[Owasp-board] Project Platform

Eoin Keary eoin.keary at owasp.org
Thu Jun 4 19:51:32 UTC 2015


I'd suggest you keep old vectors? It would be nice to discuss the evolution and why they are not effective anymore....?

Eoin Keary
BCC Risk Advisory - edgescan CTO
Gartner "notable vendor" MSSP MQ



> On 4 Jun 2015, at 20:44, Jim Manico <jim.manico at owasp.org> wrote:
> 
> Also,
> 
> Tons of the vectors in this cheat sheet are for older browsers. As part of this paid effort, I'd be stoked to see all vectors verified against the main browsers in use today.
> 
> I am happy to use any budget left from the Cheatsheet series (if we have any) to support this effort. The XSS filter evasion cheatsheet is one of the top viewed pages in all of OWASP.
> 
> Aloha,
> Jim
> 
> 
>> On 6/1/15 11:20 AM, Josh Sokol wrote:
>> Can you get a quote for time and dollars to build this out?  Are there other things that we could have this top-tier researcher do to add value here?  Demonstration site?  A quick guide to XSS?  Just wondering how we can scope this to get the most bang for our buck.
>> 
>> ~josh
>> 
>> On Mon, Jun 1, 2015 at 11:04 AM, Timo Goosen <timo.goosen at owasp.org> wrote:
>>> I talked to the researcher I that I have in mind. He said that the guide should include something about including text in the search bar to parse besides just talking about filter evasion (in the case of reflected XSS.
>>> 
>>> He said there is also nothing on the XSS Evasion cheat sheet on scriptless or tagless XSS such as:
>>> http://www.darkreading.com/search.asp?q=Kenan%5C%27;(alert)(/0/)//Brute%5C
>>> 
>>> 
>>> Regards.
>>> Timo
>>> 
>>> On Mon, Jun 1, 2015 at 5:42 PM, Timo Goosen <timo.goosen at owasp.org> wrote:
>>>> I might know of  such a XSS assessment professional. I can ask if he will be willing to update the information in exchange for payment. He is not an OWASP volunteer. How do I go about setting up a budget and requesting funding for such an effort?
>>>> 
>>>> "More than money, I think we need top tier XSS assessment professionals to evaluate and expand on the current XSS filter evasion cheat sheet. And more than static payloads I'd love someone to contribute advice on more contextual filter evasion.
>>>> 
>>>> If anyone is interested in working on this or even "owning" this cheat sheet as the lead editor, please drop me a line and let's talk.
>>>> 
>>>> Aloha,
>>>> Jim"
>>>> 
>>>> 
>>>> On Fri, May 29, 2015 at 10:43 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>>> Timo,
>>>>> 
>>>>> Could you please elaborate on what you would actually use these funds for and how much you think you need to update the XSS Evasion Cheat Sheet?  OWASP Austin donated some money to the Foundation which we have been given the opportunity to choose how it is allocated and this sounds like it may be an area we can assist.
>>>>> 
>>>>> ~josh
>>>>> 
>>>>>> On Fri, May 29, 2015 at 5:29 AM, Timo Goosen <timo.goosen at owasp.org> wrote:
>>>>>> I support this initiative. 
>>>>>> 
>>>>>> I'd like to see some funds allocated to updating the XSS Evasion Cheat Sheet as well as all the other offensive related cheatsheets. 
>>>>>> 
>>>>>> Attacks are changing all the time and we need to put some money towards having the latest info.
>>>>>> 
>>>>>> Regards.
>>>>>> Timo
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> On Thu, May 28, 2015 at 6:00 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>>>>> Some great thoughts and ideas here Matt and I agree with pretty much everything you've said.  IIRC, I think there were challenges with using Meetup as a platform over in APAC (China?) which I think is why it hasn't received a more global adoption.  In general, I do like the idea of a centralized platform for our chapters to organize events in a way where they are easily found by people in other communities.  For example, a search for "security" in Meetup should yield the OWASP meeting in your area.
>>>>>>> 
>>>>>>> One thing that I also like about Meetup is the open Discussions forums.  I've tried for years now to get a social platform for OWASP that isn't the mailing list.                                                          I've spent quite a bit of personal time with the content on http://my.owasp.org, and promoted it a few times, but despite my best efforts, it seems that OWASP very much prefers these old school mailing lists for communication.  It's been a great platform for OWASP Austin, but there's not much activity outside of that, unfortunately.  My ideal would be a scenario where content on the mailing list is sync'd to the discussion forums and vice-versa.  I'm not sure how possible that would be, but it would certainly make these kinds of conversations more available and searchable to those not "in the know".
>>>>>>> 
>>>>>>> ~josh
>>>>>>> 
>>>>>>> On Thu, May 28, 2015 at 10:07 AM, Matt Konda <matt.konda at owasp.org> wrote:
>>>>>>>> Hello all,
>>>>>>>> 
>>>>>>>> Sorry in advance for the long email.
>>>>>>>> 
>>>>>>>> Following up on our meeting and some discussions at AppSecEU, I wanted to think more about the OWASP "platform".  I see one role of the board as working to make it easy for the volunteers and leaders to succeed with their projects, events and community                                                           building (chapters).
>>>>>>>> 
>>>>>>>> I'm a visual person so I put this presentation together with boxes and colors as a point of reference.  I'm interested in your                                                           feedback (comments enabled).  Please be patient with me, this is just a rough idea and is not intended in any way to be a criticism of where we are and what we are doing!!!  I made notes in the notes area to explain my color choices.
>>>>>>>> 
>>>>>>>> https://docs.google.com/a/owasp.org/presentation/d/1SLd1BG4TxrN75NqQo8_zKLC8CfhYa8WgfkXx7mcerhU/edit?usp=sharing
>>>>>>>> 
>>>>>>>> Getting more concrete, I want to                                                           suggest based on this thought process that we invest in Meetup as an organization and hire a technical writer on a 3 month contract basis.
>>>>>>>> 
>>>>>>>> Here is the long story of why: 
>>>>>>>> 
>>>>>>>> I asked one successful project leader what OWASP could do to                                                           remove obstacles to success and their answer (paraphrasing) was something like this: 
>>>>>>>> 
>>>>>>>> "We struggle with:  publicity, documentation and training courses."
>>>>>>>> 
>>>>>>>> This made me think that a concrete investment we could make to support projects would be to hire a contract technical writer to help with documentation across projects and the wiki.  Assuming a 3 month, full time gig at a rate of $40 per hour (75th percentile according to this http://www.bls.gov/oes/current/oes273042.htm) would cost approximately 21K.  
>>>>>>>> 
>>>>>>>> We could build a list of tasks focused on:  
>>>>>>>> Documentation for 3 projects
>>>>>>>> 10 wiki page updates per week (2 per day based on google analytics top hits)
>>>>>>>> I imagine the person would work closely with the project co-ordinator and community manager.
>>>>>>>> 
>>>>>>>> I don't know just what is realistic, but I am interested in exploring ways that we can model and then build a platform of core services that the foundation can provide to support projects, chapters and events - with the goal of making it easier to have success with our volunteers and leaders.
>>>>>>>> 
>>>>>>>> What do you think?  One thing that would help me is if we can think about the metrics we wanted to measure in strategic goals and whether these things would move the needle.  I haven't gotten there yet, but it seems to make sense...
>>>>>>>> 
>>>>>>>> Input appreciated!!!
>>>>>>>> 
>>>>>>>> Matt
>>>>>>>> 
>>>>>>>> 
>>>>>>>> _______________________________________________
>>>>>>>> Owasp-board mailing list
>>>>>>>> Owasp-board at lists.owasp.org
>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>> 
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> Owasp-board mailing list
>>>>>>> Owasp-board at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>> 
>> 
>> 
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
> 
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20150604/1d8b6ab0/attachment-0001.html>


More information about the Owasp-board mailing list