[Owasp-leaders] Bring balance: force verification in scanning tools

Mario Robles mario.robles at owasp.org
Tue May 24 01:52:36 UTC 2016

"Hacking tools" find the bad stuff; the pentester should include how to fix
it in the report and later meet with the development team to guide
them on how to fix the issues.

I prefer the ZAP team focusing on how to find more stuff rather than spending
time on generic remediation steps that will most likely be different for
every issue on every development project; that's a complaint developers
have about generic reports, right?

If the dev team is committed to security, then they use tools made for
prevention directly in their IDE; ZAP is made for detection in case their
prevention was not enough.


# Please excuse any typos as this was sent from a mobile device

On 23 May 2016, at 1:33 p.m., johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> There is nothing stopping defenders from using "attacking" tools to
> secure their networks, servers, etc. After all we all port scan and
> vulnerability scan our infrastructure, right?

Hi Liam

I can see the majority of the people answering are pen testers. I'm a developer
who learned pen testing to so-called 'secure' apps.

It all depends on the technology and system. You find the holes, but this
per se does not fix them, or even worse, makes you realise that if the
developer had known how to code securely from the beginning a lot of headaches
could have been avoided.

Recently I tested a .NET app built using 3.5 SP1 and no master pages or
MVC (available in 4+). The so-called 'ViewState' did not help against CSRF.
In fact the developer has to rebuild the whole thing using MVC + .NET 4.0 if
he wants to protect this properly.

Is it feasible at this point? Nope. Will the company release the code even
with the issue? Yep.

Pen testing only helps find the holes. Fixing them is another
story. Hacking tools don't help you 'secure' applications. They only help
you verify the security built by them.

Another anecdote. I used to work as an RPG developer for a legacy AS/400
banking system. The whole thing works with CGI (yikes!)
The pen tester found a CSRF attack. The architect said: prove it. Then the
bug headache came: how to fix this?
Yes, it was a headache to fix and it did not happen immediately. In fact
that architect 'hates' pen testers... 😜

I think we should stop this discussion.

I think I'm starting a survey just to check how many of you work on defending
applications, I mean *patching, fixing vulnerabilities in code*, so I
can verify whether I'm the only developer in OWASP trying to defend
applications and whether I'm alone among pen testers...

Then I'm definitely in the wrong community 😁



On Mon, May 23, 2016 at 2:49 PM, Liam Smit <liam.smit at gmail.com> wrote:

> Hi Simon
> ZAP needs to be as effective as possible at finding vulnerabilities.
> Hobbling it by making it easier to detect makes it less effective. E.g.
> some vendor's firewall detects the scan and blocks it. When the actual
> exploit comes along it is not detected and the application is compromised.
> The better it is at detecting vulnerabilities the better it can be used by
> defenders to plug the holes. There is nothing stopping defenders from using
> "attacking" tools to secure their networks, servers, etc. After all we all
> port scan and vulnerability scan our infrastructure, right?
> Regards,
> Liam

Johanna Curiel
OWASP Volunteer

OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
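The anecdote above turns on a point worth seeing in code: a ViewState-style blob carries a server MAC, so it proves the server produced it, but on its own it is not tied to the user who submits it, which is why it does not stop CSRF. The following is an added example written for this page, not code from the thread, from ZAP or from any .NET project. It is a generic Python model, not ASP.NET: the handler names, the `__VIEWSTATE` field layout, the `csrf_token` field and the server secret are all constructed for illustration. It shows a captured ViewState replayed in a forged request passing the integrity check, and the same request failing once a per-session synchronizer token is also required.

```python
import hashlib
import hmac
import json
import secrets

# Constructed server secret; stands in for the application's machine key (assumption).
SERVER_KEY = b"constructed-server-secret-for-demo"


def sign(payload: bytes) -> str:
    """HMAC-SHA256 over the serialized page state, hex encoded."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def make_viewstate(fields: dict) -> str:
    """Integrity-protected page state that is NOT bound to any user.

    Models a ViewState-style blob: the MAC proves the server produced it,
    not that it belongs to the submitting user's session.
    """
    payload = json.dumps(fields, sort_keys=True).encode()
    return payload.hex() + "." + sign(payload)


def viewstate_valid(viewstate: str) -> bool:
    """Accept the blob only if its MAC verifies; tampered or malformed blobs fail."""
    try:
        payload_hex, mac = viewstate.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return False
    return hmac.compare_digest(sign(payload), mac)


class Session:
    """Per-user server-side session; the browser sends its id as a cookie automatically."""

    def __init__(self) -> None:
        self.id = secrets.token_hex(8)
        self.csrf_token = secrets.token_hex(16)  # synchronizer token, unique per session


def transfer_viewstate_only(session: Session, form: dict) -> str:
    """Vulnerable handler: any request carrying a well-formed ViewState is processed."""
    if not viewstate_valid(form.get("__VIEWSTATE", "")):
        return "rejected: bad viewstate"
    return f"transferred {form['amount']} to {form['to']} from session {session.id}"


def transfer_with_token(session: Session, form: dict) -> str:
    """Hardened handler: also requires the token that only the victim's own page carries."""
    if not viewstate_valid(form.get("__VIEWSTATE", "")):
        return "rejected: bad viewstate"
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return "rejected: csrf token mismatch"
    return f"transferred {form['amount']} to {form['to']} from session {session.id}"


def simulate() -> dict:
    """Constructed scenario: attacker-captured ViewState replayed against the victim's session."""
    victim = Session()
    attacker = Session()

    # 1. The attacker loads the transfer page in their OWN browser and copies the
    #    server-issued ViewState; it validates for anyone because it is not user-bound.
    captured_viewstate = make_viewstate({"page": "transfer.aspx", "step": 1})

    # 2. The attacker embeds it in an auto-submitting form on a site the victim visits.
    #    The victim's browser attaches the victim's cookie, so the server dispatches
    #    the request under `victim`; the only token the attacker can supply is their own.
    forged_form = {
        "__VIEWSTATE": captured_viewstate,
        "amount": "1000",
        "to": "attacker-account",
        "csrf_token": attacker.csrf_token,
    }

    # 3. A genuine submission from the victim's own rendered page carries the victim's token.
    genuine_form = dict(forged_form, to="utility-bill", csrf_token=victim.csrf_token)

    # 4. A blob whose MAC was altered in transit must fail the integrity check.
    tampered_form = dict(genuine_form, __VIEWSTATE=captured_viewstate[:-2] + "zz")

    return {
        "forged_viewstate_only": transfer_viewstate_only(victim, forged_form),
        "forged_with_token": transfer_with_token(victim, forged_form),
        "genuine_with_token": transfer_with_token(victim, genuine_form),
        "tampered_viewstate": transfer_with_token(victim, tampered_form),
    }


if __name__ == "__main__":
    for case, outcome in simulate().items():
        print(f"{case}: {outcome}")
```

The MAC check alone lets the forged transfer through because nothing in the blob names the session that submitted it; the token check fails it because the attacker cannot read the victim's token. In ASP.NET Web Forms the comparable fix is binding ViewState to the user by setting `Page.ViewStateUserKey` to a per-session value, so a blob captured in one session fails validation in another; the model keeps the two checks as separate functions so the difference is visible.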