[Owasp-o2-platform] (ideas moved to bug tracking system) Re: Feedback

Rohit Sethi rklists at gmail.com
Wed Nov 25 09:31:48 EST 2009

Thanks Dinis. I really believe that with the right amount of
information hiding we can greatly enhance the experience for new users

On Wed, Nov 25, 2009 at 6:47 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
> Thanks again Rohit for the great ideas on this email (and for the 3 hours he
> spent yesterday with Brad and Matt on the O2's DimDim remote presentation)
> To keep track of Rohit's requests and ideas I created the following 3 issues
> on the O2 bug tracking system:
> Issue 8: O2 GUI - Create Rohit's GUI PoC
> Issue 9: Introduce O2 Wizards (and use it to replace some modules)
> Issue 12: What was the rationale for creating a new GUI?
> The reason for using the O2's bug tracking system for documentation (or
> feature requests) is so that we can
>   a) track its resolution state and
>   b) be able to store all ideas about a particular request in a central
> location
> Please feel free to add additional comments to hose 'bug' entries or to
> enter your own
> Dinis
> 2009/11/19 Rohit Sethi <rklists at gmail.com>
>> Dinis et al, this project is very promising. Although I've known about
>> O2 for a while now, today was the first time I actually installed the
>> tool. Dinis, when you demonstrate the capabilities of O2 it's
>> awe-inspiring, but I imagine many people feel the same way as I do
>> when they actually install the tool: overwhelmed. I suggest you apply
>> the principle of "information hiding" to the design of the application
>> - provide people with a basic, simple view of the application and give
>> them the option to expand on more advanced features when needed. I
>> have some ideas for you, but I'm ashamed to say I don't have the
>> bandwidth to actually implement them :(
>> A few specific suggestions:
>> •       Is there a public bug tracking system? If not this is an
>> invaluable
>> tool to solicit feedback and track bugs on an ongoing basis. You
>> should provide a link to the bug-tracker from the main OWASP O2 page
>> •       What was the rationale for creating a new GUI? In particular, why
>> didn’t you just piggyback off an existing, pluggable IDE like Eclipse?
>> I'd guess the answer is because O2 is developed (I’m assuming) in .Net
>> and probably through Visual Studio in order to facilitate GUI widget
>> development. You’ve created a new look and feel which then requires
>> the end user to understand the new look and feel in order to make
>> sense of the application. Although I can appreciate the choice to go
>> use .Net instead of Java, I wonder if copying some of the GUI
>> conventions of Eclipse might be useful (more on this later). Note that
>> I’m no usability expert, but I’d like to share my thoughts anyway. I
>> would seriously suggest freezing new feature development for a while
>> and focus on improving usability; once the application is easier to
>> use, hopefully the user base will grow and so will the pool of
>> developers willing to pitch in. In general try to minimize the amount
>> of information in each dialogue box, and provide expandable, grouped
>> advanced options.
>> •       I think O2 would be better served as one application with various
>> features and extensions, rather than a loosely coupled collection of
>> modules. Not only will this help lower the learning curve to the
>> application, it will help clarify the user interface. Going back to
>> the Eclipse point, why not start with the concept of a “Project”? Each
>> project relates to an individual application, and is comprised of
>> several child elements. You can even have a Project Explorer /
>> Navigation similar to what Eclipse has. Rather than dragging and
>> dropping source files into different module windows, there should be
>> one location of source files within the projects and the modules can
>> reference those source files.
>> Here’s an example of a potential Project structure:
>> Project
>>   -Input
>>       -Scanner Results (e.g. .ozmat)
>>       -Source Files (e.g. .class, .xml)
>>   -Analysis
>>       -Findings (e.g. Ounce findings)
>>       -Rules (e.g. Ounce rules)
>>       -Scripts (e.g. Python, Java, C# scripts, etc.)
>>       -Intermediate Representation (e.g. CIR objects)
>> •       I appreciate the flexibility in offering discrete modules of O2
>> functionality; however, in its current format, I had a hard time
>> distinguishing between which functions are "Core O2 functions" and
>> what were really extensions. I suggest that you create a single GUI
>> which users can identify as the "O2 application". Similar to IDEs like
>> Eclipse, users could open the GUI and then select different views or
>> perspectives based on the features they wish to use. Similarly, I
>> suggest creating a single Windows installer that installs all Core O2
>> functions along with the single GUI (e.g. Rules Manager, Join Traces,
>> O2 Scripts, Findings Query, Findings Viewer, Findings Filter, Search
>> Assessment Run, etc.). Provide an option for custom installation in
>> case people want to scale down the features. Provide an interface to
>> install "extensions" such as Spring MVC or support for CSharpScripts,
>> etc.
>> Here’s what I’d recommend for the top level menus of the Core O2
>> application:
>> File
>>   -New /** starts a new project, perhaps with a wizard to help guide
>> the user */
>>   -Open
>>   -Save
>>   --------
>>   -Import /** import findings from various scanners */
>>   ---------
>>   -Exit
>> /** Get rid of restart modules - this might be a useful debugging
>> concept but doesn't make sense to end users. Somebody should open and
>> close the app if they need to do this */
>> Edit
>>  -Cut
>>  -Copy
>>  -Paste
>>  -------
>>  -Configuration /** opens a dialog window with top level choices on
>> the left and details on the right, similar to Eclipse Preferences */
>>      -File System /** Top level choice */
>>         -File Location
>>         -Install Directory
>>         -Temp Directory
>>         -Executable Directory
>>      -Module Specific /** One top level choice for each module that
>> requires configuraiton */
>>      -Advanced /** Top level choice */
>>         -(other configuration items from the KO2Config)
>> /** Provide a radio button on the top to allow users to toggle between
>> Main configuration and user-specific configuration */
>> /** Provide standard Save and Cancel buttons on the bottom of the
>> dialogue window */
>> Modules /** Each should bring up a different dialog box */
>>   -Search
>>   -Rules Manager /** don't distinguish between XRules and other kinds
>> of rules - this is confusing */
>>   -Log Viewer
>>   -Trace Joiner
>>   -Code Reflector
>>   -Script Editor /** should support  C-Sharp, Python and Java */
>>   -Findings Manager /** includes Filter and Viewer */
>>   -Intermediate Representation Viewer  /** or IR Viewer for short,
>> rather than CIR since this is now platform agnostic */
>>   -Technology-Specific Modules
>>       -Spring MVC
>>       -.Net /**Should include the .Net debugger (the web server
>> should be part of this functionality rather than a separate module),
>> .Net Callbacks Maker */
>> Windows /** no idea what functionality is supposed to be here */
>> Help
>>  -Online Knowledgebase (or Wiki) /** Link to owasp site */
>>  -Request Help from O2 Developers
>>  -About /** include version, developers names and the email address
>> to provide feedback, don’t need the Send Comment feature */
>> •       Do you really need the modules that allow people to run the
>> scanner
>> from within O2? I argue this causes too much confusion for it’s actual
>> value
>> •       If you use the above-suggested layout, Web Inspect Converter and
>> other Blackbox scanner import tools should be Wizards to import data
>> into a project’s Scanner Results rather than new modules
>> Cheers,
>> --
>> Rohit Sethi
>> Security Compass
>> http://www.securitycompass.com
>> _______________________________________________
>> Owasp-o2-platform mailing list
>> Owasp-o2-platform at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
> --
> Dinis Cruz
> Blog: http://diniscruz.blogspot.com
> Twitter: http://twitter.com/DinisCruz
> Web: http://www.owasp.org/index.php/O2

Rohit Sethi
Security Compass

More information about the Owasp-o2-platform mailing list