[Esapi-user] Call for review of crypto code
Jim Manico
jim.manico at owasp.org
Fri Apr 30 01:27:50 EDT 2010
Please get some quotes to me. I'll pay for the review myself, for fuck's
sake.
Jim Manico
On Apr 29, 2010, at 7:39 PM, "Kevin W. Wall" <kevin.w.wall at gmail.com> wrote:
> Jeff Williams wrote:
>> I think creating some competition to make ESAPI better is a good idea.
>> I'm not sure how to do this exactly without making it seem like a "Bug
>> Bounty" program. We can give honorary OWASP memberships. We could
>> recognize people and fly them to OWASP AppSec conferences to receive
>> their award. We could open the competition and create a judges panel
>> that will decide the 3 "best" vulnerabilities discovered in ESAPI, and
>> give out prizes at AppSec.
>>
>> Any of this appeal to you? I can work it with the board.
>
> I think all of those you mentioned are some good incentives. (Hey, if it
> were up to me, I'd do it for a case of Guinness or a crate of chocolate
> chip cookies, but I'm easily persuaded. ;-)
>
> Only thing is you have to be careful of how you phrase it if what you
> really want is to focus on the crypto code. (Which is what I want, but
> of course, I'm a bit biased there.)
>
> Most of all, I want to have the implementation of the design
> examined...to see if I did it correctly or not based on Wagner's and
> Grigg's feedback. Personally, I think someone with good security skills
> can catch things like just coding mistakes. What almost all of us are
> lacking--myself included--are good cryptanalytic skills. You have to
> know how to *break* crypto and cryptographic protocols. I can generally
> pick up on things pretty quickly if a lucid explanation is given, but I
> don't have experience *breaking* ciphers to know what to look for in
> terms of weakness of design. I am only smart enough to know to ask for
> help--first in the design, and then in the review of the code. In other
> words, I know that I don't know.
>
> -kevin
> --
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents." -- Nathaniel Borenstein, co-creator of MIME