<p dir="ltr">+1</p>
<p dir="ltr">I have one remark about using the term "hacker" as bad thing.</p>
<p dir="ltr">If a hacker attacks a vulnerable web app without authorization he becomes malicious, a cracker or a "pirate".</p>
<p dir="ltr">By the way ZAP or any other tool can be used for defense or attack like in the real life.</p>
<p dir="ltr">If we publish a web application written sloppily, with no security by design, any tool can break it.</p>
<p dir="ltr">Thanks <br>
Azzeddine</p>
<div class="gmail_quote">On 20 May 2016 at 5:57 AM, "Jim Manico" <<a href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <p>+1 <br>
    </p>
    <p>This is a very astute perspective, Tony. Thanks for diving in and
      bringing clarity.</p>
    <p>Aloha, Jim<br>
    </p>
    <div>On 5/19/16 7:14 PM, Tony UV wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>
              <div>
                <div>1. If giving an F is hating on a tool versus
                  understanding the threat actors and real threat
                  motives, then sorry to break it to you that the
                  Catalan police don't give a "PM" (spanish) or "F"
                  about your F.<br>
                </div>
                2. Having more defender tools will still not instruct
                'security professionals' to interact effectively with
                developers.  Knowing the precepts of coding, development
                frameworks, threat modeling, good architecture will.  So
                in terms of more defender tools helping, that wouldn't
                do jack. <br>
              </div>
              3. ModSecurity Ruleset is highly utilized individually and
              by commercial products that have pwned its G status
              effectiveness and baked it into their commercial rule
              sets.  Maybe not as hyped as ZAP but per other previous
              responses, there's a lot of good Defender stuff in the
              vault.<br>
            </div>
            4. You're right.  Too much pen tester rhetoric.  But I say up
            the level and call it what it is - attack.  No hacker is
            like 'hey boss, I'm gonna pen test this web api real quick'.
            Get real.  We need more pros to understand real criminal
            exploitation and leave this pen testing BS for PCI 3.2. 
            This includes a greater understanding of encoding techniques
            for obfuscating payloads, new evasion techniques, payloads
            against new web app frameworks, reversing, etc. This is real
            stuff that transcends simply payload replaying via tools and
            we need more of that skill set in order to educate
            developers on how these parameters get compromised b/c of
            well crafted payloads.<br>
          </div>
          5.  Helping Dev shops requires more understanding of things
          that they are working with, but crawl, walk, run.  Right now,
          IMHO, I think most want to know how to break and are still
          maturing there.  From there, they'll run into the wall of not
          being able to message to dev teams.  Then they'll need to
          mature in that respect and either (a) tell them
          countermeasures that are upstream from the API or service
          listener or whatever (WEAK) or (b) help them to improve their
          secure coding measures and leveraging of security class
          objects in frameworks, hardening techniques, secure coding
          snippets, etc.  OWASP Cheatsheets, Secure Dev Guide all help
          with this btw so recognize. <br>
          <br>
        </div>
        Not gonna get into the whole US violent BS. Stay topical to
        appsec and leave the political remarks for the comments section
        of Anderson Cooper's blog.  I can gladly entertain those later
        if you want to debate causal factors at BH/ DC over pisco
        sours.  </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Thu, May 19, 2016 at 9:31 PM,
          johanna curiel curiel <span dir="ltr"><<a href="mailto:johanna.curiel@owasp.org" target="_blank">johanna.curiel@owasp.org</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr"><span style="font-size:13px">>>So
                Phineas used ZAP to hack Catalan police - who gives an
                F?!?!?! </span><br>
              <div><span style="font-size:13px"><br>
                </span></div>
              <div>I give a f*ck...;-P. </div>
              <div><br>
              </div>
              <div>>><span style="font-size:13px"> </span><span style="font-size:13px">The intent of ZAP is to allow
                  for more security professionals to understand how and
                  why apps fall to common attack patterns.</span></div>
              <div><span style="font-size:13px"><br>
                </span></div>
              <div>Look. A 'security professional'  tells the developer
                all the security bugs she has, but if she is not able to
                fix them then what? Nothing gets fixed properly. </div>
              <div><br>
              </div>
              <div>Most pen testers' work is focused on showing
                vulnerabilities instead of helping fix them because
                for the most part pen testers cannot code applications,
                nor is it their work, like this joke on Twitter:<br>
              </div>
              <div><a href="https://twitter.com/pencilsareneat/status/724711158863790084" target="_blank">https://twitter.com/pencilsareneat/status/724711158863790084</a><br>
              </div>
              <div><br>
              </div>
              <div>I think OWASP is way too focused on Pen testers and
                this discussion just shows me that.</div>
              <div><br>
              </div>
              <div>Defender projects are poor compared to ZAP. </div>
              <div><br>
              </div>
              <div>Has any one of you downloaded and tested ALL the so
                called 'top' defender projects we have? Have you
                actually USED them?</div>
              <div>Who has? I have, can you say the same?</div>
              <div><br>
              </div>
              <div>I have and I can tell you that for sure.<br>
              </div>
              <div><br>
              </div>
              <div><b>Red team is important but Blue team as much. I'm
                  talking about Yin Yang. </b></div>
              <div><b>Balance my friends. OWASP has the power to shape
                  that balance.</b><br>
              </div>
              <div><br>
              </div>
              <div>And BTW the US is the country with a high rate of murder
                with guns. </div>
              <div><a href="http://www.nytimes.com/2012/12/20/opinion/blow-on-guns-america-stands-out.html?_r=1" target="_blank">http://www.nytimes.com/2012/12/20/opinion/blow-on-guns-america-stands-out.html?_r=1</a><br>
              </div>
              <div><br>
              </div>
              <div>And talking about Columbine and school
                killings...yeah, but of course no one is to blame...</div>
              <div><br>
              </div>
              <div>Hey Viva US and the second amendment, each country
                should know what they do. </div>
              <div>I just love my little island where they forbid
                guns...thank God...<br>
              </div>
              <div><br>
              </div>
              <div><br>
              </div>
            </div>
            <div class="gmail_extra"><br>
              <div class="gmail_quote">On Thu, May 19, 2016 at 9:02 PM,
                Tony UV <span dir="ltr"><<a href="mailto:tonyuv@owasp.org" target="_blank">tonyuv@owasp.org</a>></span>
                wrote:<br>
                <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                  <div dir="ltr">
                    <div>
                      <div>
                        <div>Johanna,<b><br>
                          </b></div>
                        <div><b><br>
                            On the issue of ZAP / Hurting or Helping
                            AppSec.<br>
                          </b>So Phineas used ZAP to hack Catalan police
                          - who gives an F?!?!?!  Since the beginning of
                          time, tools of any type (either hardware or
                          software or virtual) will be used for whatever
                          motive the handler wants to use them.  This
                          shouldn't at all shape the perspective that
                          ZAP or any other tool is hurting rather than
                          helping an industry or sub-industry.  That is
                          absurd.  Those that think that in AppSec or in
                          security in general don't get the fact that
                          when doing criminal actions, any means
                          necessary will encompass the use of products
                          and services not intended or designed for a
                          criminal's nefarious actions.  Tainting ZAP
                          (either deliberately or not) is not helping
                          the ignorance that blames tools for
                          facilitating hacks.  The intent of ZAP is to
                          allow for more security professionals to
                          understand how and why apps fall to common
                          attack patterns.  If that same tool is used to
                          do bad, in no way shape or form should the
                          weakly formed argument of 'are we helping or
                          hurting' be thrown into a conversation piece
                          within this industry b/c there are far too
                          many tools that break that have come before
                          ZAP and are used much more widely than ZAP
                          that are open source and those frames of
                          thought never got good traction and
                          deservingly so.  If there is some emotional
                          infosec asshat that wants to ask that question
                          and allude to an 'OWASP' project as a
                          facilitator to these types of activities, then
                          we should all be able to easily defend the
                          number of instances of whitehat efforts that
                          ZAP supports that dwarf the undoubted blackhat
                          use of that tool (or any other that is or
                          becomes flagship). <br>
                          <br>
                        </div>
                        <b>On the issue of quantity vs quality.</b><br>
                      </div>
                      Agreed that we have WAY too many projects.  I'm on
                      that bandwagon.  But the one I'm not is believing
                      that the intent of the disparity between notorious
                      breaker tools that are flagship vs. defender tools
                      is based upon anything but simply a factor of (a)
                      time of interested people/ persons devoted to a
                      project (b) level of interest of said people in a
                      track of security (breaking vs building vs
                      defending, etc.).  What's the saying - the road to
                      hell is paved with good intentions - in this case,
                      I don't think there was a deliberate intent to
                      sway one way (break, defend, build) versus another
                      at all but things have gotten away from us.  I do
                      think that greater project governance and
                      leadership can force a more balanced project
                      roster which would reflect what everyone has had
                      in mind for OWASP, which is well developed and
                      maintained projects. Mark's blog post, although
                      true, is true only at the superficial level.  The
                      causal factors need to be clearly understood.  If
                      there was project governance and we could
                      collectively drive to a smaller project footprint,
                      then our execution would be better, but it's not by
                      design and that's what I disagree with in the blog
                      and those that follow that credence.  <br>
                      <span><font color="#888888"><br>
                        </font></span></div>
                    <span><font color="#888888">Tony UV<br>
                      </font></span></div>
                  <div class="gmail_extra"><br>
                    <div class="gmail_quote"><span>On Thu, May 19, 2016
                        at 8:25 PM, johanna curiel curiel <span dir="ltr"><<a href="mailto:johanna.curiel@owasp.org" target="_blank">johanna.curiel@owasp.org</a>></span>
                        wrote:<br>
                      </span>
                      <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                        <div>
                          <div>
                            <div dir="ltr"><font face="arial, helvetica,
                                sans-serif" color="#000000">Hi All,<br>
                              </font>
                              <div><font face="arial, helvetica,
                                  sans-serif" color="#000000"><br>
                                </font></div>
                              <div><font face="arial, helvetica,
                                  sans-serif" color="#000000">Not sure
                                  if you have heard the news that
                                  Phineas Fisher, the hacker that hacked
                                  HackingTeam, has made public a couple
                                  of days ago a video showing how he
                                  hacked the Spanish (Catalan) police
                                  using ZAP.</font></div>
                              <div><font face="arial, helvetica,
                                  sans-serif" color="#000000"><br>
                                </font></div>
                              <div><font face="arial, helvetica,
                                  sans-serif" color="#000000">Video in
                                  the meantime has been removed but I
                                  made a copy for anyone that wants it
                                  ;-P</font></div>
                              <div><font face="arial, helvetica,
                                  sans-serif" color="#000000"><br>
                                </font></div>
                              <div><font face="arial, helvetica,
                                  sans-serif" color="#000000">Phineas
                                  went ahead and made comments to
                                  encourage and teach others to 'hack
                                  back' (nice music background 'f*ck the
                                  police'). In his own words:</font></div>
                              <div><font face="arial, helvetica,
                                  sans-serif" color="#000000"><b>“That's
                                    the plan,” the hacker told
                                    Motherboard in an email. “Like
                                    subverso says in the lyrics of the
                                    song at the end of the video, ‘el
                                    que comparte lo que aprende, es
                                    peligroso.’”</b><br>
                                </font></div>
                              <span>
                                <div><font face="arial, helvetica,
                                    sans-serif" color="#000000"><br>
                                  </font></div>
                                <div><font face="arial, helvetica,
                                    sans-serif" color="#000000">While
                                    I'm a big fan of ZAP, this has hit a
                                    deep core in my conscience.</font></div>
                                <div><font face="arial, helvetica,
                                    sans-serif" color="#000000"><br>
                                  </font></div>
                                <div><font face="arial, helvetica,
                                    sans-serif" color="#000000">OWASP is
                                    supposed to be about 'Application
                                    Security' and right now, hackers
                                    like this are doing the opposite
                                    with the same tools we promote .</font></div>
                                <div><font face="arial, helvetica,
                                    sans-serif" color="#000000"><br>
                                  </font></div>
                              </span><span>
                                <div><font face="arial, helvetica,
                                    sans-serif" color="#000000">OWASP
                                    has a huge imbalance of tools
                                    between 'breakers' and 'defenders'. </font></div>
                                <div><font face="arial, helvetica,
                                    sans-serif" color="#000000"><br>
                                  </font></div>
                                <div><font face="arial, helvetica,
                                    sans-serif" color="#000000">ZAP on
                                    one side , with a quality and level
                                    of development that is competing
                                    with the commercial tools like Burp,
                                    but on the other side, to balance
                                    the equation, what are we actually
                                    doing to improve defense? What kind
                                    of defender projects does OWASP have
                                    to compete with what ZAP is doing?</font></div>
                                <div><font face="arial, helvetica,
                                    sans-serif" color="#000000"><br>
                                  </font></div>
                                <div><font face="arial, helvetica,
                                    sans-serif" color="#000000">Sorry to
                                    say, none. No defender project at
                                    OWASP has a full time developer
                                    working on it nor the quality that
                                    ZAP does.</font></div>
                                <div><font face="arial, helvetica,
                                    sans-serif" color="#000000"> </font></div>
                              </span>
                              <div><font face="arial, helvetica,
                                  sans-serif" color="#000000">@Tom:</font></div>
                              <div><font face="arial, helvetica,
                                  sans-serif" color="#000000"><br>
                                </font></div>
                              <div><font face="arial, helvetica,
                                  sans-serif" color="#000000">I think
                                  one of the things OWASP projects needs
                                  to focus on is to bring a balance and
                                  incentivize the development of <b>Quality</b>
                                  defender projects to teach developers
                                  how to protect applications. Not to
                                  keep focusing on teaching hacking.
                                  Developers are not going to become
                                  hackers to protect applications. </font></div>
                              <div><font face="arial, helvetica,
                                  sans-serif" color="#000000"><br>
                                </font></div>
                              <div><font face="arial, helvetica,
                                  sans-serif" color="#000000"><br>
                                </font></div>
                              <div><font face="arial, helvetica,
                                  sans-serif" color="#000000">Mark
                                  Curphey, the co-founder of OWASP, had a
                                  vision to develop security tools for
                                  developers. And he left because
                                  OWASP management focused on quantity
                                  and not on quality. Timo and I, the
                                  last reviewers, were standing for this
                                  principle. But we couldn't fight
                                  how management thought about it and we
                                  left.</font></div>
                              <div><font face="arial, helvetica,
                                  sans-serif" color="#000000"><br>
                                </font></div>
                              <div><font face="arial, helvetica,
                                  sans-serif" color="#000000"><br>
                                </font></div>
                              <div><font face="arial, helvetica,
                                  sans-serif" color="#000000"><br>
                                </font></div>
                              <div><font face="arial, helvetica,
                                  sans-serif" color="#000000"><span style="line-height:21px"><b>"I do
                                      suspect that it may be time for a
                                      different kind of open source
                                      software security project that
                                      focuses on a small number of high
                                      quality, high impact projects. ..</b></span></font></div>
                              <div><font face="arial, helvetica,
                                  sans-serif" color="#000000"><b><br>
                                  </b></font></div>
                              <div><font face="arial, helvetica,
                                  sans-serif" color="#000000"><b>So long
                                    OWASP, you were a fun ride and I
                                    wish you the very best for the
                                    future. Remember that a “Jack of all
                                    trades is a master of none”!</b></font><font face="arial, helvetica, sans-serif" color="#000000"><span style="line-height:21px"><b>"</b></span><br>
                                </font></div>
                              <div><font face="arial, helvetica,
                                  sans-serif" color="#000000"><span style="line-height:21px"><b><br>
                                    </b></span></font></div>
                              <div><span style="line-height:21px"><font face="arial, helvetica, sans-serif" color="#000000"><br>
                                  </font></span></div>
                              <div><font face="arial, helvetica,
                                  sans-serif" color="#000000"><span style="line-height:21px">In the meantime
                                    Mark is the founder of </span>SRC:CLR, </font><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;background-color:transparent">based
                                  startup that helps companies use
                                  open-source code safely</span></div>
                              <div><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;background-color:transparent"><br>
                                </span></div>
                              <div><a href="http://www.curphey.com" target="_blank">http://www.curphey.com</a><br>
                              </div>
                              <div><br>
                              </div>
                              <div>regards</div>
                              <span><font color="#888888">
                                  <div><br>
                                  </div>
                                  -- <br>
                                  <div>
                                    <div dir="ltr">
                                      <div>Johanna Curiel </div>
                                      OWASP Volunteer</div>
                                  </div>
                                </font></span></div>
                            <br>
                          </div>
                        </div>
                        <span><span>_______________________________________________<br>
                            OWASP-Leaders mailing list<br>
                            <a href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
                            <a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" rel="noreferrer" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
                            <br>
                          </span></span></blockquote>
                    </div>
                    <br>
                  </div>
                  <span><font color="#888888">
                    </font></span></blockquote>
              </div>
              <span><font color="#888888"><br>
                  <br clear="all">
                  <div><br>
                  </div>
                  -- <br>
                  <div>
                    <div dir="ltr">
                      <div>Johanna Curiel </div>
                      OWASP Volunteer</div>
                  </div>
                </font></span></div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
  </div>

</blockquote></div>