[Owasp-leaders] Bring balance: force verification in scanning tools

johanna curiel curiel johanna.curiel at owasp.org
Wed May 25 02:31:45 UTC 2016


Hey peeps, I have had enough of your near-insults because

I had the 'silly and stupid, moronic' idea to suggest adding verification to
a HACKING TOOL.

Don't compare planes or screwdrivers with hacking tools; that seems like a very
far-fetched example.

Could we please now move on?

I promise I won't raise any questions anymore.

Thank you for your time and consideration folks

Thank you for spamming the list 😁

Talking about crushing ideas...

On Tue, May 24, 2016 at 9:45 PM, Arturo 'Buanzo' Busleiman <
buanzo at buanzo.com.ar> wrote:

> Agree with Eoin.
>
> I assume all governments have stopped developing airplanes, because they
> can be hijacked and used for terrorism?
>
> I cannot believe some of the things I have read in this thread.
>
> Seems we are walking backwards.
> On 24 May 2016 10:30 am, "Eoin Keary" <eoin.keary at owasp.org> wrote:
>
>> The Internet is evil also. It needs to be banned/restricted!
>> No Internet == no cyber hackers!!
>> 😀
>>
>> On Tue, May 24, 2016 at 2:52 AM, Mario Robles <mario.robles at owasp.org>
>> wrote:
>>
>>> Hmm
>>> "Hacking tools" find the bad stuff; the pentester should include how to
>>> fix it in the report and then later meet with the development team to
>>> guide them on how to fix the issues.
>>>
>>> I prefer the ZAP team focusing on how to find more stuff rather than
>>> spending time on generic remediation steps that will most likely be
>>> different for every issue on every development project; that's a complaint
>>> developers have about generic reports, right?
>>>
>>> If the dev team is committed to security, then they use tools made for
>>> prevention directly in their IDE; ZAP is made for detection if their
>>> prevention was not enough.
>>>
>>> :)
>>>
>>> Mario
>>> # Please excuse any typos as this was sent from a mobile device
>>>
>>> On 23 May 2016, at 1:33 p.m., johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>> >>There is nothing stopping defenders from using "attacking" tools to
>>> secure their networks, servers, etc. After all we all port scan and
>>> vulnerability scan our infrastructure, right?
>>>
>>> Hi Liam
>>>
>>> I can see the majority of the people answering are pen testers. I'm a
>>> developer who learned pen testing to so-called 'secure' apps.
>>>
>>> It all depends on the technology and system. You find the holes, but this
>>> per se does not fix them, or even worse, makes you realise that if the
>>> developer had known how to code securely from the beginning, a lot of
>>> headaches could have been avoided.
>>>
>>> Recently I tested a .NET app built using 3.5 SP1 and no master pages or
>>> MVC (available in 4+). The so-called 'ViewState' did not help against CSRF.
>>> In fact, the developer has to rebuild the whole thing using MVC + .NET 4.0 if
>>> he wants to protect this properly.
>>>
>>> Is it feasible at this point? Nope. Will the company release the code
>>> even with the issue? Yep.
>>>
>>> Pen testing only helps find the holes. Fixing them is another
>>> story. Hacking tools don't help you 'secure' applications. They only help
>>> you verify the security built by them.
>>>
>>> Another anecdote. I used to work as an RPG developer for a legacy AS/400
>>> banking system. The whole thing works with CGI (yikes!).
>>> The pen tester found a CSRF attack. The architect said: prove it. Then
>>> the bug headache came: how to fix this?
>>> Yes, it was a headache to fix and it did not happen immediately. In
>>> fact, that architect 'hates' pen testers...😜
>>>
>>> I think we should stop this discussion.
>>>
>>> I think I'm starting a survey just to check how many of you work
>>> defending applications, I mean like *patching, fixing vulnerabilities
>>> in code*, so I might verify whether I'm the only developer in OWASP trying
>>> to defend applications and whether I'm alone among pen testers...
>>>
>>> Then I'm definitely in the wrong community 😁
>>>
>>>
>>> Cheers
>>>
>>> Johanna
>>>
>>>
>>>
>>> On Mon, May 23, 2016 at 2:49 PM, Liam Smit <liam.smit at gmail.com> wrote:
>>>
>>>> Hi Simon
>>>>
>>>> ZAP needs to be as effective as possible at finding vulnerabilities.
>>>> Hobbling it by making it easier to detect makes it less effective. E.g.
>>>> some vendor's firewall detects the scan and blocks it. When the actual
>>>> exploit comes along it is not detected and the application is compromised.
>>>>
>>>> The better it is at detecting vulnerabilities the better it can be used
>>>> by defenders to plug the holes. There is nothing stopping defenders from
>>>> using "attacking" tools to secure their networks, servers, etc. After all
>>>> we all port scan and vulnerability scan our infrastructure, right?
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Liam
>>>>
>>>
>>>
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>>
>>
>>
>> --
>> OWASP Volunteer
>> @eoinkeary
>>
>>
>


-- 
Johanna Curiel
OWASP Volunteer
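The quoted anecdote about ViewState and CSRF turns on one property: a request-forgery defence only works if the value the server checks cannot be reproduced by an attacker without the victim's session. The following is an added illustration in Python (not .NET code, not ZAP code, and not a model of the application discussed above); the "unbound" token stands in for any page-derived value that is the same for every visitor, and the "bound" token is the synchronizer-token pattern, keyed with a per-session secret (the same idea ASP.NET exposes through ViewStateUserKey). The server key, session objects and form names are constructed for the example.

```python
"""Why a page-derived value alone does not stop CSRF, and what binding the
token to the victim's session changes. Added example; SERVER_KEY, Session
and the form ids are constructed for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumption: one server-wide MAC key, as a framework might keep for ViewState.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class Session:
    """A logged-in browser session; csrf_secret never leaves the server."""
    user: str
    csrf_secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))


def page_token_unbound(form_id: str) -> str:
    """Token derived only from the form (ViewState-like without a user key):
    every visitor of the page, attacker included, receives the same value."""
    return hmac.new(SERVER_KEY, form_id.encode(), hashlib.sha256).hexdigest()


def page_token_bound(session: Session, form_id: str) -> str:
    """Synchronizer token: MAC over the form id, keyed with the session's own
    secret, so a token minted in the attacker's session is useless elsewhere."""
    return hmac.new(session.csrf_secret, form_id.encode(), hashlib.sha256).hexdigest()


def verify_unbound(form_id: str, submitted: str) -> bool:
    # compare_digest keeps the comparison constant-time.
    return hmac.compare_digest(page_token_unbound(form_id), submitted)


def verify_bound(session: Session, form_id: str, submitted: str) -> bool:
    return hmac.compare_digest(page_token_bound(session, form_id), submitted)


def cross_site_transfer(victim: Session, attacker: Session, form_id: str) -> dict:
    """The CSRF scenario: the attacker loads the form in *their* session,
    copies the token into a hidden form on a third-party page, and the
    victim's browser submits it with the victim's cookies. The server then
    checks the submission against the victim's session."""
    attacker_copy_unbound = page_token_unbound(form_id)
    attacker_copy_bound = page_token_bound(attacker, form_id)
    return {
        "unbound_accepted": verify_unbound(form_id, attacker_copy_unbound),
        "bound_accepted": verify_bound(victim, form_id, attacker_copy_bound),
    }


def legitimate_transfer(victim: Session, form_id: str) -> bool:
    """The victim submits a form they really loaded in their own session."""
    return verify_bound(victim, form_id, page_token_bound(victim, form_id))


if __name__ == "__main__":
    victim, attacker = Session("alice"), Session("mallory")
    print(cross_site_transfer(victim, attacker, "transfer"))
    print(legitimate_transfer(victim, "transfer"))
```

Run as written, the forged submission is accepted by the unbound check and rejected by the bound one, while the victim's own submission still passes; that accept/reject pair is what a scanner's CSRF finding has to be verified against, and it is independent of whether the token is carried in ViewState, a hidden field or a header.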
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160524/edad6c4a/attachment.html>

