[Owasp-leaders] Are we helping Hackers or helping Application security?

johanna curiel curiel johanna.curiel at owasp.org
Fri May 20 00:25:59 UTC 2016

Hi All,

Not sure if you have heard the news that Phineas Fisher, the hacker that
hacked HackingTeam, has made public a couple of days ago a video showing
how he hacked the Spanish (Catalan) police using ZAP.

The video has in the meantime been removed, but I made a copy for anyone that
wants it ;-P

Phineas goes ahead and makes comments to encourage and teach others to 'hack
back' (nice music background 'f*ck the police'). In his own words:
*“That's the plan,” the hacker told Motherboard in an email. “Like subverso
says in the lyrics of the song at the end of the video, ‘el que comparte lo
que aprende, es peligroso’ [he who shares what he learns is dangerous].”*

While I'm a big fan of ZAP, this has hit a deep core in my conscience.

OWASP is supposed to be about 'Application Security' and right now, hackers
like this are doing the opposite with the same tools we promote.

OWASP has a huge imbalance of tools between 'breakers' and 'defenders'.

ZAP on one side, with a quality and level of development that is competing
with the commercial tools like Burp, but on the other side, to balance the
equation, what are we actually doing to improve defense? What kind of
defender projects does OWASP have to compete with what ZAP is doing?

Sorry to say, none. No defender project at OWASP has a full-time developer
working on it nor the quality that ZAP has.


I think one of the things OWASP projects need to focus on is to bring a
balance and incentivize the development of *Quality* defender projects to
teach developers how to protect applications. Not to keep focusing on
teaching hacking. Developers are not going to become hackers to protect

Mark Curphey, the co-founder of OWASP, had a vision to develop security tools
for developers. And he left because OWASP management focused on quantity
and not on quality. Timo and I, the last reviewers, were standing for this
principle. But we couldn't fight how management thought about it, and we left.

*"I do suspect that it may be time for a different kind of open source
software security project that focuses on a small number of high quality,
high impact projects. ...*

*So long OWASP, you were a fun ride and I wish you the very best for the
future. Remember that a “Jack of all trades is a master of none”!"*

In the meantime Mark is the founder of SRC:CLR, a startup that helps
companies use open-source code safely.



Johanna Curiel
OWASP Volunteer