[Owasp-leaders] Are we helping Hackers or helping Application security?
tonyuv at owasp.org
Sat May 21 01:41:27 UTC 2016
On Fri, May 20, 2016 at 11:35 AM -0700, "Todd Grotenhuis" <todd.grotenhuis at owasp.org> wrote:
(That list is not meant to be exhaustive or final, just an example starting point that I think is more helpful than the current categorization)
On Fri, May 20, 2016 at 2:28 PM, Todd Grotenhuis <todd.grotenhuis at owasp.org> wrote:
It seems that categorizing the projects in "offense" and "defense" may exacerbate the problem, acting as if these resources are at odds with each other in improving security. Both "offense" and "defense" projects are truly defense projects, and many practitioners use tools from both "categories" in pursuit of their work. I wonder if it might be better to address what type of defense they are:
Secure Design and Architecture - tools & references
Monitoring and Detection - tools & references
Security Testing - tools & references
Secure Business Processes - references
On Fri, May 20, 2016 at 1:02 PM, Timothy D. Morgan <tim.morgan at owasp.org> wrote:
> Respectfully, and so that you understand, I'm more than a ZAP fan. I
> contribute to/promote this project. Don't get me wrong, ZAP is my favourite
> tool and I just feel like they have used something I care for bad purposes,
> like thieves that steal your car to commit a bank robbery.
> I think we need to at least incentivize (not only financially) and motivate
> more research into defending applications. Our defender projects help but
> they are a far cry from really making a difference.
Ok, so we all agree tools are just tools and they can be used for good or
evil. Let's put that behind us, yeah?
I think the point Johanna is making is that while there are a lot of offensive
tools in the OWASP lineup to help everyone *understand* what the security
problems are, there are fewer mature tools projects on the defense side to help
developers solve them.
Is that a problem? Is it just the nature of the beast that our solutions on
the defense side involve more documentation, testing guides, and awareness
campaigns? I'm actually not sure of the answer to that.
What I do think, however, is that while technical frameworks designed for
defense are a great idea, they aren't going to be adopted by the
majority of developers who need it if they are developed as independent
libraries/modules/etc. The developers who need it have never heard of OWASP,
and even if they have, they aren't sufficiently motivated to go out of their way
to integrate a security framework into their day-to-day development. So I
don't think adding a bunch more defense tools is really the answer unless those
are somehow integrated into standard frameworks and development platforms.