[Owasp-leaders] Are we helping Hackers or helping Application security?

psiinon psiinon at gmail.com
Fri May 20 09:03:23 UTC 2016

Before I first released ZAP I did worry that it could do more harm than
I'm not so worried about that now.
Yes, people can, and will, use it for 'bad things'.
But I'm convinced that there are many, many more using ZAP for good things.

I think positioning is very important - if we positioned/promoted ZAP as a
l33t haxors tool designed to 'stick it to the man' then it would be more
attractive to the bad guys and much less attractive to people who want to
use it to make webapps more secure.

I agree OWASP is not so well balanced between defenders and attackers, but
there are some very practical reasons for that.
ZAP, and other attack tools, are tools that anyone can use, regardless of
the technology they use to create their webapps.
There are some defender tools (like WAFs) that can be used regardless of
technology, but in most cases defender projects need to be technology
The best Java defensive library in the world is useless to developers who
use dotnet, python, nodejs, ruby etc etc.
And developers don't just choose technologies, they choose frameworks as
If your defensive library doesn't integrate seamlessly with the framework
they are using then they won't use it.
So I think it's actually far harder to develop defensive projects that will
be adopted by a wide range of developers than it is to develop attack

What can we do about that?
We could adopt a different approach, one that various people have suggested
before on this list.
We could try to work with the frameworks that developers use to make them
more secure.
I'm certainly not going to claim this will be easy, and I'm going to count
myself out of any such initiative because I just don't have enough time to
do justice to this :/
But I'll share a few thoughts anyway ;)
One option would be to form a 'project' ('hot team' whatever you want to
call it) of people with enough time, enthusiasm and the relevant skills to
approach this.
They could then evaluate various open source frameworks and determine which
need the most help with security.
They would then need to approach those projects (in a respectful rather
than confrontational manner) and see if any help would be well received or
not - there's no point trying to help a project which just doesn't care about
After that it would be a case of finding _and_fixing_ security issues in a
manner that is accepted by the relevant projects.
Pick on one project, help it out, help the developers of that project gain
a better understanding of security, move onto the next one.



On Fri, May 20, 2016 at 3:57 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Hey Tony
> Respectfully, and so that you understand, I'm more than a ZAP fan. I
> contribute to/promote this project. Don't get me wrong, ZAP is my favourite
> tool and I just feel like they have used something I care for for bad purposes,
> like thieves that steal your car to commit a bank robbery.
> I think we need to at least incentivise (not only financially) and motivate
> more research into defending applications. Our defender projects help but
> they are a far cry from really making a difference.
> I would like to see more energy to promote this and I believe research and
> fostering this sphere can help create great things.
> >>then sorry to break it to you that the Catalan police don't give a "PM"
> (spanish) or "F" about your F.
> Well, the Catalan police does care that the hacker has leaked all the private
> personal data of the police team; this is serious.
> http://ccaa.elpais.com/ccaa/2016/05/18/catalunya/1463551156_428987.html
> "In addition, SME is assisting the affected officers through its union
> delegates and the union's landline. The *mossos* fear the use that could be
> made of their private data in anti-police circles."
> PM? Puta Madre? Pura Mierda? Damn, the police do care, maybe not about my F,
> but they know they can't do anything... not even about those who are cursing
> Phineas... 😂 otherwise the video would still be accessible on YouTube.
> There, how *pretty* this video looks in all its splendour, showing how
> OWASP ZAP is used to hack the Catalan police...
> I feel torn when the video opened and showed this...
> https://drive.google.com/file/d/0B28S4R_cON7JMVNnNl9FbnQ4djg/view?usp=sharing

OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader