Wednesday, July 6, 2011

Getting secure with Mantra: An open source Firefox-based penetration testing kit


Mantra is an open source, browser-based framework for penetration testing and security assessments. It's based on Mozilla's Firefox Web browser, so it's cross-platform, and it's part of the Open Web Application Security Project — OWASP. Techworld Australia recently caught up with project leader Abhi M. Balakrishnan to talk about Mantra and its goals.

Could you explain a little bit about what Mantra actually is and what its capabilities are?
Mantra can actually be described as an unofficial distribution of Firefox with some extensions bundled with it; mainly extensions that are designed for security assessments. Being based on a browser, Mantra enjoys a nice graphical user interface. It's also compact, portable and ready to run, and it works with Linux, Windows and Mac OS X. From a developer's point of view, it's an interesting platform since they can develop extensions for Mantra very easily thanks to Mozilla.

How did the project come about?
As information security enthusiasts, we always used to try new tools and techniques out of curiosity. We came across many Firefox extensions which were really impressive, but at the same time we felt that many of these extensions are going unnoticed since there is no ecosystem to support them. Seeing the significance of such an ecosystem, we started this project.
The intention behind developing Mantra was to establish an ecosystem that provides security professionals a platform for manual security assessments. Even though it has miles to go before reaching that level, we feel it satisfies the needs of a security toolkit.

What's the target audience for Mantra? Is it mainly useful for security pros or IT students?
We hope Mantra will be helpful to both students and information security professionals, though our target audience isn't limited to that. Our target audience also includes developers, since they can enjoy an ecosystem that lets them showcase their skills. Those who are already developers of security-focused extensions can enjoy a new audience, and those who aren't can see it as an emerging platform where they can put their effort. If a good user base exists within such a system, more and more feature requests will come in, and that can be encouraging for developers.

What do you have planned for the future of Mantra? Is it as feature-complete as you would like, or do you have plans to add to it?
We believe that development is a continuous process of changes and there is always room for improvement. Initially we thought about spending a good amount of time on development and releasing a framework straight out of the box. But it would be like a shot in the dark. So we started with a toolkit and are slowly moving towards a framework. It also helps us to analyse what the user demands are and work on that basis. We have miles to go — lots of things to do!

Is there a broad development community around the project? Are new developers encouraged to get involved?
Of course, yes — hundreds of active developers and thousands of potential testers. You heard it right. We think each extension developer is part of our development community and each user is a potential tester. We are all in the same boat. We are just a link in this long chain and we do really enjoy being able to contribute to this system. There were lots of experiments going on from Mozilla’s side to make extension development easier and more user-friendly. We hope this can motivate and attract more developers.

Do you have any idea of how widespread usage of Mantra is? Is it used in any education institutions, for example?
Thousands of individual downloads from our repositories, and the statistics are always growing. Recently some major security distributions showed their interest in Mantra. Offensive Security has already included Mantra in BackTrack 5. A popular German IT magazine has recently supplied software DVDs that include Mantra. We don't know whether any institutions are using it or not. But we feel that Mantra can be helpful for students because of its shallow learning curve. Having said that, we don't think Mantra is a one-stop solution for all security assessment related tasks and it never will be. It happily joins the broader security community.

On a more general security related note: Have you been surprised by some of the recent, high-profile security breaches (for example Sony's PSN)?
It was unfortunate to see some of the latest security breach incidents. But at the same time, they can prove a lot. Attackers and security professionals are always in competition. Security professionals need to improve along with attackers to prevent security breaches. It's almost like a win-win situation and it always will be. The chance of security breaches increases when attackers escalate in this competition.

A lot of the recent breaches seem to be based off fairly simple exploits (SQL injections, for example). Do you think tools like Mantra actually make these kinds of attacks more likely? Or do you think they're more likely to encourage organisations to take security more seriously; testing their sites for vulnerabilities for example?
We always used to say that each coin has two sides. Like other security assessment tools out there, Mantra can also be used for both offensive and defensive security tasks. The potential of any tool or technique is limited only by the imagination of the user. At the same time, a tool is never an ultimate solution. There are limitations to what a tool can do, even though it can help the user to do the task more easily.

Are there any fundamental flaws with how organisations, or the IT community as a whole, are approaching IT security at the moment? And do you see any new security risks on the horizon that people should be particularly alert to? For example, the increasing use of smartphones, Cloud computing adoption and so on.
The diversity and frequency of the attacks are increasing day by day. Organisations should see information assurance as an on-going proactive plan that integrates a set of defence mechanisms that will protect them from as many types of potential attacks as possible.
It's true that there are no systems out there that are completely secure. But it does not mean that you shouldn't close the doors of your house when going out! Instead we should employ mechanisms that can make the attacker's task tougher. Organisations need to understand how these types of attacks can occur and the scale of impact they can have on business.
Smartphones and Cloud computing are both growing platforms and they are imperfect like anything else. Better security mechanisms have to be introduced and are essential in both areas. Considering the amount of personal and confidential information that Cloud and smartphones handle, improved security is a necessity.
