Friday, 17 May 2013

Responding to Andrew's O2 Platform feedback on the OWASP Leaders list

Here are my answers to OWASP's Andrew van der Stock on his feedback on the O2 Platform. My answers contain good info on my approach to the O2 Platform's community and development.

Andrew's words are in italic below

----------------- (start) -----------------

(changing the title to reflect the new thread on the O2 Platform)

Hey Andrew, thanks a lot for your feedback, and please see my comments below

On 16 May 2013 13:41, vanderaj vanderaj <> wrote:

I know what you mean about the lack of O2 feedback. So I'm going to give you a tiny bit, and hopefully it will help rather than hinder the

and I really appreciate you taking the time :)

I think the main constructive criticism I can help you with for O2 is the UX is almost certainly best represented as "Dinis Cruz's best 13487 ideas in a single app with a fair few extra options just to make sure they are there, plus magic lemur juice".

I agree :) In fact, one of my core objectives for O2 was that it would become my preferred tool, which I would use every day and where I would be the most productive.

I do believe that it is very important for developers to use their tool every day, and part of the reason why the rate of innovation in O2 hasn't really slowed down is because I keep using it, and keep improving its capabilities (in order to make my work/job more efficient).

Note that I am a really 'hard father' on O2, and will not use it if there is a better solution or technology. This is always a great sanity check, since it is also important not to 'force the use' of a tool/technique. In a way, my development motto for O2 is to make O2 the easiest and most productive way of doing a particular 'security/development related' task.

I also always viewed the comment 'only Dinis can do it!' as in fact a great compliment, since that means that 'it is possible to do it!' (vs 'not being possible to do'). It also allows for evolution to be measured. For example, a couple of years ago I would hear that 'what you (Dinis) are proposing will not scale because only you (Dinis) can use it', and now I've started to hear reports/comments from O2 users that they are hearing the same thing :) i.e. they are being told (in some cases): 'what you are proposing will not scale because only you (XYZ O2 user) can use it'. Which is an evolution and means the workflow/system is starting to work.

That said, at the moment a lot of those 13488 ideas (I added another one last night :) ) are now all managed via scripts which are dynamically compiled and executed (you can see the scripts at )

Also, the main O2 GUI is much simpler to use: and there is even a way to consume it as a VisualStudio Extension

O2 could really do with some community,

It could do with a bigger community :) 

there are already a number of great O2 users and some companies actually using it as part of their SDL (which is pretty cool)
particularly to untangle the hot mess that is the UI.

Yep, and that is what that community should really be doing.

The way I look at it, my job is to create powerful APIs and Capabilities inside the O2 Platform. I also need to create GUIs that work for me.

The power of O2 is its ability to create targeted/focused GUIs, and what is needed is for that 'O2 Community' to do the same (see below for how these targeted/custom GUIs can be easily packaged and distributed).

Yes, this means that O2 is having a slower 'success rate' than it would with those simpler GUIs, but it's the community that should be building those simpler GUIs. My job as O2 core developer is to create solutions that allow that workflow and ecosystem to happen (and to create the simpler GUIs for me :) ). Remember that it is very dangerous to develop features that you think 'a user out there' will want; it's better to work with real users who have real problems.

That said, we're clearly not there with simpler and widely used O2-created GUIs, but it's getting closer by the day :)

I watched a few of the videos, tried it a couple of times over the last couple of years when I've had .NET code reviews, and honestly, I am moderately sure it can do what I am asking of it if only I knew what I'm supposed to do, but I find it's utterly impenetrable. I bet many more do too, but I'm not sure many have tried it as it's plain scary on first boot.

I agree, and it demands quite a lot from its first users.

Can I humbly suggest that you work with some folks who can work with you to edit the feature set into progressive disclosure, put some metrics into it to work out some (simpler) common workflows, and somehow (and I'm not sure this is possible) simplify the use of the tool so that mere mortals can use say the 20% of the product that would be used 80% of the time? There's a fine, powerful product hiding in there somewhere.

Again, I agree with that; what I need is those 'folks' who want to work :)

For example, my focus on O2 development has been to add solutions and technologies that will allow that process to happen very smoothly.

Namely, the ability to package an O2 script as a 100% stand-alone exe that can be easily deployed and consumed (take a look at this post: Packaging an O2 Platform Script as a stand alone tool (in this case the WatiN based 'IE Script' tool) for a detailed explanation of how it works).

This is what I believe you want: Single focused O2 tools that do one thing very well, right?

Here are a number of stand-alone tools that I have created and published:

Note that these are just examples of the tools that I have blogged about; you can find a much bigger number of tools here: (feel free to browse and download the stand-alone exes)

The links above are also examples of 'needs from O2 users', i.e. those were tools that an existing O2 user asked for help with, and my preferred way to help is to write a blog post with the answer, for example like this: Finding a html link with no ID in the middle of a web page using WatiN (via IE objects and jQuery)

So YES, O2 really needs simple GUIs, with clear documentation and how-to guides. The technology and capabilities are there now; all we need are users with specific problems (that could be solved with a variation of one of the existing tools/scripts).

Lastly, you're one of the very few in our OWASP community who likes, develops, and uses Microsoft platforms.

Yeah, sometimes that can be quietly lonely :(

I wrote about that today on: Where Is .NET Headed? and the cost for Microsoft of ignoring the O2 Platform. Do you think I was too hard on Steve B and Microsoft?

That platform is a critical commercial niche,

Nice and non-controversial comment :)

but I doubt more than a handful of us could participate in developing O2 unless it could be made to run under Mono as well. Is there any chance of that?

Well, as you have found out (by your comment on my blog), that is also an area where I have made quite a lot of improvements in the O2 Platform :)

There is a Mono branch of the main APIs: (which compiles OK in MonoDevelop on OSX) and here are a number of OSX related posts:

Btw, on the topic of interoperability, also check out how O2 can now talk with ZAP Proxy: Using Jni4Net (Part 2) - Controling OWASP ZAP remotely (via Java BeanShell REPL in .Net) (or any other Java Windows app or Jar)

Wrapping up, the key to using O2 is to start with a problem that you want to solve, and also to have the realisation that O2 today is designed to WORK, not designed to be easy to 'start using'.

Which means that if you try to use O2 today, you WILL get lost and won't be able to get the most out of it.

What is needed is for those 'trying to use O2' users (like you Andrew in the past) to have enough faith in O2 to be able to ask for help and work through the creation of the solution they want/need.

It won't be easy, but the rewards are worth it :)

My job as O2 main developer is to make that path as fast and effective as possible.

The job of those O2 users is to create tools for them and for their users :)

That is how (in my view) O2 will scale and survive in the long term.

Finally, if you are still reading this, I am always more than happy to provide remote training on O2 via remote desktop tools like, all you need to do is ask :)

Thanks for reading


----------------- (end) -----------------