[Owasp-board] Project Platform

Josh Sokol josh.sokol at owasp.org
Mon Jun 1 18:20:51 UTC 2015


Can you get a quote for time and dollars to build this out?  Are there
other things that we could have this top-tier researcher do to add value
here?  Demonstration site?  A quick guide to XSS?  Just wondering how we
can scope this to get the most bang for our buck.

~josh

On Mon, Jun 1, 2015 at 11:04 AM, Timo Goosen <timo.goosen at owasp.org> wrote:

> I talked to the researcher that I have in mind. He said that the guide
> should include something about including text in the search bar to parse
> besides just talking about filter evasion (in the case of reflected XSS).
>
> He said there is also nothing on the XSS Evasion cheat sheet on scriptless
> or tagless XSS such as:
> http://www.darkreading.com/search.asp?q=Kenan%5C%27;(alert)(/0/)//Brute%5C
>
>
> Regards.
> Timo
>
> On Mon, Jun 1, 2015 at 5:42 PM, Timo Goosen <timo.goosen at owasp.org> wrote:
>
>> I might know of such an XSS assessment professional. I can ask if he will
>> be willing to update the information in exchange for payment. He is not an
>> OWASP volunteer. How do I go about setting up a budget and requesting
>> funding for such an effort?
>>
>> "More than money, I think we need top tier XSS assessment professionals
>> to evaluate and expand on the current XSS filter evasion cheat sheet. And
>> more than static payloads I'd love someone to contribute advice on more
>> contextual filter evasion.
>>
>> If anyone is interested in working on this or even "owning" this cheat
>> sheet as the lead editor, please drop me a line and let's talk.
>>
>> Aloha,
>> Jim"
>>
>>
>> On Fri, May 29, 2015 at 10:43 PM, Josh Sokol <josh.sokol at owasp.org>
>> wrote:
>>
>>> Timo,
>>>
>>> Could you please elaborate on what you would actually use these funds
>>> for and how much you think you need to update the XSS Evasion Cheat Sheet?
>>> OWASP Austin donated some money to the Foundation which we have been given
>>> the opportunity to choose how it is allocated and this sounds like it may
>>> be an area we can assist.
>>>
>>> ~josh
>>>
>>> On Fri, May 29, 2015 at 5:29 AM, Timo Goosen <timo.goosen at owasp.org>
>>> wrote:
>>>
>>>> I support this initiative.
>>>>
>>>> I'd like to see some funds allocated to updating the XSS Evasion Cheat
>>>> Sheet as well as all the other offensive related cheatsheets.
>>>>
>>>> Attacks are changing all the time and we need to put some money towards
>>>> having the latest info.
>>>>
>>>> Regards.
>>>> Timo
>>>>
>>>>
>>>>
>>>> On Thu, May 28, 2015 at 6:00 PM, Josh Sokol <josh.sokol at owasp.org>
>>>> wrote:
>>>>
>>>>> Some great thoughts and ideas here Matt and I agree with pretty much
>>>>> everything you've said.  IIRC, I think there were challenges with using
>>>>> Meetup as a platform over in APAC (China?) which I think is why it hasn't
>>>>> received a more global adoption.  In general, I do like the idea of a
>>>>> centralized platform for our chapters to organize events in a way where
>>>>> they are easily found by people in other communities.  For example, a
>>>>> search for "security" in Meetup should yield the OWASP meeting in your area.
>>>>>
>>>>> One thing that I also like about Meetup is the open Discussions
>>>>> forums.  I've tried for years now to get a social platform for OWASP that
>>>>> isn't the mailing list.  I've spent quite a bit of personal time with the
>>>>> content on http://my.owasp.org, and promoted it a few times, but
>>>>> despite my best efforts, it seems that OWASP very much prefers these old
>>>>> school mailing lists for communication.  It's been a great platform for
>>>>> OWASP Austin, but there's not much activity outside of that,
>>>>> unfortunately.  My ideal would be a scenario where content on the mailing
>>>>> list is sync'd to the discussion forums and vice-versa.  I'm not sure how
>>>>> possible that would be, but it would certainly make these kinds of
>>>>> conversations more available and searchable to those not "in the know".
>>>>>
>>>>> ~josh
>>>>>
>>>>> On Thu, May 28, 2015 at 10:07 AM, Matt Konda <matt.konda at owasp.org>
>>>>> wrote:
>>>>>
>>>>>> Hello all,
>>>>>>
>>>>>> Sorry in advance for the long email.
>>>>>>
>>>>>> Following up on our meeting and some discussions at AppSecEU, I
>>>>>> wanted to think more about the OWASP "platform".  I see one role of the
>>>>>> board as working to make it easy for the volunteers and leaders to succeed
>>>>>> with their projects, events and community building (chapters).
>>>>>>
>>>>>> I'm a visual person so I put this presentation together with boxes
>>>>>> and colors as a point of reference.  I'm interested in your feedback
>>>>>> (comments enabled).  Please be patient with me, this is just a rough idea
>>>>>> and is not intended in any way to be a criticism of where we are and what
>>>>>> we are doing!!!  I made notes in the notes area to explain my color choices.
>>>>>>
>>>>>>
>>>>>> https://docs.google.com/a/owasp.org/presentation/d/1SLd1BG4TxrN75NqQo8_zKLC8CfhYa8WgfkXx7mcerhU/edit?usp=sharing
>>>>>>
>>>>>> Getting more concrete, I want to suggest based on this thought
>>>>>> process that we invest in Meetup as an organization and hire a technical
>>>>>> writer on a 3 month contract basis.
>>>>>>
>>>>>> Here is the long story of why:
>>>>>>
>>>>>> I asked one successful project leader what OWASP could do to remove
>>>>>> obstacles to success and their answer (paraphrasing) was something like
>>>>>> this:
>>>>>>
>>>>>> "We struggle with:  publicity, documentation and training courses."
>>>>>>
>>>>>> This made me think that a concrete investment we could make to
>>>>>> support projects would be to hire a contract technical writer to help with
>>>>>> documentation across projects and the wiki.  Assuming a 3 month, full time
>>>>>> gig at a rate of $40 per hour (75th percentile according to this
>>>>>> http://www.bls.gov/oes/current/oes273042.htm) would cost
>>>>>> approximately 21K.
>>>>>>
>>>>>> We could build a list of tasks focused on:
>>>>>>
>>>>>>    - Documentation for 3 projects
>>>>>>    - 10 wiki page updates per week (2 per day based on google
>>>>>>    analytics top hits)
>>>>>>
>>>>>> I imagine the person would work closely with the project co-ordinator
>>>>>> and community manager.
>>>>>>
>>>>>> I don't know just what is realistic, but I am interested in exploring
>>>>>> ways that we can model and then build a platform of core services that the
>>>>>> foundation can provide to support projects, chapters and events - with the
>>>>>> goal of making it easier to have success with our volunteers and leaders.
>>>>>>
>>>>>> What do you think?  One thing that would help me is if we can think
>>>>>> about the metrics we wanted to measure in strategic goals and whether these
>>>>>> things would move the needle.  I haven't gotten there yet, but it seems to
>>>>>> make sense...
>>>>>>
>>>>>> Input appreciated!!!
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Owasp-board mailing list
>>>>>> Owasp-board at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>