[Owasp-board] PLEASE LOOK AT ASAP

Matt Tesauro matt.tesauro at owasp.org
Wed Jan 12 14:14:39 UTC 2011


From what I've gathered in conversations with Kate about RegOnline:
(1) It is *SIGNIFICANTLY* better than CVENT, both in terms of
functionality offered and price
(2) RegOnline has been eager and approachable when OWASP has made
requests to date

So, since we all know that most sites have problems++, let's report them
to RegOnline and see if they address them.

If they refuse to fix and/or acknowledge them, then we will have an issue
to discuss at the board level as raised by Dinis:
> *if OWASP as a commercial
> entity accepts this behaviour from one of its vendors,*

BTW, to be pedantic, OWASP is not (and never has been) a commercial entity
;) but we have entered into a commercial relationship with a vendor.

Also, for the near term, consider the fact that we have a contract with
them and the known alternative (CVENT) is not a very good option.  Does
our contract say anything about security vulnerabilities in their
service?  If not, OWASP should really use the recommendations we propose
for other entities (e.g. dog food the OWASP Legal Project's Contract Annex).

Cheers!

--
-- Matt Tesauro
OWASP Board Member
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site

On 01/12/2011 05:11 AM, dinis cruz wrote:
> well .... lets put this in perspective ....  as I mentioned on the
> leaders list there is a much worse vulnerability in regonline at the moment
> 
> Seba found an SQL Injection which I believe Kate already reported
> 
> Sarah, please don't change anything, this is just the nature of the web
> today, where big commercial websites have massive vulnerabilities that
> happen not to be exploited in a massive way so nobody notices it (hence the
> importance of OWASP who is trying to change this status quo).
> 
> There is an interesting question here where *if OWASP as a commercial
> entity accepts this behaviour from one of its vendors,* but I leave that
> to the Board (CCed) to comment about it.
> 
> Dinis Cruz
> 
> On 12 January 2011 02:39, Sarah Baso <sarah.baso at owasp.org
> <mailto:sarah.baso at owasp.org>> wrote:
> 
>     Dinis and Jason,
>     Would you please assess the JavaScript that Ralph raised a concern
>     about?  Also, would you please reply independently on the leaders
>     thread about the CVV concern that Ofer Maor brought up?  I am not
>     sure that the CVV is technically required (probably depends on an
>     internal risk assessment), but I still think we want to act
>     proactively in addressing these things.
> 
>     Thanks -- I do not have anywhere near the technical expertise or the
>     time to really do much with this other than understand that it is a
>     problem and communicate it to the right people:)
> 
>     Thanks,
>     Sarah
> 
>     ---------- Forwarded message ----------
>     From: *Sarah Baso* <sarah.baso at owasp.org <mailto:sarah.baso at owasp.org>>
>     Date: Tue, Jan 11, 2011 at 8:32 PM
>     Subject: Fwd: Summit Sponsorship and booking your trip
>     To: Ralph Durkee <ralph.durkee at owasp.org
>     <mailto:ralph.durkee at owasp.org>>
> 
> 
>     Ralph, thank you for the update. We'll forward this onto the
>     technical team for an assessment of the risk introduced by the third
>     party JavaScript and whether it can be remediated. We probably can't
>     change this in time for the Summit, but will work aggressively to
>     handle this.
> 
>     I will also get back to you with an updated discount code asap
>     tomorrow morning.
> 
>     Thanks,
>     Sarah Baso
>     ---------- Forwarded message ----------
>     From: *Ralph Durkee* <rd at rd1.net <mailto:rd at rd1.net>>
>     Date: Tue, Jan 11, 2011 at 8:25 PM
>     Subject: Re: Summit Sponsorship and booking your trip
>     To: Sarah Baso <sarah.baso at owasp.org <mailto:sarah.baso at owasp.org>>
>     Cc: Ralph Durkee <rd at rd1.net <mailto:rd at rd1.net>>
> 
> 
>     It took a lot of playing with the web site to make the discount code
>     text box appear.  I'm using FireFox on Linux, with no-script, which blocks
>     JavaScript, and allows you to selectively enable JavaScript from trusted
>     sites.   I think FireFox users on Windows are likely to experience the
>     same problem.  What I found:
> 
>     In addition to enabling JavaScript from regonline.com
>     <http://regonline.com> (which is expected), I had to enable JavaScript
>     from the domain ActiveStaic.net and had to re-select the registration type.
> 
>     My recommendation is to avoid any 3rd party JavaScript, as users should
>     not be expected to trust 3rd parties, and the approach places the
>     security of the regonline web site in the hands of third parties.
> 
>     Hope this helps.
>     --Ralph
> 
> 
> 
> 
>     > Ralph... Did you figure it out or do you still need help?
>     >
>     > On the very first page after you selected your 4 night option, the
>     > discount code box should appear. Call me on my cell at 651 233 6334 if
>     > you want me to walk you through it.
>     >
>     > Sarah
>     >
>     > On 1/11/11, Ralph Durkee <rd at rd1.net <mailto:rd at rd1.net>> wrote:
>     >> Thanks!
>     >>
>     >>
>     >>> Ralph-
>     >>>
>     >>> To book your Summit Ticket and Accommodations, please go to our
>     online
>     >>> registration system at:
>     >>>
>     >>> http://www.regonline.com/owasp_global_summit_2011
>     >>>
>     >>>
>     >>> When you select one of the 4 night lodging options on the main page
>     >>> (either
>     >>> shared or private -- OWASP is paying for the shared, but you can
>     cover
>     >>> the
>     >>> difference yourself if you want private), enter your discount code
>     >>> *Durkee2
>     >>> *, which will take the OWASP sponsored portion ($800 USD + $180
>     for the
>     >>> two
>     >>> extra nights = $980) from the total amount due on your summit ticket
>     >>> and
>     >>> accommodations.
>     >>>
>     >>> You will need to add the two extra nights accommodation later in the
>     >>> registration process (the 3rd or 4th screen i think), but this
>     should
>     >>> be
>     >>> covered by your coupon code so you won't end up paying for them.
>     >>>
>     >>> Also, the system will ask for your flight details (optionally), I
>     >>> already
>     >>> have that so you can enter it if you want but it is not necessary.
>     >>>
>     >>> Let me know if you have any questions --
>     >>>
>     >>> Sarah Baso
>     >>>
>     >>>
>     >>> On Tue, Jan 11, 2011 at 6:45 AM, Ralph Durkee <rd at rd1.net
>     <mailto:rd at rd1.net>> wrote:
>     >>>
>     >>>> Home & office is 585-624-9551
>     >>>> Cell 585-755-9551
>     >>>>
>     >>>> --
>     >>>> Sent from my phone.  Please excuse my brevity.
>     >>>>
>     >>>> "Sarah Baso" <sarah.baso at owasp.org
>     <mailto:sarah.baso at owasp.org>> wrote:
>     >>>>
>     >>>> >Ralph -  I also need your home phone number.
>     >>>> >
>     >>>> > Thanks,
>     >>>> >Sarah
>     >>>> >
>     >>>> >On Tue, Jan 11, 2011 at 5:40 AM, Ralph Durkee
>     >>>> ><ralph.durkee at owasp.org <mailto:ralph.durkee at owasp.org>>wrote:
>     >>>> >
>     >>>> >>  Flight sounds fine. Go ahead and book.
>     >>>> >> Ralph L Durkee   11-03-1960
>     >>>> >> Thanks a bunch!
>     >>>> >>
>     >>>> >> --Ralph
>     >>>> >>
>     >>>> >>
>     >>>> >> On 1/11/2011 1:31 AM, Sarah Baso wrote:
>     >>>> >>
>     >>>> >> Ralph,
>     >>>> >> Leaving Monday and arriving Tuesday morning would certainly be
>     >>>> >acceptable;
>     >>>> >> however, our recommendation is that you arrive on Monday so that
>     >>>> you
>     >>>> >can be
>     >>>> >> at the Summit for 4 full days (Tues, Wed, Thurs, Fri) and depart
>     >>>> >Friday
>     >>>> >> evening or Sat/Sunday depending on flight availability and
>     pricing.
>     >>>> >>
>     >>>> >> I have included a proposed flight itinerary (below) which
>     leaves ROC
>     >>>> on
>     >>>> >> Sunday evening, arriving in Lisbon on Monday.  Then you would
>     >>>> depart
>     >>>> >Lisbon
>     >>>> >> on Sunday (13th) arriving back in ROC on the 13th.  Because a
>     >>>> flight
>     >>>> >that
>     >>>> >> leaves Lisbon on Sunday (instead of Friday evening or
>     Saturday) is
>     >>>> >> significantly cheaper, OWASP would be willing to pay for the
>     extra
>     >>>> >two
>     >>>> >> nights of accommodation.
>     >>>> >>
>     >>>> >> Look at the itinerary below and let me know your thoughts. I can
>     >>>> >adjust it
>     >>>> >> accordingly or even book this if you think it will work.  In
>     order
>     >>>> to
>     >>>> >book
>     >>>> >> your trip I will need your name as it appears on your
>     passport and
>     >>>> >date of
>     >>>> >> birth.
>     >>>> >>
>     >>>> >> Regards,
>     >>>> >> Sarah Baso
>     >>>> >>
>     >>>> >>   Sunday, February 6, 2011 Leave   Continental Airlines 2516
>     >>>> >Operated
>     >>>> >> by: /EXPRESSJET AIRLINES INC DBA CO EXPRESS
>     >>>> >>
>     >>>> >>    - Economy
>     >>>> >>    - 60% on time
>     >>>> >>    - Embraer RJ135-145
>     >>>> >>    - 1hr 33min
>     >>>> >>    - 255 miles
>     >>>> >>
>     >>>> >>
>     >>>> >>  Depart: 5:32pm evening Rochester, NY Rochester Monroe
>     County (ROC)
>     >>>> >1
>     >>>> >> stop
>     >>>> >>  Arrive: 7:05pm evening Newark, NJ Newark Liberty Int'l (EWR)
>     >>>> >>
>     >>>> >> *Change planes.* Time between flights: *1hr 10min*****
>     >>>> >>
>     >>>> >>    Continental Airlines 64
>     >>>> >>
>     >>>> >>    - Economy
>     >>>> >>    - Boeing 757
>     >>>> >>    - 6hr 55min
>     >>>> >>    - 3366 miles
>     >>>> >>
>     >>>> >>
>     >>>> >>  Depart: 8:15pm evening Newark, NJ Newark Liberty Int'l (EWR)
>     >>>> >>  Arrive: 8:10am morning Lisbon, Portugal Lisbon Lisboa (LIS)
>     >>>> >>
>     >>>> >>    This is an overnight flight.
>     >>>> >>
>     >>>> >>   Total duration: 9hr 38min Total miles: 3621 miles     Sunday,
>     >>>> >February
>     >>>> >> 13, 2011 Return   Continental Airlines 65
>     >>>> >>
>     >>>> >>    - Economy
>     >>>> >>    - Boeing 757
>     >>>> >>    - 8hr 15min
>     >>>> >>    - 3366 miles
>     >>>> >>
>     >>>> >>
>     >>>> >>  Depart: 10:15am morning Lisbon, Portugal Lisbon Lisboa (LIS)  1
>     >>>> stop
>     >>>> >>  Arrive: 1:30pm afternoon Newark, NJ Newark Liberty Int'l (EWR)
>     >>>> >>
>     >>>> >> *Change planes.* Time between flights: *3hr 30min*****
>     >>>> >>
>     >>>> >>    Continental Airlines 2144   Operated by: /EXPRESSJET AIRLINES
>     >>>> INC
>     >>>> >DBA
>     >>>> >> CO EXPRESS
>     >>>> >>
>     >>>> >>    - Economy
>     >>>> >>    - 70% on time
>     >>>> >>    - Embraer RJ135-145
>     >>>> >>    - 1hr 22min
>     >>>> >>    - 255 miles
>     >>>> >>
>     >>>> >>
>     >>>> >>  Depart: 5:00pm evening Newark, NJ Newark Liberty Int'l (EWR)
>     >>>> >>  Arrive: 6:22pm evening Rochester, NY Rochester Monroe
>     County (ROC)
>     >>>> >>
>     >>>> >>
>     >>>> >>   Total duration: 13hr 7min Total miles: 3621 miles
>     >>>> >>
>     >>>> >> On Mon, Jan 10, 2011 at 1:36 PM, Ralph Durkee
>     >>>> ><ralph.durkee at owasp.org <mailto:ralph.durkee at owasp.org>>wrote:
>     >>>> >>
>     >>>> >>>  Thanks! Looking through the various pages and workshops, it's
>     >>>> hard
>     >>>> >to get
>     >>>> >>> a feel for the schedule.  What's the recommended arrival and
>     >>>> depart
>     >>>> >time
>     >>>> >>> window.  I'm seeing flights from Rochester that if I leave
>     early
>     >>>> >Monday am
>     >>>> >>> I'd get there Tuesday 8:10am, does that work?
>     >>>> >>>
>     >>>> >>> --Ralph
>     >>>> >>>
>     >>>> >>> On 1/10/2011 1:04 PM, Sarah Baso wrote:
>     >>>> >>>
>     >>>> >>> Ralph-
>     >>>> >>>
>     >>>> >>> You have been selected to receive an OWASP sponsorship to
>     attend
>     >>>> the
>     >>>> >>> Summit.  To see the final list and stats, please visit:*
>     >>>> >>>
>     >>>> >
>     >>>>
>     http://www.owasp.org/index.php/Summit_2011_Attendee/Summit_Attendees_Funds_-_Ranking_for_10th_Jan_2010
>     >>>> >>> * (note that the previous wiki page
>     /Summit_2011_Attendee/Stats is
>     >>>> >>> decommissioned)
>     >>>> >>>
>     >>>> >>> In order to expedite the reservation process - Kate
>     Hartmann and I
>     >>>> >will
>     >>>> >>> now be handling the bookings (both accommodations and
>     ticketing)
>     >>>> for
>     >>>> >the
>     >>>> >>> Summit instead of Maria at Diplomata (who was previously
>     the point
>     >>>> >of
>     >>>> >>> contact).
>     >>>> >>>
>     >>>> >>> We are finalizing an online system for the Summit ticket and
>     >>>> >>> accommodations and I should be able to send you a follow up
>     email
>     >>>> >with a
>     >>>> >>> link to the site and instructions by the end of the day.
>      In the
>     >>>> >meantime,
>     >>>> >>> please go to www.orbitz.com <http://www.orbitz.com> and
>     decide what flight you prefer to
>     >>>> get
>     >>>> >to
>     >>>> >>> the Summit (arriving in Lisbon).  Save the trip as an itinerary
>     >>>> and
>     >>>> >then
>     >>>> >>> email the itinerary for me.  I will do my best to
>     accommodate your
>     >>>> >>> preferences - and letting you know before I book if I cannot.
>     >>>> >>>
>     >>>> >>>  Also, please visit
>     >>>> >>>
>     http://www.owasp.org/index.php/Summit_2011_Summit_Sponsorship_Fund
>     >>>> >for
>     >>>> >>> details on the sponsorship process and
>     >>>> >>> http://www.owasp.org/index.php/Summit_2011_Reservations for
>     >>>> details
>     >>>> >on
>     >>>> >>> the pricing, etc.  *These pages may take up to 24 hours to
>     reflect
>     >>>> >the
>     >>>> >>> new information on booking through me instead of Diplomata.*
>     >>>> >>>
>     >>>> >>> Look for another email from me later tonight with more
>     details on
>     >>>> >the
>     >>>> >>> online booking process for accommodations.
>     >>>> >>>
>     >>>> >>> Thanks for your patience as we iron out the process and get
>     >>>> >everything
>     >>>> >>> booked!
>     >>>> >>>
>     >>>> >>> Sarah Baso
>     >>>> >>>
>     >>>> >>>
>     >>>> >>> --
>     >>>> >>> OWASP Global Summit Organizing Committee
>     >>>> >>> Secretary for OWASP Global Industry Committee
>     >>>> >>>
>     >>>> >>> Dir: 651-233-6334
>     >>>> >>> skype: sarah.baso
>     >>>> >>> sarah.baso at owasp.org <mailto:sarah.baso at owasp.org>
>     <lorna.alamri at owasp.org <mailto:lorna.alamri at owasp.org>>
>     >>>> >>>
>     >>>> >>>
>     >>>> >>
>     >>>> >>
>     >>>> >> --
>     >>>> >> OWASP Global Summit Organizing Committee
>     >>>> >> Secretary for OWASP Global Industry Committee
>     >>>> >>
>     >>>> >> Dir: 651-233-6334
>     >>>> >> skype: sarah.baso
>     >>>> >> sarah.baso at owasp.org <mailto:sarah.baso at owasp.org>
>     <lorna.alamri at owasp.org <mailto:lorna.alamri at owasp.org>>
>     >>>> >>
>     >>>> >>
>     >>>> >
>     >>>> >
>     >>>> >--
>     >>>> >OWASP Global Summit Organizing Committee
>     >>>> >Secretary for OWASP Global Industry Committee
>     >>>> >
>     >>>> >Dir: 651-233-6334
>     >>>> >skype: sarah.baso
>     >>>> >sarah.baso at owasp.org <mailto:sarah.baso at owasp.org>
>     <lorna.alamri at owasp.org <mailto:lorna.alamri at owasp.org>>
>     >>>>
>     >>>>
>     >>>
>     >>>
>     >>> --
>     >>> OWASP Global Summit Organizing Committee
>     >>> Secretary for OWASP Global Industry Committee
>     >>>
>     >>> Dir: 651-233-6334
>     >>> skype: sarah.baso
>     >>> sarah.baso at owasp.org <mailto:sarah.baso at owasp.org>
>     <lorna.alamri at owasp.org <mailto:lorna.alamri at owasp.org>>
>     >>>
>     >>
>     >>
>     >>
>     >
>     > --
>     > Sent from my mobile device
>     >
>     > OWASP Global Summit Organizing Committee
>     > Secretary for OWASP Global Industry Committee
>     >
>     > Dir: 651-233-6334
>     > skype: sarah.baso
>     > sarah.baso at owasp.org <mailto:sarah.baso at owasp.org>
>     <lorna.alamri at owasp.org <mailto:lorna.alamri at owasp.org>>
>     >
> 
> 
> 
> 
> 
>     -- 
>     OWASP Global Summit Organizing Committee
>     Secretary for OWASP Global Industry Committee
> 
>     Dir: 651-233-6334
>     skype: sarah.baso
>     sarah.baso at owasp.org <mailto:lorna.alamri at owasp.org>
> 
> 
> 
> 
>     -- 
>     OWASP Global Summit Organizing Committee
>     Secretary for OWASP Global Industry Committee
> 
>     Dir: 651-233-6334
>     skype: sarah.baso
>     sarah.baso at owasp.org <mailto:lorna.alamri at owasp.org>
> 
> 
> 
> 
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
