Wednesday, 3 August 2011

OWASP O2 platform, the history so far (Sep 2008 till Aug 2011)

For the past couple of years I have been using this personal blog to document O2 Platform's history.

Here are the most important blog posts, ordered chronologically and with some additional comments (made in August 2011).

O2's launch as an Open Source tool happened in September 2008 at the OWASP AppSec USA conference in NYC under the OunceLabs banner:

In August 2009, IBM bought Ounce Labs, which I documented at the time with Update on O2 & Ounce & IBM, followed by Update #2 on O2 & IBM - 02 Sep 09 (after meeting the other IBM teams). This last post shows how by then I was realising that IBM had enough tools in their portfolio to create a really powerful integrated solution for embedding Security into SDLs (if only these tools could talk and work together). This was also the first time that I saw IBM's JAZZ, which from the first moment I thought was an amazing idea/concept.

In Sep 2009 O2 finally became an OWASP Project and I figured out how to explain one of the key ideas of 'what O2 is': O2: 'Open Platform for automating application security knowledge and workflows'

Then in Nov 2009 came the series of 4 blog posts that marked the end of my relationship with OunceLabs and IBM (I was still a contractor then):
  • Part I - IBM Application Security related tools & "AppScan 2011" - This is still one of my favorite posts since it really shows the need to have all these tools working together (note how many IBM tools I was able to use). Ironically it's now 2011 and I don't think this will happen this year.
  • Part II - Why IBM will 'solve the problem' - This is one of those posts that (hopefully) will one day become true :). The core idea is that IBM (as a company) 'Needs' application security, not as a product to sell and make money, but as a core foundation for their other software/development practices.
  • Part III - Why I said NO to IBM ... for now - basically, O2 was providing answers to problems that the IBM teams didn't know they had (or didn't feel there was customer demand for), so it was better to part ways and leave space to one day meet again :)
  • Part IV - O2 needs to be Commercially Supported - the rationale behind the need for an Open Source platform like O2 to be supported by services.
In response to these 4 posts, there were a number of really interesting responses by John Steven, Gunter Ollmann, Daniel Cuthbert and RSnake, which I linked at Public reactions to last week's posts.

In Jan 2010, I wrote Update #4 on OunceLabs/IBM Relationship, which reinforced the idea that there were no hard feelings between me and the IBM guys and that from that moment on, I was going to (for a while) focus 100% on O2's development. The Need for Standards to evaluate Static Analysis tools was also published at this time and provided a good rationale for why we really need a common language between the multiple scanning tools.

In June 2010, I documented my ideas for the types of Commercial Services that could be provided around O2: O2 Services: Online Training, Remote Support, Custom development and New funding model for O2's Development (based on Pledges, which I still think is a good idea, but O2 needs a bigger community before it can generate enough momentum and funds).

In Oct 2010 I launched the O2 Subscription model (Commercial Services not provided by OWASP) with some success. There was positive feedback from some OWASP leaders, which I documented here: Great Comments on the O2 Subscription Model.

In Oct 2010 I also wrote With O2, I am a Curator of Open Source Software, which is another one of my favorite posts since it represents a lot of the thinking and workflow that happens behind the scenes.

By now some users were starting to 'get' O2, and here is a great email I received: Having an O2 Epiphany - your turn next :)

In Nov 2010 I published an O2 Platform presentation (still relevant today) and a number of O2 Platform Videos (Nov 2010).

In Feb 2011, after the OWASP Summit in Portugal, I published an Open letter to WebAppSec Tool and Services vendors: Release your schemas and allow automation

In May 2011 I continued the We need to give our clients 'scripts' not pdfs theme.

In June 2011 I moved the core of O2 into a separate project (in an effort to reach more developers), which was called FluentSharp - An API for .NET developers.

Also in July I documented how to Use O2 to Parse and Visualize Fortify's FVDL files and how to create an O2 Platform Amazon EC2 Image (AMI).

From late 2010 till July 2011 I used the O2 Blog to document numerous O2 Scripting examples. 101 of them were consolidated (using an O2 script), indexed by category and linked at 101x O2 Platform Blog posts (by category) on July 21st.

And finally, at the beginning of August I joined Security Innovation (SI) as an Employee, which marks a new phase for me and for O2.

Let's see what happens next :)