[Owasp-leaders] Are we helping Hackers or helping Application security?

Todd Grotenhuis todd.grotenhuis at owasp.org
Fri May 20 18:32:32 UTC 2016


(That list is not meant to be exhaustive or final, just an example starting
point that I think is more helpful than the current categorization)

On Fri, May 20, 2016 at 2:28 PM, Todd Grotenhuis <todd.grotenhuis at owasp.org>
wrote:

> It seems that categorizing the projects in "offense" and "defense" may
> exacerbate the problem, acting as if these resources are at odds with each
> other in improving security. Both "offense" and "defense" projects are
> truly defense projects, and many practitioners use tools form both
> "categories" in pursuit of their work. I wonder if it might be better to
> address what type of defense they are:
>
> Secure Design and Architecture - tools & references
> Monitoring and Detection - tools & references
> Security Testing - tools & references
> Secure Business Processes - references
>
> On Fri, May 20, 2016 at 1:02 PM, Timothy D. Morgan <tim.morgan at owasp.org>
> wrote:
>
>>
>> > Respectfully, and that you understand, I'm more than a ZAP fan. I
>> > contribute/promote this project . Don't get me wrong, ZAP is my
>> favourite
>> > tool and I just feel like they have used something I care for bad
>> purposes,
>> > like thieves that steals your car to commit a bank robbery.
>> >
>> > I think we need to at least incentive(not only financially) and motivate
>> > more research into defending applications. Our defender projects help
>> but
>> > they are far out cry to really make a difference.
>>
>>
>> Ok, so we all agree tools are just tools and they can be used for good or
>> evil.  Let's put that behind us, yeah?
>>
>>
>> I think the point Johanna is making is that while there are a lot of
>> offensive
>> tools in the OWASP lineup to help everyone *understand* what the security
>> problems are, there are fewer mature tools projects on the defense side
>> to help
>> developers solve them.
>>
>> Is that a problem?  Is it just the nature of the beast that our solutions
>> on
>> the defense side involve more documentation, testing guides, and awareness
>> campaigns?  I'm actually not sure the answer to that.
>>
>> What I do think, however, is that while technical frameworks designed for
>> defense are a great idea, they aren't going to be adopted by the
>> majority of developers who need it if they are developed as independent
>> libraries/modules/etc.  The developers who need it have never heard of
>> OWASP,
>> and even if they have, they aren't sufficiently motivated to go out of
>> their way
>> to integrate a security framework into their day-to-day development.  So I
>> don't think adding a bunch more defense tools is really the answer unless
>> those
>> are somehow integrated into standard frameworks and development platforms.
>>
>> tim
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160520/24211758/attachment.html>


More information about the OWASP-Leaders mailing list