John Melton

What do you want to do with the AppSensor project?

I believe AppSensor and the concepts behind it are absolutely going to lay the groundwork for the next generation of defensive techniques in application security. The concepts are basic and fundamentally sound, which is critical to a great solution. It provides an additional layer of intelligence that's missing from current applications. It has great potential and provides the primitive constructs for a host of solutions we haven't even thought of yet. Once applications begin to produce the level of data that AppSensor collects, novel uses for that data will begin to emerge.

My plans for growing the project revolve around a few key areas: "brand" recognition, tooling and integration.

Recognition: The project team members have done a really good job (under Michael's leadership) of promoting and talking about AppSensor at conferences and within OWASP, and I would hope to continue along the great path laid out here. That would involve things like: completing the next version of the AppSensor book (Colin Watson and Dennis Groves have already done some great work here), generating marketing material and cheatsheets to make the information about the project more available to the community. The online documentation could also use some love. In addition, we have some folks that are very good at marketing within OWASP as well as some AppSensor specific funds available - we can tap those resources to continue to get the word out.

Tooling: I've recently been working (along with Jay Reynolds) on the next version of the AppSensor software, which is a significant rewrite. The two most common complaints I've heard about the existing software are that a) it's Java-only and b) it only works with one application at a time. The next version of the software has been re-designed to address both of these issues and more. I was recently able (along with Kevin Wall) to co-mentor a GSOC project for AppSensor where a student (Rauf Butt) produced an initial version of a services-based AppSensor. The completed version is going to require the full re-architecting of the application, but we've made some solid strides forward already. At the completion of the project, we will have software that can be used in far more configurations than the current version.

Integration: We've had a lot of great help on the project from Ryan Barnett, whose worked to integrate many of the concepts of AppSensor into ModSecurity. However, I think it would be great if we could work with Ryan and others to build a simple integration model to interact with AppSensor in a more standardized manner. This will make a huge enterprise product if we can build integration point hooks to popular products (WAFs, SIEMs, logging systems, etc.). This is an area where we've only really scratched the surface. The next version of the software will allow us to make these integration points much simpler.

Do you feel you have sufficient time to tackle leadership of this project?

I think you make time for the things you like to do. I work full-time and have a family that keeps me busy. I also enjoy my free time like everyone else. However, I think contributing to the community is worthwhile, and have a track record of committing time to AppSensor as well as other projects within OWASP. Those who follow our mailing list have seen me post there, and those working with the AppSensor software have seen me working on any submitted bugs or feature requests. While there are other things I certainly could do, I like working on AppSensor and will continue to do so.

Why are you a good choice to lead AppSensor?

First let me say Dennis is a phenominal choice for a leader - he's absolutely bright, passionate, and very involved. As for my reasons for wanting to lead, I think it would be a fun and exciting challenge. I care a lot about OWASP in general and AppSensor specifically and want to see both succeed. I've met the core members of the team personally and have really enjoyed working with all of them. Honestly, whether I'm leading or not, I'm just happy to be involved and working on the project.

As for reasons I should lead, I think it mostly boils down to my track record. I've been involved in OWASP for quite some time. Over that period of time, I've been fortunate to play various roles including reviewing work for others, adding documentation to the wiki, testing tools, filing and fixing bugs, and writing much of the AppSensor software. From a work perspective, I've been both a developer and "security guy" for the last 10 years or so. I'm fairly pragmatic in my approach, and mostly want to see us produce something useful. Whichever path gets us there is the one that I like best.

One final note: I think I mentioned 7 or 8 folks in this email who are already significant contributors to the project. That is a great testament to the way Michael setup and maintained the project, and no matter who leads the project, it's already better off because of all those involved.