[Owasp-leaders] I am glad to announce we've just set a new project up - the OWASP Myth Breakers Project, led by Stefano Di Paola & Dinis Cruz.
Juan Carlos Calderon Rojas
juan.calderon at softtek.com
Tue Mar 1 16:12:38 EST 2011
I totally agree, Dave.
I think there is a "natural" trend to do pen tests since it is easier to report/demonstrate and to automate (HTTP is well defined, code is not). Show a popup and the guy will say "wow, that shouldn't have happened". But try to convince him by showing a line of code and he will simply say "I don't think that's possible" or "No, the application/technology would not allow that". But you cannot match the power of "going to the source" of the security issues.
Notice also that you don't have to do line-by-line code review, that would be stupid. It is in using code as an enabler to speed up application understanding, vulnerability detection and exploitation where code review really shines. Why spend a lot of time trying to figure out the correct filter evasion combination if you can just go to the app source and craft yourself a nice and mostly 100% effective evasion pattern for your pen test?
From: owasp-leaders-bounces at lists.owasp.org [owasp-leaders-bounces at lists.owasp.org] On Behalf Of Dave Wichers [dave.wichers at owasp.org]
Sent: Tuesday, 01 March 2011 02:43 p.m.
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] I am glad to announce we've just set a new project up - the OWASP Myth Breakers Project, led by Stefano Di Paola & Dinis Cruz.
I did a talk last fall at AppSec DC on ‘Strengths of Combining Code Review with Application Penetration Testing<http://www.owasp.org/index.php/The_Strengths_of_Combining_Code_Review_with_Application_Penetration_Testing>’. One major point of my talk was to try to bust the ‘myth’ that code review is way more expensive than pen testing, and that we can’t find enough qualified code reviewers. There are millions of really good developers that can be taught how to review code. There aren’t anywhere near as many good pen testers. So it’s my position that it’s ‘easier’ to find and use good code reviewers than pen testers, not harder, and that code review is far more effective than pen testing overall, and really shines when both are done together.
This is not obvious from the title of my talk, but I was trying not to offend anyone.
From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Stefano Di Paola
Sent: Tuesday, March 01, 2011 3:29 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] I am glad to announce we've just set a new project up - the OWASP Myth Breakers Project, led by Stefano Di Paola & Dinis Cruz.
In the next days we'll put together the ideas and start the mailing
Anyone with some ideas about legends to be busted is encouraged to note it down and send it to the new mailing list as soon as it'll be
On Tue, Mar 1, 2011 at 1:41 PM, Paulo Coimbra <paulo.coimbra at owasp.org<mailto:paulo.coimbra at owasp.org>> wrote:
I am glad to announce we’ve just set a new project up – the OWASP Myth Breakers Project, led by Stefano Di Paola & Dinis Cruz.
The project’s purpose is “similar to http://dsc.discovery.com/tv/mythbusters but for appsec, urban legends and assumptions regarding appsec will be tested and there'll be a set of examples that will prove the correctness/incorrectness of a statement related to the question. Every question will be answered in the mailing list and further, a page on the OWASP site will be created to report the results. Also anyone will be able to use the contents of the page/ml in OWASP conferences to spread the verb about what's an urban legend and what's not”.
As always, your suggestions and contributions would be greatly appreciated.
OWASP Project Manager<http://www.owasp.org/index.php/User:Paulo_Coimbra>