[Owasp-o2-platform] Feedback

Dinis Cruz dinis at ddplus.net
Tue Nov 24 13:07:20 EST 2009

This is great news Brad, please dump as much info here regarding what are
your requirements, objectives and deliverables (you can also use the O2
Power-User Blogs which you have an account :) ).

The best way to 'consume' O2 is to have a very explicit set of problems that
we can use O2 to solve. So Brad, are you able to list 5 items that you would
like to do with O2?

Regarding training, there are already a couple commercial options that are
available to you: Bruce or Ian from IBM/Ounce , Cigital (talk to John Steven
since he knows the best ones),  Matt Parsons, and (if you fly them from
Brazil) Wagner from Conviso. There are a couple others power-users out
there, but I'm not sure I can mention their names :)

On the topic of O2 Users and Companies providing commercial services on top
of O2, I've started a page here (
http://www.owasp.org/index.php/OWASP_O2_Platform/WIKI/Active_O2_Users) and
please feel free to add your name (It's a WIKI, just get an account and
start editing)


On Mon, Nov 23, 2009 at 2:19 PM, Brad Causey <bradcausey at gmail.com> wrote:

> I'm firing this into the open forum because hopefully other folks will be
> able to get something from it.
> I am creating a standardized code review process manual for my employer.
> This will include step-by-step (yay for the reqs in the financial sector)
> guide on what needs to be done. Now because we don't have a shi-ton of
> coders on our team, we need a tool to assist us. We primarly deal in java
> and dot-net. Because of this, O2 came to mind, and I'm proud to say I've
> convinced my boss to let me attempt to make O2 the "authorized" tool for
> code review, across the organization.
> I will probably end up having to hire a trainer and bring them in to train
> the team on O2, but this also drives home the need for some simplistic
> interfaces, and good docs.
> I'd like to get with you Dinis, and make this happen, and share what we
> create/learn with the O2 mailing list. Anonomized of course. =)
> -Brad Causey
> http://www.owasp.org
> --
> Never underestimate the time, expense, and effort an opponent will expend
> to break a code. (Robert Morris)
> --
> On Sat, Nov 21, 2009 at 10:04 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>> First of all, a big* Thank You to Rohit*, since feedback like this is not
>> easy to do, and he is also providing a number of very good ideas (which I
>> will implement in the very short term)
>> I also completely agree with Rohit (and probably most of you that have
>> tried O2) *that O2's GUI sucks from the point of view of a new user*.
>> I really like the idea of 'information hiding' for new users suggested by
>> Rohit, in fact once I made a bunch of 'analog' (i.e. on paper) sketches
>> based on the idea of 'rewarding user with features once he 'achieves' a
>> certain task (just like the games on the iPhone (which my kids play) which
>> only let you go to the next level once you completed the current one.
>> I'm going to provide a much more detailed answer to Rohit (including with
>> a PoC of the GUI that he described), but please keep feedback like this
>> coming
>> And if you want to be track your requests, you can add them here:
>> http://code.google.com/p/o2platform/issues/list
>> Dinis Cruz
>> 2009/11/19 Rohit Sethi <rklists at gmail.com>
>> Dinis et al, this project is very promising. Although I've known about
>>> O2 for a while now, today was the first time I actually installed the
>>> tool. Dinis, when you demonstrate the capabilities of O2 it's
>>> awe-inspiring, but I imagine many people feel the same way as I do
>>> when they actually install the tool: overwhelmed. I suggest you apply
>>> the principle of "information hiding" to the design of the application
>>> - provide people with a basic, simple view of the application and give
>>> them the option to expand on more advanced features when needed. I
>>> have some ideas for you, but I'm ashamed to say I don't have the
>>> bandwidth to actually implement them :(
>>> A few specific suggestions:
>>> •       Is there a public bug tracking system? If not this is an
>>> invaluable
>>> tool to solicit feedback and track bugs on an ongoing basis. You
>>> should provide a link to the bug-tracker from the main OWASP O2 page
>>> •       What was the rationale for creating a new GUI? In particular, why
>>> didn’t you just piggyback off an existing, pluggable IDE like Eclipse?
>>> I'd guess the answer is because O2 is developed (I’m assuming) in .Net
>>> and probably through Visual Studio in order to facilitate GUI widget
>>> development. You’ve created a new look and feel which then requires
>>> the end user to understand the new look and feel in order to make
>>> sense of the application. Although I can appreciate the choice to go
>>> use .Net instead of Java, I wonder if copying some of the GUI
>>> conventions of Eclipse might be useful (more on this later). Note that
>>> I’m no usability expert, but I’d like to share my thoughts anyway. I
>>> would seriously suggest freezing new feature development for a while
>>> and focus on improving usability; once the application is easier to
>>> use, hopefully the user base will grow and so will the pool of
>>> developers willing to pitch in. In general try to minimize the amount
>>> of information in each dialogue box, and provide expandable, grouped
>>> advanced options.
>>> •       I think O2 would be better served as one application with various
>>> features and extensions, rather than a loosely coupled collection of
>>> modules. Not only will this help lower the learning curve to the
>>> application, it will help clarify the user interface. Going back to
>>> the Eclipse point, why not start with the concept of a “Project”? Each
>>> project relates to an individual application, and is comprised of
>>> several child elements. You can even have a Project Explorer /
>>> Navigation similar to what Eclipse has. Rather than dragging and
>>> dropping source files into different module windows, there should be
>>> one location of source files within the projects and the modules can
>>> reference those source files.
>>> Here’s an example of a potential Project structure:
>>> Project
>>>   -Input
>>>       -Scanner Results (e.g. .ozmat)
>>>       -Source Files (e.g. .class, .xml)
>>>   -Analysis
>>>       -Findings (e.g. Ounce findings)
>>>       -Rules (e.g. Ounce rules)
>>>       -Scripts (e.g. Python, Java, C# scripts, etc.)
>>>       -Intermediate Representation (e.g. CIR objects)
>>> •       I appreciate the flexibility in offering discrete modules of O2
>>> functionality; however, in its current format, I had a hard time
>>> distinguishing between which functions are "Core O2 functions" and
>>> what were really extensions. I suggest that you create a single GUI
>>> which users can identify as the "O2 application". Similar to IDEs like
>>> Eclipse, users could open the GUI and then select different views or
>>> perspectives based on the features they wish to use. Similarly, I
>>> suggest creating a single Windows installer that installs all Core O2
>>> functions along with the single GUI (e.g. Rules Manager, Join Traces,
>>> O2 Scripts, Findings Query, Findings Viewer, Findings Filter, Search
>>> Assessment Run, etc.). Provide an option for custom installation in
>>> case people want to scale down the features. Provide an interface to
>>> install "extensions" such as Spring MVC or support for CSharpScripts,
>>> etc.
>>> Here’s what I’d recommend for the top level menus of the Core O2
>>> application:
>>> File
>>>   -New /** starts a new project, perhaps with a wizard to help guide
>>> the user */
>>>   -Open
>>>   -Save
>>>   --------
>>>   -Import /** import findings from various scanners */
>>>   ---------
>>>   -Exit
>>> /** Get rid of restart modules - this might be a useful debugging
>>> concept but doesn't make sense to end users. Somebody should open and
>>> close the app if they need to do this */
>>> Edit
>>>  -Cut
>>>  -Copy
>>>  -Paste
>>>  -------
>>>  -Configuration /** opens a dialog window with top level choices on
>>> the left and details on the right, similar to Eclipse Preferences */
>>>      -File System /** Top level choice */
>>>         -File Location
>>>         -Install Directory
>>>         -Temp Directory
>>>         -Executable Directory
>>>      -Module Specific /** One top level choice for each module that
>>> requires configuraiton */
>>>      -Advanced /** Top level choice */
>>>         -(other configuration items from the KO2Config)
>>> /** Provide a radio button on the top to allow users to toggle between
>>> Main configuration and user-specific configuration */
>>> /** Provide standard Save and Cancel buttons on the bottom of the
>>> dialogue window */
>>> Modules /** Each should bring up a different dialog box */
>>>   -Search
>>>   -Rules Manager /** don't distinguish between XRules and other kinds
>>> of rules - this is confusing */
>>>   -Log Viewer
>>>   -Trace Joiner
>>>   -Code Reflector
>>>   -Script Editor /** should support  C-Sharp, Python and Java */
>>>   -Findings Manager /** includes Filter and Viewer */
>>>   -Intermediate Representation Viewer  /** or IR Viewer for short,
>>> rather than CIR since this is now platform agnostic */
>>>   -Technology-Specific Modules
>>>       -Spring MVC
>>>       -.Net /**Should include the .Net debugger (the web server
>>> should be part of this functionality rather than a separate module),
>>> .Net Callbacks Maker */
>>> Windows /** no idea what functionality is supposed to be here */
>>> Help
>>>  -Online Knowledgebase (or Wiki) /** Link to owasp site */
>>>  -Request Help from O2 Developers
>>>  -About /** include version, developers names and the email address
>>> to provide feedback, don’t need the Send Comment feature */
>>> •       Do you really need the modules that allow people to run the
>>> scanner
>>> from within O2? I argue this causes too much confusion for it’s actual
>>> value
>>> •       If you use the above-suggested layout, Web Inspect Converter and
>>> other Blackbox scanner import tools should be Wizards to import data
>>> into a project’s Scanner Results rather than new modules
>>> Cheers,
>>> --
>>> Rohit Sethi
>>> Security Compass
>>> http://www.securitycompass.com
>>> _______________________________________________
>>> Owasp-o2-platform mailing list
>>> Owasp-o2-platform at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
>> --
>> Dinis Cruz
>> Blog: http://diniscruz.blogspot.com
>> Twitter: http://twitter.com/DinisCruz
>> Web: http://www.owasp.org/index.php/O2
>> _______________________________________________
>> Owasp-o2-platform mailing list
>> Owasp-o2-platform at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
> _______________________________________________
> Owasp-o2-platform mailing list
> Owasp-o2-platform at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-o2-platform/attachments/20091124/01b3ad40/attachment.html 

More information about the Owasp-o2-platform mailing list