[Owasp-leaders] Are we helping Hackers or helping Application security?

Larry Conklin larry.conklin at owasp.org
Fri May 20 00:54:01 UTC 2016

Johanna, We need to stop meeting like this. lol.

Well, maybe we should just blame the people who make compilers. Without a
compilier, most hackers couldn't hack. Heck lets outlaw computer chips.
Same argument goes for guns and anyone who has any training in firearms and
then shoots some innocent person.  Bad yes and Bad things happen to good
people. ZAP is a tool used by good people to get good results. Used by bad
people and bad things could happen.

What about the Testing guide; how to find issues before the code is in
production? Code Review Guide? Don't we have CSRFGuard and Java ESAPI?

Johanna, I am not sure where you are going but I still believe OWASP has
greats things to deliver. The sky is not falling, take a deep breathe and

PS, A jack of all trades is a general contractor who gets the house built.

Larry Conklin

On Thu, May 19, 2016 at 8:25 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Hi All,
> Not sure if you have heard the news that Phineas Fisher, the hacker that
> hacked HackingTeam, has made public a couple of days ago a video showing
> how he hacked the Spanish (Catalan) police using ZAP.
> Video in the mean time has been removed but I made a copy for anyone that
> wants it ;-P
> Phineas goes ahead and made comments to encourage and teach others to
> 'hack back'(nice music background 'f*ck the police'). In his own words:
> *“That's the plan,” the hacker told Motherboard in an email. “Like
> subverso says in the lyrics of the song at the end of the video, ‘el que
> comparte lo que aprende, es peligroso.’”*
> While I'm a big fan of ZAP, this has hit a deep core in my conscious.
> OWASP is supposed to be about 'Application Security' and right now,
> hackers like this are doing the opposite with the same tools we promote .
> OWASP has a huge misbalance of tools between 'breakers' and 'defenders'.
> ZAP on one side , with a quality and level of development that is
> competing with the commercial tools like Burp, but on the other side, to
> balance the equation, what are we actually doing to improve defense? What
> kind of defender projects does OWASP has to compete what ZAP is doing?
> Sorry to say, none. No defender project at OWASP has a full time developer
> working on it nor the quality that ZAP does.
> @Tom:
> I think one of the things OWASP projects needs to focus on is to bring a
> balance and incentive the development of *Quality* defender projects to
> teach developers how to protect applications. Not to keep focusing on
> teaching hacking. Developers are not going to become hackers to protect
> applications.
> Mark Curphey, the co-fouder of OWASP had a vision to develop security
> tools for developers. And he left because OWASP management  focused in
> quantity and not in quality. Timo and I, the last reviewers were standing
> for this principle.But we couldn't fight how management though about and we
> left.
> *"I do suspect that it maybe time for a different kind of open source
> software security project that focuses on a small number of high quality,
> high impact projects. ..*
> *So long OWASP, you were a fun ride and I wish you the very best for the
> future. Remember that a “Jack of all trades is a master of none”!**"*
> In the mean time Marc is the founder of SRC:CLR, based startup that helps
> companies use open-source code safely
> http://www.curphey.com
> regards
> --
> Johanna Curiel
> OWASP Volunteer
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160519/8d35b7df/attachment.html>

More information about the OWASP-Leaders mailing list