Interview with Joshua Perrymon, the writer of OWASP LabRat

This is a short interview with Joshua Perrymon. Mr. Perrymon is the writer of OWASP LabRat and works at PacketFocus.

1. Who should use your distribution?
The LabRat distribution has a wide audience. But to summarize I would say
Penetration Testers, Security Auditors, Students, and anyone interested in
learning about security testing with a focus on applications. WebGoat
version 5 has been included to provide a bootable environment where users
can "hack" the WebGoat application using 20+ lessons in different technical
areas.

2. What is one thing you would like your distribution to have or do that no
other distribution does?

I think the differentiator for the distribution would be the OWASP
documentation and tools available. No other distribution has really linked
into a resource like OWASP to provide this material.  This can be combined
with other open source application testing tools to provide everything
needed to perform professional consulting or just learn about technical
aspects of security in-depth.

But the Distro will be more than just app testing/hacking. My company
PacketFocus does specialty hacking such as RFID, VoIP, Bluetooth, and so on. As
we continue to document these procedures and tools this will be added to the
future versions of the CD. I’m really looking forward to releasing some new
RFID tools on the distro as well.

3. Why did you decide to make your own live security distribution?
Actually, this is something I have been wanting to do for about 5 years. I
was in charge of security for a large Fortune 500 company and I saw the need
to have a portable toolset that contains all the tools we used and also some
documentation. This would also be a great way to get new team members up and
running quickly. I actually started doing a FreeBSD liveCD then but never
got it finished. Over the years I have learned more about liveCDs and again
I saw the need while working with a team of ethical hackers for a .gov
testing firm. But it wasn’t until I started my own company that I actually
sat down and figured the process out. I informed OWASP that I had a distro
containing a lot of their tools and documents and this got a lot of people
interested. Soon after I won 2nd place in the OWASP Autumn of Code contest
and was awarded $5000US to help fund the development of the project.

4. How many man hours go into each release?
That’s hard to say. I have worked on it so much to get to the first Beta I
couldn’t even list all the time. Countless weekends having my laptop in my
lap while watching sports on TV. If I have to guess I’d say about 4-5 weeks
of time to get everything stable and documented. Now it takes me about 10
hours to do a new release including testing time in VMware.

5. What is your favorite *nix distribution and why?
I’m a big Debian fan. I guess that it’s just what I learned on and I have
always liked it. I downloaded the Auditor CD many years ago and installed it
on a desktop I had at home. I have also had servers with all Linux versions
installed to test and I just like Debian. Maybe because of the packages and
I just know my way around it and the little quirks.

6. How do you see live security distributions evolving over the next few
years? What is the biggest upgrade/addition that is planned for your
distribution?
I see live security distributions really gaining traction over the next few
years. Especially with the growth in the security market. We are getting
more and more security guys coming out of school and making transitions so
the live CDs are a very easy choice when needing to grow a team. It’s very
modular and it also makes sure that everyone has the same tools. The same is
true for students: this is a bootable CD that will run on almost any old machine.


The biggest upgrade for the distro is probably the addition of my RFID tools
that I’m developing. I’m doing a lot of conferences/presentations on
"Hacking RFID" and will be adding these tools to the CD so I can take it
with me. I’m funny when I go to hacker type conferences. I usually take a
spare laptop or just pull out my HD and boot to a liveCD if I’m going to be
using a PC for capture the flag or just playing around with.

After the tools are added I am planning to get away from KDE and go back to
a light X, just not sure which one yet.