[Owasp-board] ACTION: Help Secure OWASP assets

johanna curiel curiel johanna.curiel at owasp.org
Sat Feb 13 01:46:42 UTC 2016


Frank,

Would you like to help us as an adviser for hiring (if a barter deal is
reached) a bug bounty management service such as BugCrowd?
These efforts can be combined with the Bounty Program for OWASP wiki.

We will cc you the info if you have time.

Cheers

Johanna


On Fri, Feb 12, 2016 at 9:10 PM, Frank Catucci <frank.catucci at owasp.org>
wrote:

> Johanna,
>
> I have signed up on the wiki you created for assets and provided some
> edits. I think combining efforts from:
>
> https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
>
> And
>
> https://www.owasp.org/index.php/Help_Secure_Owasp_assests
>
> will provide a good start. I still think addressing resources and the
> formal bug bounty program discussion will be valuable as well. I look
> forward to the collaboration.
>
> Regards,
>
> Frank
>
>
> On Feb 12, 2016, at 5:48 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
> Andrew H, Frank and all of those volunteers who have kindly offered their
> help.
>
> Thank you very much for volunteering to secure OWASP assets and web
> applications.
>
> I will set this topic on the board's agenda.
>
> For everyone that wants to help instead of preach, I have set this wiki
> page:
> https://www.owasp.org/index.php/Help_Secure_Owasp_assests
>
> Set your name if you have editing rights to the wiki.
> Otherwise contact me, and I'll gladly set your name on the list.
>
>
> Cheers
>
> Johanna
>
>
>
> On Fri, Feb 12, 2016 at 5:57 PM, Andrew Hamilton <
> andrew.hamilton at owasp.org> wrote:
>
>> Hello,
>>
>> I'm CTO of Primus Services (http://www.primusservices.com).  I'm willing
>> to volunteer my team's time and our services as a SOC to handle SIEM,
>> scheduled vulnerability testing, and a general security assessment to build
>> an IR plan.  We can also help with an IT transformation strategy like what
>> Andrew van der Stock suggests earlier in the list.  In short, we're happy
>> to donate our time as this is a project we believe in.
>>
>> Cheers,
>> Andrew Hamilton
>>
>> On Fri, Feb 12, 2016 at 2:53 PM, Frank Catucci <frank.catucci at owasp.org>
>> wrote:
>>
>>> All,
>>>
>>> I spoke to Jim briefly about this at AppSec Cali, and I am still willing
>>> to assist but I am afraid we are at a crossroads. I still think a bug
>>> bounty program is a great idea no matter what scope we start with or
>>> progress to. However, the issue of security resources dedicated to this
>>> effort needs to be discussed with a very real and tangible outcome and
>>> timeline. Whether we decide to pay for these positions and resources or
>>> not, the discussion needs to happen. How important is this to OWASP? That's
>>> a great starting point IMO....
>>>
>>> Regards,
>>>
>>> Frank
>>>
>>> On Feb 12, 2016, at 2:46 PM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>> *>>For OWASP website did you conduct a risk analysis, threat modelling,
>>> secure code and security testing? *
>>> *We must apply these application security practices to our assets first.
>>> We must be a good example for others.*
>>>
>>> Are you serious 😏?
>>> We are a bunch of 'appsec expert' volunteers who have no time for
>>> that...😝
>>>
>>> Wait, 😓that looks like the excuse the developer gave me last week when
>>> I tested his app,
>>>
>>> 🙁 he told me he didn't have time to implement security because he had
>>> to push the release
>>> and all those OWASP's guidelines are making him crazy 😒
>>>
>>> We are a volunteer based org that promotes web security🤔
>>> No resources to maintain and manage properly, no time for planning, risk
>>> analysing, patching, testing...😓
>>> just like that Dev without time to implement 😕security, or that
>>> company without budget...😧
>>>
>>> OWASP top ten, OpenSAMM, ASVS, Code Review....🤔
>>>
>>> XSS bugs on the XSS cheat sheet wiki were found and reported months ago 😕
>>>
>>> 😵 wait...we don't practice what we preach 😨😲😱
>>>
>>>
>>>
>>> Ok folks, I'm poking you. Seriously, are we now at the same level as
>>> those companies and devs we advise so hard about security, and who always
>>> have an excuse why they can't?
>>>
>>> You see now how hard it is to do it sometimes...those guidelines &
>>> knowledge are worth nothing if there is no proper execution.
>>>
>>> On Fri, Feb 12, 2016 at 2:43 PM, Azzeddine Ramrami <
>>> azzeddine.ramrami at owasp.org> wrote:
>>>
>>>> Hi,
>>>> For OWASP website did you conduct a risk analysis, threat modeling,
>>>> secure code and security testing?
>>>>
>>>> We must apply these application security practices to our assets first.
>>>> We must be a good example for others.
>>>>
>>>> Regards
>>>> Azzeddine RAMRAMI
>>>> On 12 Feb 2016 7:34 PM, "Richard Greenberg" <
>>>> richard.greenberg at owasp.org> wrote:
>>>>
>>>>> +1
>>>>>
>>>>> Richard Greenberg, CISSP
>>>>> President, OWASP Los Angeles, www.owaspla.org
>>>>> ISSA Fellow
>>>>> President, ISSA Los Angeles, www.issa-la.org
>>>>> LinkedIn:  http://www.linkedin.com/in/richardagreenberg
>>>>> (424) 261-8111
>>>>>
>>>>> On Thu, Feb 11, 2016 at 10:11 PM, Andrew van der Stock <
>>>>> vanderaj at owasp.org> wrote:
>>>>>
>>>>>> Agreed.
>>>>>>
>>>>>> Andrew
>>>>>>
>>>>>> On Fri, Feb 12, 2016 at 4:54 PM, Jim Manico <jim.manico at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>>> > we run around with our hands in the air when drama hits Twitter
>>>>>>> more than normal.
>>>>>>>
>>>>>>> I would rephrase that as "some of us who actually give a sh%t go and
>>>>>>> fix the problem as best we can"
>>>>>>>
>>>>>>> - Jim
>>>>>>>
>>>>>>>
>>>>>>> On 2/11/16 9:52 PM, Andrew van der Stock wrote:
>>>>>>>
>>>>>>> I think this also comes down to the infrastructure transformation
>>>>>>> that I've asked Matt T to get ready for us since our last F2F at AppSec
>>>>>>> USA. We need to simplify our IT fleet, and really get it behind a proper
>>>>>>> enterprise architecture, rather than a rag tag collection of out of date
>>>>>>> stuff that we inherit. We only have so much Matt T time to maintain this
>>>>>>> stuff, and so pen testing it without also addressing the root cause: we
>>>>>>> have no idea where all our stuff is, who has admin, how it authenticates,
>>>>>>> we don't monitor it for attacks, and we don't have an IR plan and we run
>>>>>>> around with our hands in the air when drama hits Twitter more than
>>>>>>> normal.
>>>>>>>
>>>>>>> I want a transformation plan, where we have only one of everything,
>>>>>>> and all the things we have are well managed and monitored. This will reduce
>>>>>>> our IT costs, and be better aligned with the resources we currently
>>>>>>> allocate to this task.
>>>>>>>
>>>>>>> This is not rocket science.
>>>>>>>
>>>>>>> thanks,
>>>>>>> Andrew
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Feb 12, 2016 at 4:18 PM, Jim Manico <jim.manico at owasp.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> +1 Thank you wall for security researchers who have helped us find
>>>>>>>> bugs!
>>>>>>>>
>>>>>>>> Good stuff Tom, thanks for getting this started. I'm sure Josh will
>>>>>>>> be especially interested in this.
>>>>>>>>
>>>>>>>> Aloha,
>>>>>>>> Jim
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 2/11/16 9:13 AM, Tom Brennan - OWASP wrote:
>>>>>>>>
>>>>>>>> Post mortem of fixes would be nice to have and a wall of thank you
>>>>>>>> should be established yes?
>>>>>>>>
>>>>>>>> *draft*
>>>>>>>> https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
>>>>>>>>
>>>>>>>> Tom Brennan
>>>>>>>> Global Board of Directors
>>>>>>>> (d) 973-506-9304
>>>>>>>>
>>>>>>>> OWASP Foundation | www.owasp.org
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Feb 11, 2016 at 1:48 AM, Jim Manico <jim.manico at owasp.org>
>>>>>>>> wrote:
>>>>>>>> > Right, but two OWASP researchers posted live bugs over Twitter
>>>>>>>> > today. We have to deal with it Kevin. I'd rather we know than not
>>>>>>>> > know, sooner than later. One of the bugs noted I fixed earlier
>>>>>>>> > today.
>>>>>>>> >
>>>>>>>> > Knowing is half the battle.
>>>>>>>> >
>>>>>>>> > Aloha,
>>>>>>>> > Jim
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > On 2/10/16 10:14 PM, Kevin W. Wall wrote:
>>>>>>>> >
>>>>>>>> > And to add to Timo's thoughts...if we have an RFP to redo the
>>>>>>>> > OWASP site, if we do put out a bug bounty, perhaps we should wait
>>>>>>>> > until that effort is finished, otherwise we may end up fixing
>>>>>>>> > things twice.
>>>>>>>> >
>>>>>>>> > -kevin
>>>>>>>> >
>>>>>>>> > On Thu, Feb 11, 2016 at 1:04 AM, Timo Goosen <
>>>>>>>> > timo.goosen at owasp.org> wrote:
>>>>>>>> >>
>>>>>>>> >> "But in the meantime, here are a few resources to report your
>>>>>>>> >> findings to if you run into security issues (and I use "run into"
>>>>>>>> >> with intention because you would never just start actively
>>>>>>>> >> testing a website for security without permission in some way,
>>>>>>>> >> right? Because doing so is a major criminal act in most
>>>>>>>> >> countries, right?)"
>>>>>>>> >> Depends. I've found bugs on sites before, unintentionally just by
>>>>>>>> >> clicking around.
>>>>>>>> >>
>>>>>>>> >> On the idea of a bug bounty project for OWASP. The idea is good,
>>>>>>>> >> but I don't think that OWASP has the resources to deal with a bug
>>>>>>>> >> bounty program and the flood of reports that will be coming in.
>>>>>>>> >> Researchers get very annoyed if you don't respond promptly and
>>>>>>>> >> take them seriously. Just something to consider.
>>>>>>>> >>
>>>>>>>> >> Regards.
>>>>>>>> >> Timo
>>>>>>>> >>
>>>>>>>> >> On Thu, Feb 11, 2016 at 6:15 AM, Jim Manico <
>>>>>>>> >> jim.manico at owasp.org> wrote:
>>>>>>>> >>>
>>>>>>>> >>> Folks,
>>>>>>>> >>>
>>>>>>>> >>> A few OWASP researchers have found bugs on OWASP's wiki and
>>>>>>>> >>> decided to disclose them in public over twitter before reporting
>>>>>>>> >>> to OWASP.
>>>>>>>> >>>
>>>>>>>> >>> Can you please disclose to me or Matt Tesauro or use the contact
>>>>>>>> >>> form or do anything other than disclose in public before
>>>>>>>> >>> discussing this with OWASP IT staff and support?
>>>>>>>> >>>
>>>>>>>> >>> Also, Josh Sokol is in the middle of ramping up a more formal bug
>>>>>>>> >>> bounty program and will provide a more formal method for
>>>>>>>> >>> disclosure in the near future.
>>>>>>>> >>>
>>>>>>>> >>> But in the meantime, here are a few resources to report your
>>>>>>>> >>> findings to if you run into security issues (and I use "run into"
>>>>>>>> >>> with intention because you would never just start actively
>>>>>>>> >>> testing a website for security without permission in some way,
>>>>>>>> >>> right? Because doing so is a major criminal act in most
>>>>>>>> >>> countries, right?)
>>>>>>>> >>>
>>>>>>>> >>> Thanks all.
>>>>>>>> >>>
>>>>>>>> >>> Matt Tesauro: matt.tesauro at owasp.org
>>>>>>>> >>> Jim Manico:  jim at owasp.org
>>>>>>>> >>> Contact Form: https://www.tfaforms.com/308703
>>>>>>>> >>>
>>>>>>>> >>> Aloha,
>>>>>>>> >>> Jim Manico
>>>>>>>> >>> OWASP Global Board Member
>>>>>>>> >>>
>>>>>>>> >>> _______________________________________________
>>>>>>>> >>> OWASP-Leaders mailing list
>>>>>>>> >>> OWASP-Leaders at lists.owasp.org
>>>>>>>> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>> >>>
>>>>>>>> >>
>>>>>>>> >>
>>>>>>>> >> _______________________________________________
>>>>>>>> >> Owasp-community mailing list
>>>>>>>> >> Owasp-community at lists.owasp.org
>>>>>>>> >> https://lists.owasp.org/mailman/listinfo/owasp-community
>>>>>>>> >>
>>>>>>>> >
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > --
>>>>>>>> > Blog: http://off-the-wall-security.blogspot.com/    | Twitter:
>>>>>>>> @KevinWWall
>>>>>>>> > NSA: All your crypto bit are belong to us.
>>>>>>>> >
>>>>>>>> >
>>>>>>>> >
>>>>>>>> >
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> Tom Brennan
>>>>>>>> Global Board of Directors
>>>>>>>> NYC/NJ Metro Chapter Leader
>>>>>>>> (d) 973-506-9304
>>>>>>>>
>>>>>>>> OWASP Foundation | www.owasp.org
>>>>>>>>
>>>>>>>> The information contained in this message and any attachments may
>>>>>>>> be privileged, confidential, proprietary or otherwise protected from
>>>>>>>> disclosure. If you, the reader of this message, are not the intended
>>>>>>>> recipient, you are hereby notified that any dissemination, distribution,
>>>>>>>> copying or use of this message and any attachment is strictly prohibited.
>>>>>>>> If you have received this message in error, please notify the sender
>>>>>>>> immediately by replying to the message, permanently delete it from your
>>>>>>>> computer and destroy any printout.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>