[Owasp-infrastructure] [Owasp-board] [GPC] OWASP.org SSL/TLS scan

Laurence Casey larry.casey at aspectsecurity.com
Tue May 31 09:50:57 EDT 2011

I don't see any problem with it either.




From: owasp-infrastructure-bounces at lists.owasp.org [mailto:owasp-infrastructure-bounces at lists.owasp.org] On Behalf Of Jason
Sent: Monday, May 30, 2011 3:39 PM
To: Paulo Coimbra; Laurence Casey
Cc: Raul Siles; Dinis Cruz; Kate Hartmann; owasp-infrastructure at lists.owasp.org; owasp-board at lists.owasp.org; GPC
Subject: Re: [Owasp-infrastructure] [Owasp-board] [GPC] OWASP.org




The scan Raul is suggesting sounds non-intrusive, non-destructive, and
non-load bearing. I personally don't see any issues with such a scan and
Matt has already given his assent.


For future reference though, I don't believe the GPC is the appropriate
party to give consent regarding scans against the OWASP website.



On Mon, May 30, 2011 at 3:25 PM, Matt Tesauro <matt.tesauro at owasp.org>

I have no problem with it.

-- Matt Tesauro
OWASP Board Member
OWASP WTE Project Lead
http://AppSecLive.org - Community and Download site

On Mon, May 30, 2011 at 2:19 PM, Paulo Coimbra <pcoimbra at owasp.org>

	Board & GPC, 


	As you can see below, Raul Siles, being carbon copied, is requesting authorization to target our website, run an SSL/TLS scan and publish the results.


	Dinis has already assumed a position of agreement but, since he has forwarded the question to me and Kate, I thought that consulting with you was also appropriate. Can we have your understanding on this matter please?




	- Paulo


	Paulo Coimbra

	OWASP Project Manager


	From: Raul Siles <raul at taddong.com>
	Date: Fri, 27 May 2011 23:30:22 +0200
	To: Dinis Cruz <dinis.cruz at owasp.org>
	Cc: Kate Hartmann <kate.hartmann at owasp.org>, Paulo Coimbra <paulo.coimbra at owasp.org>
	Subject: Re: OWASP.org SSL/TLS scan


	FYI. This was the blog post, tool, and scan I referred to:


	Raul Siles

	Founder & Senior Security Analyst


	raul at taddong.com | +34-639109172 |




	On May 27, 2011, at 4:15 PM, Raul Siles wrote:


		Thanks Dinis!


		Raul Siles

		Founder & Senior Security Analyst


		raul at taddong.com | +34-639109172 | www.taddong.com

		On May 27, 2011, at 11:03 AM, dinis cruz wrote:

			I don't think you need permission, but if you want one, Kate or Paulo (CCed) should be able to give you one

			Dinis Cruz

			On 27 May 2011, at 09:34, Raul Siles <raul at taddong.com> wrote:

				Hi Dinis,

				I hope to find you well... and sure busy

				I plan to publish a blog post with a new tool/script to help people evaluate the security of their SSL/TLS (HTTPS) implementation. I plan to submit it to the OWASP Testing Guide too [0], and I would like to show an example of the script running on a target website, so I thought https://www.owasp.org would be a great target example.

				Who (within OWASP) should I ask for authorization to run the SSL/TLS scan (based on sslscan and openssl; no risk) and publish the results on the blog?



				Raul Siles

				Founder & Senior Security Analyst


				raul at taddong.com | +34-639109172 | www.taddong.com



