Following the Ounce Labs purchase by IBM last summer (see Update on O2 & Ounce & IBM and Update #2 on O2 & IBM - 02 Sep 09), I have been trying to figure out where the best place is for me and the OWASP O2 Platform in IBM's world.
After much thinking, I came to the conclusion that IBM's tools division (namely the AppScan group) is not the best fit for me. That group (and the multiple tools they work on) is currently too fragmented and focused on their own project deliverables (there is some effort in creating 'standardized components' between those tools, but that is moving at IBM speed).
With Ounce Labs I had a very flexible consulting contract which allowed me to keep my independence and professional integrity, since I was focused on 'making the Ounce Labs product work in the real world' (which I did). The known limitations of the tools in this space (Ounce Labs included) were the main driver for the creation of the OWASP O2 Platform, and I do have a lot to thank Ounce for: giving me this opportunity and (more importantly) releasing O2 under an Open Source license.
Part of the original plan was that I would prototype my ideas into 'fully working' tools, which could then be shown/given to the Ounce development team, who would then implement them as features of the main product. This workflow has a large number of advantages for all parties, since the security consultant (i.e. me) was able to solve his problem in a very short time-frame (hours or days) and the development team was able to visualize the problems their users have and their respective solutions.
I feel that I achieved that for Ounce, and have over the last 2 years developed a number of O2 Modules which clearly represent mature analysis and workflows that need to be integrated into the main Ounce/AppScan product (note that with the significant investment that IBM is putting into this space, it will just be a matter of time (6 to 12 months) before a lot of these O2 Features are 'productized').
Basically my brief to the development team is: "Here it is, these X O2 modules (which are all 'real-world-applications-tried-and-tested' tools and workflows) represent the features you need to add to the next version(s) of your product."
The problem is that, in the post-acquisition restructuring, I was placed under Ounce Engineering, which I don't feel is the best location for my energy, focus, and O2 Platform research (also I don't want to wait around for the main product to catch up to where I already am today).
Due to O2's advanced capabilities, I am already TODAY living in the world which Ounce & AppScan will only arrive in a couple of years' time. So I want to keep moving at my current fast speed and continue to solve the problems that keep popping up (since I am still quite far away from having a solution). Remember that (most, if not all) current WebAppSec product companies are NOT focused on solving the needs of the 'Application Security expert', which is the exact space that O2 is playing in.
The fundamental problem with the proposed IBM contract & location was that what I really need is to be given a Team which will Commercially support O2 (see next post).
The other problem is that these product teams are NOT designed to provide the type of ‘semi-real-time’ support that the O2 user community needs.
Does this mean that I am breaking ALL links with IBM / Ounce? No, I'm still heavily involved in a number of implementation projects (which I want to make sure are successful) and I still think there is a good chance to make this work within IBM. We (me and the Rational/AppScan management team) agreed that we will continue with my previous Ounce Labs professional services contract until the end of the year (with nothing defined yet for 2010).
Here is the key issue: as you can see by this series of posts, I do believe that IBM has most of the pieces it needs to solve the 'Application Security Assessment' problem, has enough money to invest in its research and will eventually have enough motivation to REALLY want to solve the problem.
IBM is not there yet, so maybe the best way is if I give IBM some time.
My focus is on O2, and although it would be great if IBM allocated substantial resources to it, I need to find a home for O2 that is synchronized with my vision and direction (see next post).
See also:
- Part I - IBM Application Security related tools & "AppScan 2011"
- Part II - Why IBM will ‘solve the problem’
- Part III - Why I said NO to IBM ... for now
- Part IV - O2 needs to be Commercially Supported