepViolet refer to the project's GitHub page or click DOWNLOAD to try DeepViolet now.

New Site for Drone Building and Research

A year or so ago, I was having some success with the Raspberry Pi micro-controller and I was thinking of a cool robot project I could do with the kids.  Of course, I love aircraft so what better robot to build than one that could fly?  This began a year long project of building and learning to be a pilot.  Along the way, this project turned more into a hobby and has probably pushed beyond the interests of many security readers.  My work in this area is probably not appropriate for a security web site.  Also the community interested in building and flying these aircraft are likely not interested in security.

To better respect the attention and interests of both security and multi-rotor builders/pilots I am moving some of my multi-rotor articles and future updates to my new web site, multirotordreams.com

Any articles related to the security of multi-rotor aircraft like radio protocols or flight control software will be covered on the security site.  All future builds, configuration, video, etc will be on multirotordreams.com.