[Owasp-board] PLEASE LOOK AT ASAP

Eoin eoin.keary at owasp.org
Wed Jan 12 11:16:33 UTC 2011


Looks like we did not do any due diligence on the site/solution.
We at least need to formally inform the organisation that their site is not
leading practice.
Eoin




On 12 January 2011 11:11, dinis cruz <dinis.cruz at owasp.org> wrote:

> well .... let's put this in perspective ....  as I mentioned on the leaders
> list there is a much worse vulnerability in regonline at the moment
>
> Seba found an SQL Injection which I believe Kate already reported
>
> Sarah, please don't change anything, this is just the nature of the web
> today, where big commercial websites have massive vulnerabilities that
> happen not to be exploited in a massive way so nobody notices it (hence the
> importance of OWASP who is trying to change this status quo).
>
> There is an interesting question here where *if OWASP as a commercial
> entity accepts this behaviour from one of its vendors,* but I leave that
> to the Board (CCed) to comment about it.
>
> Dinis Cruz
>
> On 12 January 2011 02:39, Sarah Baso <sarah.baso at owasp.org> wrote:
>
>> Dinis and Jason,
>> Would you please assess the JavaScript that Ralph raised a concern about?
>> Also, would you please reply independently on the leaders thread about the
>> CVV concern that Ofer Maor brought up?  I am not sure that the CVV is
>> technically required (probably depends on an internal risk assessment), but
>> I still think we want to act proactively in addressing these things.
>>
>> Thanks -- I do not have anywhere near the technical expertise or the time
>> to really do much with this other than understand that it is a problem and
>> communicate it to the right people:)
>>
>> Thanks,
>> Sarah
>>
>> ---------- Forwarded message ----------
>> From: Sarah Baso <sarah.baso at owasp.org>
>> Date: Tue, Jan 11, 2011 at 8:32 PM
>> Subject: Fwd: Summit Sponsorship and booking your trip
>> To: Ralph Durkee <ralph.durkee at owasp.org>
>>
>>
>> Ralph, thank you for the update. We'll forward this onto the technical
>> team for an assessment of the risk introduced by the third party JavaScript
>> and whether it can be remediated. We probably can't change this in time for
>> the Summit, but will work aggressively to handle this.
>>
>> I will also get back to you with an updated discount code asap tomorrow
>> morning.
>>
>> Thanks,
>> Sarah Baso
>> ---------- Forwarded message ----------
>> From: Ralph Durkee <rd at rd1.net>
>> Date: Tue, Jan 11, 2011 at 8:25 PM
>> Subject: Re: Summit Sponsorship and booking your trip
>> To: Sarah Baso <sarah.baso at owasp.org>
>> Cc: Ralph Durkee <rd at rd1.net>
>>
>>
>> It took a lot of playing with the web site to make the discount code text
>> box appear.  I'm using Firefox on Linux, with NoScript, which blocks
>> JavaScript, and allows you to selectively enable JavaScript from trusted
>> sites.  I think Firefox users on Windows are likely to experience the
>> same problem.  What I found:
>>
>> In addition to enabling JavaScript from regonline.com (which is expected)
>> I had to enable JavaScript from the domain ActiveStaic.net and had to
>> re-select the registration type.
>>
>> My recommendation is to avoid any 3rd party JavaScript, as users should
>> not be expected to trust 3rd parties, and the approach places the security
>> of the regonline web site in the hands of third parties.
>>
>> Hope this helps.
>> --Ralph
>>
>>
>>
>>
>> > Ralph... Did you figure it out or do you still need help?
>> >
>> > On the very first page after you selected your 4 night option, the
>> > discount code box should appear. Call me on my cell at 651 233 6334 if
>> > you want me to walk you through it.
>> >
>> > Sarah
>> >
>> > On 1/11/11, Ralph Durkee <rd at rd1.net> wrote:
>> >> Thanks!
>> >>
>> >>
>> >>> Ralph-
>> >>>
>> >>> To book your Summit Ticket and Accommodations, please go to our online
>> >>> registration system at:
>> >>>
>> >>> http://www.regonline.com/owasp_global_summit_2011
>> >>>
>> >>>
>> >>> When you select one of the 4 night lodging options on the main page
>> >>> (either shared or private -- OWASP is paying for the shared, but you can
>> >>> cover the difference yourself if you want private), enter your discount
>> >>> code *Durkee2*, which will take the OWASP sponsored portion ($800 USD +
>> >>> $180 for the two extra nights = $980) from the total amount due on your
>> >>> summit ticket and accommodations.
>> >>>
>> >>> You will need to add the two extra nights accommodation later in the
>> >>> registration process (the 3rd or 4th screen I think), but this should be
>> >>> covered by your coupon code so you won't end up paying for them.
>> >>>
>> >>> Also, the system will ask for your flight details (optionally), I
>> >>> already have that so you can enter it if you want but it is not
>> >>> necessary.
>> >>>
>> >>> Let me know if you have any questions --
>> >>>
>> >>> Sarah Baso
>> >>>
>> >>>
>> >>> On Tue, Jan 11, 2011 at 6:45 AM, Ralph Durkee <rd at rd1.net> wrote:
>> >>>
>> >>>> Home & office is 585-624-9551
>> >>>> Cell 585-755-9551
>> >>>>
>> >>>> --
>> >>>> Sent from my phone.  Please excuse my brevity.
>> >>>>
>> >>>> "Sarah Baso" <sarah.baso at owasp.org> wrote:
>> >>>>
>> >>>> >Ralph -  I also need your home phone number.
>> >>>> >
>> >>>> > Thanks,
>> >>>> >Sarah
>> >>>> >
>> >>>> >On Tue, Jan 11, 2011 at 5:40 AM, Ralph Durkee
>> >>>> ><ralph.durkee at owasp.org>wrote:
>> >>>> >
>> >>>> >>  Flight sounds fine. Go ahead and book.
>> >>>> >> Ralph L Durkee   11-03-1960
>> >>>> >> Thanks a bunch!
>> >>>> >>
>> >>>> >> --Ralph
>> >>>> >>
>> >>>> >>
>> >>>> >> On 1/11/2011 1:31 AM, Sarah Baso wrote:
>> >>>> >>
>> >>>> >> Ralph,
>> >>>> >> Leaving Monday and arriving Tuesday morning would certainly be
>> >>>> >> acceptable; however, our recommendation is that you arrive on Monday
>> >>>> >> so that you can be at the Summit for 4 full days (Tues, Wed, Thurs,
>> >>>> >> Fri) and depart Friday evening or Sat/Sunday depending on flight
>> >>>> >> availability and pricing.
>> >>>> >>
>> >>>> >> I have included a proposed flight itinerary (below) which leaves ROC
>> >>>> >> on Sunday evening, arriving in Lisbon on Monday.  Then you would
>> >>>> >> depart Lisbon on Sunday (13th) arriving back in ROC on the 13th.
>> >>>> >> Because a flight that leaves Lisbon on Sunday (instead of Friday
>> >>>> >> evening or Saturday) is significantly cheaper, OWASP would be willing
>> >>>> >> to pay for the extra two nights of accommodation.
>> >>>> >>
>> >>>> >> Look at the itinerary below and let me know your thoughts. I can
>> >>>> >> adjust it accordingly or even book this if you think it will work.
>> >>>> >> In order to book your trip I will need your name as it appears on
>> >>>> >> your passport and date of birth.
>> >>>> >>
>> >>>> >> Regards,
>> >>>> >> Sarah Baso
>> >>>> >>
>> >>>> >>   Sunday, February 6, 2011 Leave   Continental Airlines 2516
>> >>>> >>   Operated by: /EXPRESSJET AIRLINES INC DBA CO EXPRESS
>> >>>> >>
>> >>>> >>    - Economy
>> >>>> >>    - 60% on time
>> >>>> >>    - Embraer RJ135-145
>> >>>> >>    - 1hr 33min
>> >>>> >>    - 255 miles
>> >>>> >>
>> >>>> >>  Depart: 5:32pm evening Rochester, NY Rochester Monroe County (ROC)
>> >>>> >>  1 stop
>> >>>> >>  Arrive: 7:05pm evening Newark, NJ Newark Liberty Int'l (EWR)
>> >>>> >>
>> >>>> >> *Change planes.* Time between flights: *1hr 10min*
>> >>>> >>
>> >>>> >>    Continental Airlines 64
>> >>>> >>
>> >>>> >>    - Economy
>> >>>> >>    - Boeing 757
>> >>>> >>    - 6hr 55min
>> >>>> >>    - 3366 miles
>> >>>> >>
>> >>>> >>  Depart: 8:15pm evening Newark, NJ Newark Liberty Int'l (EWR)
>> >>>> >>  Arrive: 8:10am morning Lisbon, Portugal Lisbon Lisboa (LIS)
>> >>>> >>
>> >>>> >>    This is an overnight flight.
>> >>>> >>
>> >>>> >>   Total duration: 9hr 38min Total miles: 3621 miles
>> >>>> >>
>> >>>> >>   Sunday, February 13, 2011 Return   Continental Airlines 65
>> >>>> >>
>> >>>> >>    - Economy
>> >>>> >>    - Boeing 757
>> >>>> >>    - 8hr 15min
>> >>>> >>    - 3366 miles
>> >>>> >>
>> >>>> >>  Depart: 10:15am morning Lisbon, Portugal Lisbon Lisboa (LIS)
>> >>>> >>  1 stop
>> >>>> >>  Arrive: 1:30pm afternoon Newark, NJ Newark Liberty Int'l (EWR)
>> >>>> >>
>> >>>> >> *Change planes.* Time between flights: *3hr 30min*
>> >>>> >>
>> >>>> >>    Continental Airlines 2144   Operated by: /EXPRESSJET AIRLINES
>> >>>> >>    INC DBA CO EXPRESS
>> >>>> >>
>> >>>> >>    - Economy
>> >>>> >>    - 70% on time
>> >>>> >>    - Embraer RJ135-145
>> >>>> >>    - 1hr 22min
>> >>>> >>    - 255 miles
>> >>>> >>
>> >>>> >>  Depart: 5:00pm evening Newark, NJ Newark Liberty Int'l (EWR)
>> >>>> >>  Arrive: 6:22pm evening Rochester, NY Rochester Monroe County (ROC)
>> >>>> >>
>> >>>> >>   Total duration: 13hr 7min Total miles: 3621 miles
>> >>>> >>
>> >>>> >> On Mon, Jan 10, 2011 at 1:36 PM, Ralph Durkee
>> >>>> ><ralph.durkee at owasp.org>wrote:
>> >>>> >>
>> >>>> >>>  Thanks! Looking through the various pages and workshops, it's
>> >>>> >>> hard to get a feel for the schedule.  What's the recommended
>> >>>> >>> arrival and depart time window?  I'm seeing flights from Rochester
>> >>>> >>> that if I leave early Monday am I'd get there Tuesday 8:10am, does
>> >>>> >>> that work?
>> >>>> >>>
>> >>>> >>> --Ralph
>> >>>> >>>
>> >>>> >>> On 1/10/2011 1:04 PM, Sarah Baso wrote:
>> >>>> >>>
>> >>>> >>> Ralph-
>> >>>> >>>
>> >>>> >>> You have been selected to receive an OWASP sponsorship to attend
>> >>>> >>> the Summit.  To see the final list and stats, please visit:
>> >>>> >>> http://www.owasp.org/index.php/Summit_2011_Attendee/Summit_Attendees_Funds_-_Ranking_for_10th_Jan_2010
>> >>>> >>> (note that the previous wiki page /Summit_2011_Attendee/Stats is
>> >>>> >>> decommissioned)
>> >>>> >>>
>> >>>> >>> In order to expedite the reservation process - Kate Hartmann and I
>> >>>> >>> will now be handling the bookings (both accommodations and
>> >>>> >>> ticketing) for the Summit instead of Maria at Diplomata (who was
>> >>>> >>> previously the point of contact).
>> >>>> >>>
>> >>>> >>> We are finalizing an online system for the Summit ticket and
>> >>>> >>> accommodations and I should be able to send you a follow up email
>> >>>> >>> with a link to the site and instructions by the end of the day.  In
>> >>>> >>> the meantime, please go to www.orbitz.com and decide what flight you
>> >>>> >>> prefer to get to the Summit (arriving in Lisbon).  Save the trip as
>> >>>> >>> an itinerary and then email the itinerary to me.  I will do my best
>> >>>> >>> to accommodate your preferences - and let you know before I book if
>> >>>> >>> I cannot.
>> >>>> >>>
>> >>>> >>>  Also, please visit
>> >>>> >>> http://www.owasp.org/index.php/Summit_2011_Summit_Sponsorship_Fund
>> >>>> >>> for details on the sponsorship process and
>> >>>> >>> http://www.owasp.org/index.php/Summit_2011_Reservations for details
>> >>>> >>> on the pricing, etc.  *These pages may take up to 24 hours to
>> >>>> >>> reflect the new information on booking through me instead of
>> >>>> >>> Diplomata.*
>> >>>> >>>
>> >>>> >>> Look for another email from me later tonight with more details on
>> >>>> >>> the online booking process for accommodations.
>> >>>> >>>
>> >>>> >>> Thanks for your patience as we iron out the process and get
>> >>>> >>> everything booked!
>> >>>> >>>
>> >>>> >>> Sarah Baso
>> >>>> >>>
>> >>>> >>>
>> >>>> >>> --
>> >>>> >>> OWASP Global Summit Organizing Committee
>> >>>> >>> Secretary for OWASP Global Industry Committee
>> >>>> >>>
>> >>>> >>> Dir: 651-233-6334
>> >>>> >>> skype: sarah.baso
>> >>>> >>> sarah.baso at owasp.org <lorna.alamri at owasp.org>
>> >>>> >>>
>> >>>> >>>
>> >
>


-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary
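Ralph's point above about third-party JavaScript, as an added example that is not part of the original thread: a small Python audit that lists every external script on a page, classifies it as first- or third-party relative to the page's host, and flags third-party scripts that carry no Subresource Integrity attribute. The HTML and hostnames below are constructed placeholders, not the registration site's actual markup.

```python
"""Audit which origins a page loads scripts from (added example, constructed input)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page with placeholder hostnames, not any real site's markup.
# One third-party script has no integrity attribute, so the page's security
# rests on whatever that host serves; the other is pinned with SRI.
SAMPLE_HTML = """
<html><head>
<script src="/js/register.js"></script>
<script src="https://registration.example/js/discount.js"></script>
<script src="https://cdn.thirdparty.example/widget.js"></script>
<script src="//static.thirdparty.example/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Record the src and integrity attributes of every external <script>."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attr = dict(attrs)
        if attr.get("src"):
            self.scripts.append((attr["src"], attr.get("integrity")))


def script_origins(html, page_host):
    """Return (src, host, is_third_party, has_sri) for each external script."""
    parser = ScriptCollector()
    parser.feed(html)
    rows = []
    for src, integrity in parser.scripts:
        host = urlsplit(src).hostname  # None for same-origin relative paths
        third_party = host is not None and host.lower() != page_host.lower()
        rows.append((src, host or page_host, third_party, integrity is not None))
    return rows


def third_party_without_sri(html, page_host):
    """Third-party scripts to pin with SRI or, as Ralph recommends, drop."""
    return [src for src, _, tp, sri in script_origins(html, page_host) if tp and not sri]
```

A script pinned with SRI refuses to load when the third party changes it, which is the point: a silent change at the third party can no longer run inside the registration page.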