O2: A brief introduction and why you should care

If you consider yourself a well-educated follower of all things info security related, then the Owasp O2 Platform project shouldn’t come as a surprise. If that’s not the case, here is a quick breakdown:

What: A series of Open Source modules that allow you, the tester, to better understand an application's security profile.

Why: It's a known fact that black-box assessments won't result in all the possible vulnerabilities being discovered. A hybrid approach is needed where source code and access to it are available. This is where O2 comes into the picture. A more detailed explanation can be found here.

Dinis, being the bundle of infosec energy we all know and love, has written a series of blog posts discussing the future of O2, namely:

All good points, albeit with some fundamental flaws. In Part 1, he talks about a fictional company called AppSEC, which is primarily an IBM shop. The problem here is that whilst IBM is a big company, anyone who's worked with IBM tools in the past knows they often don't really do the job well. All I need to mutter are the fabled words 'Lotus Notes' to know what a total abortion some of their tools are like. AppSEC, like many new consultancies who cannot afford more senior staff, relies on automated tools like AppScan.

AppScan is OK for catching low-hanging fruit, but it does not replace the experience and knowledge obtained from testing hundreds of applications. I'd query any company's approach to security that relies on any given tool to achieve a full spread of testing. The rest of the post goes on to describe how the test would flow, including some pretty nifty ideas, albeit rather impractical ones.

Maybe in 2011 security assessments will look like this, but in 10 years of doing this, I've yet to see one that does.

In Part II, he thinks that IBM will solve the problem, which again is something I find rather impossible. Having worked with IBM and some of their more talented employees, this is a distant dream and one I doubt will come true. IBM, like any other large company, has invested in Application Security by purchasing big-name products and stamping the IBM badge on them. The basis of their approach is building 'smarter' technologies. So if that's the case, why have we been inundated with dumb technologies to date?

SQL injection is still a major hassle to anyone on the Internet, as is Cross-Site Scripting. Are we saying that up to now, all developments have been dumb and now all of a sudden IBM have the ability to go smart? What changed?

The final post is about the commercial support of O2, one I do agree with. However, as with any tool that's developed by a security professional, a massive amount of common sense is missing. The framework is hard to use, the documentation is lacking and the overall support just isn't there. For there to be any chance of a company supporting O2, some drastic work has to be done to make it appealing to people in the industry, and right now it's not.

Dinis is looking for a company or department which provides the following services:

  • Support: 9 to 5 (or 24h), Level 1 and Level 2 support (via email, phone, tweet, online forums and mailing lists)
  • Training: provide online and classroom based training to both new and advanced users
  • QA: Test new releases of O2
  • Documentation
  • Security Review of O2 itself
  • Build Certified versions of O2 (just like Red Hat)
  • Manage source control and user-submitted content
  • On Demand customization of O2 Modules
  • Professional Services
  • Integration Services: building new parsers / plug-ins for consuming and instrumenting other tools. Adding support for new languages and technologies (ABAP, Smalltalk, SQL, COBOL, etc…)
  • Bug Fixing of existing O2 Modules
  • Development of new O2 Features

All good and great, but something that will require vast amounts of investment from said company, and right now the world's economy is still reeling from a nasty meltdown and investment isn't forthcoming.

The problem with this industry is that we love to make things complicated. It's often like a special badge that shows we can do it, but just because we can doesn't mean we should. The basic idea behind O2 is brilliant; the execution isn't. It's confusing and lacking in so many different areas that I'd hedge a bet and say it's not attractive to any potential investor, as they cannot see what they'd get out of it.

If you want to attract support, here is what I think would help:

  1. Tidy up the house. Explain what the tool does in easy-to-understand language. Show examples, with diagrams, and make sure everyone who has a basic level of IT knowledge understands it.
  2. Train up a group of core people who can be evangelists for the project. Having one or two people isn't enough; it's just another Open Source project with a limited future.
  3. Ease of use. I cannot stress this enough: a tool that is hard to use ISN'T used!

I do see a future for O2 but not until some basic changes have been made to make it more attractive to investors.
