Wednesday, 31 October 2012

My TeamMentor 'to-do' list for the next 6/12 months :)

I was thinking today about the areas/ideas that I think should/could be developed on TeamMentor over the next 6/12 months, and came up with the list below (I stopped after a while since the list was getting quite big :) )

The good news is that with the new TeamMentor 3.2 codebase and architecture, this is all doable, especially when compared with what has already been implemented over the past 18 months (btw, if you are a TM user feel free to put 'pressure' on which ones should happen first :) ).

With the caveat that these (very draft/raw) ideas are not in the right order in terms of priority or effort:  

Key Scenarios to support/improve:
  • How Developers find/are-exposed-to TM content
  • Time that it takes to create an Article
  • Time that it takes to push changes to an article (from the first email/reddit comment, to its creation/editing, to its publishing in the official SI library, to the moment it is available on a customer site)
  • Improve TM hyperlinks and their connections to/from the best content out there
  • Ability for TM to help developers to fix code
  • Ability of TM to help policy makers to define, distribute and enforce security policies
  • Ability to 'react to current events' and have relevant TM articles about them
  • How Security teams create and distribute their findings
  • How Security Knowledge and 'Best Practices' are created
  • How Security tools show guidance for the security issues their tools are able to find
  • How easy it is to create/convert content into the TM_Article schema
TM integration with 3rd party tools:
  • Consume TM in:
    • Security tools:
      • AppScan suite, HP tools, ThreadFix, Armorize, Veracode, Whitehat, Zap, ThreatModeller, Qualys, Metasploit, Netsparker (see more tools here)
    • 'Policy' tools (and CMS)
      • MediaWiki, Sharepoint and whatever tools the CIOs and 'Policy-guys' use
    • IDEs:
      • VisualStudio (better plugin), Eclipse, MonoDevelop, Notepad, latest online javascript editor, GitHub, etc... (see IDE list here)
  • Import/Export
    • security-findings conversion into TM Article Schema
  • Allow TM to directly invoke (and control) external tools for example:
    • Trigger scans from TeamMentor GUI
Make spectacular TM case studies
  • Use the fact that we use TM ourselves to show how/where TM adds value
  • Give the marketing team maximum visibility into what is going on, and integrate/export 'TM generated data' with the tools they use (email, SalesForce, HubSpot, etc...)
  • Add issues documented in and the next batch of their requests
Make TeamMentor a case study of a 'Secure app'
  • Document TM's security architecture and use it as a case study of 'how things should be done' (working with the AppSec community on what that actually means)
  • Continue with the practice of 'please hack teammentor' and the 'TM security bounty'
  • Add security features like HSTS and CSP (Content Security Policy)
  • Find a way to scan/test TeamMentor using the best security tools out there (Commercial and Open Source)

Consume/Map external data
  • NIST, CWE, SANS, OWASP, MSDN, StackExchange, Google
  • Better ways to consume/present TM data:
    • 'Google like' search engine mode
    • Article mapping schemas
    • Better design
    • Link visualisation
Change TM Articles from the current 'flat content format' to a 'content + mappings' format:
  • Figure out a way to create and package TM Articles based on the concept of 'virtual mappings'
  • A key scenario to support is the reuse of the same landing pages for multiple technologies (i.e. '1 landing page + n mappings' into 'technology-specific' content/articles)
    • This 'technology-specific' content can be another TM Article, an external resource (a page on the CWE site) or even just a title/topic ('Section XYZ of PCI ABC standard')
TeamMentor Mobile/Tablet
  • Auto-detect mobile users and show them the 'TM mobile version'
  • Create downloadable/installable versions of TM Libraries (which can be sold in Apple's or Android's app stores)
  • Use this version to explore multiple GUI options and to implement a much-needed REST API for fetching Library/Folder/View data
  • Find a way to package 'security reports' in TM Libraries that can be securely consumed on a tablet
  • Explore the reuse of the GUIs created for tablets in the developers' IDEs (i.e. the same web interface used to consume (navigate into) a TM Article would be the same on an (Android) tablet and in the developer's (VisualStudio) IDE)
    • This is a really important concept and one that I think will make a massive difference in TM's adoption and use
Improve TM Design
  • First 'clean rough edges' Design pass
  • 'What should TM 4.0 look like' design pass
  • Focus on making TM 'Simple to use'
  • Think about better ways to present the main TM web GUI (which at the moment is quite cluttered)

Technological changes needed in the TM code base:
  • Improve unit test support and run the tests as part of TM's continuous build
  • New control panel
  • Improve User Management and Automation of User provisioning/management 
  • Improve TM's use of Git's engine
    • Auto Commit on code changes
    • View Articles changes
    • Ability to change between TM versions (i.e. to go back into 'GitHub history')
  • Use ASP.NET MVC 4.0 for request routing
  • Add activity/request monitoring capabilities (maybe using Graphite) and add support for AppSensor-like capabilities
  • Remove legacy APIs and dead code (from TM 2.0)
  • Improve TM article cache architecture
  • Better HTML online editing capabilities
  • Better WikiText/Markup online editing capabilities (starting by adding Markup support)
  • Ability to Import data from other sources (word docs, web pages, etc..)
  • Allow the secure storage of data (by encrypting an Article's content (not the metadata))
  • Add TM installer for IIS and a better launcher (i.e. remove that 'start TeamMentor.bat')
  • Add support for OAuth authentication where it would be possible to authenticate using (for example) Google/Gmail, Twitter, Facebook, etc..
  • Add online-payments support to TM where the user can buy a TM license or a TM Library from TM's user control panel
  • Create a read-only version of TM 
  • Add support for 'providing anonymous feedback on TM usage' (with usage data and bugs/problems sent to SI)
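As an added illustration of the 'AppSensor-like capabilities' item (example code written for this post, not TeamMentor code): an in-application detector that consumes request events, maps them to detection points, counts them per user inside a sliding window and triggers a response once a threshold is crossed. The event fields, the three detection points, their thresholds/windows, the 'lock user' response and the sample event stream are all assumptions made for illustration.

```python
"""AppSensor-style detection points over an application's request stream.

Added example, not TeamMentor code. Event format, detection points,
thresholds and the sample events are assumptions for illustration.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# Detection point -> (events needed, window in seconds). Assumed values.
DETECTION_POINTS = {
    "AE1_login_failures": (5, 300),  # repeated failed logins by one user
    "ACE_forbidden": (3, 60),        # repeated 403s: probing for URLs
    "IE_invalid_input": (10, 60),    # repeated input-validation failures
}


def classify(event: dict) -> Optional[str]:
    """Map one request event to a detection point, or None if benign."""
    if event["path"].endswith("/login") and event["status"] == 401:
        return "AE1_login_failures"
    if event["status"] == 403:
        return "ACE_forbidden"
    if event["status"] == 400:
        return "IE_invalid_input"
    return None


class Detector:
    def __init__(self, points: Dict[str, Tuple[int, int]] = DETECTION_POINTS):
        self.points = points
        # (user, detection point) -> timestamps of events still in the window
        self.windows: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)
        self.locked = set()

    def observe(self, event: dict) -> List[str]:
        """Feed one event (events must arrive in time order); return actions."""
        point = classify(event)
        if point is None:
            return []
        threshold, window = self.points[point]
        key = (event["user"], point)
        ts = self.windows[key]
        ts.append(event["ts"])
        while ts and event["ts"] - ts[0] > window:  # drop expired events
            ts.popleft()
        if len(ts) >= threshold and event["user"] not in self.locked:
            self.locked.add(event["user"])
            ts.clear()
            return [f"lock_user:{event['user']}:{point}"]
        return []


def run(events: List[dict]) -> List[str]:
    """Run the detector over a list of events and return all actions taken."""
    detector = Detector()
    actions: List[str] = []
    for event in events:
        actions.extend(detector.observe(event))
    return actions


# Constructed sample stream: mallory fails login six times in 50 seconds,
# alice fails once, bob trips one 403 and one 400. Only mallory should lock.
SAMPLE_EVENTS = (
    [{"ts": t, "user": "mallory", "path": "/login", "status": 401} for t in range(0, 60, 10)]
    + [{"ts": 5, "user": "alice", "path": "/login", "status": 401}]
    + [{"ts": 100, "user": "bob", "path": "/admin", "status": 403},
       {"ts": 101, "user": "bob", "path": "/article", "status": 400}]
)

if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))
```

Two points worth keeping in mind: the response here is a lock per user and detection point, so a user who is already locked does not re-trigger; and counting by authenticated user only works for detection points that fire after login, so an unauthenticated probe needs a different key (client address, session) and the usual caveats about shared proxies.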
Support for scheduled tasks:
  • Auto fetch of Content changes (and if desired, with auto merge with existing content)
  • Auto update (latest version of Code)
  • Auto rebuild (for sites like that need to always be in a pristine state)
  • Stats-web-traffic data analysis and email to devs and marketing
  • User Management (for example to expire users)

User-centric capabilities
  • Ability to track user's usage of TM
  • Ability to store user data and activities
  • Ability to change the GUI based on stored user data (namely their activities, behaviour and tasks)
  • Ability to define what a user should do in TM

TM deployment monitoring technologies:
  • Ability to deploy first tens, then hundreds, of new TM instances per day
  • TM Cloud Provisioning 'Control Panel' - with ability to create/start/stop new TM instances with a couple of clicks
Improve 'Content Changes/Comments' workflow
  • Improve GUI to track and visualize content changes
  • Add support for 'Article' Forks (just like )
  • Allow users to comment on (and link to) specific parts of an article (this could be done on a per-user article fork)
Inter-TM communication where TM instances can
  • talk to each other and automatically download/upload content
  • send/receive user data/activities/tasks