For the past couple of years I have been using this personal blog to document O2 Platform's history.
Here are the most important blog posts, ordered chronologically and with some additional comments (made in August 2011).
- OunceLabs releases my research tools under an Open Source license (it's called O2 and is hosted at CodePlex) - this explains the origins of O2, why I created it and the multiple modules that this initial version had. This also explains how O2 relates to OSA (Ounce Security Analyst). Note that at this time O2 was not an OWASP Project (it was released under an Open Source license, but not at OWASP).
- So what can I do with O2? - I go through what was possible to do back then with O2; very importantly, check out the type of analysis that I was already doing then (using O2 + the Ounce Labs engine).
In August 2009, IBM bought Ounce Labs, which I documented at the time with Update on O2 & Ounce & IBM, followed by Update #2 on O2 & IBM - 02 Sep 09 (after meeting the other IBM teams). This last post shows how by then I was realising that IBM had enough tools in their portfolio to create a really powerful integrated solution for embedding security into SDLs (if only these tools could talk and work together). This was also the first time that I saw IBM's JAZZ, which from the first moment I thought was an amazing idea/concept.
In Sep 2009 O2 finally became an OWASP Project and I figured out how to explain one of the key ideas of 'what O2 is': O2: 'Open Platform for automating application security knowledge and workflows'
Then in Nov 2009 came the series of 4 blog posts that marked the end of my relationship with OunceLabs and IBM (I was still a contractor then):
- Part I - IBM Application Security related tools & "AppScan 2011" - This is still one of my favorite posts since it really shows the need to have all these tools working together (note how many IBM tools I was able to use). Ironically it's now 2011 and I don't think this will happen this year.
- Part II - Why IBM will 'solve the problem' - This is one of those posts that (hopefully) will one day become true :) . The core idea is that IBM (as a company) 'needs' application security, not as a product to sell and make money from, but as a core foundation for their other software/development practices.
- Part III - Why I said NO to IBM ... for now - basically, O2 was providing answers to problems that the IBM teams didn't know they had (or didn't feel there was customer demand for), so it was better to part ways and leave space to one day meet again :)
- Part IV - O2 needs to be Commercially Supported - the rationale for why an Open Source platform like O2 needs to be supported by services.
In response to these 4 posts, there were a number of really interesting responses by John Steven, Gunter Ollmann, Daniel Cuthbert and RSnake, which I linked at Public reactions to last week's posts.
In November 2009, I also wrote Why I had to build O2? and Mr Security Consultant: 'Are You Doing A Good Job' for your clients?
In Jan 2010, I wrote Update #4 on OunceLabs/IBM Relationship, which reinforced the idea that there were no hard feelings between me and the IBM guys and that from that moment on, I was going to (for a while) focus 100% on O2's development. The Need for Standards to evaluate Static Analysis tools was also published at this time and provided a good rationale for why we really need a common language between the multiple scanning tools.
In May 2010 I created the first version of O2's .NET Static Analysis engine: Major new version, O2 .NET Ast Scanner and first batch of videos and Major O2 Milestone: 'Complete Vulnerability Trace' for a HacmeBank Sql Injection vulnerability.
In June 2010, I documented my ideas for the types of Commercial Services that could be provided around O2: O2 Services: Online Training, Remote Support, Custom development and New funding model for O2's Development (based on Pledges, which I still think is a good idea, but O2 needs a bigger community before it can generate enough momentum and funds).
In July 2010 I wrote an update on the IBM story and the fact that O2 was ready for beta testing: Update on OunceLabs+IBM story and "OWASP O2 Platform is ready for you (after 6 months solid development)" and First major release of the OWASP O2 Platform - please download and try it.
In Oct 2010 I launched the O2 Subscription model (Commercial Services not provided by OWASP) to some success. There was positive feedback from some OWASP leaders, which I documented here: Great Comments on the O2 Subscription Model.
In Oct 2010 I also wrote With O2, I am a Curator of Open Source Software, which is another one of my favorite posts since it represents a lot of the thinking and workflow that happens behind the scenes.
By now some users were starting to 'get' O2, and here is a great email I received: Having an O2 Epiphany - your turn next :)
In Nov 2010 I published an O2 Platform presentation (still relevant today) and a number of O2 Platform Videos (Nov 2010).
In Feb 2011, after the OWASP Summit in Portugal, I published an Open letter to WebAppSec Tool and Services vendors: Release your schemas and allow automation.
In May 2011 I continued on the We need to give our clients 'scripts' not pdfs theme.
In June 2011 I moved the core of O2 into a separate project (in an effort to reach more developers), which was called FluentSharp - An API for .NET developers.
In July 2011 I republished the Spring MVC security research that I had done at Ounce Labs with the "Two Security Vulnerabilities in the Spring Framework's MVC" pdf (from 2008), which was followed by a number of Spring MVC posts: Finally ... here is how I have been analysing Spring MVC apps using O2, Couple more blog posts on JPetStore and additional Spring MVC Autobinding vulnerabilities, Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinic's vulnerabilities) and Current O2 support for analyzing Spring MVC.
Also in July I documented how to Use O2 to Parse and Visualize Fortify's FVDL files and how to create an O2 Platform Amazon EC2 Image (AMI).
From late 2010 till July 2011 I used the O2 Blog at http://o2platform.wordpress.com to document numerous O2 scripting examples. 101 of them were (using an O2 script) consolidated, indexed by category and linked at 101x O2 Platform Blog posts (by category) - on July 21st.
And finally, at the beginning of August I joined Security Innovation (SI) as an employee, which marks a new phase for me and for O2.
Let's see what happens next :)