This is a weird request, but there has been some great developments around O2 and IBM which could be great for our industry, and really push this area of research to the next level.
tl;dr: if you complain about the fact that SAST tools like AppScan Source don't really 'work' in the real-world, and wish they could be more customisable, please send your support, ideas, thoughts and requests to ianspiro@us.ibm.com
Dinis Cruz
The long version of this request is at my blog Please show Ian Spiro your support for his IBM AppScan research, ideas and energy (which also contains tons of links to Ian's research)
I hope that you also will see that this is much bigger than Ian. Companies like IBM react to their customers requests (both end users and security professionals) and they need to hear from them how important it is to:
- open up their technology,
- document it,
- allow inter-operability between tools (IBM and external),
- expose the rules
- allow customisation of rules
- make it easy to integrate with CI environments,
- basically... to make them in real-world apps/environments :)
IBM (and HP, Microsoft, etc...) spend tons of money and resources in Application Security research. Unfortunately most is done in bubbles, the collaboration with communities like OWASP is minimal and massive opportunities are missed.
Yes Ian might not be the most famous web application security guy in the world, but he works damn hard, and is the kind of 'inside' guy that is really trying to make the technology work, and help it's customers to be more secure.
One of the areas we could do much better at OWASP, is to connect the dots between the people who care about a topic and the ones who can do something about it.
So please take a look at Ian's blog and share your views on email, blog, twitter or pigeon post :)
Btw, if you are interested in this topic, you might also enjoy the post I wrote on My focus, O2 as the Open Platform, why IBM needs open standards and O2+AppScan research project
Thanks
Dinis Cruz