A good definition is: 'O2 is an Open Platform for automating application security knowledge and workflows'
Although it was originally designed to enhance source code analysis, it has evolved into more of a "static, dynamic, real time" analysis environment and platform.
In a nutshell, O2 is a bunch of (about 25) open source modules/tools that help with the multiple aspects of performing an application security engagement (in most cases by extending the capabilities of several Commercial and Open Source tools).
There are a large number of O2 modules that are designed to work specifically with the Ounce 6.x product (Ounce Labs Static Analysis engine), and several other O2 modules which are 100% independent and can be used with only freely available or Open Source tools.
One of the most powerful features of O2 is its scripting and customization capabilities. Currently O2 supports scripting in:
- any .Net language (with an O2 module dedicated to coding and debugging C#),
- Java using IKVM,
- Python & Java via Jython, and
- Python & .NET via IronPython.
Ultimately the power of O2 is that you can script the security consultant's brain and really help him to become more productive.
Here is the usual workflow for advanced O2 users:
- It starts with a PROBLEM (something the security consultant wants to do, but the available tools can't do).
- In order to figure out a SINGLE SOLUTION for the problem, a number of scripts are written (in O2) to solve (or partially solve) the problem, with the core objective at this stage being to allow the security consultant to continue with his/her job (which is completing the security engagement).
- After a couple of generations of 'script writing', these scripts can usually be automated, and become part of an existing (or new) O2 module.
- Eventually this script/module/capability fully matures and becomes a fully working prototype,
- which might (depending on "customer demands + product roadmap", and after a rewrite by the product team) end up in a commercial product (by IBM or others) in a format usable by non-security-knowledgeable users.