Thursday, 8 July 2010

Update on OunceLabs+IBM story and "OWASP O2 Platform is ready for you (after 6 months solid development)"

So what is happening with the OWASP O2 Platform, with me, and why am I only writing this blog post now? (7th of July 2010)

For the past 6 months I have been following an opportunity that I was given by the IBM purchase of OunceLabs and the previous Open Sourcing of my research on static analysis (originally on top of the OunceLabs engine).

After the IBM acquisition, I was exposed to the enormous amount of resources and energy that IBM is putting into the application security space. In the beginning I really thought that if IBM was able to allocate serious resources to O2, then I would stick around and continue its development over there.

But as you probably know, I decided not to stay at IBM (and not to accept the contract they gave me). I guess part of the problem was that O2 was too much too soon, and they (the IBM AppScan/Rational group) were focused on how to integrate the OunceLabs technology into their existing products, and were not ready for the type of advanced analysis and capabilities that O2 was bringing to the table.

I also knew that it would be hard for O2 to gain its position as an independent platform for application security automation if it was 'too close' to IBM (since IBM is an active player in this space and sells a number of related products and services).

Pushing me to go the independent route was also my feeling that I had to make O2 independent from any commercial tools (while still able to consume their data), and that there were a number of features that I wanted to add to O2 that had the potential to freak out some IBM execs (namely the features that provide Open Source alternatives to the current commercial Static and Dynamic tools). As you can see by the fact that O2 now (amongst other key WhiteBox+BlackBox features/capabilities) has a working prototype of a .NET Static Analysis engine, I met both these objectives :)

For the past 6 months I have self-funded the O2 development (i.e. used my savings to pay my running costs and performed only 1 small security engagement).

This lack of external deadlines and commercial engagements allowed me to focus exclusively on O2 development and write code for an average of 12h per day.

Although O2 for a long time was already able to add a lot of value to security consultants and developers (if they could figure out how to use it :) ), I strategically delayed its documentation and the 'O2 push to the masses' until O2 had the right combination of technology and user experience.

I did this because only now (July 2010) is O2 delivering the type of experience + analysis + automation that I had envisioned and dreamed of.

I am now in a position where I am able to look my peers in the eye and say 'you need to look at this' + 'you have to start using O2 in your security engagements since it will make you more productive, effective and profitable'. I can also go to the tool vendors in this space, and give them real examples (packaged as UnitTests) of what we security consultants want/need them to deliver.

I'm not saying that you should stop using the tool and techniques you use today. I'm saying you should use O2 to get more value from them.

This has been a long road, and one that has put a lot of strain on me and my family, but as the saying goes, "it's better to fail trying than to look back and ask 'what if?'"

I'm really happy with the outcome and I really feel that I delivered to our industry one of the key pieces of the puzzle, namely technology and workflows that will allow us to:

- easily consume data from the multiple tools that we have at our disposal
- easily automate the security knowledge that we have, so that non-webapp-security-experts (i.e. developers, managers and network security guys) are able to benefit from it and consume it
- engage in 'real' conversations with developers and be able to give them 'Application Security UnitTests' or even 'Security rules written in English (or other languages)'
- transform application security from being a 'cost' centre to being an '...increase visibility into how my app works and what it is doing...' centre

It is important to note that my challenge/vision for "O2's security knowledge automation" was one where I knew that it had to be faster to 'automate our actions' than to do it manually. I.e. the technology and experience had to deliver immediate value and had to be faster than doing it using the current workflows (usually a mix of some tools + lots of manual work).

I believe that the current version of O2 delivers on this vision :)

So please take a look at O2, try to use it, report bugs and find the scenarios where the O2 Platform really adds value to your daily work.

It works for me; now the challenge is to get it to work for you.

Thanks for your help