Mantra is an open source, browser-based framework for penetration testing and security assessments. It's based on Mozilla's Firefox Web browser, so it's cross-platform, and it's part of the Open Web Application Security Project — OWASP. Techworld Australia recently caught up with project leader Abhi M. Balakrishnan to talk about Mantra and its goals.
Could you explain a little bit about what Mantra actually is and what its capabilities are?
Mantra can actually be described as an unofficial distribution of Firefox with some extensions bundled with it; mainly extensions that are designed for security assessments. Being based on a browser, Mantra enjoys a nice graphical user interface. It's also compact, portable and ready to run, and it works with Linux, Windows and Mac OS X. From a developer's point of view, it's an interesting platform since they can develop extensions for Mantra very easily thanks to Mozilla.
How did the project come about?
As information security enthusiasts, we always used to try new tools and techniques out of curiosity. We came across many Firefox extensions which were really impressive, but at the same time we felt that many of these extensions are going unnoticed since there is no ecosystem to support them. Seeing the significance of such an ecosystem, we started this project.
The intention behind developing Mantra was to establish an ecosystem that provides security professionals a platform for manual security assessments. Even though it has miles to go before reaching that level, we feel it satisfies the needs of a security toolkit.
What's the target audience for Mantra? Is it mainly useful for security pros or IT students?
We hope Mantra will be helpful to both students and information security professionals, though our target audience isn't limited to that. Our target audience also includes developers, too, since they can enjoy an ecosystem that lets them showcase their skills. Those who are already developers of security-focused extensions can enjoy a new audience, and those who aren't can see it as an emerging platform where they can put their effort. If a good user base exists within such a system, more and more feature requests will come in, and that can be encouraging for developers.
What do you have planned for the future of Mantra? Is it as feature-complete as you would like, or do you have plans to add to it?
We believe that development is a continuous process of changes and there is always room for improvement. Initially we thought about spending a good amount of time on development and releasing a framework straight out of the box. But it would be like a shot in the dark. So we started with a toolkit and are slowly moving towards a framework. It also helps us to analyse what the user demands are and work on that basis. We have miles to go — lots of things to do!
Is there a broad development community around the project? Are new developers encouraged to get involved?
Of course, yes — hundreds of active developers and thousands of potential testers. You heard it right. We think each extension developer is part of our development community and each user is a potential tester. We are all in the same boat. We are just a link in this long chain and we do really enjoy being able to contribute to this system. There were lots of experiments going on from Mozilla's side to make extension development easier and more user-friendly. We hope this can motivate and attract more developers.
Do you have any idea of how widespread usage of Mantra is? Is it used in any education institutions, for example?
Thousands of individual downloads from our repositories, and the statistics are always growing. Recently some major security distributions showed their interest in Mantra. Offensive Security has already included Mantra in Backtrack 5. A popular German IT magazine has recently supplied software DVDs that include Mantra. We don't know whether any institutions are using it or not. But we feel that Mantra can be helpful for students because of its shallow learning curve. Having said that, we don't think Mantra is a one-stop solution for all security assessment related tasks and it never will be. It happily joins the broader security community.
On a more general security-related note: have you been surprised by some of the recent, high-profile security breaches (for example Sony's PSN)?
It was unfortunate to see some of the latest security breach incidents. But at the same time, they can prove a lot. Attackers and security professionals are always in competition. Security professionals need to improve along with attackers to prevent security breaches. It's almost like a win-win situation and it always will be. The chance of security breaches increases when attackers escalate in this competition.
A lot of the recent breaches seem to be based off fairly simple exploits (SQL injections, for example). Do you think tools like Mantra actually make these kinds of attacks more likely? Or do you think they're more likely to encourage organisations to take security more seriously; testing their sites for vulnerabilities, for example?
We always used to say that each coin has two sides. Like other security assessment tools out there, Mantra can also be used for both offensive and defensive security tasks. The potential of any tool or technique is limited only by the imagination of the user. At the same time, a tool is never an ultimate solution. There are limitations to what a tool can do, even though it can help them to do the task more easily.
Are there any fundamental flaws with how organisations, or the IT community as a whole, are approaching IT security at the moment? And do you see any new security risks on the horizon that people should be particularly alert to? For example, the increasing use of smartphones, Cloud computing adoption and so on.
The diversity and frequency of the attacks are increasing day by day. Organisations should see information assurance as an ongoing proactive plan that integrates a set of defence mechanisms that will protect them from as many types of potential attacks as possible.
It's true that there are no systems out there that are completely secure. But it does not mean that you shouldn't close the doors of your house when going out! Instead we should employ mechanisms that can make the attacker's task tougher. Organisations need to understand how these types of attacks can occur and the scale of impact they can have on business.
Smartphones and Cloud computing are both growing platforms and they are imperfect like anything else. Better security mechanisms have to be introduced and are essential in both areas. Considering the amount of personal and confidential information that Cloud and smartphones handle, improved security is a necessity.