[Owasp-leaders] Are we helping Hackers or helping Application security?

johanna curiel curiel johanna.curiel at owasp.org
Fri May 20 00:33:18 UTC 2016


On Thu, May 19, 2016 at 8:25 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Hi All,
> Not sure if you have heard the news that Phineas Fisher, the hacker who
> hacked HackingTeam, made public a couple of days ago a video showing
> how he hacked the Spanish (Catalan) police using ZAP.
> The video has in the meantime been removed, but I made a copy for anyone who
> wants it ;-P
> Phineas goes ahead and makes comments to encourage and teach others to
> 'hack back' (nice background music, 'f*ck the police'). In his own words:
> *“That's the plan,” the hacker told Motherboard in an email. “Like
> subverso says in the lyrics of the song at the end of the video, ‘el que
> comparte lo que aprende, es peligroso.’”*
> While I'm a big fan of ZAP, this has hit a deep core in my conscience.
> OWASP is supposed to be about 'Application Security' and right now,
> hackers like this are doing the opposite with the same tools we promote.
> OWASP has a huge misbalance of tools between 'breakers' and 'defenders'.
> ZAP on one side, with a quality and level of development that is
> competing with commercial tools like Burp, but on the other side, to
> balance the equation, what are we actually doing to improve defense? What
> kind of defender projects does OWASP have to compete with what ZAP is doing?
> Sorry to say, none. No defender project at OWASP has a full time developer
> working on it nor the quality that ZAP does.
> @Tom:
> I think one of the things OWASP projects needs to focus on is to bring a
> balance and incentive the development of *Quality* defender projects to
> teach developers how to protect applications. Not to keep focusing on
> teaching hacking. Developers are not going to become hackers to protect
> applications.
> Mark Curphey, the co-founder of OWASP, had a vision to develop security
> tools for developers. And he left because OWASP management focused on
> quantity and not on quality. Timo and I, the last reviewers, were standing
> for this principle. But we couldn't fight how management thought about it, and we
> left.
> *"I do suspect that it maybe time for a different kind of open source
> software security project that focuses on a small number of high quality,
> high impact projects. ..*
> *So long OWASP, you were a fun ride and I wish you the very best for the
> future. Remember that a “Jack of all trades is a master of none”!"*
> In the meantime Mark is the founder of SRC:CLR, based startup that helps
> companies use open-source code safely
> http://www.curphey.com
> regards
> --
> Johanna Curiel
> OWASP Volunteer

Johanna Curiel
OWASP Volunteer