Thursday, 3 September 2009

Update #2 on O2 & IBM - 02 Sep 09

Following Update on O2 & Ounce & IBM here is what is happening (2nd Sep 09) with me & O2 & IBM
  • Over the last couple weeks I've spent quite a lot of time with the multiple IBM AppScan groups/teams, and I have to say that they have a very impressive group of people and technology over there, who is dedicated to solving the "application security assessment problem" and build powerful, simple to use and effective tools for mass usage.

  • Although my contract is not (yet) signed (bunch of legal and processes hoops to jump over) it looks like I will have a deal that allows me to continue to be independent and:

    • continue my active participation at OWASP and its projects
    • continue my active development of O2 (which will now become an OWASP project called 'OWASP O2 Platform'
    • continue to consult with other companies - for example I already have a long term (non IBM) contract to work on MOSS (SharePoint) security and am open for other projects (so if you have interesting and challenging projects where can I be involved on 5 to 10 working days a month, ping me with the offers :) )

  • In terms of where I fit in IBM, there are lots of VERY interesting possibilities, but in the short term the focus will be on using O2 to write 'integration prototypes' between the multiple AppScan products and in helping the Ounce team productizing some of the most mature features of O2

  • As I mentioned above, IBM does have a VERY impressive line-up of products and technologies in the Application Security space. With the Ounce Labs acquisition they now have just about all pieces of the puzzle (the challenge now is integrating them and making them all work as a team)

  • And when I mean ALL pieces, I am thinking much bigger than just static or dynamic analysis. If you look how how Application Security engagements are carried out today, you will see enormous gaps in:
    a) the current workflow,
    b) how data is handled,
    c) how users that access the code & results are authenticated & authorized,
    d) how findings are created,
    e) how findings are presented (to management and developers) ,
    f) how findings are remediated,
    g) how findings are retested,
    g) how findings status is tracked, etc ...

  • What really struck me when I started looking at IBM's software portfolio, namely the Rational tools and the new IBM Jazz platform, is that we can use (for example) a combination of "Jazz Foundation + AppScan / Ounce (i.e. multiple engines) + Rational Team Concert + Rational BuildForce + Rational Test Lab Manager" to create an environment that would REALY allow (in a scalable and repeatable way) to perform "focused, meaningful and actionable" Application Security Assessments.
What is interesting when I look at Jazz and Jazz Foundation (which is licensed with in a 'interestingly weird' not-Open-Source-but-with-source-code-available-and-free-for-selected-Academic-and-Open-Source-projects kind of license) and O2 , is that there are quite a lot of similarities. O2 of course is not as mature as JAZZ in the Authentication/Authorization/Process/Workflow/Colaboration front, but the focus to create a common platform to integrate multiple technologies and tools is similar.

In fact, when looking at both solutions was when I realized that O2 was actually a 'Platform' and could be extended to 'glue' and integrate multiple Open Source projects the same way it already integrates with multiple Source Code (and soon Black Box) analysis tools (both commercial and open source).

The good news is that once O2 is able to 'talk Jazz' and leverage its available services, O2 can actually be one of the 'bridges' into/from the JAZZ world (i.e. once a particular Open Source or Commercial tool is integrated with O2, then it will be 'consumable' from JAZZ)

This is really very exciting times, and I really look forward to what is happening next :)

Here are a couple links with good info on Jazz: