Sometimes one has to go on the record and publicly support who deserves it.
Ian Spiro is one of them.
I know Ian from my OunceLabs days, when he was working as the main support person for the OunceLabs static analysis engine (Ounce was bought by IBM and the product is now called IBM AppScan Source).
Ian was one of the first guys who really saw the potential of the O2 Platform (called F1 at the time) and he has been one of my best power-users since then.
After the IBM acquisition, I chose not to join IBM because, after showing the problems I was solving with the O2 Platform, I realised that those were problems that the IBM AppScan crowd didn't even realise they had.
But Ian stayed at IBM, kept improving his skills and became the best power-user of AppScan Source (while trying to use O2 behind the scenes to help customers and to make things work).
The best part is that Ian has finally started blogging (at http://www.ibm.com/developerworks/) about his efforts around AppScan Source, especially the idea of creating an AppScan Appliance (i.e. a central server that automatically runs and distributes scans).
Here are some of Ian's best posts:
- Source Edition Results Plug-in For AppScan Standard – Application Injection Part 2
- Extending The AppScan Web Application Framework Language – Creating an F4F Handler
- The AppScan Appliance – Source Scans On Demand
- The AppScan Appliance – Web Portal Development and CI Integration
- Extending AppScan's Web Application Framework to support ASP.NET MVC
- The AppScan Appliance - Proof Of Concept Definition
- Application Injection - Hooking into AppScan Standard
- The AppScan Security Appliance - How The Mainframe Can Transform Application Security
- Mapping Entrypoint URLs To AppScan Source Findings
- WAFL - The AppScan Web Application Framework Language
- AppScan Source Trace Stitching
- AppScan Source Edition Findings Viewer Utility
What is really important about Ian's writing is that it represents the areas of research that are needed if we are going to make SAST and DAST work in the real world (see my post on What are the challenges with SAST that don't need a better engine for a nice list).
Just look at what he is doing:
- Integrating AppScan Source with a CI environment like TeamCity (where scans can be triggered from Git commits)
- Using WAFL and F4F to allow AppScan's engine to understand how frameworks (like ASP.NET MVC) work
- Creating GUIs where results from SAST (AppScan Source) and DAST (AppScan Standard) are presented together, so that much better-informed decisions can be made about the issues found
- Joining traces together in order to create 'real-world' traces
- Trying to figure out how to package all this in an 'AppScan Appliance'
Really important research, and if you (like me) really want the SAST technology to improve, please join me in congratulating Ian for his efforts and dedication (and thanks to IBM too, for allowing Ian to post his research on the blogs).
WHAT YOU CAN DO TO HELP: here is the important part of this post.
What is happening is that unfortunately Ian (like me) is too far ahead of the current IBM AppScan development teams, and it looks like he would be much better placed at IBM Research.
So, since Ian is going to have a 'word' with the IBM Research guys next week, I thought it would be a good idea to help Ian with a show of support and to let IBM Research know just how important what he is doing is for the Web Application industry.
Please blog or email email@example.com with your views on what he is doing, and help him to get a really nice research gig at IBM.
Ian, here is my support paragraph to you:
"Ian is currently doing some of the most advanced Web Application Security research in the world, whereby he is trying to combine his real-world expertise from working with AppScan Source/Standard clients with:
a) CI (Continuous Integration) tools/workflow,
b) data/GUI correlation techniques,
c) application framework mapping/visualisation.
He represents the future of IBM's technology, with multiple tools and services working together as one, providing IBM's customers (and the industry) a unified view of an application's security vulnerability/risk."