Saturday 26 January 2013

Please show Ian Spiro your support for his IBM AppScan research, ideas and energy

tl;dr: if you complain about the fact that SAST tools like AppScan Source don't really 'work' in the real-world, and wish they could be more customisable, please send your support, ideas, thoughts and requests to

Sometimes one has to go on the record and publicly support who deserves it.

Ian Spiro is one of them.

I know Ian from my OunceLabs days when he was working as the main support person for the OunceLabs Static analysis engine (Ounce was bought by IBM and the product is now called IBM AppScan Source).

Ian was one of the first guys who really saw the potential of the O2 Platform (called F1 at the time) and he has been one of my best power-users since then.

After the IBM acquisition, I chose to not join IBM because after showing the problems I was solving with the O2 Platform, I realised that those were problems that the IBM AppScan crowd didn't even realised they had.

But Ian stayed at IBM, keept improving his skills and become the best power-user of AppScan Source (while trying to use O2 behind the scenes to help customers and to make things work).

The best part is that Ian has finally started blogging (at about his efforts to make AppScan Source, specially around the idea of creating an AppScan Appliance (i.e. a central server that automatically runs and distributes scans).

Here are some of Ian's best posts:
What is really important about Ian's writing, is that it represents the areas of research that are needed if we are going to make SAST and DAST work in the real-world (see my post on What are the challenges with SAST that don't need a better engine for a nice list).

Just look at what he is doing:
  • Integrate AppScan Source with a CI environment like TeamCity (where Scans can be triggered from Git Commits)
  • Using WAFL and F4F to allow AppScan's engine to understand how Frameworks (like ASP.NET MVC work)
  • Creating GUIs where results from SAST (AppScan Source) and DAST (AppScan Standard) are presented together so that much better informed decisions can be made about the issues presented
  • Join traces together in order to create 'real-world' traces
  • Trying to figure out how to package all this in an 'AppScan Appliance'
Really important research, and if you (like me) really wants the SAST technology to improve, please join me in congratulating Ian's for his efforts and dedication (and thanks to IBM too, for allowing Ian to post his research on the blogs)

WHAT YOU CAN DO TO HELP: here is the Important part of this post

What is happening is that unfortunately Ian (like me) is too far ahead of the current IBM AppScan development teams, and it looks like he is much better at IBM Research.

So, since Ian is going to have a 'word' with the IBM Research guys next week, I though it would be a good idea to help Ian with a show of support and to let IBM Research know just how important what he is doing is for the Web Application industry.

Please blog or email with your views on what he is doing, and help him to get a really nice research gig at IBM.

Ian, here is my support paragraph to you:

"Ian is currently doing some of the most advanced Web Application Security research in the world, whereby he is trying to combine his real-world expertise from working with AppScan Source/Standard clients with: 
   a) CI (Contiguous Integration) tools/workflow, 
   b) data/guis correlation techniques 
   c)  application's frameworks mapping/visualisation. 
He represents the future of IBM's technology with multiple tools and services working together as one, providing IBM's customers (and industry) a unified view of an application's security vulnerability/risk"