[Owasp-leaders] Bring balance: force verification in scanning tools

johanna curiel curiel johanna.curiel at owasp.org
Mon May 23 16:51:11 UTC 2016


>>Don't put too much faith in any infosec stat.
Would we agree at least that data breaches are rising and not decreasing?

My question was an ethical one:
*Do creators of hacking tools feel any remorse regarding their tools being
misused?*
*Do they feel they should take some responsibility by making the misuse
more difficult?*

The answer is sound and clear.

Comparing hacking tools to screwdrivers or unsafe cars is like comparing
apples with oranges.
Google and LinkedIn are used for hacking, but Google was not built to
hack; ZAP was.

Now you had better compare that to guns. Guns
<http://science.howstuffworks.com/innovation/inventions/who-invented-the-first-gun.htm>
were built to kill.
Do gun producers feel any remorse about their creations? How they are used
or misused?
We can say guns defend us, but they are also to blame for murders worldwide.

Unsafe cars are called back to return and producers get sued if people get
killed because of them.
http://www.bankrate.com/finance/auto/the-8-most-infamous-car-recalls-in-history-1.aspx

>>Hackers use tools developed for Security Pros. Security Pros use tools
developed for hackers

@Tony, could you provide me with a list of tools developed by hackers?
So far the list <http://pastebin.com/raw/GPSHF04A> Phineas provided had all
offensive security tools built by 'Security Pros' 😝.
And his nice video contained a nice display using offensive security tools
only.

*>>In the end I feel that this discussion is a bit like the dilemma
that Alfred Nobel had in regards to dynamite. Perhaps we as OWASP can
find another way to help/promote security to become more mainstream. I
am hopeful that with this discussion we can find this way forward.*

YES. @Steven, to me, you couldn't be more right.
If we keep on thinking like we are, focusing on the same old, nothing will
change and hackers will keep on using offensive 'security' tools to
compromise systems.

You might all want to read this research and the Washington post article
and think a little more regarding the core of the discussion.

*In this paper I'll evaluate how some of the most popular security tools
are intended to be used, how they have or may be used in sinister ways, and
how the risks associated with them may be mitigated (If I am able to
determine that in my research). *

https://sever.wustl.edu/degreeprograms/cyber-security-management/SiteAssets/DENTON%20FINAL%20PAPER%20Security%20Tools%20v5%207-27-15.pdf

https://www.washingtonpost.com/postlive/the-ethics-of-hacking-101/2014/10/07/39529518-4014-11e4-b0ea-8141703bbf6f_story.html


P.S.: ZAP is an awesome tool, whether it is used for evil or good. But let's not
deny it, it is being used for evil too.

On Mon, May 23, 2016 at 11:11 AM, Timothy D. Morgan <tim.morgan at owasp.org>
wrote:

>
> > The stats regarding data breaches are uprise. Why? Now more than ever,
> > there are more data breaches and for what the data and stats tells me is
> > what ever is happening, we don't do enough or we do the wrong things to
> > help appsec security.
>
> Don't put too much faith in any infosec stat.  When you look hard at how the
> data is collected, you quickly realize it is the tip of the tip of the tip of
> an iceberg.  There's huge room for bias in the collection.  It's easy to ask
> for more data, but getting *good* data of the *kind we want* is usually
> impossible.  After all, those that have the most knowledge of breaches are the
> intruders, not the defenders, and they usually aren't very forthcoming.
>
> tim
>


-- 
Johanna Curiel
OWASP Volunteer