[Owasp-leaders] Bring balance: force verification in scanning tools

Arturo 'Buanzo' Busleiman buanzo at buanzo.com.ar
Wed May 25 01:45:12 UTC 2016


Agree with Eoin.

I assume all governments have stopped developing airplanes, because they
can be hijacked and used for terrorism?

I cannot believe some of the things I have read in this thread.

Seems we are walking backwards.

On 24 May 2016 10:30 am, "Eoin Keary" <eoin.keary at owasp.org> wrote:

> The Internet is evil also. It needs to be banned/restricted!
> No Internet == no cyber hackers!!
> 😀
>
> On Tue, May 24, 2016 at 2:52 AM, Mario Robles <mario.robles at owasp.org>
> wrote:
>
>> Hmm
>> "Hacking Tools" find the bad stuff; the pentester should include how to
>> fix it in the report and later meet with the development team to
>> guide them on how to fix the issues.
>>
>> I prefer the ZAP team focusing on how to find more stuff rather than spending
>> time on generic remediation steps that most likely will be different for
>> every issue on every development project. That's a complaint developers
>> have about generic reports, right?
>>
>> If the dev team is committed to security then they use tools made for
>> prevention directly in their IDE; ZAP is made for detection if their
>> prevention was not enough.
>>
>> :)
>>
>> Mario
>> # Please excuse any typos as this was sent from a mobile device
>>
>> On 23 May 2016, at 1:33 p.m., johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>> > There is nothing stopping defenders from using "attacking" tools to
>> > secure their networks, servers, etc. After all we all port scan and
>> > vulnerability scan our infrastructure, right?
>>
>> Hi Liam
>>
>> I can see the majority of the people answering are pen testers. I'm a
>> developer who learned pen testing to so-called 'secure' apps.
>>
>> It all depends on the technology and system. You find the holes, but this
>> per se does not fix them or, even worse, makes you realise that if the
>> developer knew how to code securely from the beginning a lot of headaches
>> could have been avoided.
>>
>> Recently I tested a .NET app built using 3.5 SP1 and no master pages or
>> MVC (available in +4). The so-called 'ViewState' did not help against CSRF.
>> In fact the developer has to rebuild the whole thing using MVC + .NET 4.0 if
>> he wants to protect this properly.
>>
>> Is it feasible at this point? Nope. Will the company release the code
>> even with the issue? Yep.
>>
>> Pen testing only helps find the holes. Fixing them is another
>> story. Hacking tools don't help you 'secure' applications. They only help
>> you verify the security built by them.
>>
>> Another anecdote. I used to work as an RPG developer for a legacy AS/400
>> banking system. The whole thing works with CGI (yikes!)
>> The pen tester found a CSRF attack. The architect said: prove it. Then
>> the bug headache came: how to fix this?
>> Yes, it was a headache to fix and it did not happen immediately. In fact
>> that architect 'hates' pen testers...😜
>>
>> I think we should stop this discussion.
>>
>> I think I'm starting a survey just to check how many of you work
>> defending applications, I mean like *patching, fixing vulnerabilities in
>> code*, so I can verify whether I'm the only developer in OWASP trying to
>> defend applications and that I'm alone among pen testers...
>>
>> Then I'm definitely in the wrong community 😁
>>
>>
>> Cheers
>>
>> Johanna
>>
>>
>>
>> On Mon, May 23, 2016 at 2:49 PM, Liam Smit <liam.smit at gmail.com> wrote:
>>
>>> Hi Simon
>>>
>>> ZAP needs to be as effective as possible at finding vulnerabilities.
>>> Hobbling it by making it easier to detect makes it less effective. E.g.
>>> some vendor's firewall detects the scan and blocks it. When the actual
>>> exploit comes along it is not detected and the application is compromised.
>>>
>>> The better it is at detecting vulnerabilities the better it can be used
>>> by defenders to plug the holes. There is nothing stopping defenders from
>>> using "attacking" tools to secure their networks, servers, etc. After all
>>> we all port scan and vulnerability scan our infrastructure, right?
>>>
>>>
>>> Regards,
>>>
>>> Liam
>>>
>>
>>
>>
>> --
>> Johanna Curiel
>> OWASP Volunteer
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
>
> --
> OWASP Volunteer
> @eoinkeary
>
>