If you do a lot of application security you may have already heard of the OWASP Live CD. To quote the website, “The OWASP Live CD (LabRat) is a bootable CD akin to knoppix but dedicated to Application Security. It shall serve as a vehicle and distrubition (sic) medium for OWASP tools and guides.” Pretty cool idea, and I’ve used it before, but a few things came to mind as I was re-reading the documentation this morning.
Firstly, I’d like to see something similar to this, but instead of just being an OWASP collection it should be a collection of ALL web application security tools. That would be a lot more useful. Secondly, it should have a browser that is already tweaked and ready to go with all the extensions that we all tend to use while doing penetration tests. I think that would make a big difference, and it’s one of the reasons I tend not to use pre-canned CDs much for my own testing.
But one other thing came to mind as I was reading this that I think is worth talking about. Why haven’t we seen a secure webserver package? To install Apache on your machine you have to download it or build it out of ports (hopefully knowing ahead of time which .so modules you want compiled in), and then you have to configure it: the right document root, the right port, SSL certificates and keys, the right permissions, and the right rules if you run mod_security et al. The file permissions are hokey, the TRACE method is enabled by default, the server signature is on and the Server banner advertises the version and loaded modules, and there are tons of default icons and sample content to help fingerprinting, blah blah. Why isn’t there a distro of Apache that is built with security in mind out of the box?
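To make the complaint concrete, here is an added httpd.conf fragment (my own example, not from the original post or the Apache project) that puts the stock defaults named above next to the hardened values. It assumes Apache httpd 2.4 syntax (`Require` rather than `Order`/`Deny`) and the stock install paths under /usr/local/apache2; adjust both for your build.

```apache
# Added example (not from the post or the Apache project): stock defaults
# vs. hardened values for the issues named above. Assumes httpd 2.4 and
# the default /usr/local/apache2 layout.

# --- Banner / fingerprinting ---------------------------------------
# Stock: ServerTokens Full (version + module list in the Server header)
#        ServerSignature On in the shipped httpd.conf (footer on error pages)
ServerTokens Prod
ServerSignature Off
# Caveat: "Prod" still sends "Server: Apache"; it hides the version and
# modules, not the fact that this is httpd.

# --- TRACE method (cross-site tracing) -----------------------------
# Stock: TraceEnable On
TraceEnable Off

# --- Default content that aids fingerprinting ----------------------
# The shipped config aliases the icon set and manual; comment them out
# or delete the directories so /icons/ and /manual/ return 404.
# Alias /icons/  "/usr/local/apache2/icons/"
# Alias /manual/ "/usr/local/apache2/manual/"
# Also remove the default index.html and error pages from htdocs.

# --- Filesystem and method restrictions ----------------------------
# Deny everything first, then open only the document root.
<Directory "/">
    AllowOverride None
    Require all denied
</Directory>

<Directory "/usr/local/apache2/htdocs">
    # Stock: Options Indexes FollowSymLinks (directory listings on)
    Options -Indexes -Includes -ExecCGI
    AllowOverride None
    Require all granted
    # Only the methods a plain site needs; everything else gets 403.
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Directory>

# Block dotfiles (.htaccess, .git, .svn) that end up in web roots.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
```

Run `apachectl -t` after editing to catch syntax errors, then verify from the outside: an `OPTIONS` or `TRACE` request should come back 403 or 405, the Server header should read just `Apache`, and `/icons/` should 404. On the filesystem side, the config and document root should be owned by root and readable (not writable) by the unprivileged user httpd runs as.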