[Owasp-leaders] Are we helping Hackers or helping Application security?

johanna curiel curiel johanna.curiel at owasp.org
Fri May 20 01:31:27 UTC 2016

>>So Phineas used ZAP to hack Catalan police - who gives an F?!?!?!

I give a f*ck...;-P.

>> The intent of ZAP is to allow for more security professionals to
>> understand how and why apps fall to common attack patterns.

Look. A 'security professional' tells the developer all the security bugs
she has, but if she is not able to fix them then what? Nothing gets fixed.

Most pen testers' work is focused on showing vulnerabilities instead of
helping fix them, because for the most part pen testers cannot code
applications, nor is that their work, like this joke on Twitter:

I think OWASP is way too focused on Pen testers and this discussion just
shows me that.

Defender projects are poor compared to ZAP.

Has any one of you downloaded and tested ALL the so-called 'top' defender
projects we have? Have you actually USED them?
Who has? I have, can you say the same?

I have and I can tell you that for sure.

*Red team is important but Blue team as much. I'm talking about Yin Yang.*
*Balance my friends. OWASP has the power to shape that balance.*

And BTW the US is the country with a high rate of murder with guns.

And talking about Columbine and school killings...yea, but of course
none is to blame...

Hey Viva US and the second amendment, each country should know what they
I just love my little island where they forbid guns...thank God...

On Thu, May 19, 2016 at 9:02 PM, Tony UV <tonyuv at owasp.org> wrote:

> Johanna,
> *On the issue of ZAP / Hurting or Helping AppSec.*
> So Phineas used ZAP to
> hack Catalan police - who gives an F?!?!?!  Since the beginning of time,
> tools of any type (either hardware or software or virtual) will be used for
> whatever motive the handler wants to use them.  This shouldn't at all shape
> the perspective that ZAP or any other tool is hurting rather than helping
> an industry or sub-industry.  That is absurd.  Those that think that in
> AppSec or in security in general don't get the fact that when doing
> criminal actions, any means necessary will encompass the use of products
> and services not intended or designed for a criminal's nefarious actions.
> Tainting ZAP (either deliberately or not) is not helping the ignorance that
> blames tools for facilitating hacks.  The intent of ZAP is to allow for
> more security professionals to understand how and why apps fall to common
> attack patterns.  If that same tool is used to do bad, in no way shape or
> form should the weakly formed argument of 'are we helping or hurting' be
> thrown into a conversation piece within this industry b/c there are far too
> many tools that break that have come before ZAP and are used much more
> widely than ZAP that are open source and those frames of thought never got
> good traction and deservingly so.  If there is some emotional infosec
> asshat that wants to ask that question and allude to an 'OWASP' project as
> a facilitator to these types of activities, then we should all be able to
> easily defend the number of instances of whitehat efforts that ZAP supports
> that dwarf undoubted blackhat use of that tool (or any other that is or
> becomes flagship).
> *On the issue of quantity vs quality.*
> Agreed that we have WAY too many projects.  I'm on that bandwagon.  But
> the one I'm not is believing that the intent of the disparity between
> notorious breaker tools that are flagship vs. defender tools is based upon
> anything but simply a factor of (a) time of interested people/ persons
> devoted to a project (b) level of interest of said people in a track of
> security (breaking vs building vs defending, etc.).  What's the saying -
> the road to hell is paved with good intentions - in this case, I don't
> think there was a deliberate intent to sway one way (break, defend, build)
> versus another at all but things have gotten away from us.  I do think that
> greater project governance and leadership can force a more balanced project
> roster which would reflect what everyone has had in mind for OWASP, which
> is well developed and maintained projects. Mark's blog post, although true,
> is true only at the superficial level.  The causal factors need to be
> clearly understood.  If there was project governance and we could
> collectively drive to a smaller project footprint, then our execution would
> be better, but it's not by design and that's what I disagree with in the
> blog and those that follow that credence.
> Tony UV
> On Thu, May 19, 2016 at 8:25 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>> Hi All,
>> Not sure if you have heard the news that Phineas Fisher, the hacker that
>> hacked HackingTeam, has made public a couple of days ago a video showing
>> how he hacked the Spanish (Catalan) police using ZAP.
>> Video in the mean time has been removed but I made a copy for anyone that
>> wants it ;-P
>> Phineas goes ahead and made comments to encourage and teach others to
>> 'hack back' (nice music background 'f*ck the police'). In his own words:
>> *“That's the plan,” the hacker told Motherboard in an email. “Like
>> subverso says in the lyrics of the song at the end of the video, ‘el que
>> comparte lo que aprende, es peligroso.’”*
>> While I'm a big fan of ZAP, this has hit a deep core in my conscience.
>> OWASP is supposed to be about 'Application Security' and right now,
>> hackers like this are doing the opposite with the same tools we promote.
>> OWASP has a huge misbalance of tools between 'breakers' and 'defenders'.
>> ZAP on one side, with a quality and level of development that is
>> competing with the commercial tools like Burp, but on the other side, to
>> balance the equation, what are we actually doing to improve defense? What
>> kind of defender projects does OWASP have to compete with what ZAP is doing?
>> Sorry to say, none. No defender project at OWASP has a full time
>> developer working on it nor the quality that ZAP does.
>> @Tom:
>> I think one of the things OWASP projects needs to focus on is to bring a
>> balance and incentive the development of *Quality* defender projects to
>> teach developers how to protect applications. Not to keep focusing on
>> teaching hacking. Developers are not going to become hackers to protect
>> applications.
>> Mark Curphey, the co-founder of OWASP, had a vision to develop security
>> tools for developers. And he left because OWASP management focused on
>> quantity and not on quality. Timo and I, the last reviewers, were standing
>> for this principle. But we couldn't fight how management thought about it and we
>> left.
>> *"I do suspect that it maybe time for a different kind of open source
>> software security project that focuses on a small number of high quality,
>> high impact projects. ..*
>> *So long OWASP, you were a fun ride and I wish you the very best for the
>> future. Remember that a “Jack of all trades is a master of none”!"*
>> In the meantime Mark is the founder of SRC:CLR, based startup that
>> helps companies use open-source code safely
>> http://www.curphey.com
>> regards
>> --
>> Johanna Curiel
>> OWASP Volunteer

Johanna Curiel
OWASP Volunteer