[Owasp-leaders] Bring balance: force verification in scanning tools

Gregory Disney gregory.disney at owasp.org
Tue May 24 23:43:23 UTC 2016


This is just silly. Black hats happen; accept it's part of the ecosystem
and move on.

On Tuesday, May 24, 2016, johanna curiel curiel <johanna.curiel at owasp.org>
wrote:

> >>I just don't worry about such things.
>
> All that is necessary for evil to succeed is that good men do nothing.
> <http://www.wisdomquotes.com/quote/edmund-burke-1.html>
> - Edmund Burke
>
> On Tue, May 24, 2016 at 5:22 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>
>> Yep,
>> You can't ban anything, it's the Internet.
>> Anything overused, consumed or abused can be bad.
>> I just don't worry about such things.
>>
>>
>> Eoin Keary
>> OWASP Volunteer
>> @eoinkeary
>>
>>
>>
>> On 24 May 2016, at 21:54, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>
>> Eoin
>>
>> I think you got my point. Setting restrictions like verification is not
>> the final solution, but I wonder what will happen because, whether you like
>> it or not, it makes it more difficult for everyone to use it; however, if you
>> are a white hat, you will verify. Black hats will definitely move to
>> another tool rather than go and adapt it.
>>
>>
>> For those who have not seen the video and read Phineas' hacking
>> instructions, I highly recommend it:
>>
>> https://tune.pk/video/6528544/hack
>>
>> BTW: You can use it as a learning video 😝
>> I call this lesson:
>> *Angels and Demons: Do bad things using ZAP*
>>  for the good reasons (if you hate police abuse) 😇
>>  for the bad reason, leaking the entire catalan Union data online 😈 and
>> inviting others to hack back!
>>
>> VOTE ANARCHIST!!!!!!!
>>
>>
>> http://www.nltimes.nl/2015/06/30/riots-in-the-hague-after-aruban-dies-in-police-custody/
>> https://www.youtube.com/watch?v=Zxp2C6yuTao
>>
>> On Tue, May 24, 2016 at 9:28 AM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>
>>> The Internet is evil also. It needs to be banned/restricted!
>>> No Internet == no cyber hackers!!
>>> 😀
>>>
>>> On Tue, May 24, 2016 at 2:52 AM, Mario Robles <mario.robles at owasp.org> wrote:
>>>
>>>> Hmm
>>>> "Hacking tools" find the bad stuff; the pentester should include how to
>>>> fix it in the report and later meet with the development team to
>>>> guide them on how to fix the issues.
>>>>
>>>> I prefer the ZAP team focusing on how to find more stuff rather than
>>>> spending time on generic remediation steps that will most likely be
>>>> different for every issue on every development project; that's a complaint
>>>> developers have about generic reports, right?
>>>>
>>>> If the dev team is committed to security then they use tools made for
>>>> prevention directly in their IDE; ZAP is made for detection if their
>>>> prevention was not enough.
>>>>
>>>> :)
>>>>
>>>> Mario
>>>> # Please excuse any typos as this was sent from a mobile device
>>>>
>>>> On 23 May 2016, at 1:33 p.m., johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>
>>>> >>There is nothing stopping defenders from using "attacking" tools to
>>>> secure their networks, servers, etc. After all we all port scan and
>>>> vulnerability scan our infrastructure, right?
>>>>
>>>> Hi Liam
>>>>
>>>> I can see the majority of the people answering are pen testers. I'm a
>>>> developer that learned pen testing to so-called 'secure' apps.
>>>>
>>>> It all depends on the technology and system. You find the holes, but
>>>> this per se does not fix them or, even worse, makes you realise that if the
>>>> developer knew how to code securely from the beginning a lot of headaches
>>>> could have been avoided.
>>>>
>>>> Recently I tested a .NET app built using 3.5 SP1 and no master pages or
>>>> MVC (available in 4+). The so-called 'ViewState' did not help against CSRF.
>>>> In fact the developer has to rebuild the whole thing using MVC + .NET 4.0 if
>>>> he wants to protect this properly.
>>>>
>>>> Is it feasible at this point? Nope. Will the company release the code
>>>> even with the issue? Yep.
>>>>
>>>> Pen testing only helps find the holes. Fixing them is another
>>>> story. Hacking tools don't help you 'secure' applications. They only help
>>>> you verify the security built by them.
>>>>
>>>> Another anecdote. I used to work as an RPG developer for a legacy AS/400
>>>> banking system. The whole thing works with CGI (yikes!)
>>>> The pen tester found a CSRF attack. The architect said: prove it. Then
>>>> the bug headache came: how to fix this?
>>>> Yes, it was a headache to fix and it did not happen immediately. In
>>>> fact that architect 'hates' pen testers... 😜
>>>>
>>>> I think we should stop this discussion.
>>>>
>>>> I think I'm starting a survey just to check how many of you work
>>>> defending applications, I mean like *patching, fixing vulnerabilities
>>>> in code*, so I might verify if I'm the only developer in OWASP trying
>>>> to defend applications and that I'm alone among pen testers...
>>>>
>>>> Then I'm definitely in the wrong community 😁
>>>>
>>>>
>>>> Cheers
>>>>
>>>> Johanna
>>>>
>>>>
>>>>
>>>> On Mon, May 23, 2016 at 2:49 PM, Liam Smit <liam.smit at gmail.com> wrote:
>>>>
>>>>> Hi Simon
>>>>>
>>>>> ZAP needs to be as effective as possible at finding vulnerabilities.
>>>>> Hobbling it by making it easier to detect makes it less effective. E.g.
>>>>> some vendor's firewall detects the scan and blocks it. When the actual
>>>>> exploit comes along it is not detected and the application is compromised.
>>>>>
>>>>> The better it is at detecting vulnerabilities the better it can be
>>>>> used by defenders to plug the holes. There is nothing stopping defenders
>>>>> from using "attacking" tools to secure their networks, servers, etc. After
>>>>> all we all port scan and vulnerability scan our infrastructure, right?
>>>>>
>>>>>
>>>>> Regards,
>>>>>
>>>>> Liam
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Johanna Curiel
>>>> OWASP Volunteer
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> OWASP Volunteer
>>> @eoinkeary
>>>
>>
>>
>>
>> --
>> Johanna Curiel
>> OWASP Volunteer
>>
>>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>