[Owasp-leaders] Are we helping Hackers or helping Application security?

Jim Manico jim.manico at owasp.org
Sun May 22 06:20:59 UTC 2016


+1 as well. What a well-thought-out idea, Todd. There is a lot of
discussion going on about the next phase of maturing projects; do you
have time to participate?

Aloha, Jim


On 5/20/16 6:41 PM, Tony UV wrote:
> +1
>
> On Fri, May 20, 2016 at 11:35 AM -0700, "Todd Grotenhuis"
> <todd.grotenhuis at owasp.org <mailto:todd.grotenhuis at owasp.org>> wrote:
>
>     (That list is not meant to be exhaustive or final, just an example
>     starting point that I think is more helpful than the current
>     categorization)
>
>     On Fri, May 20, 2016 at 2:28 PM, Todd Grotenhuis
>     <todd.grotenhuis at owasp.org <mailto:todd.grotenhuis at owasp.org>> wrote:
>
>         It seems that categorizing the projects in "offense" and
>         "defense" may exacerbate the problem, acting as if these
>         resources are at odds with each other in improving security.
>         Both "offense" and "defense" projects are truly defense
>         projects, and many practitioners use tools from both
>         "categories" in pursuit of their work. I wonder if it might be
>         better to address what type of defense they are:
>
>         Secure Design and Architecture - tools & references
>         Monitoring and Detection - tools & references
>         Security Testing - tools & references
>         Secure Business Processes - references
>
>         On Fri, May 20, 2016 at 1:02 PM, Timothy D. Morgan
>         <tim.morgan at owasp.org <mailto:tim.morgan at owasp.org>> wrote:
>
>
>             > Respectfully, and that you understand, I'm more than a ZAP fan. I
>             > contribute/promote this project. Don't get me wrong, ZAP is my favourite
>             > tool and I just feel like they have used something I care for bad purposes,
>             > like thieves that steal your car to commit a bank robbery.
>             >
>             > I think we need to at least incentivize (not only financially) and motivate
>             > more research into defending applications. Our defender projects help but
>             > they are a far cry from really making a difference.
>
>
>             Ok, so we all agree tools are just tools and they can be used for good or
>             evil.  Let's put that behind us, yeah?
>
>
>             I think the point Johanna is making is that while there are a lot of offensive
>             tools in the OWASP lineup to help everyone *understand* what the security
>             problems are, there are fewer mature tools projects on the defense side to help
>             developers solve them.
>
>             Is that a problem?  Is it just the nature of the beast that our solutions on
>             the defense side involve more documentation, testing guides, and awareness
>             campaigns?  I'm actually not sure of the answer to that.
>
>             What I do think, however, is that while technical frameworks designed for
>             defense are a great idea, they aren't going to be adopted by the
>             majority of developers who need it if they are developed as independent
>             libraries/modules/etc.  The developers who need it have never heard of OWASP,
>             and even if they have, they aren't sufficiently motivated to go out of their way
>             to integrate a security framework into their day-to-day development.  So I
>             don't think adding a bunch more defense tools is really the answer unless those
>             are somehow integrated into standard frameworks and development platforms.
>
>             tim
>             _______________________________________________
>             OWASP-Leaders mailing list
>             OWASP-Leaders at lists.owasp.org
>             <mailto:OWASP-Leaders at lists.owasp.org>
>             https://lists.owasp.org/mailman/listinfo/owasp-leaders
