[Owasp-leaders] Bring balance: force verification in scanning tools

Bev Corwin bev.corwin at owasp.org
Sun May 22 22:20:52 UTC 2016


Hi Johanna,

I was thinking more about possible collaborations between interested OWASP
Foundation projects and NIST Cloud Computing Forensic Science Working
Group: http://www.nist.gov/itl/itl-cloud-computing-forensic-science.cfm

Your questions about social responsibility when developing technologies
that have potential for misuse, or to be weaponized, and putting such
concepts into "security by design-like" and/or "implementing security early
in the development life cycle-like" contexts, could provide interesting
topics for collaborative working group discussions, and/or panel
discussions at future events, i.e.: AppSecUSA, and/or other conferences,
for example.

Best wishes,
Bev


On Sat, May 21, 2016 at 10:51 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Bev asked a question which triggered an idea
>
> >>Why couldn't we think about implementing some types of OWASP forensic
> features into all of our code projects so that we could at least have some
> way to investigate if / when they are misused?
>
> Now, when she said that I thought: why does ZAP not implement a feature that
> already exists in SaaS products which REQUIRES that you set a file in the
> hosting application beforehand in order to be able to pen test it? If the file
> is not found on the URL domain server hosting the application, you cannot
> attack it.
>
> I don't want to advertise which commercial vendors do that but this is the
> way they avoid hackers going and misusing their services.
>
> Building a module into ZAP that requires this file first to verify you own
> the web app and only then attack will make it harder for hackers to just
> download and use ZAP for evil purposes.
>
> I know the project is open source and a hacker can go and modify the
> module but that will be more work for him and will deter the lazy hackers
> or the ones without Java knowledge and resources; they would do better to
> move to another tool without this feature.
>
> This way we are helping the white hats and not the black ones. It's not the
> final solution but I think in this way OWASP builds breakers attempting to
> also help application security.
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
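The ownership check Johanna describes (a scanner refuses to run until it finds a file containing a token you were given at the target's origin) can be sketched as an added example. This is illustrative code written for this archive page, not ZAP code or any vendor's implementation; the path `/.well-known/owasp-scan-verify.txt`, the function names, and the fake in-memory "hosted files" are all assumptions made up here so the check can be exercised offline.

```python
"""Proof-of-ownership gate for a web scanner (illustrative, not ZAP code).

Flow:
  1. The scanner issues the user a random token (new_verification_token).
  2. The user places that token in a file at a fixed path on the target origin.
  3. Before scanning, the scanner fetches that path over the target's own
     origin and compares the body with the token. No match, no scan.
"""
import hmac
import secrets
import urllib.request
from urllib.parse import urljoin

# Assumed path; a real tool would document its own well-known location.
VERIFY_PATH = "/.well-known/owasp-scan-verify.txt"


def new_verification_token(nbytes: int = 32) -> str:
    """Return an unguessable token the user must host at VERIFY_PATH."""
    return secrets.token_hex(nbytes)


def http_fetch(url: str, timeout: float = 10.0) -> tuple[int, str]:
    """Real fetcher: GET the URL and return (status, body). Not used in tests."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # noqa: S310
        return resp.status, resp.read().decode("utf-8", errors="replace")


def verify_ownership(target_base_url: str, expected_token: str, fetch=http_fetch) -> bool:
    """True only if VERIFY_PATH on the target origin serves exactly the token.

    `fetch(url) -> (status, body)` is injectable so the check can be tested
    without network access. Any error (DNS failure, 404, TLS error) means
    "not verified"; the comparison is constant-time to avoid leaking the token.
    """
    url = urljoin(target_base_url, VERIFY_PATH)
    try:
        status, body = fetch(url)
    except Exception:
        return False
    if status != 200:
        return False
    return hmac.compare_digest(body.strip(), expected_token)


def scan_if_verified(target_base_url: str, token: str, fetch, scan):
    """Gate `scan(target)` behind the ownership check."""
    if not verify_ownership(target_base_url, token, fetch):
        raise PermissionError(
            f"{target_base_url}: verification file not found at {VERIFY_PATH} "
            "or token mismatch; scan refused"
        )
    return scan(target_base_url)


# --- constructed, offline stand-in for the target web server -----------------
def make_fake_fetch(hosted_files: dict[str, str]):
    """Return a fetch() that serves only the URLs in `hosted_files` (constructed data)."""
    def fetch(url: str) -> tuple[int, str]:
        if url in hosted_files:
            return 200, hosted_files[url]
        return 404, "Not Found"
    return fetch


def demo() -> dict[str, bool]:
    """Run the gate against three constructed targets and report outcomes."""
    token = new_verification_token()
    owned = "https://app.example"          # user hosted the right token
    wrong = "https://other.example"        # someone hosted a different token
    missing = "https://victim.example"     # no verification file at all
    fetch = make_fake_fetch({
        owned + VERIFY_PATH: token + "\n",
        wrong + VERIFY_PATH: "deadbeef",
    })
    results = {}
    for target in (owned, wrong, missing):
        try:
            scan_if_verified(target, token, fetch, lambda t: f"scanned {t}")
            results[target] = True
        except PermissionError:
            results[target] = False
    return results


if __name__ == "__main__":
    for target, allowed in demo().items():
        print(f"{target}: {'scan allowed' if allowed else 'scan refused'}")
```

The fetch is deliberately made against the target's own origin rather than a URL the user types in, so the file proves control of that host; the trailing newline is stripped because most editors add one, and `hmac.compare_digest` is used so timing does not reveal how much of the token matched. As Johanna notes, this only raises the bar for someone unwilling to patch the open-source module; it is a friction control, not a hard boundary.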