[Owasp-leaders] Bring balance: force verification in scanning tools

johanna curiel curiel johanna.curiel at owasp.org
Wed May 25 02:59:28 UTC 2016


You seek and you will find...incomplete empty pages....

https://www.owasp.org/index.php/Access_control_enforced_by_presentation_layer
https://www.owasp.org/index.php/OWASP_.NET_Vulnerability_Research
https://www.owasp.org/index.php/J2EE_Misconfiguration:_Unsafe_Bean_Declaration
https://www.owasp.org/index.php/Allowing_password_aging
https://www.owasp.org/index.php/Assigning_instead_of_comparing
https://www.owasp.org/index.php/Authentication_Bypass_via_Assumed-Immutable_Data
https://www.owasp.org/index.php/Business_logic_vulnerability
https://www.owasp.org/index.php/Comparing_classes_by_name
https://www.owasp.org/index.php/Uncaught_exception
https://www.owasp.org/index.php/Empty_String_Password
https://www.owasp.org/index.php/Failure_of_true_random_number_generator
https://www.owasp.org/index.php/Failure_to_add_integrity_check_value
https://www.owasp.org/index.php/Addition_of_data-structure_sentinel
https://www.owasp.org/index.php/Buffer_Overflow
https://www.owasp.org/index.php/Buffer_underwrite
https://www.owasp.org/index.php/Capture-replay
https://www.owasp.org/index.php/Catch_NullPointerException
https://www.owasp.org/index.php/Comparing_instead_of_assigning

On Tue, May 24, 2016 at 10:44 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

>
> *>>Let's get back to improving our projects and being appsec leaders.*
>
> *yea peeps *
>
> *take the time to help clean the wiki; it is full of outdated useless
> information...and projects that...you better take a look yourself*
> *Warning: we can't delete them but you can label them😂*
>
>
> https://www.owasp.org/index.php/Category:OWASP_Python_Static_Analysis_Project
>
> https://www.owasp.org/index.php/Category:OWASP_Honeycomb_Project/es
>
> https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project/es
>
> https://www.owasp.org/index.php/Category:OWASP_JBroFuzz/es
>
> https://www.owasp.org/index.php/Category:OWASP_Jobs_Project
>
> https://www.owasp.org/index.php/Category:OWASP_LAPSE_Project/es
>
> https://www.owasp.org/index.php/Category:OWASP_Learn_About_Encoding_Project
>
>
>> On Tue, May 24, 2016 at 10:31 PM, Andrew van der Stock <vanderaj at owasp.org> wrote:
>
>> All good security tools are dual purpose. Browsers, telnet, the Testing
>> Guide, the ASVS, Zap, all of our training materials can be used for
>> negative purposes as much as the voices in someone's head. The majority of
>> the tools used in hacks are built into Kali, and in many cases, exploit
>> kits are self-sustaining without using anything like the many commercial
>> and open source web application scanners.
>>
>> We are about enabling folks to add security to their programs. We are an
>> open, transparent community for application security. We are not a
>> forensics or law enforcement community.
>>
>> I use Zap regularly in environments with no Internet access. There is no
>> method of making Zap or any of our other tools or documents phone home in a
>> forensically safe manner.
>>
>> Of all the things we should be doing, this is the last. It represents a
>> massive opportunity cost for a use case that we just aren't responsible
>> for. We have a code of ethics as a compensating control, and of all the
>> things we have actually seen, we have only ever had one member participate
>> in the hacktivist attacks back in the day. This is simply a non-issue.
>>
>> Let's get back to improving our projects and being appsec leaders.
>>
>> thanks,
>> Andrew
>>
>> On Wed, May 25, 2016 at 11:45 AM, Arturo 'Buanzo' Busleiman <
>> buanzo at buanzo.com.ar> wrote:
>>
>>> Agree with Eoin.
>>>
>>> I assume all governments have stopped developing airplanes, because they
>>> can be hijacked and used for terrorism?
>>>
>>> I cannot believe some of the things I have read in this thread.
>>>
>>> Seems we are walking backwards.
>>> On 24 May 2016 10:30 am, "Eoin Keary" <eoin.keary at owasp.org> wrote:
>>>
>>>> The Internet is evil also. It needs to be banned/restricted!
>>>> No Internet == no cyber hackers!!
>>>> 😀
>>>>
>>>> On Tue, May 24, 2016 at 2:52 AM, Mario Robles <mario.robles at owasp.org>
>>>> wrote:
>>>>
>>>>> Hmm
>>>>> "Hacking Tools" find the bad stuff; the pentester should include how
>>>>> to fix it in the report and then later meet with the development team to
>>>>> guide them on how to fix the issues.
>>>>>
>>>>> I prefer the Zap team focusing on how to find more stuff rather than
>>>>> spending time on generic remediation steps that most likely will be
>>>>> different for every issue on every development project; that's a complaint
>>>>> developers have about generic reports, right?
>>>>>
>>>>> If the dev team is committed to security then they use tools made
>>>>> for prevention directly in their IDE; zap is made for detection if their
>>>>> prevention was not enough.
>>>>>
>>>>> :)
>>>>>
>>>>> Mario
>>>>> # Please excuse any typos as this was sent from a mobile device
>>>>>
>>>>> El 23 may 2016, a las 1:33 p.m., johanna curiel curiel <
>>>>> johanna.curiel at owasp.org> escribió:
>>>>>
>>>>> >>There is nothing stopping defenders from using "attacking" tools to
>>>>> secure their networks, servers, etc. After all we all port scan and
>>>>> vulnerability scan our infrastructure, right?
>>>>>
>>>>> Hi Liam
>>>>>
>>>>> I can see the majority of the people answering are pen testers. I'm a
>>>>> developer who learned pen testing to so-called 'secure' apps.
>>>>>
>>>>> It all depends on the technology and system. You find the holes but
>>>>> this per se does not fix them, or even worse, makes you realise that if the
>>>>> developer had known how to code securely from the beginning a lot of headaches
>>>>> could have been avoided.
>>>>>
>>>>> Recently I tested a .NET app built using 3.5 SP1 and no master pages
>>>>> or MVC (available in 4+). The so-called 'ViewState' did not help against
>>>>> CSRF. In fact the developer has to rebuild the whole thing using MVC + .NET
>>>>> 4.0 if he wants to protect this properly.
>>>>>
>>>>> Is it feasible at this point? Nope. Will the company release the code
>>>>> even with the issue? Yep.
>>>>>
>>>>> Pen testing only helps find the holes. Fixing them is another
>>>>> story. Hacking tools don't help you 'secure' applications. They only help
>>>>> you verify the security built by them.
>>>>>
>>>>> Another anecdote. I used to work as an RPG developer for a legacy AS/400
>>>>> banking system. The whole thing works with CGI (yikes!).
>>>>> The pen tester found a CSRF attack. The architect said: prove it. Then
>>>>> the bug headache came: how to fix this?
>>>>> Yes, it was a headache to fix and it did not happen immediately. In
>>>>> fact that architect 'hates' pen testers...😜
>>>>>
>>>>> I think we should stop this discussion.
>>>>>
>>>>> I think I'm starting a survey just to check how many of you work
>>>>> defending applications, I mean like *patching, fixing vulnerabilities
>>>>> in code*, so I might verify if I'm the only developer in OWASP trying
>>>>> to defend applications and that I'm alone among pen testers...
>>>>>
>>>>> Then I'm definitely in the wrong community 😁
>>>>>
>>>>>
>>>>> Cheers
>>>>>
>>>>> Johanna
>>>>>
>>>>>
>>>>>
>>>>> On Mon, May 23, 2016 at 2:49 PM, Liam Smit <liam.smit at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Simon
>>>>>>
>>>>>> ZAP needs to be as effective as possible at finding vulnerabilities.
>>>>>> Hobbling it by making it easier to detect makes it less effective. E.g.
>>>>>> some vendor's firewall detects the scan and blocks it. When the actual
>>>>>> exploit comes along it is not detected and the application is compromised.
>>>>>>
>>>>>> The better it is at detecting vulnerabilities the better it can be
>>>>>> used by defenders to plug the holes. There is nothing stopping defenders
>>>>>> from using "attacking" tools to secure their networks, servers, etc. After
>>>>>> all we all port scan and vulnerability scan our infrastructure, right?
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Liam
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Johanna Curiel
>>>>> OWASP Volunteer
>>>>>
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> OWASP Volunteer
>>>> @eoinkeary
>>>>
>>>>
>>>
>>
>>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>



-- 
Johanna Curiel
OWASP Volunteer