[Owasp-leaders] Are we helping Hackers or helping Application security?

Kevin W. Wall kevin.w.wall at gmail.com
Sun May 22 14:34:31 UTC 2016

On Sun, May 22, 2016 at 3:43 AM, Gregory Disney
<gregory.disney at owasp.org> wrote:
> I've tried not to jump into these types of conversation. This is not as
> simple as hackers win; the hacker ecosystem exists so vulnerabilities come to
> light and not just black hats have them, hence gray and white hats. These hackers
> ethically disclose, and tools are developed so mitigations can be developed.
> So in reality defenders really have no way to ensure their security feature
> actually works without hackers; the right hand actually needs the left hand.
> It's truly sad I have to say this to the OWASP leaders list; we should know this
> fact better than any group.

Gregory, I was in no way intending to disparage "hackers" of any type, whether
offensive or defensive, and I would bet that Johanna did not intend that either
(although I will let her speak for herself).

However I'm not sure I would go as far as you in your statement of

    "So in reality defenders really have *no way* to ensure their security
    feature actually works without hackers..." [emphasis mine]

(those who are good at defense have a deep understanding of offense as well;
just look at the list of those who contributed in the past to ESAPI as but
one example), but I definitely agree with the *sentiment* of your statement.
We're all in this together.

Having said that, I do think that if we did a poll of OWASP members who
consider themselves full-time AppSec / InfoSec engineers, we would find that
"breakers" far outnumber both the "builders" and "defenders" communities
put together, and I think that imbalance was what Johanna was expressing
concern about and what I was trying to explain (as to the reasons for the
imbalance). [And this poll result may even extend to OWASP members who
consider themselves primarily as developers.]

But I agree 100% with you that "hackers" (i.e., "breakers") are a valuable
asset of the OWASP community, and I had no intent to undervalue them; if
I came across that way, I profusely apologize.

Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
