[Owasp-leaders] Are we helping Hackers or helping Application security?

Jim Manico jim.manico at owasp.org
Fri May 20 04:56:53 UTC 2016


This is a very astute perspective, Tony. Thanks for diving in and
bringing clarity.

Aloha, Jim

On 5/19/16 7:14 PM, Tony UV wrote:
> 1. If giving an F is hating on a tool versus understanding the threat
> actors and real threat motives, then sorry to break it to you that the
> Catalan police don't give a "PM" (Spanish) or "F" about your F.
> 2. Having more defender tools will still not instruct 'security
> professionals' to interact effectively with developers.  Knowing the
> precepts of coding, development frameworks, threat modeling, good
> architecture will.  So in terms of more defender tools helping, that
> wouldn't do jack.
> 3. ModSecurity Ruleset is highly utilized individually and by
> commercial products that have pwned its G status effectiveness and
> baked it into their commercial rule sets.  Maybe not as hyped as ZAP
> but per other previous responses, there's a lot of good Defender stuff
> in the vault.
> 4. You're right.  Too much pen tester rhetoric.  But I say up the level
> and call it what it is - attack.  No hacker is like 'hey boss, I'm
> gonna pen test this web api real quick'. Get real.  We need more pros
> to understand real criminal exploitation and leave this pen testing BS
> for PCI 3.2.  This includes a greater understanding of encoding
> techniques for obfuscating payloads, new evasion techniques, payloads
> against new web app frameworks, reversing, etc. This is real stuff
> that transcends simply payload replaying via tools and we need more of
> that skill set in order to educate developers on how these parameters
> get compromised b/c of well crafted payloads.
> 5.  Helping Dev shops requires more understanding of things that they
> are working with, but crawl, walk, run.  Right now, IMHO, I think most
> want to know how to break and are still maturing there.  From there,
> they'll run into the wall of not being able to message to dev teams. 
> Then they'll need to mature in that respect and either (a) tell them
> countermeasures that are upstream from the API or service listener or
> whatever (WEAK) or (b) help them to improve their secure coding
> measures and leveraging of security class objects in frameworks,
> hardening techniques, secure coding snippets, etc.  OWASP Cheatsheets,
> Secure Dev Guide all help with this btw so recognize.
> Not gonna get into the whole US violent BS. Stay topical to appsec and
> leave the political remarks for the comments section of Anderson
> Cooper's blog.  I can gladly entertain those later if you want to
> debate causal factors at BH/ DC over pisco sours. 
> On Thu, May 19, 2016 at 9:31 PM, johanna curiel curiel
> <johanna.curiel at owasp.org <mailto:johanna.curiel at owasp.org>> wrote:
>     >>So Phineas used ZAP to hack Catalan police - who gives an F?!?!?! 
>     I give a f*ck...;-P. 
>     >> The intent of ZAP is to allow for more security professionals
>     to understand how and why apps fall to common attack patterns.
>     Look. A 'security professional'  tells the developer all the
>     security bugs she has, but if she is not able to fix them then
>     what? Nothing gets fixed properly. 
>     Most pen testers work is focused on showing vulnerabilities
>     instead of helping fixing them because for most part pen testers
>     cannot code applications neither is their work, like this joke on
>     Twitter:
>     https://twitter.com/pencilsareneat/status/724711158863790084
>     I think OWASP is way too focused on Pen testers and this
>     discussion just shows me that.
>     Defender projects are poor compared to ZAP.
>     Has any one of you downloaded and tested ALL the so-called 'top'
>     defender projects we have? Have you actually USED them?
>     Who has? I have, can you say the same?
>     I have and I can tell you that for sure.
>     *Red team is important but Blue team as much. I'm talking about
>     Yin Yang.*
>     *Balance my friends. OWASP has the power to shape that balance.*
>     And BTW, the US is the country with a high rate of murder with guns.
>     http://www.nytimes.com/2012/12/20/opinion/blow-on-guns-america-stands-out.html?_r=1
>     And talking about Columbine and school killings...yeah, but of
>     course no one is to blame...
>     Hey, Viva US and the Second Amendment, each country should know
>     what they do.
>     I just love my little island where they forbid guns...thank God...
>     On Thu, May 19, 2016 at 9:02 PM, Tony UV <tonyuv at owasp.org
>     <mailto:tonyuv at owasp.org>> wrote:
>         Johanna,
>         *On the issue of ZAP / Hurting or Helping AppSec.*
>         So Phineas used ZAP to hack Catalan police - who gives an
>         F?!?!?!  Since the beginning of time, tools of any type
>         (either hardware or software or virtual) will be used for
>         whatever motive the handler wants to use them.  This shouldn't
>         at all shape the perspective that ZAP or any other tool is
>         hurting rather than helping an industry or sub-industry.  That
>         is absurd.  Those that think that in AppSec or in security in
>         general don't get the fact that when doing criminal actions,
>         any means necessary will encompass the use of products and
>         services not intended or designed for a criminal's nefarious
>         actions.  Tainting ZAP (either deliberately or not) is not
>         helping the ignorance that blames tools for facilitating
>         hacks.  The intent of ZAP is to allow for more security
>         professionals to understand how and why apps fall to common
>         attack patterns.  If that same tool is used to do bad, in no
>         way shape or form should the weakly formed argument of 'are we
>         helping or hurting' be thrown into a conversation piece within
>         this industry b/c there are far too many tools that break that
>         have come before ZAP and are used much more widely than ZAP
>         that are open source and those frames of thought never got
>         good traction and deservingly so.  If there is some emotional
>         infosec asshat that wants to ask that question and allude to
>         an 'OWASP' project as a facilitator to these types of
>         activities, then we should all be able to easily defend the
>         number of instances of whitehat efforts that ZAP supports that
>         dwarf undoubted blackhat uses of that tool (or any other that
>         is or becomes flagship).
>         *On the issue of quantity vs quality.*
>         Agreed that we have WAY too many projects.  I'm on that
>         bandwagon.  But the one I'm not is believing that the intent
>         of the disparity between notorious breaker tools that are
>         flagship vs. defender tools is based upon anything but simply
>         a factor of (a) time of interested people/ persons devoted to
>         a project (b) level of interest of said people in a track of
>         security (breaking vs building vs defending, etc.).  What's
>         the saying - the road to hell is paved with good intentions -
>         in this case, I don't think there was a deliberate intent to
>         sway one way (break, defend, build) versus another at all but
>         things have gotten away from us.  I do think that greater
>         project governance and leadership can force a more balanced
>         project roster which would reflect what everyone has had in
>         mind for OWASP, which is well developed and maintained
>         projects. Mark's blog post, although true, is true only at the
>         superficial level.  The causal factors need to be clearly
>         understood.  If there was project governance and we could
>         collectively drive to a smaller project footprint, then our
>         execution would be better, but it's not by design and that's
>         what I disagree with in the blog and those that follow that
>         credence. 
>         Tony UV
>         On Thu, May 19, 2016 at 8:25 PM, johanna curiel curiel
>         <johanna.curiel at owasp.org <mailto:johanna.curiel at owasp.org>>
>         wrote:
>             Hi All,
>             Not sure if you have heard the news that Phineas Fisher,
>             the hacker that hacked HackingTeam, has made public a
>             couple of days ago a video showing how he hacked the
>             Spanish (Catalan) police using ZAP.
>             Video in the meantime has been removed but I made a copy
>             for anyone that wants it ;-P
>             Phineas goes ahead and makes comments to encourage and
>             teach others to 'hack back'(nice music background 'f*ck
>             the police'). In his own words:
>             *“That's the plan,” the hacker told Motherboard in an
>             email. “Like subverso says in the lyrics of the song at
>             the end of the video, ‘el que comparte lo que aprende, es
>             peligroso.’”*
>             While I'm a big fan of ZAP, this has hit a deep core in my
>             conscious.
>             OWASP is supposed to be about 'Application Security' and
>             right now, hackers like this are doing the opposite with
>             the same tools we promote.
>             OWASP has a huge imbalance of tools between 'breakers'
>             and 'defenders'. 
>             ZAP on one side, with a quality and level of development
>             that is competing with the commercial tools like Burp, but
>             on the other side, to balance the equation, what are we
>             actually doing to improve defense? What kind of defender
>             projects does OWASP have to compete with what ZAP is doing?
>             Sorry to say, none. No defender project at OWASP has a
>             full time developer working on it nor the quality that ZAP
>             does.
>             @Tom:
>             I think one of the things OWASP projects need to focus on
>             is to bring a balance and incentivize the development of
>             *Quality* defender projects to teach developers how to
>             protect applications. Not to keep focusing on teaching
>             hacking. Developers are not going to become hackers to
>             protect applications. 
>             Mark Curphey, the co-founder of OWASP, had a vision to
>             develop security tools for developers. And he left because
>             OWASP management focused on quantity and not on quality.
>             Timo and I, the last reviewers, were standing for this
>             principle. But we couldn't fight how management thought
>             about it, and we left.
>             *"I do suspect that it may be time for a different kind of
>             open source software security project that focuses on a
>             small number of high quality, high impact projects. ...*
>             *So long OWASP, you were a fun ride and I wish you the
>             very best for the future. Remember that a "Jack of all
>             trades is a master of none"!"*
>             In the meantime, Mark is the founder of SRC:CLR, a
>             startup that helps companies use open-source code safely
>             http://www.curphey.com
>             regards
>             -- 
>             Johanna Curiel 
>             OWASP Volunteer
>             _______________________________________________
>             OWASP-Leaders mailing list
>             OWASP-Leaders at lists.owasp.org
>             <mailto:OWASP-Leaders at lists.owasp.org>
>             https://lists.owasp.org/mailman/listinfo/owasp-leaders
>     -- 
>     Johanna Curiel 
>     OWASP Volunteer
