[Owasp-leaders] Bring balance: force verification in scanning tools

Liam Smit liam.smit at gmail.com
Mon May 23 20:27:33 UTC 2016

Hi Johanna

On Mon, May 23, 2016 at 9:31 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> >> There is nothing stopping defenders from using "attacking" tools to
> >> secure their networks, servers, etc. After all we all port scan and
> >> vulnerability scan our infrastructure, right?
>
> Hi Liam
> I can see the majority of the people answering are pen testers. I'm a
> developer that learned pen testing to so-called 'secure' apps.

I'm not a pen tester. How does one see that people are pen testers?

> It all depends on the technology and system. You find the holes but this
> per se does not fix them or, even worse, makes you realise that if the
> developer knew how to code securely from the beginning a lot of headaches
> could have been avoided.

I'd agree that secure coding practices help prevent many vulnerabilities.

> Recently I tested a .NET app built using 3.5 SP1 and no master pages or
> MVC (available in 4+). The so-called 'ViewState' did not help against CSRF.
> In fact the developer has to rebuild the whole thing using MVC + .NET 4.0 if
> he wants to protect this properly.
> Is it feasible at this point? Nope. Will the company release the code even
> with the issue? Yep.
> Pen testing only helps find the holes. Fixing them is another
> story. Hacking tools don't help you 'secure' applications. They only help
> you verify the security built by them.

If you don't know about the holes you can't patch them, migrate to newer
system libraries, disable certain functionality, firewall off or air gap
vulnerable systems, switch to another product, etc.


I like to view things from the perspective of the customer or end user.
Their personal, sensitive, business, etc. data is at risk. They deserve to
know the risk that they or their organisation are running by using a
particular (software) product. I'm in favour of any tool that allows them
to more accurately assess their risk. Whether they run it themselves or
pay someone to do it doesn't matter. The same applies to code audits, secure
development practices, etc.
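The thread above contrasts a form-integrity field that did not stop CSRF with a protection the developer still has to build. As an added illustration (not code from either poster, and not ASP.NET's own ViewState implementation), the following Python models the difference in a simplified way: a token derived only from the form's identity can be reproduced by any site, whereas a synchronizer token keyed to the victim's session cannot. The secret, session ids and form dictionaries are constructed here for the example.

```python
import hashlib
import hmac
import secrets
from typing import Mapping, Optional

# Assumption: a per-process secret generated at start-up (constructed for this example).
SERVER_SECRET = secrets.token_bytes(32)


def form_only_token(form_name: str) -> str:
    """Simplified model of an integrity field that depends only on the form,
    not on who is submitting it. Anyone who knows the form name can compute it,
    so a cross-site request carrying it passes the check."""
    return hashlib.sha256(form_name.encode()).hexdigest()


def check_form_only(form_name: str, submitted: Optional[str]) -> bool:
    if submitted is None:
        return False
    return hmac.compare_digest(form_only_token(form_name), submitted)


def issue_token(session_id: str) -> str:
    """Synchronizer token: an HMAC over the session id with a server secret.
    A third-party page cannot derive it without the secret, and the token is
    only accepted together with the matching session cookie."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_request(session_id: str, submitted: Optional[str]) -> bool:
    if not submitted:
        return False
    # Constant-time comparison avoids leaking which prefix of the token matched.
    return hmac.compare_digest(issue_token(session_id), submitted)


def handle_post(form: Mapping[str, str], cookies: Mapping[str, str]) -> int:
    """Minimal request handler returning an HTTP status code:
    401 without a session, 403 when the token does not match the session, else 200."""
    session_id = cookies.get("session")
    if session_id is None:
        return 401
    if not verify_request(session_id, form.get("csrf_token")):
        return 403
    return 200


if __name__ == "__main__":
    # A forged submission reusing the form-only field is accepted...
    print("form-only field accepted from any origin:",
          check_form_only("transfer", form_only_token("transfer")))
    # ...while a session-bound token from one session is rejected for another.
    print("session-bound token for another session:",
          handle_post({"csrf_token": issue_token("victim")}, {"session": "attacker"}))
```

The point the thread makes is that a scanner can show the first check passing for a forged request, but only the application change (the second check, or its framework equivalent) removes the weakness.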

