[Owasp-leaders] Are we helping Hackers or helping Application security?

Tom Brennan - OWASP tomb at owasp.org
Fri May 20 00:59:47 UTC 2016


Hammers, screwdrivers, guns, pencils, zaproxy, keyboards are all TOOLS -
Humans power the tools and Ethics determine what you do with the tool...
Criminals will be criminals (based on laws, not technology). Politics are
outside the scope of OWASP, but the code of conduct, ethics and core purpose
<https://www.owasp.org/index.php/About_OWASP#Core_Values> are not, for our members.

The sky is not falling, and this is rather an educational opportunity to
highlight the (153) projects tagged as Defender in OWASP
https://www.owasp.org/index.php/Category:OWASP_Defenders when the media asks
ANYONE how OWASP feels about this issue.

Be well

<insert standard OWASP disclaimer


Tom Brennan
GPG ID: DC6AA149 | Fingerprint: 12A6 9978 45BB 1562 C921  B228 BD0F D9C6

OWASP Foundation | www.owasp.org
Tel:  (m) 973-506-9304

Need to book time with me to discuss an existing or a future project click
on my virtual calendar http://www.proactiverisk.com/brennan

On Thu, May 19, 2016 at 8:33 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> https://mcurphey.wordpress.com/category/owasp/
> On Thu, May 19, 2016 at 8:25 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>> Hi All,
>> Not sure if you have heard the news that Phineas Fisher, the hacker who
>> hacked HackingTeam, made public a couple of days ago a video showing
>> how he hacked the Spanish (Catalan) police using ZAP.
>> The video has in the meantime been removed, but I made a copy for anyone who
>> wants it ;-P
>> Phineas goes on to make comments to encourage and teach others to
>> 'hack back' (nice background music: 'f*ck the police'). In his own words:
>> *“That's the plan,” the hacker told Motherboard in an email. “Like
>> subverso says in the lyrics of the song at the end of the video, ‘el que
>> comparte lo que aprende, es peligroso.’”*
>> While I'm a big fan of ZAP, this has hit a deep core in my conscience.
>> OWASP is supposed to be about 'Application Security' and right now,
>> hackers like this are doing the opposite with the same tools we promote.
>> OWASP has a huge imbalance of tools between 'breakers' and 'defenders'.
>> ZAP on one side, with a quality and level of development that is
>> competing with commercial tools like Burp, but on the other side, to
>> balance the equation, what are we actually doing to improve defense? What
>> kind of defender projects does OWASP have to compete with what ZAP is doing?
>> Sorry to say, none. No defender project at OWASP has a full-time
>> developer working on it, nor the quality that ZAP does.
>> @Tom:
>> I think one of the things OWASP projects need to focus on is to bring a
>> balance and incentivize the development of *Quality* defender projects to
>> teach developers how to protect applications. Not to keep focusing on
>> teaching hacking. Developers are not going to become hackers to protect
>> applications.
>> Mark Curphey, the co-founder of OWASP, had a vision to develop security
>> tools for developers. And he left because OWASP management focused on
>> quantity and not on quality. Timo and I, the last reviewers, were standing
>> for this principle. But we couldn't fight how management thought about it, and we
>> left.
>> *"I do suspect that it maybe time for a different kind of open source
>> software security project that focuses on a small number of high quality,
>> high impact projects. ..*
>> *So long OWASP, you were a fun ride and I wish you the very best for the
>> future. Remember that a “Jack of all trades is a master of none”!**"*
>> In the meantime Mark is the founder of SRC:CLR, based startup that
>> helps companies use open-source code safely
>> http://www.curphey.com
>> regards
>> --
>> Johanna Curiel
>> OWASP Volunteer
> --
> Johanna Curiel
> OWASP Volunteer
