Securing Software: OWASP Releases O2 Platform Beta

Today, the Open Web Application Security Project (OWASP) announced the availability of the first major release of its new O2 Platform.

The O2 Platform is, as the project's Web site describes it, "a collection of open source modules that help Web application security professionals maximize their efforts and quickly obtain high visibility into an application's security profile." The OWASP is a not-for-profit organization focused on finding and fighting the causes of insecure software.

The idea is to provide a high level of visibility into an application's security profile by automating "application security knowledge and workflows." An overview of the available modules is available via PDF download.

The guy leading the O2 Platform project is Dinis Cruz, whom I last interviewed about two years ago. The then-pony-tailed (haven't seen his hair lately) security consultant with the Portuguese accent and the London address was known for his fondness for showing conference attendees just how easy it is to bypass the built-in security mechanisms of the .NET and Java runtimes.

Cruz is all over the OWASP. He's the chair of the OWASP Connection Committee, a member of the OWASP Board, and a participant in the OWASP Global Projects Committee. And he really wants you to try out the new O2 Platform. On his blog, he writes, in bold text, "This is the moment when I'm asking you to PLEASE TRY IT."

He needs feedback, he says, and input on "what you like, what works, what doesn't work, what could be improved." He adds: "There is enough functionality + capabilities + power in this version of O2, that I finally have the confidence to make this direct request for you, knowing that no matter what area of Web Application Security you are involved in, there will be an O2 Script/Module/Tool that will make you more productive."

I couldn't track him down for today's blog, so I thought I'd recall a conversation I had with Cruz in 2007, during which we discussed the security of the Web and the overall responsibility of the developer to create secure software.

"We're now in the process of building a world in which all the code we run on our Web sites has the power to access all of our assets from our desktops and servers," he said. "From a security point of view, this is a very bad development. But we shouldn't use the developers as the scapegoats. They often simply don't have enough visibility into what they are creating to evaluate the security of an application…. It's very hard for the developers to understand all the inputs and everything they need to run their applications. So we need to change the paradigms so that the developers can see what the hell's going on under the hood."

Cruz is a knowledgeable and, though he maybe doesn't always mean to be, funny guy. Don't miss his blog entry "I'm looking for work (O2 related work:) ) and O2's Commercial Ecosystem," in which he declares "I'm probably the only guy in the world that today really knows how to get the most power out of O2," but adds that, of course, he doesn't scale.

You can find out lots more about the OWASP in general here.

Posted by John K. Waters on July 12, 2010


Eclipse Modeling Maven Merks on EMF

So, I'm talking recently with Mike Milinkovich, exec director of the Eclipse Foundation, about this year's ginormous Eclipse Release Train -- 39 projects, 33 million lines of code -- when he mentions that, of the 490 committers, 108 were individuals. That seemed like a lot of unaffiliated code contributors to me, but he said that this was a growing trend.

"The bulk of these individuals are focused on a couple of areas in Eclipse, particularly modeling," he told me. "Lots of individuals are contributing to the Eclipse modeling project, I think in part because they can make a bit of a reputation for themselves within the Eclipse modeling community and make a living through consulting by leveraging what they've built at Eclipse. That sort of small-scale individual ecosystem is starting to become very prevalent in parts of the broader Eclipse community."

He then pointed me to Dr. Ed Merks, who has been the technical lead of the Eclipse Modeling Framework (EMF) project from its inception. EMF is a subproject of the top-level Eclipse Modeling project, which Merks also leads.

Merks worked for IBM about 18 years, and he was there when Big Blue bought Object Technology International (OTI) and began developing Eclipse. At the time, he was working on some modeling-related technology that would eventually become the EMF.

Two years ago, Merks left IBM, moved back to his hometown of Vancouver, and struck out on his own with a one-man firm called Macro Modeling. He now helps clients to "exploit the power of the open source software available at Eclipse in general and the best-of-breed technology of the Eclipse Modeling Project in particular."

He says he's making a good living as an EMF consultant -- better than he thought he would. He's got some good clients. He's the modeling project lead for Itemis, a German company focused on IT-industrialization and model-driven software development. And he's also working with CloudSmith porting the EMF runtime to the Google Widget Toolkit.

Merks agrees with Milinkovich about the rise in individual contributors to the EMF project. "I think there's room for exponential growth," he says. "I'm seeing the big players like IBM and Borland have stepped aside, and the smaller players and individuals have a lot of room to push this stuff forward. There really is no good open alternative to the EMF."

But he adds that European companies are currently much more interested in modeling than U.S. companies. "Modeling generally has a bad reputation in North America, because it's associated with the OMG and UML, and it's seen as this heavyweight, model-driven architecture," he says. "People are highly resistant to it -- which I understand. When I started, I didn't like the stuff, either. But the thinking has evolved, and there are a lot of misconceptions about it that I spend a lot of time correcting."

And yet interest in EMF is growing among U.S. defense contractors and NASA, Merks says. He also points out that EMF is used by a large and growing number of Eclipse projects, including XML Schema Definition (XSD), Unified Modeling Language (UML), and Web Tools project (WTP). And related projects, including the Graphical Modeling Framework project (GMF) and the Generative Modeling Tools project (GMT), are adding to the Eclipse Modeling project. "It's like an onion now, with many layers and EMF at its core."

Book plug: Merks is also co-author of "EMF: Eclipse Modeling Framework (2nd Edition)," which he wrote with Dave Steinberg, Frank Budinsky and Marcelo Paternostro.

Posted by John K. Waters on June 30, 2010


Simon Phipps: An Open Source Evangelist Forges On

Simon Phipps is a man with a mission… Well, a new mission. The former open source evangelist for Sun Microsystems has always been kind of missiony. His new cause: proving that "open source continuity" is a reality. His vehicle for that mission: ForgeRock, a company formed by erstwhile Sun execs to provide "reliable stewardship" for OpenSSO, an open-source access management and federation server platform.

OpenSSO was a Sun-sponsored open-source project, the stewardship of which went to Oracle when it was acquired. But Big O has shown little interest in the technology. Earlier this year, the company declared that OpenSSO was "not strategic," and later removed OpenSSO Express as a download.

Enter ForgeRock, which was founded in February by Lasse Andresen, former CTO of Sun's Europe, Middle East and Africa (EMEA) region, and Herman Svoren, former Sun sales exec (EMEA). Phipps joined the company in May.

The goal of the company, which is headquartered in the U.K. and Norway, with subsidiaries in the U.S., is to be what Phipps calls "a pure-play, open-source ISV."

"It's not our goal to aggregate copyright, or to sell some sort of open-core product with some secret sauce that the customer has to buy," he says. "We bug-fix, sustain, and innovate on the code bases we're looking after. And we've committed to continuing the same roadmaps that the community was expecting."

Phipps's personal goal is to prove that open source projects can survive the neglect of a sponsoring company.

"People talk about open source continuity and say theoretically that the community lives on even if their sponsor goes away," he says. "I believe that we are the first major attempt to prove that open source continuity is a reality."

In May, the company unveiled its I3 ("eye-cubed") Open Platform, an identity management suite built from OpenAM (which is based on OpenSSO), OpenESB, OpenIdM and OpenPortal (which is based on Liferay).

Since its launch, the company has snagged some noteworthy customers, including Betfair, the world's largest online gambling service provider; NBS AS, Norwegian state railway company; and SwissSign, the identity solutions subsidiary of Swiss Post.

Open source is Phipps's raison d'être. He's a director of the Open Source Initiative (OSI) and a board advisor of Open Source for America. And he blogs like a madman on the topic on his Wild Webmink Web site.

"The thing about a real open source project, as opposed to a canned project that is being micromanaged by a company that wants to wrap itself in the open-source flag, is that anybody can access the source code and do anything they wish with it, as long as they obey the license terms," Phipps says.

They can even partner with other communities. In June, ForgeRock announced that it would be working with Japan's Open Source Solution Technology (OSSTech) on joint development of the OpenAM ID management software.

No reaction yet from Oracle on ForgeRock's activities. I'll let you know what they say when they call me back.

Posted by John K. Waters on June 30, 2010


The WatersWorks Blog Returns to ADTmag.com

Please join us in welcoming back the WatersWorks blog -- a return of an old favorite here on ADTmag.com. In this blog John K. Waters will regularly cover a variety of topics of interest to application developers working with a variety of languages, IDEs and frameworks. Check out the first few posts (above).

If there's a topic you'd like to see John cover, be sure to let him know by posting in the comments or drop him an e-mail at john(at)watersworks.com.

-- ADTmag.com's Editors

Posted on June 29, 2010