As I drove Dinis to the final day of AppSecDC he (as often is the case) had his laptop open. We traded ideas regarding the future of O2, support, and other broader issues about the future of software security. As we discussed or machinated over word choice, I found myself in near-complete agreement with him: not an unusual circumstance.
In his post RSnake muses:
I’ll be curious to see if any big companies step up to the plate here and takes ownership. It’s a bit unclear about Dinis’ fate within IBM – I think he’s a bit on the fence.
I characterize O2 as a platform that facilitates a highly-experienced or expert-reviewer in understanding software. While Dinis has taken a few runs at automation and work-flow support (before with his WCF stuff and now with his XRules) I think the principal benefit of his current state of development remains unshackling the reviewer from limitations of a SA tool often in terms of data-flow across language boundaries and through framework / generated code. So important is this concept to myself and Cigital that we’ve built our own framework which we call ‘The Factory‘. We use it for a similar purpose as one might use O2. As Dinis consistently reminds me though it is not open source. And, yes, there’s a lot of other wicked-cool stuff in O2 (the Visual Studio debugger integration is my favorite).
Cigital believes in O2 enough that we’ve conducted hands-on O2 training with a bunch of our guys even after Ounce training. I personally believe in the technical value to code reviewers of O2 enough that I put a modicum of code towards it when Dinis needed it in a pinch. I’ve also agreed to build and publish O2 training for the masses; ‘training that makes it seem less scary.
Taking a step back for a second, there’s a large leap between where the world is and the world Dinis describes in his recent blog post. Unfortunately, I see a lot of organizations doing software assessment driven by (and in pursuit of) compliance only.
So, it doesn’t shock me that IBM hasn’t dived head-first into the O2 pool, regardless of the opportunity it may represent. I believe they will fully embrace it when the market can support it. In the meantime, O2 can continue to find hospitality and support in the welcome arms of assessment experts like Cigital.