OWASP Live CD meets Ubuntu in OWASP WTE
I’ve been the project lead for the OWASP Live CD since April of 2008. There have been over 5 releases since I took over the project but I have to say, except for the first release, this this has to be the one I am most excited about. I call it OWASP WTE or Web Testing Environment and it is so much more then just a Live CD.
I’ve learned several things with all those releases:
- I’m lazy so making a release needs to be easy if its going to happen regularly.
- I don’t use Live CDs very much any more but I do use Virtual machines.
- I’d like to just update or add a tool without creating a completely new release.
- I want my tools a la carte and easy to add to the Linux distribution I’m using.
So I had a bit of a rethink of the project. I needed to go meta – to abstract above just a Live CD and make things more flexible. The first thing I needed to do was stop creating SLAX packages. SLAX is awesome for creating CDs but it’s a pain for VMs. This is especially true when you want to update bits of it or need to cover installation dependencies.
Big move #1 – Switch from SLAX to Ubuntu
For more flexibility and better dependency handling, I also started creating individual Debian (.deb) packages for each tool. Along with that came a repository to allow those packages to be installed via apt. I’ve also automated .deb creation so creating new packages is probably as easy as I can make it.
Big move #2 – Create .debs and a repository to hold the tools
Finally, I wanted releases to be easy to create. What I can do now is do a default install of Ubuntu (10-10 for this release), add the WTE repository, perform a “sudo apt-get install owasp-wte-*”, and BAM I’ve got all the tools installed. There are still a couple of look and feel tweaks I have to do manually but its much faster. I’ve also figured out how to generate an ISO, VirtualBox and VMware installs all from a single VirtualBox virtual machine.
Big move #3 – Choice and lots of it
As a user of OWASP WTE, you have several choices currently: Bootable ISO image, VirtualBox install, VMware install, or add one or all the packages to your current Ubuntu install. OWASP WTE has been tested on Ubuntu 9-10, 10-04 and 10-10. I’ve not (yet) tested them on Debian proper but they should work there too.
There’s more in the works: USB installations, cloud installations, meta-packages to create custom installations, and a bunch more tools are queued up as well.
Big move #4 – Updates!
Now that WTE has a repository (and the VM installations ship with it already set), getting the latest version of the tools is only a “apt-get update; apt-get upgrade” away. Download a VM once, do the updates and you’re always on the latest packages.
So if you want to experience OWASP WTE for yourself, you have some choices:
- Download the ISO, VirtualBox .vdi or VMware .vmdk at AppSecLive.org
- Try out the packages on your existing Ubuntu installation
- Add the following to your /etc/apt/sources.list:
deb http://appseclive.org/apt/stable /
with your preferred editor or
$ sudo echo “deb http://appseclive.org/apt/stable /” >> /etc/apt/sources.list
- Update with
$ sudo apt-get update
- Check out the packages
- Search what’s available with
$ apt-cache search owasp-wte
- Install all of them with
$ sudo apt-get install owasp-wte-*
- Search what’s available with
- Add the following to your /etc/apt/sources.list:
If you have something to say (good or bad), feel free to let me know at:
Enjoy!
– Matt Tesauro
If you enjoyed this post, please consider subscribing to the feed and get future articles delivered to your feed reader.
