Friday, 13 November 2009

Part IV - O2 needs to be Commercially Supported

The OWASP O2 Platform is now reaching a critical-mass moment where it really needs to be officially supported by a commercial entity:
  • There are a number of corporate users who have used it, love it, but are very worried about its current support model (which is basically me and Ian Spiro)
  • There are a number of commercial and very profitable revenue streams that can only occur if there is an infrastructure & ‘machine’ behind O2
  • O2 has already reached a technology level & quality where it is adding spectacular value to security consultants. The problem is that the current presentation and support level are very basic and unprofessional
  • There is a lot of functionality in O2 which just needs to be documented so that new users can find it and know how to use it
  • There are a number of small bugs and issues that need to be solved

So what do I mean by ‘Commercially supporting O2’? 

Well, I am looking for a company or department which provides the following services:
  • Support: 9 to 5 (or 24h), Level 1 and Level 2 support (via email, phone, tweet, online forums and mailing lists)
  • Training: provide online and classroom-based training to both new and advanced users
  • QA: test new releases of O2
  • Documentation
  • Security Review of O2 itself
  • Build Certified versions of O2 (just like Red Hat)
  • Manage source control and user-submitted content
  • On-demand customization of O2 Modules
  • Professional Services
  • Integration Services: building new parsers / plug-ins for consuming & instrumenting other tools; adding support for new languages and technologies (ABAP, Smalltalk, SQL, COBOL, etc.)
  • Bug fixing of existing O2 Modules
  • Development of new O2 Features
Now who could provide these services and has enough money / motivation to do it?

Well, there are two types of companies who could do it:
  • 1) Companies who view O2 as a commercial opportunity (à la Red Hat with Linux)
      • IBM Rational, IBM consulting services
      • Consulting companies: Cigital
      • WAF vendors
      • Black-box vendors
      • White-box vendors
      • Penetration testing / security consultancies
      • Anti-virus companies
  • 2) Companies who NEED to solve the ‘Application Security Assessment’ problem, regardless of whether they make money from it (à la Google & Internet usage)
      • IBM: WebSphere, Smart Planet, Jazz, System S
      • Framework developers: SpringSource
      • Platform developers: SharePoint, CMS, ERP
      • Flash
      • Google
      • Microsoft
      • Firefox: for its gadgets and to be able to more accurately detect malicious web-based code
      • Governments
      • Fortune 100
      • SAP
      • Oracle
      • Major software developers / outsourcers
      • Online community providers that allow & encourage user-driven content (Facebook, eBay, Salesforce, LinkedIn)
      • Mobile app stores: from iTunes, Ovi Store, Vodafone and all the other up-and-coming players

Since there are plenty of companies that fit those two worlds, I’m pretty confident that I will find a good home for O2.

One final important concept is that this type of commercial support for Open Source tools is actually (from my point of view) one of the next stages of development of OWASP (see John Steven's post Vendors in an Open-Source Security Community).

OWASP already has a number of projects which will ONLY go to the next stage and become widely used if they have similar commercial support. A couple of examples are:
  • ESAPI
  • SAMM
  • Guides & Standards (Testing, Code Review, Developer, ADSR, ASVS)
  • WebGoat
  • Legal

In fact there have already been some contacts between Jeff Williams & Aspect Security and external organizations about providing commercial support for ESAPI.

A good analogy here is the Red Hat / Linux relationship. The external companies (Red Hat) provide a number of services on top of Open Source materials (OWASP), which is exactly the type of service that commercial entities will want to buy (since they need these ‘products’ to be officially supported).

Of course, OWASP needs to make sure that its brand is not abused by these 3rd-party companies, but the more successful and usable the OWASP ‘products’ (tools & documents) become, the more need there will be for them to be commercially supported.