[Owasp-leaders] Are we helping Hackers or helping Application security?

Kenneth F. Belva owasp at silverbackventuresllc.com
Fri May 20 01:26:05 UTC 2016


> While I'm a big fan of ZAP, this has hit a deep core in my conscious.
> 
> OWASP is supposed to be about 'Application Security' and right now,
> hackers like this are doing the opposite with the same tools we promote .

Technology is neutral; the mind or will behind it is not.


> OWASP has a huge misbalance of tools between 'breakers' and 'defenders'. 
> 
> ZAP on one side , with a quality and level of development that is
> competing with the commercial tools like Burp, but on the other side, to
> balance the equation, what are we actually doing to improve defense?
> What kind of defender projects does OWASP has to compete what ZAP is doing?
> 
> Sorry to say, none. No defender project at OWASP has a full time
> developer working on it nor the quality that ZAP does.


It is not the fault of OWASP there is an asymmetry in the marketplace.
Application defects may fall into categories but solutions are often
very application specific. For example, while many web applications do
not implement an account lockout feature (general problem), implementing
an account lockout feature is language, application architecture and
business specific (i.e., does the owner accept the risk?). This is just
one example of why it's fundamentally more difficult to focus on defense.

It should come as no surprise that the tools that are created also focus
on discovering problems because it's tough to create generic security
solutions (think WAF). As another example, even if there was a perfect
anti-XSS library that worked across all languages, platforms,
architectures, etc. there would still be a cost trade-off whether or not
a company would actually implement it in it's application, especially
retro fitting a stable/mature app or legacy application with such a
library.

If cyber security history is any guide this asymmetry will extend far
into the future.

Don't hate the player; hate the game.

Ken


More information about the OWASP-Leaders mailing list