[Owasp-o2-platform] Request for help on: OWASP O2 Platform

dinis cruz dinis.cruz at owasp.org
Mon Nov 16 20:57:09 EST 2009


Hi there, in case some of you missed this last week, just before my OWASP O2
Platform <http://www.owasp.org/index.php/OWASP_O2_Platform/> Presentation at
the AppSec DC conference last week I posted 4 blog posts on O2, IBM, and
what I think should happen next:

   - Part I - IBM Application Security related tools & "AppScan 2011" <http://diniscruz.blogspot.com/2009/11/part-i-ibm-application-security-related.html>
   - Part II - Why IBM will 'solve the problem' <http://diniscruz.blogspot.com/2009/11/part-ii-why-ibm-will-solve-problem.html>
   - Part III - Why I said NO to IBM ... for now <http://diniscruz.blogspot.com/2009/11/part-iii-why-i-said-no-to-ibm-for-now.html>
   - Part IV - O2 needs to be Commercially Supported <http://diniscruz.blogspot.com/2009/11/part-iv-o2-needs-to-be-commercially.html>

As you can see, I have moved O2 to OWASP and am driving 100 miles an hour
into making the OWASP O2 Platform
<http://www.owasp.org/index.php/OWASP_O2_Platform/> THE standard
'lingua franca' between multiple Application Security tools (allowing a
type of Human+Tool analysis, workflow and automation that most people in
our industry think is impossible).

As R'Snake says in his comment at
http://ha.ckers.org/blog/20091115/the-future-of-o2/, this is a great
opportunity for IBM. The only way we will have a number of standards in our
industry, and any decent tool interoperability, is if we do it openly and
collaboratively, with OWASP and O2 strategically positioned to lead that
effort.

IBM's return on investment is the fact that O2 will make it easier for users
to use their products (which leaves the user in a position where they can
choose the best tool for the job without worrying whether those tools (Open
Source or Proprietary) talk to each other).

What I like about the Part I - IBM Application Security related tools &
"AppScan 2011" <http://diniscruz.blogspot.com/2009/11/part-i-ibm-application-security-related.html>
post - and ignore the IBM references (or replace them with Open Source or
Proprietary equivalents), which are there to show that I could implement most
(if not all) of that workflow today using available products and a number
of O2 Scripts - is that it:

    a) shows the complexity of real world engagements (and I would argue
that even that example is a VERY simplified version of reality)
    b) shows how far away we are as an industry from being able to
'communicate' and engage with our clients in a way that they get the
maximum return on their investment in our services (and improve their
security risk profile)

If you are not interested in O2, IBM or what I am doing, you should at least
read the 2nd part of this post, Part IV - O2 needs to be Commercially
Supported <http://diniscruz.blogspot.com/2009/11/part-iv-o2-needs-to-be-commercially.html>,
and John Steven's blog post on Vendors in an Open-Source Security Community
<http://www.cigital.com/justiceleague/2009/11/12/vendors-in-an-open-source-security-community/>.

The only way OWASP materials will be used by the people that matter (big
companies, small companies, software developers, framework developers,
governments, etc...) is if OWASP materials can be 'consumed' in a
professional, efficient and productive way.

And just like commercial vendors like Red Hat & IBM made the Linux
'commercial ecosystem' work, to really succeed in its mission ("... make
application security visible so that people and organizations can make
informed decisions about application security risks..."
<http://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project>)
OWASP needs to create a healthy ecosystem of commercially-driven companies
(maybe even government or grant-funded external organizations) that support
and drive its most successful projects.

Of course we have to be very careful about how we do this, since we
have to make sure that this is done in a way that is 100% compatible with
our values. Ironically, the two efforts that are probably closest to this
reality (an OWASP project commercially supported by a 3rd party company) are
two projects led by two OWASP Board Members: me with O2 and Jeff with
ESAPI.

I think both Jeff and I have the political capital inside OWASP to have some
margin for maneuver in creating, testing and fine-tuning the model.

The good news is that, IF (and it is a big if) we get this right, there are
a LOT of OWASP projects that should follow the same path.

OWASP Project leaders, imagine if you could work for a company that
commercially supported your OWASP Project (Tool or Document) and paid you
and others to work exclusively on that project and release what was created
under OWASP?

Of course, if we (me or Jeff) screw this up, and the OWASP community
thinks we lost our independence, then we can no longer be Board Members.

Disclaimer: I'm using Jeff as another example of what I am trying to do with
O2 since it is a very similar scenario. BUT, just for the record, as far as
I know, Jeff's employer has NOT decided (so far) to commercially support
ESAPI, and they might never go down that path (that said, I think they will,
since at the rate ESAPI is maturing, it will just be a matter of time before
somebody else (individual or company) gets the funding to do it).

So here is my request to you (owasp-leaders): Please help me convert the
materials created by your project (tool or document) into O2's Open Schemas
so we can consume them from a central location (and, when applicable, be able
to 'consume' O2's Open Schemas so that your project can benefit from
artifacts created by other OWASP projects). Of course there is a lot
more to O2 than this first step, but achieving good interoperability between
OWASP tools would be a great step forward.

As I explained in my previous email (subject was "Fwd: [Owasp-o2-platform]
[SC-L] Static Analysis Findings"), one of O2's powerful features is its
ability to quickly consume and process results from external tools.

I'm happy to help you, and I am sure you will be pleasantly surprised by how
easy it is to write these parsers (for example, Matt Tesauro can vouch for
how I wrote the O2 WebScarab Log parser in a short period while attending
the OWASP Brazilian conference; the objective of that exercise was to show
how O2 could create reports based on the special tags supported by the
latest version of WebScarab (not the NG one)).

A final comment that I would like to make about IBM.

My feeling is that they (IBM) want to do the right thing and support O2
(remember that there is a good historical precedent with IBM's support for
key Open Source projects like Eclipse; see
http://www.ibm.com/developerworks/opensource/ for tons more examples),
BUT they (IBM) are not sure/convinced about O2's ability to generate a
vibrant and productive community.

So ironically, at the moment YOU (owasp-leader or O2 user) are more
important for the short/medium-term future of O2 than I am :)

Thanks for your help,

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2