[Owasp-leaders] Bring balance: force verification in scanning tools

Ali Razmjoo ali.razmjoo at owasp.org
Mon May 23 18:38:55 UTC 2016


Hi everyone,

It's definitely not a good idea to add a verification in ZAP; I don't think
OWASP should be responsible for the usage of scanners.

Also, I don't think that users would like this either.
On May 23, 2016 10:21 PM, "johanna curiel curiel" <johanna.curiel at owasp.org>
wrote:

> >>You ask which tools were created by hackers? All of them. None of them.
> Take your pick.
> Actually the list is empty to me, since all the open source hacking
> tools I know are built by 'security pros' so far.
> Except malware. Exploit kits are for sale on the onion and you have to pay
> for them.
>
>
> >>This is a pointless conversation as eventually you will be talking
> about how you could suffocate someone by cramming bandages down their
> throat.
>
> >>You can use anything for evil.
> Yes, but there are tools built with a purpose in mind. Like ZAP, which was
> built to hack.
> A screwdriver was not built to kill, neither were bandages.
>
> The question and subject of this email was to add a verification to ZAP.
> Simon responded that he will not and gave his reasons.
> Some people went into discussing why that's not a good idea.
>
> That is the answer I was looking for, whether or not you find it a
> pointless conversation.
>
> On Mon, May 23, 2016 at 1:36 PM, Tony Turner <tony.turner at owasp.org>
> wrote:
>
>> You can use anything for evil. This is a pointless conversation as
>> eventually you will be talking about how you could suffocate someone by
>> cramming bandages down their throat.
>>
>> You ask which tools were created by hackers? All of them. None of them.
>> Take your pick. There's a very fine line between a hacker and a security
>> pro. It's just a word. My point is it doesn't matter. Look at
>> http://www.l0phtcrack.com/ - Today it's a security tool, but it was not
>> always considered as such.
>>
>> On Mon, May 23, 2016 at 12:51 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> >>Don't put too much faith in any infosec stat.
>>> Would we agree at least that data breaches are rising and not
>>> decreasing?
>>>
>>> My question was an ethical one:
>>> *Do creators of hacking tools feel any remorse regarding their tools
>>> being misused?*
>>> *Do they feel they should take some responsibility by making the misuse
>>> more difficult?*
>>>
>>> The answer is sound and clear.
>>>
>>> Comparing hacking tools to screwdrivers or unsafe cars is like
>>> comparing apples with oranges.
>>> Google and LinkedIn are used for hacking, but Google was not built to
>>> hack, ZAP was.
>>>
>>> Now you'd better compare that to guns. Guns
>>> <http://science.howstuffworks.com/innovation/inventions/who-invented-the-first-gun.htm>
>>> were built to kill.
>>> Do gun producers feel any remorse about their creations? How they are
>>> used or misused?
>>> We can say guns defend us, but they are also to blame for murders
>>> worldwide.
>>>
>>> Unsafe cars are recalled and producers get sued if people
>>> get killed because of them.
>>>
>>> http://www.bankrate.com/finance/auto/the-8-most-infamous-car-recalls-in-history-1.aspx
>>>
>>> >>Hackers use tools developed for Security Pros. Security Pros use
>>> tools developed for hackers
>>>
>>> @Tony, could you provide me a list of tools developed by hackers?
>>> So far the list <http://pastebin.com/raw/GPSHF04A> Phineas provided had
>>> all offensive security tools built by 'Security Pros' 😝.
>>> And his nice video contained a nice display using offensive security
>>> tools only.
>>>
>>> *>>In the end I feel that this discussion is a bit like the dilemma
>>> that Alfred Nobel had in regards to dynamite. Perhaps we as OWASP can
>>> find another way in help/promote security to become more mainstream. I
>>> am hopeful that with this discussion we can find this way forward.*
>>>
>>> YES. @Steven, to me, you couldn't be more right.
>>> If we keep on thinking like we are, focusing on the same old, nothing will
>>> change and hackers will keep on using offensive 'security' tools to
>>> compromise systems.
>>>
>>> You might all want to read this research and the Washington post article
>>> and think a little more regarding the core of the discussion.
>>>
>>> *In this paper I'll evaluate how some of the most popular security tools
>>> are intended to be used, how they have or may be used in sinister ways, and
>>> how the risks associated with them may be mitigated (if I am able to
>>> determine that in my research).*
>>>
>>>
>>> https://sever.wustl.edu/degreeprograms/cyber-security-management/SiteAssets/DENTON%20FINAL%20PAPER%20Security%20Tools%20v5%207-27-15.pdf
>>>
>>>
>>> https://www.washingtonpost.com/postlive/the-ethics-of-hacking-101/2014/10/07/39529518-4014-11e4-b0ea-8141703bbf6f_story.html
>>>
>>>
>>> P.S.: ZAP is an awesome tool, whether it is used for evil or good. But let's
>>> not deny it, it is being used for evil too.
>>>
>>> On Mon, May 23, 2016 at 11:11 AM, Timothy D. Morgan <
>>> tim.morgan at owasp.org> wrote:
>>>
>>>>
>>>> > The stats regarding data breaches are on the rise. Why? Now more than
>>>> > ever, there are more data breaches, and what the data and stats tell me
>>>> > is that whatever is happening, we don't do enough or we do the wrong
>>>> > things to help appsec security.
>>>>
>>>> Don't put too much faith in any infosec stat.  When you look hard at
>>>> how the data is collected, you quickly realize it is the tip of the tip
>>>> of the tip of an iceberg.  There's huge room for bias in the collection.
>>>> It's easy to ask for more data, but getting *good* data of the *kind we
>>>> want* is usually impossible.  After all, those that have the most
>>>> knowledge of breaches are the intruders, not the defenders, and they
>>>> usually aren't very forthcoming.
>>>>
>>>> tim
>>>>
>>>
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>>
>> --
>> Tony Turner
>> OWASP Orlando Chapter Founder/Co-Leader
>> WAFEC Project Leader
>> STING Game Project Leader
>> tony.turner at owasp.org
>> https://www.owasp.org/index.php/Orlando
>>
>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>