[Owasp-leaders] Are we helping Hackers or helping Application security?

Tony UV tonyuv at owasp.org
Fri May 20 02:14:32 UTC 2016

1. If giving an F is hating on a tool versus understanding the threat
actors and real threat motives, then sorry to break it to you that the
Catalan police don't give a "PM" (spanish) or "F" about your F.
2. Having more defender tools will still not instruct 'security
professionals' to interact effectively with developers.  Knowing the
precepts of coding, development frameworks, threat modeling, good
architecture will.  So in terms of more defender tools helping, that
wouldn't do jack.
3. ModSecurity Ruleset is highly utilized individually and by commercial
products that have pwned its G status effectiveness and baked it into their
commercial rule sets.  Maybe not as hyped as ZAP but per other previous
responses, there's a lot of good Defender stuff in the vault.
4. Your right.  Too much pen tester rhetoric.  But I say up the level and
call it what it is - attack.  No hacker is like 'hey boss, i'm gonna pen
test this web api real quick'. Get real.  We need more pros to understand
real criminal exploitation and leave this pen testing BS for PCI 3.2.  This
includes a greater understanding of encoding techniques for obfuscating
payloads, new evasion techniques, payloads against new web app frameworks,
reversing, etc. This is real stuff that transcends simply payload replaying
via tools and we need more of that skill set in order to educate developers
on how these parameters get compromised b/c of well crafted payloads.
5.  Helping Dev shops requires more understanding of things that they are
working with, but crawl, walk, run.  Right now, IMHO, I think most want to
know how to break and are still maturing there.  From there, they'll run
into the wall of not being able to message to dev teams.  Then they'll need
to mature in that respect and either (a) tell them countermeasures that are
upstream from the API or service listener or whatever (WEAK) or (b) help
them to improve their secure coding measures and leveraging of security
class objects in frameworks, hardening techniques, secure coding snippets,
etc.  OWASP Cheatsheets, Secure Dev Guide all help with this btw so

Not gonna get into the whole US violent BS. Stay topical to appsec and
leave the political remarks for the comments section of Anderson Cooper's
blog.  I can gladly entertain those later if you want to debate causal
factors at BH/ DC over pisco sours.

On Thu, May 19, 2016 at 9:31 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> >>So Phineas used ZAP to hack Catalan police - who gives an F?!?!?!
> I give a f*ck...;-P.
> >> The intent of ZAP is to allow for more security professionals to
> understand how and why apps fall to common attack patterns.
> Look. A 'security professional'  tells the developer all the security bugs
> she has, but if she is not able to fix them then what? Nothing gets fixed
> properly.
> Most pen testers work is focused on showing vulnerabilities instead of
> helping fixing them because for most part pen testers cannot code
> applications neither is their work, like this joke on Twitter:
> https://twitter.com/pencilsareneat/status/724711158863790084
> I think OWASP is way too focused on Pen testers and this discussion just
> shows me that.
> Defender projects are poor compare to ZAP.
> Have anyone of you download and test ALL the so called 'top' defender
> projects we have, have you actually USE them ?
> Who has? I have, can you say the same?
> I have and I can tell you that for sure.
> *Read team is important but Blue team as much. I'm talking about Yin
> Yang. *
> *Balance my friends. OWASP has the power to shape that balance.*
> And BTW thats US is the country with high rate murder with guns.
> http://www.nytimes.com/2012/12/20/opinion/blow-on-guns-america-stands-out.html?_r=1
> And talking about Columbine and School killings...yea, but is off course
> none is to blame...
> Hey Viva US and the second ammendment , each country should know what they
> do.
> I just love my little island where they forbid guns...thanks God...
> On Thu, May 19, 2016 at 9:02 PM, Tony UV <tonyuv at owasp.org> wrote:
>> Johanna,
>> *On the issue of ZAP / Hurting or Helping AppSec.*So Phineas used ZAP to
>> hack Catalan police - who gives an F?!?!?!  Since the beginning of time,
>> tools of any type (either hardware or software or virtual) will be used for
>> whatever motive the handler wants to use them.  This shouldn't at all shape
>> the perspective that ZAP or any other tool is hurting rather than helping
>> an industry or sub-industry.  That is absurd.  Those that think that in
>> AppSec or in security in general don't get the fact that when doing
>> criminal actions, any means necessary will encompass the use of products
>> and services not intended or designed for a criminal's nefarious actions.
>> Tainting ZAP (either deliberately or not) is not helping the ignorance that
>> blames tools for facilitating hacks.  The intent of ZAP is to allow for
>> more security professionals to understand how and why apps fall to common
>> attack patterns.  If that same tool is used to do bad, in no way shape or
>> form should the weakly formed argument of 'are we helping or hurting' be
>> thrown into a conversation piece within this industry b/c there are far too
>> many tools that break that have come before ZAP and are used much more
>> widely than ZAP that are open source and those frames of thought never got
>> good traction and deservingly so.  If there is some emotional infosec
>> asshat that wants to ask that question and allude to an 'OWASP' project as
>> a facilitator to these types of activities, then we should all be able to
>> easily defend the number of instances of whitehat efforts that ZAP supports
>> that dwarf undoubted blackhat used of that tool (or any other that is or
>> becomes flagship).
>> *On the issue of quantity vs quality.*
>> Agreed that we have WAY too many projects.  I'm on that bandwagon.  But
>> the one I'm not is believing that the intent of the disparity between
>> notorious breaker tools that are flagship vs. defender tools is based upon
>> anything but simply a factor of (a) time of interested people/ persons
>> devoted to a project (b) level of interest of said people in a track of
>> security (breaking vs building vs defending, etc.).  What's the saying -
>> the road to hell is paved with good intentions - in this case, I don't
>> think there was a deliberate intent to sway one way (break, defend, build)
>> versus another at all but things have gotten away from us.  I do think that
>> greater project governance and leadership can force a more balanced project
>> roster which would reflect what everyone has had in mind for OWASP, which
>> is well developed and maintained projects. Mark's blog post, although true,
>> is true only at the superficial level.  The causal factors need to be
>> clearly understood.  If there was project governance and we could
>> collectively drive to a smaller project footprint, then our execution would
>> be better, but its not by design and that's what I disagree with in the
>> blog and those that follow that credence.
>> Tony UV
>> On Thu, May 19, 2016 at 8:25 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>> Hi All,
>>> Not sure if you have heard the news that Phineas Fisher, the hacker that
>>> hacked HackingTeam, has made public a couple of days ago a video showing
>>> how he hacked the Spanish (Catalan) police using ZAP.
>>> Video in the mean time has been removed but I made a copy for anyone
>>> that wants it ;-P
>>> Phineas goes ahead and made comments to encourage and teach others to
>>> 'hack back'(nice music background 'f*ck the police'). In his own words:
>>> *“That's the plan,” the hacker told Motherboard in an email. “Like
>>> subverso says in the lyrics of the song at the end of the video, ‘el que
>>> comparte lo que aprende, es peligroso.’”*
>>> While I'm a big fan of ZAP, this has hit a deep core in my conscious.
>>> OWASP is supposed to be about 'Application Security' and right now,
>>> hackers like this are doing the opposite with the same tools we promote .
>>> OWASP has a huge misbalance of tools between 'breakers' and 'defenders'.
>>> ZAP on one side , with a quality and level of development that is
>>> competing with the commercial tools like Burp, but on the other side, to
>>> balance the equation, what are we actually doing to improve defense? What
>>> kind of defender projects does OWASP has to compete what ZAP is doing?
>>> Sorry to say, none. No defender project at OWASP has a full time
>>> developer working on it nor the quality that ZAP does.
>>> @Tom:
>>> I think one of the things OWASP projects needs to focus on is to bring a
>>> balance and incentive the development of *Quality* defender projects to
>>> teach developers how to protect applications. Not to keep focusing on
>>> teaching hacking. Developers are not going to become hackers to protect
>>> applications.
>>> Mark Curphey, the co-fouder of OWASP had a vision to develop security
>>> tools for developers. And he left because OWASP management  focused in
>>> quantity and not in quality. Timo and I, the last reviewers were standing
>>> for this principle.But we couldn't fight how management though about and we
>>> left.
>>> *"I do suspect that it maybe time for a different kind of open source
>>> software security project that focuses on a small number of high quality,
>>> high impact projects. ..*
>>> *So long OWASP, you were a fun ride and I wish you the very best for the
>>> future. Remember that a “Jack of all trades is a master of none”!**"*
>>> In the mean time Marc is the founder of SRC:CLR, based startup that
>>> helps companies use open-source code safely
>>> http://www.curphey.com
>>> regards
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> --
> Johanna Curiel
> OWASP Volunteer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160519/6d0c04be/attachment-0001.html>

More information about the OWASP-Leaders mailing list