[Owasp-leaders] Bring balance: force verification in scanning tools

Arturo 'Buanzo' Busleiman buanzo at buanzo.com.ar
Wed May 25 10:36:33 UTC 2016


Not talking about you, Johanna.
On 25 May 2016 12:39 am, "johanna curiel curiel" <johanna.curiel at owasp.org>
wrote:

> Andrew
> >>no one is insulting you
>
> Really?
>
> I just asked a question. I'm not imposing anything. Some comments here
> categorised my idea literally as:
> silly, pointless, walking backwards...
> On twitter even worse...
>
> I think the end of the conversation came when Simon said he did not find
> this a good idea. He owns the hacking tool, he decides if he wants to do
> it or not.
>
> If the majority thinks this is a bad idea, that's ok, but why call it
> silly, pointless etc?
>
> Some folks here like Kevin went into quite some detail discussing at a technical
> level, which I actually enjoyed, like others did.
>
> So it's not directed at you. People talk about crushing ideas; this is an
> excellent example. It is enough to give your point by saying
> +1 or -1 or "I don't agree". Why is it necessary to call it silly or
> pointless, or to say that the Catalan police gives an F.... about the fact that I did
> not like seeing a hacking tool like ZAP being used this way.
>
> >>>Please, I implore you - before responding angrily to any imagined
> slight, no one is out to get you, no one is insulting you. Please be
> respectful of OWASP volunteers and leaders.
>
> Why am I the only one whose attention you call? Tony UV didn't get
> reprimanded on the list when he said the Catalan police gives an F or
> PM (Spanish) about my F...
>
> I kind of feel discriminated right now.
>
> Don't worry Andrew.
>
> I won't be on this list anymore... bothering peeps with my stupid, silly,
> moronic questions about the idea of putting some controls in hacking tools
> used by criminals too. Never mind.
>
> Good luck with the projects and the wiki that no one helps to clean except
> a very few, silly like me...
>
> Cheers and good bye
>
>
>
>
>
> On Tue, May 24, 2016 at 11:24 PM, Andrew van der Stock <vanderaj at owasp.org
> > wrote:
>
>> Johanna,
>>
>> I did not insult you - almost or actually - in any way. Please re-read my
>> post in its entirety.
>>
>> I am all for discussing things, but please don't be annoyed because folks
>> have a differing view.
>>
>> We are all volunteers here, and we don't need this level of angst. You
>> bring up the state of projects again, and there is movement on two fronts
>> from the Board. Tom is running very fast with a new hire, as well as the
>> Sooryen revamp of our website with their needs assessment that I encourage
>> ALL to participate to have their voices heard on this vital topic to
>> OWASP's future. Engaging fully with these two initiatives should lead to
>> the sorts of outcomes you are looking for, but we can't do those
>> improvements overnight, and we can't do it if volunteers leave because they
>> are forced to do things that they have zero interest in doing.
>>
>> We are here to encourage all projects, chapters and outreach, and this
>> sort of discourse is discourteous to all those who have donated their time.
>> The loudest voices do not get their way at OWASP; it's those who
>> participate in a friendly, encouraging manner, who get in there and create
>> our great projects, who do.
>>
>> Please, I implore you - before responding angrily to any imagined slight,
>> no one is out to get you, no one is insulting you. Please be respectful of
>> OWASP volunteers and leaders.
>>
>> thanks,
>> Andrew
>>
>> On Wed, May 25, 2016 at 12:59 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> You seek and you will find...incomplete empty pages....
>>>
>>>
>>> https://www.owasp.org/index.php/Access_control_enforced_by_presentation_layer
>>> https://www.owasp.org/index.php/OWASP_.NET_Vulnerability_Research
>>>
>>> https://www.owasp.org/index.php/J2EE_Misconfiguration:_Unsafe_Bean_Declaration
>>> https://www.owasp.org/index.php/Allowing_password_aging
>>> https://www.owasp.org/index.php/Assigning_instead_of_comparing
>>>
>>> https://www.owasp.org/index.php/Authentication_Bypass_via_Assumed-Immutable_Data
>>> https://www.owasp.org/index.php/Business_logic_vulnerability
>>> https://www.owasp.org/index.php/Comparing_classes_by_name
>>> https://www.owasp.org/index.php/Uncaught_exception
>>> https://www.owasp.org/index.php/Empty_String_Password
>>> https://www.owasp.org/index.php/Failure_of_true_random_number_generator
>>> https://www.owasp.org/index.php/Failure_to_add_integrity_check_value
>>> https://www.owasp.org/index.php/Addition_of_data-structure_sentinel
>>> https://www.owasp.org/index.php/Buffer_Overflow
>>> https://www.owasp.org/index.php/Buffer_underwrite
>>> https://www.owasp.org/index.php/Capture-replay
>>> https://www.owasp.org/index.php/Catch_NullPointerException
>>> https://www.owasp.org/index.php/Comparing_instead_of_assigning
>>>
>>> On Tue, May 24, 2016 at 10:44 PM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>>
>>>> *>>Let's get back to improving our projects and being appsec leaders.*
>>>>
>>>> *yea peeps *
>>>>
>>>> *take the time to help clean the wiki; it is full of outdated, useless
>>>> information... and projects that... you'd better take a look yourself*
>>>> *Warning: we can't delete them but you can label them 😂*
>>>>
>>>>
>>>> https://www.owasp.org/index.php/Category:OWASP_Python_Static_Analysis_Project
>>>>
>>>> https://www.owasp.org/index.php/Category:OWASP_Honeycomb_Project/es
>>>>
>>>>
>>>> https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project/es
>>>>
>>>> https://www.owasp.org/index.php/Category:OWASP_JBroFuzz/es
>>>>
>>>> https://www.owasp.org/index.php/Category:OWASP_Jobs_Project
>>>>
>>>> https://www.owasp.org/index.php/Category:OWASP_LAPSE_Project/es
>>>>
>>>>
>>>> https://www.owasp.org/index.php/Category:OWASP_Learn_About_Encoding_Project
>>>>
>>>>
>>>> On Tue, May 24, 2016 at 10:31 PM, Andrew van der Stock <
>>>> vanderaj at owasp.org> wrote:
>>>>
>>>>> All good security tools are dual purpose. Browsers, telnet, the
>>>>> Testing Guide, the ASVS, Zap, all of our training materials can be used for
>>>>> negative purposes as much as the voices in someone's head. The majority of
>>>>> the tools used in hacks are built into Kali, and in many cases, exploit
>>>>> kits are self-sustaining without using anything like the many commercial
>>>>> and open source web application scanners.
>>>>>
>>>>> We are about enabling folks to add security to their programs. We are
>>>>> an open, transparent community for application security. We are not a
>>>>> forensics or law enforcement community.
>>>>>
>>>>> I use Zap regularly in environments with no Internet access. There is
>>>>> no method of making Zap or any of our other tools or documents phone home
>>>>> in a forensically safe manner.
>>>>>
>>>>> Of all the things we should be doing, this is the last. It represents
>>>>> a massive opportunity cost for a use case that we just aren't responsible
>>>>> for. We have a code of ethics as a compensating control, and of all the
>>>>> things we have actually seen, we have only ever had one member participate
>>>>> in the hacktivist attacks back in the day. This is simply a non-issue.
>>>>>
>>>>> Let's get back to improving our projects and being appsec leaders.
>>>>>
>>>>> thanks,
>>>>> Andrew
>>>>>
>>>>> On Wed, May 25, 2016 at 11:45 AM, Arturo 'Buanzo' Busleiman <
>>>>> buanzo at buanzo.com.ar> wrote:
>>>>>
>>>>>> Agree with Eoin.
>>>>>>
>>>>>> I assume all governments have stopped developing airplanes, because
>>>>>> they can be hijacked and used for terrorism?
>>>>>>
>>>>>> I cannot believe some of the things I have read in this thread.
>>>>>>
>>>>>> Seems we are walking backwards.
>>>>>> On 24 May 2016 10:30 am, "Eoin Keary" <eoin.keary at owasp.org> wrote:
>>>>>>
>>>>>>> The Internet is evil also. It needs to be banned/restricted!
>>>>>>> No Internet == no cyber hackers!!
>>>>>>> 😀
>>>>>>>
>>>>>>> On Tue, May 24, 2016 at 2:52 AM, Mario Robles <
>>>>>>> mario.robles at owasp.org> wrote:
>>>>>>>
>>>>>>>> Hmm
>>>>>>>> "Hacking Tools" find the bad stuff, the pentester should include
>>>>>>>> how to fix it in the report then later will meet with the development team
>>>>>>>> to guide them on how to fix the issues
>>>>>>>>
>>>>>>>> I prefer the Zap team focusing on how to find more stuff rather than
>>>>>>>> spending time on generic remediation steps that most likely will be
>>>>>>>> different for every issue on every development project; that's a complaint
>>>>>>>> developers have about generic reports, right?
>>>>>>>>
>>>>>>>> If the dev team is committed to security then they use tools made
>>>>>>>> for prevention directly in their IDE; Zap is made for detection if their
>>>>>>>> prevention was not enough.
>>>>>>>>
>>>>>>>> :)
>>>>>>>>
>>>>>>>> Mario
>>>>>>>> # Please excuse any typos as this was sent from a mobile device
>>>>>>>>
>>>>>>>> El 23 may 2016, a las 1:33 p.m., johanna curiel curiel <
>>>>>>>> johanna.curiel at owasp.org> escribió:
>>>>>>>>
>>>>>>>> >>There is nothing stopping defenders from using "attacking" tools
>>>>>>>> to secure their networks, servers, etc. After all we all port scan and
>>>>>>>> vulnerability scan our infrastructure, right?
>>>>>>>>
>>>>>>>> Hi Liam
>>>>>>>>
>>>>>>>> I can see the majority of the people answering are pen testers. I'm a
>>>>>>>> developer who learned pen testing to so-called 'secure' apps.
>>>>>>>>
>>>>>>>> It all depends on the technology and system. You find the holes, but
>>>>>>>> this per se does not fix them or, even worse, makes you realise that if the
>>>>>>>> developer knew how to code securely from the beginning a lot of headaches
>>>>>>>> could have been avoided.
>>>>>>>>
>>>>>>>> Recently I tested a .NET app built using 3.5 SP1 and no master
>>>>>>>> pages or MVC (available in 4+). The so-called 'ViewState' did not help
>>>>>>>> against CSRF. In fact the developer has to rebuild the whole thing using
>>>>>>>> MVC + .NET 4.0 if he wants to protect this properly.
>>>>>>>>
>>>>>>>> Is it feasible at this point? Nope. Will the company release the
>>>>>>>> code even with the issue? Yep.
>>>>>>>>
>>>>>>>> Pen testing only helps find the holes. Fixing them is another
>>>>>>>> story. Hacking tools don't help you 'secure' applications. They only help
>>>>>>>> you verify the security built by them.
>>>>>>>>
>>>>>>>> Another anecdote. I used to work as an RPG developer for a legacy
>>>>>>>> AS/400 banking system. The whole thing works with CGI (yikes!)
>>>>>>>> The pen tester found a CSRF attack. The architect said: prove it.
>>>>>>>> Then the bug headache came: How to fix this?
>>>>>>>> Yes, it was a headache to fix and it did not happen
>>>>>>>> immediately. In fact that architect 'hates' pen testers... 😜
>>>>>>>>
>>>>>>>> I think we should stop this discussion.
>>>>>>>>
>>>>>>>> I think I'm starting a survey just to check how many of you work
>>>>>>>> defending applications, I mean like *patching, fixing
>>>>>>>> vulnerabilities in code*, so I might verify if I'm the only
>>>>>>>> developer in OWASP trying to defend applications and that I'm alone among
>>>>>>>> pen testers...
>>>>>>>>
>>>>>>>> Then I'm definitely in the wrong community 😁
>>>>>>>>
>>>>>>>>
>>>>>>>> Cheers
>>>>>>>>
>>>>>>>> Johanna
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, May 23, 2016 at 2:49 PM, Liam Smit <liam.smit at gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi Simon
>>>>>>>>>
>>>>>>>>> ZAP needs to be as effective as possible at finding
>>>>>>>>> vulnerabilities. Hobbling it by making it easier to detect makes it less
>>>>>>>>> effective. E.g. some vendor's firewall detects the scan and blocks it. When
>>>>>>>>> the actual exploit comes along it is not detected and the application is
>>>>>>>>> compromised.
>>>>>>>>>
>>>>>>>>> The better it is at detecting vulnerabilities the better it can be
>>>>>>>>> used by defenders to plug the holes. There is nothing stopping defenders
>>>>>>>>> from using "attacking" tools to secure their networks, servers, etc. After
>>>>>>>>> all we all port scan and vulnerability scan our infrastructure, right?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>>
>>>>>>>>> Liam
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Johanna Curiel
>>>>>>>> OWASP Volunteer
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> OWASP-Leaders mailing list
>>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> OWASP Volunteer
>>>>>>> @eoinkeary
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Johanna Curiel
>>>> OWASP Volunteer
>>>>
>>>
>>>
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>
>>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>