[Owasp-leaders] Are we helping Hackers or helping Application security?

Tony UV tonyuv at owasp.org
Sat May 21 01:41:27 UTC 2016



On Fri, May 20, 2016 at 11:35 AM -0700, "Todd Grotenhuis" <todd.grotenhuis at owasp.org> wrote:

(That list is not meant to be exhaustive or final, just an example starting point that I think is more helpful than the current categorization)
On Fri, May 20, 2016 at 2:28 PM, Todd Grotenhuis <todd.grotenhuis at owasp.org> wrote:
It seems that categorizing the projects in "offense" and "defense" may exacerbate the problem, acting as if these resources are at odds with each other in improving security. Both "offense" and "defense" projects are truly defense projects, and many practitioners use tools from both "categories" in pursuit of their work. I wonder if it might be better to address what type of defense they are:
Secure Design and Architecture - tools & references
Monitoring and Detection - tools & references
Security Testing - tools & references
Secure Business Processes - references
On Fri, May 20, 2016 at 1:02 PM, Timothy D. Morgan <tim.morgan at owasp.org> wrote:

> Respectfully, and that you understand, I'm more than a ZAP fan. I
> contribute/promote this project. Don't get me wrong, ZAP is my favourite
> tool and I just feel like they have used something I care about for bad purposes,
> like thieves that steal your car to commit a bank robbery.
>
> I think we need to at least incentivize (not only financially) and motivate
> more research into defending applications. Our defender projects help but
> they are a far cry from really making a difference.

Ok, so we all agree tools are just tools and they can be used for good or
evil.  Let's put that behind us, yeah?

I think the point Johanna is making is that while there are a lot of offensive
tools in the OWASP lineup to help everyone *understand* what the security
problems are, there are fewer mature tools projects on the defense side to help
developers solve them.

Is that a problem?  Is it just the nature of the beast that our solutions on
the defense side involve more documentation, testing guides, and awareness
campaigns?  I'm actually not sure of the answer to that.

What I do think, however, is that while technical frameworks designed for
defense are a great idea, they aren't going to be adopted by the
majority of developers who need it if they are developed as independent
libraries/modules/etc.  The developers who need it have never heard of OWASP,
and even if they have, they aren't sufficiently motivated to go out of their way
to integrate a security framework into their day-to-day development.  So I
don't think adding a bunch more defense tools is really the answer unless those
are somehow integrated into standard frameworks and development platforms.
