Saturday, 21 November 2009

Request for help on: OWASP O2 Platform

(Posted to the owasp-leaders list on 17th/Nov/09)

Hi there, in case some of you missed this, just before my OWASP O2 Platform presentation at the AppSec DC conference last week I posted four blog posts on O2, IBM, and what I think should happen next:

As you can see, I have moved O2 to OWASP and am driving 100 miles an hour into making the OWASP O2 Platform THE standard 'lingua franca' between multiple Application Security tools (allowing a kind of Human+Tool analysis, workflow and automation that most people in our industry think is impossible).

As RSnake says in his comment, this is a great opportunity for IBM. The only way we will have a number of standards in our industry, and any decent tool interoperability, is if we do it openly and collaboratively, with OWASP and O2 strategically positioned to lead that effort.

IBM's return on investment is the fact that O2 will make it easier for users to use their products (which leaves users in a position where they can choose the best tool for the job without worrying about whether those tools (open source or proprietary) talk to each other).

What I like about the Part I - IBM Application Security related tools & "AppScan 2011" post - and ignore the IBM references (or replace them with open source or proprietary equivalents), which are there to show that I could implement most (if not all) of that workflow today using available products and a number of O2 Scripts - is that it:

    a) shows the complexity of real world engagements (and I would argue that even that example is a VERY simplified version of reality)
    b) shows how far away we are, as an industry, from 'communicating' and engaging with our clients in a way that gets them the maximum return on their investment in our services (and improves their security risk profile)

If you are not interested in O2, IBM or what I am doing, you should at least read the second part of this post:
Part IV - O2 needs to be Commercially Supported and John Steven's blog post on Vendors in an Open-Source Security Community

The only way OWASP materials will be used by the people that matter (big companies, small companies, software developers, framework developers, governments, etc...) is if OWASP materials can be 'consumed' in a professional, efficient and productive way.

And just like commercial vendors such as Red Hat and IBM made the Linux 'commercial ecosystem' work, OWASP, to really succeed in its mission ("... make application security visible so that people and organizations can make informed decisions about application security risks..."), needs to create a healthy ecosystem of commercially-driven companies (maybe even government or grant-funded external organizations) that support and drive its most successful projects.

Of course, we have to be very careful about how we do this, since we have to make sure that this is done in a way that is 100% compatible with our values. Ironically, the two efforts that are probably closest to this reality (an OWASP project commercially supported by a 3rd party company) are two projects led by two OWASP Board Members: me with O2 and Jeff with ESAPI.

I think both Jeff and I have the political capital inside OWASP to have some margin for maneuver in creating, testing and fine-tuning the model.

The good news is that, IF (and it is a big if) we get this right, there are a LOT of OWASP projects that should follow the same path.

OWASP Project leaders, imagine if you could work for a company that commercially supported your OWASP Project (Tool or Document) and paid you and others to work exclusively on that project and release what was created under OWASP?

Of course, if we (Jeff or I) screw this up, and the OWASP community thinks we lost our independence, then we can no longer be Board Members.

Disclaimer: I'm using Jeff as another example of what I am trying to do with O2 since it is a very similar scenario. BUT, just for the record, as far as I know, Jeff's employer has NOT decided (so far) to commercially support ESAPI, and they might never go down that path (that said, I think they will, since at the rate ESAPI is maturing, it will just be a matter of time before somebody else (individual or company) gets the funding to do it).

So here is my request to you (owasp-leaders): Please help me convert the materials created by your project (tool or document) into O2's Open Schemas so we can consume them from a central location (and, when applicable, be able to 'consume' O2's Open Schemas so that your project can benefit from artifacts created by other OWASP projects). Of course there is a lot more to O2 than this first step, but achieving good interoperability between OWASP tools would be a great step forward.

As I explained in my previous email (subject was "Fwd: [Owasp-o2-platform] [SC-L] Static Analysis Findings"), one of O2's powerful features is its ability to quickly consume and process results from external tools.

I'm happy to help you, and I am sure you will be pleasantly surprised by how easy it is to write these parsers (for example, Matt Tesauro can vouch for how I wrote the O2 WebScarab log parser in a short period while attending the OWASP Brazilian conference; the objective of that exercise was to show how O2 could create reports based on the special tags supported by the latest version of WebScarab (not the NG one)).

A final comment that I would like to make about IBM.

My feeling is that they (IBM) want to do the right thing and support O2 (remember that there is a good historical precedent with IBM's support for key Open Source projects like Eclipse (see for tons more examples)), BUT they (IBM) are not sure/convinced about O2's ability to generate a vibrant and productive community.

So ironically, at the moment YOU (owasp-leader or O2 user) are more important for the short/medium-term future of O2 than I am :)

Thanks for your help,

Dinis Cruz