[Global_education_committee] OWASP Secure Coding Competition

Mark Bristow mark.bristow at owasp.org
Wed Nov 24 17:29:14 EST 2010


Fabio,

Funny you should be mentioning this.  I've been working with the projects
committee to set up a competition just like this (in fact I have a baseline
spec done and have started working an implementation plan).

My concept was to provide developers requirements a few days ahead of the
competition and provide a cloud based VM.  The entrants would then get those
days (say 5) to develop a basic web application based on the requirements.
For each feature implemented, they get a set amount of points, some features
are required and some are more risky than others.  Then we have a team of
pen-testers attack the applications for a fixed period of time (same team
works on all apps, and same amount of time to be fair).  For every
vulnerability the testers find, points are deducted.  Team with the best
score at the end of the competition wins.

Not sure if it's an exact overlap, but may combine the "fun" of a CTF with a
developer/secure coding spin.  I'm calling it Secure the Flag.

I think we could easily build in a "tournament" type system and have
regional/global winners.  My initial thought was to take this competition to
developer conferences (like Java One) and offer prizes, but your model could
work too.

-Mark

On Wed, Nov 24, 2010 at 5:11 PM, Fabio Cerullo <fcerullo at owasp.org> wrote:

> Hi Wong,
>
> Nice meeting you at DC! Following up our conversation about a secure coding
> competition, let's do a bit of brainstorming so we have a clear roadmap to
> present at the Summit.
>
> Basically the idea is:
>
> - To organize regional competitions across Asia, EU, America, Latin America
> following the same model as the one Cecil Su from OWASP used in Singapore.
> - The format would be: 3 day event where teams from universities and higher
> learning education institutes are asked to code an application in a secure
> fashion.
> - The criteria for judging are based both on the functionality of the
> application as well as the security aspects (i.e. how many vulnerabilities
> are discovered).
> - Winners of each region will go into an international competition that
> could be held at one of the major OWASP Appsec conferences.
> - Commercial firms could be sponsors/judges of the competition.
> - OWASP being a central part as judge panel/organizer.
>
> I'm including Jeff Williams and the OWASP Global Education Committee in
> this mail as they are very keen to engage with educational institutions.
>
> Thanks,
>
> Fabio


-- 
Mark Bristow

OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
AppSec DC 2010 Organizer - https://www.appsecdc.org
OWASP DC Chapter Co-Chair - http://is.gd/5MTwu