[Owasp-leaders] Are we helping Hackers or helping Application security?
casey.dunham at owasp.org
Fri May 27 18:14:37 UTC 2016
As a software developer across multiple stacks for over twelve years you have absolutely hit it on the head.
Security or defender tools are not the solution. Frameworks need to start incorporating and promoting more secure practices.
Tools also need to be seamlessly integrated into the development environment and not get in the way of business critical development.
> On May 20, 2016, at 1:02 PM, Timothy D. Morgan <tim.morgan at owasp.org> wrote:
>> Respectfully, and that you understand, I'm more than a ZAP fan. I
>> contribute/promote this project . Don't get me wrong, ZAP is my favourite
>> tool and I just feel like they have used something I care for bad purposes,
>> like thieves that steals your car to commit a bank robbery.
>> I think we need to at least incentive(not only financially) and motivate
>> more research into defending applications. Our defender projects help but
>> they are far out cry to really make a difference.
> Ok, so we all agree tools are just tools and they can be used for good or
> evil. Let's put that behind us, yeah?
> I think the point Johanna is making is that while there are a lot of offensive
> tools in the OWASP lineup to help everyone *understand* what the security
> problems are, there are fewer mature tools projects on the defense side to help
> developers solve them.
> Is that a problem? Is it just the nature of the beast that our solutions on
> the defense side involve more documentation, testing guides, and awareness
> campaigns? I'm actually not sure the answer to that.
> What I do think, however, is that while technical frameworks designed for
> defense are a great idea, they aren't going to be adopted by the
> majority of developers who need it if they are developed as independent
> libraries/modules/etc. The developers who need it have never heard of OWASP,
> and even if they have, they aren't sufficiently motivated to go out of their way
> to integrate a security framework into their day-to-day development. So I
> don't think adding a bunch more defense tools is really the answer unless those
> are somehow integrated into standard frameworks and development platforms.
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
More information about the OWASP-Leaders