[Owasp-leaders] Bring balance: force verification in scanning tools

Eoin Keary eoin.keary at owasp.org
Tue May 24 13:28:34 UTC 2016


The Internet is evil also. It needs to be banned/restricted!
No Internet == no cyber hackers!!
😀

On Tue, May 24, 2016 at 2:52 AM, Mario Robles <mario.robles at owasp.org>
wrote:

> Hmm
> "Hacking Tools" find the bad stuff; the pentester should include how to
> fix it in the report and later meet with the development team to
> guide them on how to fix the issues.
>
> I prefer the ZAP team focusing on how to find more stuff rather than spending
> time on generic remediation steps that most likely will be different for
> every issue on every development project; that's a complaint developers
> have about generic reports, right?
>
> If the dev team is committed to security then they use tools made for
> prevention directly in their IDE; ZAP is made for detection if their
> prevention was not enough.
>
> :)
>
> Mario
> # Please excuse any typos as this was sent from a mobile device
>
> El 23 may 2016, a las 1:33 p.m., johanna curiel curiel <
> johanna.curiel at owasp.org> escribió:
>
> >>There is nothing stopping defenders from using "attacking" tools to
> secure their networks, servers, etc. After all we all port scan and
> vulnerability scan our infrastructure, right?
>
> Hi Liam
>
> I can see the majority of the people answering are pen testers. I'm a
> developer who learned pen testing to so-called 'secure' apps.
>
> It all depends on the technology and system. You find the holes, but this
> per se does not fix them, or even worse, makes you realise that if the
> developer had known how to code securely from the beginning a lot of headaches
> could have been avoided.
>
> Recently I tested a .NET app built using 3.5 SP1 and no master pages or
> MVC (available in 4+). The so-called 'ViewState' did not help against CSRF.
> In fact the developer has to rebuild the whole thing using MVC + .NET 4.0 if
> he wants to protect this properly.
>
> IS it feasible at this point? Nope. Will the company release the code even
> with the issue? Yep.
>
> Pen testing only helps find the holes. Fixing them is another
> story. Hacking tools don't help you 'secure' applications. They only help
> you verify the security built by them.
>
> Another anecdote. I used to work as an RPG developer for a legacy AS/400
> banking system. The whole thing works with CGI (yikes!)
> The pen tester found a CSRF attack. The architect said: prove it. Then the
> bug headache came: how to fix this?
> Yes, it was a headache to fix and it did not happen immediately. In fact
> that architect 'hates' pen testers...😜
>
> I think we should stop this discussion.
>
> I think I'm starting a survey just to check how many of you work defending
> applications, I mean like *patching, fixing vulnerabilities in code*, so
> I can verify whether I'm the only developer in OWASP trying to defend
> applications and that I'm alone among pen testers...
>
> Then I'm definitely in the wrong community 😁
>
>
> Cheers
>
> Johanna
>
>
>
> On Mon, May 23, 2016 at 2:49 PM, Liam Smit <liam.smit at gmail.com> wrote:
>
>> Hi Simon
>>
>> ZAP needs to be as effective as possible at finding vulnerabilities.
>> Hobbling it by making it easier to detect makes it less effective. E.g.
>> some vendor's firewall detects the scan and blocks it. When the actual
>> exploit comes along it is not detected and the application is compromised.
>>
>> The better it is at detecting vulnerabilities the better it can be used
>> by defenders to plug the holes. There is nothing stopping defenders from
>> using "attacking" tools to secure their networks, servers, etc. After all
>> we all port scan and vulnerability scan our infrastructure, right?
>>
>>
>> Regards,
>>
>> Liam
>>
>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>


-- 
OWASP Volunteer
@eoinkeary
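The CSRF point raised in the quoted messages (a scanner finds a forged request getting through, and the hard part is the fix) in working code. This is an added example, not code from the original thread, from ZAP, or from any of the applications described; the server key, the handler name, the request shape and the session ids are assumptions for illustration. The "unbound" variant models a MAC'd blob that proves the server issued it but not to whom, which is the property that lets a forged request through; the "bound" variant is the synchronizer-token fix, with the MAC covering the victim's session id so a token the attacker obtained for their own session is rejected.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side key; a real deployment loads it from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def _mac(message: str) -> str:
    return hmac.new(SERVER_SECRET, message.encode(), hashlib.sha256).hexdigest()


def _check(expected: str, mac: str) -> bool:
    # Constant-time comparison; both sides as bytes so non-ASCII input cannot raise.
    return bool(mac) and hmac.compare_digest(expected.encode(), mac.encode())


def issue_unbound_token() -> str:
    """'Before': a MAC'd nonce. It proves the server minted it, not for whom,
    so any logged-in user, the attacker included, can obtain one and replay it."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(nonce)}"


def verify_unbound_token(token: str) -> bool:
    nonce, _, mac = token.partition(".")
    return _check(_mac(nonce), mac)


def issue_csrf_token(session_id: str) -> str:
    """'After': synchronizer token whose MAC covers the requesting session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(f'{session_id}:{nonce}')}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    nonce, _, mac = token.partition(".")
    return _check(_mac(f"{session_id}:{nonce}"), mac)


def handle_transfer(request: dict, bound: bool = True) -> str:
    """Hypothetical state-changing endpoint. request = {"session_id": ..., "form": {...}}.
    session_id stands for the session cookie, which the browser attaches to a
    cross-site form post automatically; that automatic cookie is what makes CSRF work."""
    session_id = request["session_id"]
    form = request["form"]
    token = form.get("csrf_token", "")
    ok = verify_csrf_token(session_id, token) if bound else verify_unbound_token(token)
    if not ok:
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: transferred {form['amount']} to {form['to']}"


def forged_request(victim_session: str, attacker_token: str) -> dict:
    """Constructed sample: what a page under the attacker's control can make the
    victim's browser send. The victim's cookie rides along, but the only token the
    attacker knows is one issued to the attacker's own session."""
    return {"session_id": victim_session,
            "form": {"csrf_token": attacker_token, "amount": "1000", "to": "mallory"}}


def demo() -> dict:
    victim, attacker = "sess-victim", "sess-attacker"
    results = {}
    # Unbound token: attacker logs in, takes a token, replays it against the victim.
    results["unbound_forged"] = handle_transfer(
        forged_request(victim, issue_unbound_token()), bound=False)
    # Bound token: the same replay fails because the MAC was computed over the
    # attacker's session id, not the victim's.
    results["bound_forged"] = handle_transfer(
        forged_request(victim, issue_csrf_token(attacker)), bound=True)
    # A legitimate post from the victim's own page still succeeds.
    results["bound_legit"] = handle_transfer(
        {"session_id": victim,
         "form": {"csrf_token": issue_csrf_token(victim), "amount": "10", "to": "alice"}},
        bound=True)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running it shows the unbound forged transfer being accepted and the bound one rejected while the victim's own post still goes through. The design choice is that the token is bound to the session, so it only needs to be unguessable by someone who cannot read the victim's page; the same check is what a scanner's CSRF test is probing for when it replays a captured form from a different session.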

