OWASP DeepViolet has been included and available in OWASP ZAP for a while now as an additional add-on component. Briefly, the background is that DeepViolet is a TLS/SSL scanning API and set of tools. OWASP ZAP is a Flagship application security scanner and includes some DeepViolet features for its TLS/SSL scanning. I decided to post this blog update since it was not clear to me how to use this scanning with ZAP. The following is a short post about how to install and use HttpsInfo (a.k.a. DeepViolet) within your ZAP scanning projects.
The following Slide Share deck, OWASP DeepViolet TLS/SSL Java API and Tools, is one I provided to Black Hat staff after my live tool demonstration of the OWASP DeepViolet project at the Black Hat 2016 EU London Tools Arsenal. The deck was never shown at the event, but I developed it as a way to communicate the value of DeepViolet quickly to those who may be interested but did not attend.
So what can you do with DeepViolet?
A picture is worth a thousand words so here is a sample of some of the scanning output.
DeepViolet can run from the command line and be included in your shell scripts. A sample of the output looks like the following. DeepViolet can also be included in your own projects as an API. For more information about DeepViolet refer to the following resources.
OWASP DeepViolet TLS/SSL Scanner Code Project, main OWASP project landing page.
DeepViolet GitHub Project Page, main landing page for GitHub project code/documentation.
DOWNLOAD, current release binaries.
Updated on July 4, 2016
For a copy of the slide deck for this presentation see my follow-up post, OWASP Security Logging Project Presentation – Slide Deck.
Thursday June 30, 2016, 4:15pm: I am presenting a Lightning Training Session, How to Use OWASP Security Logging, with August Detlefsen and Sytze van Koningsveld. The training session will be a mixed format of presentation with hands-on lab exercises.
Attendees will learn about the OWASP Security Logging Project: the background and why we need security logging, its benefits, how to include it in new projects, upgrading your legacy projects, and much more. In the session we cover each feature and answer audience questions. Bring your laptop and participate in our exercises. Learn first-hand how to apply security logging to your projects.
So why would you be interested in our logging project? A brief rundown of the benefits:
Diagnostics/Forensics, for problem determination it is often useful to have a history of system state recorded in logs that you can refer to when there are problems. Security logging provides some features that log command line arguments, system environment variables, and Java system properties on startup. Security logging also provides an interval logging feature to log key system and user-specified metrics every 15 seconds. SIEM tools can be integrated to alert on memory problems, etc.
Security Focus, door open/closed, user logged in/out, resource allocation, information classification of log messages, a desirable feature for government agencies or government contractors
Compliance, sign log messages, log messages remotely, discourage tampering
Automation Across Several Use-Cases, the project provides automation benefits for standalone or desktop applications as well as up the application stack like Servlets/J2EE. For example, in the application layer it provides facilities to pull the user id from the HttpSession and insert it into the log4j/logback Mapped Diagnostic Context (MDC) so that users can easily correlate every log message with the current user that's logged into the system.
Support for Popular Platforms, are you using Java logging, log4j, log4j 2, or logback? If so, you're ready to go since security logging is written to the SLF4J logging interface.
Large Base of Developer Knowledge, security logging is compatible with popular loggers so you can get running quickly.
Legacy Support, security logging includes support to capture streams from your old console logging applications (e.g., System.out/System.err). Alternatively, you may have old commercial code that logs to consoles where you don’t have the source code. In these use cases there are some benefits for intercepting these streams and redirecting them to security logging. You will not realize the full benefits of native logging (e.g., logger inheritance); however, you still receive some ancillary benefits like remote logging, ability to mark messages with an information classification, etc.
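As an added illustration of the MDC correlation described above (example code written for this post, not the OWASP Security Logging project's own implementation): a servlet filter that copies the logged-in user's id from the HttpSession into the SLF4J MDC for the duration of one request, and removes it afterwards so a pooled container thread never carries one user's id into the next user's request. The session attribute name `userId` and the MDC key `user` are assumptions.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.MDC;

/**
 * Puts the current user's id into the logging MDC for the lifetime of one request.
 * With a log pattern such as "%d %-5p [%X{user}] %c - %m%n", every line written by
 * any logger while this request is in flight carries the user id.
 */
public class UserMdcFilter implements Filter {

    private static final Logger LOG = LoggerFactory.getLogger(UserMdcFilter.class);

    /** MDC key referenced by the log pattern as %X{user}. Assumed name. */
    static final String MDC_USER_KEY = "user";
    /** Session attribute the application's login code sets after authentication. Assumed name. */
    static final String SESSION_USER_ATTR = "userId";

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        // getSession(false): never create a session just to log; unauthenticated
        // requests are recorded as "anonymous" rather than getting a fresh session.
        HttpSession session = (req instanceof HttpServletRequest)
                ? ((HttpServletRequest) req).getSession(false) : null;
        Object userId = (session == null) ? null : session.getAttribute(SESSION_USER_ATTR);
        MDC.put(MDC_USER_KEY, userId == null ? "anonymous" : String.valueOf(userId));
        try {
            LOG.debug("request started");   // already tagged with [user] by the pattern
            chain.doFilter(req, resp);
        } finally {
            // Containers reuse worker threads and MDC is thread-local: clear the key so
            // log lines from the next request on this thread are not attributed to this user.
            MDC.remove(MDC_USER_KEY);
        }
    }

    @Override public void init(FilterConfig cfg) { /* no configuration needed */ }
    @Override public void destroy() { /* nothing to release */ }
}
```

Register the filter ahead of the application's servlets (for example with a `/*` mapping) so the MDC value is in place before any application code logs.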
There is a lot to cover with the platform. Hope to see you in Rome at our session; seats are filling up fast, so register quickly. Usually OWASP provides the session content after the conference, so if you can't attend you still have an opportunity to learn more about the platform.
DeepViolet (DV), the open source TLS/SSL DAST tool, has been updated to Beta 4. The major improvement for Beta 4 is the addition of an API so Java designers can implement DV features in their own projects.
The following is a summary of improvements for Beta 4.
- Added API support for those who want to use DeepViolet features in their own Java projects. See package com.mps.deepviolet.api
- Added samples package with sample code to demonstrate new API
- Refactored existing code for the command line support and UI to use the new API.
- 2 new command line options for debugging added, -d and -d2. -d turns on Java SSL/TLS debugging. -d2 assigns DV debug logging priority.
- Generated JavaDocs for Public APIs, see com.mps.deepviolet.docs
- javadoc.xml added to generate JavaDocs
- Support for dock icon on OSX for the UI