[Owasp-leaders] Are we helping Hackers or helping Application security?

Tony UV tonyuv at owasp.org
Fri May 20 01:02:36 UTC 2016


*On the issue of ZAP / Hurting or Helping AppSec.*
So Phineas used ZAP to
hack Catalan police - who gives an F?!?!?!  Since the beginning of time,
tools of any type (either hardware or software or virtual) will be used for
whatever motive the handler wants to use them.  This shouldn't at all shape
the perspective that ZAP or any other tool is hurting rather than helping
an industry or sub-industry.  That is absurd.  Those that think that in
AppSec or in security in general don't get the fact that when doing
criminal actions, any means necessary will encompass the use of products
and services not intended or designed for a criminal's nefarious actions.
Tainting ZAP (either deliberately or not) is not helping the ignorance that
blames tools for facilitating hacks.  The intent of ZAP is to allow for
more security professionals to understand how and why apps fall to common
attack patterns.  If that same tool is used to do bad, in no way shape or
form should the weakly formed argument of 'are we helping or hurting' be
thrown into a conversation piece within this industry b/c there are far too
many tools that break that have come before ZAP and are used much more
widely than ZAP that are open source and those frames of thought never got
good traction and deservingly so.  If there is some emotional infosec
asshat that wants to ask that question and allude to an 'OWASP' project as
a facilitator to these types of activities, then we should all be able to
easily defend the number of instances of whitehat efforts that ZAP supports
that dwarf undoubted blackhat uses of that tool (or any other that is or
becomes flagship).

*On the issue of quantity vs quality.*
Agreed that we have WAY too many projects.  I'm on that bandwagon.  But the
one I'm not is believing that the intent of the disparity between notorious
breaker tools that are flagship vs. defender tools is based upon anything
but simply a factor of (a) time of interested people/ persons devoted to a
project (b) level of interest of said people in a track of security
(breaking vs building vs defending, etc.).  What's the saying - the road to
hell is paved with good intentions - in this case, I don't think there was
a deliberate intent to sway one way (break, defend, build) versus another
at all but things have gotten away from us.  I do think that greater
project governance and leadership can force a more balanced project roster
which would reflect what everyone has had in mind for OWASP, which is well
developed and maintained projects. Mark's blog post, although true, is true
only at the superficial level.  The causal factors need to be clearly
understood.  If there was project governance and we could collectively
drive to a smaller project footprint, then our execution would be better,
but it's not by design and that's what I disagree with in the blog and those
that follow that credence.

Tony UV

On Thu, May 19, 2016 at 8:25 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Hi All,
> Not sure if you have heard the news that Phineas Fisher, the hacker that
> hacked HackingTeam, has made public a couple of days ago a video showing
> how he hacked the Spanish (Catalan) police using ZAP.
> Video in the mean time has been removed but I made a copy for anyone that
> wants it ;-P
> Phineas goes ahead and made comments to encourage and teach others to
> 'hack back'(nice music background 'f*ck the police'). In his own words:
> *“That's the plan,” the hacker told Motherboard in an email. “Like
> subverso says in the lyrics of the song at the end of the video, ‘el que
> comparte lo que aprende, es peligroso.’”*
> While I'm a big fan of ZAP, this has hit a deep core in my conscious.
> OWASP is supposed to be about 'Application Security' and right now,
> hackers like this are doing the opposite with the same tools we promote.
> OWASP has a huge misbalance of tools between 'breakers' and 'defenders'.
> ZAP on one side, with a quality and level of development that is
> competing with the commercial tools like Burp, but on the other side, to
> balance the equation, what are we actually doing to improve defense? What
> kind of defender projects does OWASP have to compete with what ZAP is doing?
> Sorry to say, none. No defender project at OWASP has a full time developer
> working on it nor the quality that ZAP does.
> @Tom:
> I think one of the things OWASP projects needs to focus on is to bring a
> balance and incentive the development of *Quality* defender projects to
> teach developers how to protect applications. Not to keep focusing on
> teaching hacking. Developers are not going to become hackers to protect
> applications.
> Mark Curphey, the co-founder of OWASP had a vision to develop security
> tools for developers. And he left because OWASP management focused on
> quantity and not on quality. Timo and I, the last reviewers, were standing
> for this principle. But we couldn't fight how management thought about it and we
> left.
> *"I do suspect that it maybe time for a different kind of open source
> software security project that focuses on a small number of high quality,
> high impact projects. ..*
> *So long OWASP, you were a fun ride and I wish you the very best for the
> future. Remember that a “Jack of all trades is a master of none”!**"*
> In the meantime Mark is the founder of SRC:CLR, based startup that helps
> companies use open-source code safely
> http://www.curphey.com
> regards
> --
> Johanna Curiel
> OWASP Volunteer
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders