[Global_education_committee] OWASP Secure Coding Competition

Mark Bristow mark.bristow at owasp.org
Wed Nov 24 17:41:39 EST 2010


It's actually on my netbook, in another state right now.  I plan to get it
to Paulo Monday and get the official page up.  I'll link this thread when
that is done.

I wouldn't go selling it yet, it's just a project idea, but some of the guys
who helped build the AppSecDC CTF and I have been kicking this around for a
few months.  I think we have a good outline for a scoring system and for an
initial set of requirements (the challenge here is that you have to come up
with whole new requirements sets for every competition as once they are
released they can't be re-used).

-Mark

On Wed, Nov 24, 2010 at 5:33 PM, kuai hinojosa <kuai.hinojosa at owasp.org> wrote:

> These are great ideas! Mark, can you provide a link to your plan? We need to
> be able to sell this to EDU supporters as we talk to them.
>
> Kuai
>
> On Nov 24, 2010, at 5:29 PM, Mark Bristow <mark.bristow at owasp.org> wrote:
>
> Fabio,
>
> Funny you should be mentioning this.  I've been working with the projects
> committee to set up a competition just like this (in fact I have a baseline
> spec done and have started working an implementation plan).
>
> My concept was to provide developers requirements a few days ahead of the
> competition and provide a cloud-based VM.  The entrants would then get those
> days (say 5) to develop a basic web application based on the requirements.
> For each feature implemented, they get a set amount of points, some features
> are required and some are more risky than others.  Then we have a team of
> pen-testers attack the applications for a fixed period of time (same team
> works on all apps, and same amount of time to be fair).  For every
> vulnerability the testers find, points are deducted.  Team with the best
> score at the end of the competition wins.
>
> Not sure if it's an exact overlap, but may combine the "fun" of a CTF with
> a developer/secure coding spin.  I'm calling it Secure the Flag.
>
> I think we could easily build in a "tournament" type system and have
> regional/global winners.  My initial thought was to take this competition to
> developer conferences (like Java One) and offer prizes, but your model could
> work too.
>
> -Mark
>
> On Wed, Nov 24, 2010 at 5:11 PM, Fabio Cerullo <fcerullo at owasp.org> wrote:
>
>> Hi Wong,
>>
>> Nice meeting you at DC! Following up on our conversation about a secure
>> coding competition, let's do a bit of brainstorming so we have a clear roadmap
>> to present at the Summit.
>>
>> Basically the idea is:
>>
>> - To organize regional competitions across Asia, EU, America, Latin
>> America following the same model as the one Cecil Su from OWASP used in
>> Singapore.
>> - The format would be: 3 day event where teams from universities and
>> higher learning education institutes are asked to code an application in a
>> secure fashion.
>> - The criteria for judging is based both on the functionality of the
>> application as well as the security aspects (i.e. how many vulnerabilities
>> are discovered).
>> - Winners of each region will go into an international competition that
>> could be held at one of the major OWASP Appsec conferences.
>> - Commercial firms could be sponsors/judges of the competition.
>> - OWASP being a central part as judge panel/organizer.
>>
>> I'm including Jeff Williams and the OWASP Global Education Committee in
>> this mail as they are very keen to engage with educational institutions.
>>
>> Thanks,
>>
>> Fabio
>>
>>
>> _______________________________________________
>> Global_education_committee mailing list
>> Global_education_committee at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/global_education_committee
>>
>>
>
>
> --
> Mark Bristow
>
> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
> AppSec DC 2010 Organizer - https://www.appsecdc.org
> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
>
>
>


-- 
Mark Bristow

OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
AppSec DC 2010 Organizer - https://www.appsecdc.org
OWASP DC Chapter Co-Chair - http://is.gd/5MTwu