[Owasp-leaders] Bring balance: force verification in scanning tools

johanna curiel curiel johanna.curiel at owasp.org
Mon May 23 21:16:09 UTC 2016


Agree with all you mentioned

But all of these are after-the-fact measurements.

The real issue I see is that people building systems know so little about
how to program and implement secure coding strategies.

Pen testing is one of them, but we need to focus more on developers and less
on building pen testing tools.

Less this:
https://twitter.com/pencilsareneat/status/724711158863790084
https://twitter.com/davidrook/status/715109247202246656

More this: It's all about coders
https://www.youtube.com/watch?v=fi44mL7mcq0


On Mon, May 23, 2016 at 4:27 PM, Liam Smit <liam.smit at gmail.com> wrote:

> Hi Johanna
>
> On Mon, May 23, 2016 at 9:31 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> >>There is nothing stopping defenders from using "attacking" tools to
>> secure their networks, servers, etc. After all we all port scan and
>> vulnerability scan our infrastructure, right?
>>
>> Hi Liam
>>
>> I can see the majority of the people answering are pen testers. I'm a
>> developer who learned pen testing to so-called 'secure' apps.
>>
>
> I'm not a pen tester. How does one see that people are pen testers?
>
>
>> It all depends on the technology and system. You find the holes, but this
>> per se does not fix them, or, even worse, it makes you realise that if the
>> developer had known how to code securely from the beginning a lot of
>> headaches could have been avoided.
>>
>
> I'd agree that secure coding practices help prevent many vulnerabilities.
>
>
>> Recently I tested a .NET app built using 3.5 SP1 and no master pages or
>> MVC (available in 4+). The so-called 'ViewState' did not help against CSRF.
>> In fact the developer has to rebuild the whole thing using MVC + .NET 4.0 if
>> he wants to protect this properly.
>>
>> Is it feasible at this point? Nope. Will the company release the code
>> even with the issue? Yep.
>>
>> Pen testing only helps find the holes. Fixing them is another
>> story. Hacking tools don't help you 'secure' applications. They only help
>> you verify the security built by them.
>>
>
> If you don't know about the holes you can't patch them, migrate to newer
> system libraries, disable certain functionality, firewall off or air gap
> vulnerable systems, switch to another product, etc.
>
> <snip>
>
>
> I like to view things from the perspective of the customer or end user.
> Their personal, sensitive, business, etc. data is at risk. They deserve to
> know the risk that they or their organisation are running by using a
> particular (software) product. I'm in favour of any tool that allows them
> to more accurately assess their risk. Whether they run it themselves or
> pay someone to do it doesn't matter. The same applies to code audits, secure
> development practices, etc.
>
>
> Regards,
>
> Liam
>



-- 
Johanna Curiel
OWASP Volunteer
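The ViewState point in the quoted exchange deserves a concrete illustration. The simulation below is an added example, not code from the thread or from ASP.NET: it models, in Python rather than .NET, why a MAC-protected ViewState alone does not stop CSRF (the MAC binds the state to the server key, not to the user submitting it, so a copy taken from any session validates) and why a token bound to the victim's session does. The server key, session ids and form values are constructed for the demo; the per-session binding is the idea behind ASP.NET WebForms' ViewStateUserKey and ASP.NET MVC's anti-forgery token, but the code here is not either implementation.

```python
import hashlib
import hmac

# Constructed demo secret standing in for the server's machineKey; not a real key.
SERVER_KEY = b"constructed-demo-machine-key"


def mac_viewstate(viewstate: bytes) -> bytes:
    """Integrity-protect opaque page state with an HMAC, as MAC-enabled ViewState does.
    The tag proves the state was minted by this server; it says nothing about
    which user's browser will later submit it."""
    tag = hmac.new(SERVER_KEY, viewstate, hashlib.sha256).hexdigest().encode()
    return viewstate + b"." + tag


def viewstate_is_valid(blob: bytes) -> bool:
    """Check the HMAC tag; rejects tampering, but accepts any genuine copy."""
    state, sep, tag = blob.rpartition(b".")
    if not sep:
        return False
    expected = hmac.new(SERVER_KEY, state, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(tag, expected)


def issue_csrf_token(session_id: str) -> str:
    """Token derived from the session id, so a token copied from another
    session fails when presented with the victim's cookies (constructed scheme)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_is_valid(session_id: str, token: str) -> bool:
    return hmac.compare_digest(token, issue_csrf_token(session_id))


def handle_post(form: dict, session_id: str, require_csrf_token: bool) -> str:
    """Simulated form handler: returns 'accepted' or the reason for rejection.
    session_id is what the server derives from the submitting browser's cookie."""
    if not viewstate_is_valid(form.get("__VIEWSTATE", b"")):
        return "rejected: viewstate tampered"
    if require_csrf_token and not csrf_token_is_valid(session_id, form.get("__CSRF", "")):
        return "rejected: token not bound to this session"
    return "accepted"


def scenario():
    """Replay a genuine ViewState from one session into a request that carries
    another session's cookies, with and without session-bound token checking."""
    victim_session = "victim-session-constructed"
    attacker_session = "attacker-session-constructed"

    # A genuine, MAC'd ViewState obtained from the attacker's own session and
    # embedded in a cross-site form; the victim's browser submits it with the
    # victim's cookies, so the server sees victim_session.
    replayed = {"__VIEWSTATE": mac_viewstate(b"transfer=attacker;amount=1000")}

    # MAC alone: the copy is genuine, so it passes.
    mac_only = handle_post(replayed, victim_session, require_csrf_token=False)

    # Session-bound token: the only token available came from the attacker's
    # session, so it does not match the victim's session and the post is refused.
    replayed_with_token = dict(replayed, __CSRF=issue_csrf_token(attacker_session))
    with_token = handle_post(replayed_with_token, victim_session, require_csrf_token=True)

    # Tampering with the state itself is still caught by the MAC in both modes.
    tampered = {"__VIEWSTATE": b"transfer=attacker;amount=999999.deadbeef"}
    tampered_result = handle_post(tampered, victim_session, require_csrf_token=False)

    return mac_only, with_token, tampered_result


if __name__ == "__main__":
    for label, result in zip(("MAC only", "session-bound token", "tampered state"), scenario()):
        print(f"{label}: {result}")
```

The takeaway for a defender reviewing a WebForms or MVC application is to check for the session binding, not just for the presence of `__VIEWSTATE` in the form: an integrity check on server-minted state answers "was this forged?", while CSRF defence needs to answer "did this request come from the user whose cookies accompany it?".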