[Owasp-leaders] Are we helping Hackers or helping Application security?

Todd Grotenhuis todd.grotenhuis at owasp.org
Fri May 20 18:28:00 UTC 2016


It seems that categorizing the projects in "offense" and "defense" may
exacerbate the problem, acting as if these resources are at odds with each
other in improving security. Both "offense" and "defense" projects are
truly defense projects, and many practitioners use tools from both
"categories" in pursuit of their work. I wonder if it might be better to
address what type of defense they are:

Secure Design and Architecture - tools & references
Monitoring and Detection - tools & references
Security Testing - tools & references
Secure Business Processes - references

On Fri, May 20, 2016 at 1:02 PM, Timothy D. Morgan <tim.morgan at owasp.org>
wrote:

>
> > Respectfully, and that you understand, I'm more than a ZAP fan. I
> > contribute/promote this project. Don't get me wrong, ZAP is my favourite
> > tool and I just feel like they have used something I care about for bad
> > purposes, like thieves that steal your car to commit a bank robbery.
> >
> > I think we need to at least incentivize (not only financially) and motivate
> > more research into defending applications. Our defender projects help, but
> > they are a far cry from really making a difference.
>
>
> Ok, so we all agree tools are just tools and they can be used for good or
> evil.  Let's put that behind us, yeah?
>
>
> I think the point Johanna is making is that while there are a lot of offensive
> tools in the OWASP lineup to help everyone *understand* what the security
> problems are, there are fewer mature tools projects on the defense side to help
> developers solve them.
>
> Is that a problem?  Is it just the nature of the beast that our solutions on
> the defense side involve more documentation, testing guides, and awareness
> campaigns?  I'm actually not sure of the answer to that.
>
> What I do think, however, is that while technical frameworks designed for
> defense are a great idea, they aren't going to be adopted by the
> majority of developers who need them if they are developed as independent
> libraries/modules/etc.  The developers who need it have never heard of OWASP,
> and even if they have, they aren't sufficiently motivated to go out of their way
> to integrate a security framework into their day-to-day development.  So I
> don't think adding a bunch more defense tools is really the answer unless those
> are somehow integrated into standard frameworks and development platforms.
>
> tim
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>