[Owasp-leaders] Are we helping Hackers or helping Application security?

Azzeddine Ramrami azzeddine.ramrami at owasp.org
Fri May 20 05:26:22 UTC 2016


I have one remark about using the term "hacker" as a bad thing.

If a hacker attacks a vulnerable web app without authorization, he becomes
malicious, or a cracker, or a "pirate".

By the way, ZAP or any other tool can be used for defense or attack, as in
real life.

If we publish a web application that is written carelessly, with no security by design,
any tool can break it.

On May 20, 2016 at 5:57 AM, "Jim Manico" <jim.manico at owasp.org> wrote:

> +1
> This is a very astute perspective, Tony. Thanks for diving in and bringing
> clarity.
> Aloha, Jim
> On 5/19/16 7:14 PM, Tony UV wrote:
> 1. If giving an F is hating on a tool versus understanding the threat
> actors and real threat motives, then sorry to break it to you that the
> Catalan police don't give a "PM" (Spanish) or "F" about your F.
> 2. Having more defender tools will still not instruct 'security
> professionals' to interact effectively with developers.  Knowing the
> precepts of coding, development frameworks, threat modeling, good
> architecture will.  So in terms of more defender tools helping, that
> wouldn't do jack.
> 3. ModSecurity Ruleset is highly utilized individually and by commercial
> products that have pwned its G status effectiveness and baked it into their
> commercial rule sets.  Maybe not as hyped as ZAP but per other previous
> responses, there's a lot of good Defender stuff in the vault.
> 4. You're right.  Too much pen tester rhetoric.  But I say up the level and
> call it what it is - attack.  No hacker is like 'hey boss, i'm gonna pen
> test this web api real quick'. Get real.  We need more pros to understand
> real criminal exploitation and leave this pen testing BS for PCI 3.2.  This
> includes a greater understanding of encoding techniques for obfuscating
> payloads, new evasion techniques, payloads against new web app frameworks,
> reversing, etc. This is real stuff that transcends simply payload replaying
> via tools and we need more of that skill set in order to educate developers
> on how these parameters get compromised b/c of well crafted payloads.
> 5.  Helping Dev shops requires more understanding of things that they are
> working with, but crawl, walk, run.  Right now, IMHO, I think most want to
> know how to break and are still maturing there.  From there, they'll run
> into the wall of not being able to message to dev teams.  Then they'll need
> to mature in that respect and either (a) tell them countermeasures that are
> upstream from the API or service listener or whatever (WEAK) or (b) help
> them to improve their secure coding measures and leveraging of security
> class objects in frameworks, hardening techniques, secure coding snippets,
> etc.  OWASP Cheatsheets, Secure Dev Guide all help with this btw so
> recognize.
> Not gonna get into the whole US violent BS. Stay topical to appsec and
> leave the political remarks for the comments section of Anderson Cooper's
> blog.  I can gladly entertain those later if you want to debate causal
> factors at BH/ DC over pisco sours.
> On Thu, May 19, 2016 at 9:31 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>> >>So Phineas used ZAP to hack Catalan police - who gives an F?!?!?!
>> I give a f*ck...;-P.
>> >> The intent of ZAP is to allow for more security professionals to
>> understand how and why apps fall to common attack patterns.
>> Look. A 'security professional'  tells the developer all the security
>> bugs she has, but if she is not able to fix them then what? Nothing gets
>> fixed properly.
>> Most pen testers' work is focused on showing vulnerabilities instead of
>> helping fix them, because for the most part pen testers cannot code
>> applications, nor is it their job, like this joke on Twitter:
>> https://twitter.com/pencilsareneat/status/724711158863790084
>> I think OWASP is way too focused on Pen testers and this discussion just
>> shows me that.
>> Defender projects are poor compared to ZAP.
>> Has any one of you downloaded and tested ALL the so-called 'top' defender
>> projects we have? Have you actually USED them?
>> Who has? I have, can you say the same?
>> I have and I can tell you that for sure.
>> *Red team is important, but Blue team just as much. I'm talking about Yin
>> Yang. *
>> *Balance my friends. OWASP has the power to shape that balance.*
>> And BTW, the US is the country with a high rate of gun murders.
>> http://www.nytimes.com/2012/12/20/opinion/blow-on-guns-america-stands-out.html?_r=1
>> And talking about Columbine and school killings...yeah, but of course
>> no one is to blame...
>> Hey, Viva US and the Second Amendment; each country should know what
>> they do.
>> I just love my little island where they forbid guns...thanks God...
>> On Thu, May 19, 2016 at 9:02 PM, Tony UV <tonyuv at owasp.org> wrote:
>>> Johanna,
>>> * On the issue of ZAP / Hurting or Helping AppSec. *So Phineas used ZAP
>>> to hack Catalan police - who gives an F?!?!?!  Since the beginning of time,
>>> tools of any type (either hardware or software or virtual) will be used for
>>> whatever motive the handler wants to use them.  This shouldn't at all shape
>>> the perspective that ZAP or any other tool is hurting rather than helping
>>> an industry or sub-industry.  That is absurd.  Those that think that in
>>> AppSec or in security in general don't get the fact that when doing
>>> criminal actions, any means necessary will encompass the use of products
>>> and services not intended or designed for a criminal's nefarious actions.
>>> Tainting ZAP (either deliberately or not) is not helping the ignorance that
>>> blames tools for facilitating hacks.  The intent of ZAP is to allow for
>>> more security professionals to understand how and why apps fall to common
>>> attack patterns.  If that same tool is used to do bad, in no way shape or
>>> form should the weakly formed argument of 'are we helping or hurting' be
>>> thrown into a conversation piece within this industry b/c there are far too
>>> many tools that break that have come before ZAP and are used much more
>>> widely than ZAP that are open source and those frames of thought never got
>>> good traction and deservingly so.  If there is some emotional infosec
>>> asshat that wants to ask that question and allude to an 'OWASP' project as
>>> a facilitator to these types of activities, then we should all be able to
>>> easily defend the number of instances of whitehat efforts that ZAP supports
>>> that dwarf the undoubted blackhat use of that tool (or any other that is or
>>> becomes flagship).
>>> *On the issue of quantity vs quality.*
>>> Agreed that we have WAY too many projects.  I'm on that bandwagon.  But
>>> the one I'm not is believing that the intent of the disparity between
>>> notorious breaker tools that are flagship vs. defender tools is based upon
>>> anything but simply a factor of (a) time of interested people/ persons
>>> devoted to a project (b) level of interest of said people in a track of
>>> security (breaking vs building vs defending, etc.).  What's the saying -
>>> the road to hell is paved with good intentions - in this case, I don't
>>> think there was a deliberate intent to sway one way (break, defend, build)
>>> versus another at all but things have gotten away from us.  I do think that
>>> greater project governance and leadership can force a more balanced project
>>> roster which would reflect what everyone has had in mind for OWASP, which
>>> is well developed and maintained projects. Mark's blog post, although true,
>>> is true only at the superficial level.  The causal factors need to be
>>> clearly understood.  If there was project governance and we could
>>> collectively drive to a smaller project footprint, then our execution would
>>> be better, but it's not by design and that's what I disagree with in the
>>> blog and those that follow that credence.
>>> Tony UV
>>> On Thu, May 19, 2016 at 8:25 PM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>> Hi All,
>>>> Not sure if you have heard the news that Phineas Fisher, the hacker
>>>> who hacked HackingTeam, made public a couple of days ago a video
>>>> showing how he hacked the Spanish (Catalan) police using ZAP.
>>>> Video in the mean time has been removed but I made a copy for anyone
>>>> that wants it ;-P
>>>> Phineas goes ahead and made comments to encourage and teach others to
>>>> 'hack back'(nice music background 'f*ck the police'). In his own words:
>>>> *“That's the plan,” the hacker told Motherboard in an email. “Like
>>>> subverso says in the lyrics of the song at the end of the video, ‘el que
>>>> comparte lo que aprende, es peligroso.’”* [“he who shares what he learns is dangerous”]
>>>> While I'm a big fan of ZAP, this has hit a deep core in my conscience.
>>>> OWASP is supposed to be about 'Application Security' and right now,
>>>> hackers like this are doing the opposite with the same tools we promote.
>>>> OWASP has a huge imbalance of tools between 'breakers' and
>>>> 'defenders'.
>>>> ZAP on one side , with a quality and level of development that is
>>>> competing with the commercial tools like Burp, but on the other side, to
>>>> balance the equation, what are we actually doing to improve defense? What
>>>> kind of defender projects does OWASP have to compete with what ZAP is doing?
>>>> Sorry to say, none. No defender project at OWASP has a full time
>>>> developer working on it nor the quality that ZAP does.
>>>> @Tom:
>>>> I think one of the things OWASP projects need to focus on is bringing
>>>> balance and incentivizing the development of *Quality* defender projects
>>>> to teach developers how to protect applications. Not to keep focusing on
>>>> teaching hacking. Developers are not going to become hackers to protect
>>>> applications.
>>>> Mark Curphey, the co-founder of OWASP, had a vision to develop security
>>>> tools for developers. And he left because OWASP management focused on
>>>> quantity and not on quality. Timo and I, the last reviewers, were standing
>>>> for this principle. But we couldn't fight how management thought about it, and we
>>>> left.
>>>> *"I do suspect that it maybe time for a different kind of open source
>>>> software security project that focuses on a small number of high quality,
>>>> high impact projects. ..*
>>>> *So long OWASP, you were a fun ride and I wish you the very best for
>>>> the future. Remember that a “Jack of all trades is a master of none”!*
>>>> *"*
>>>> In the meantime, Mark is the founder of SRC:CLR, a startup that
>>>> helps companies use open-source code safely
>>>> http://www.curphey.com
>>>> regards
>>>> --
>>>> Johanna Curiel
>>>> OWASP Volunteer
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> --
>> Johanna Curiel
>> OWASP Volunteer
> _______________________________________________