[Owasp-leaders] Hack OWASP.org as a pre/during Summit Competition

Mark Bristow mark.bristow at owasp.org
Wed Jan 26 10:17:18 EST 2011


I must have missed this in the flurry of "request for cycles" emails.

I can't disagree with this initiative more.

First off, there are tons of operational and legal challenges to this.
Those of us who do professional web app pen testing know that you really
should (and in some countries NEED) clear rules of engagement and hold
harmless and other agreements in place to provide cover for these types of
activities.  OWASP does not own its entire infrastructure that supports the
website.  Even if OWASP provided carte blanche approval to anyone who wishes
to hack the OWASP.org website there could be "collateral damage" to
entities other than OWASP.  As I understand it the production wiki server is
still housed in an Aspect data center, what if someone, as part of the
challenge, took down ASPECT's common network?  What if someone used an
attack on ASPECT's upstream provider?  This type of activity is usually
explicitly forbidden in ISP TOSes, has anyone confirmed that ASPECT's
upstream would not (completely legally) pull their network connection for
allowing hacking activities?

That doesn't even get into the operational aspects.  So we are inviting
people to potentially take down, compromise and/or deface the OWASP wiki?
Especially during a time while we are trying to promote the Summit?  What
happens when they are successful and we can't get the site back for hours, or
even days?  What if the entire username/password database is compromised?
Inviting this behavior against a production system, with "real" data in it
is just crazy.

Then I have a fundamental objection.  OWASP is about fixing application
security issues through tools and education.  This is solely a "hey, look
what I can hack" exercise which IMO does not line up with OWASP core
values.  We need to promote more FIX and less HAX.
</soapbox>

-Mark

On Wed, Jan 26, 2011 at 10:03 AM, James McGovern <JMcGovern at virtusa.com>wrote:

> The biggest challenge is that finding solutions to breaking tends to
> take a lot longer than the actual breaking itself...
>
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of
> Harisfazillah Jamel
> Sent: Wednesday, January 26, 2011 8:13 AM
> To: owasp-leaders at lists.owasp.org
> Cc: Mancini Lucilla; owasp-leaders-bounces at lists.owasp.org; Ralph
> Durkee; Loredana Mancini
> Subject: Re: [Owasp-leaders] Hack OWASP.org as a pre/during
> Summit Competition
>
> Hi,
>
> I disagree with using hacking to find vulnerabilities as a way of promoting.
>
> It's hard to find a contest that relates to hardening of servers and
> applications or making code better as part of a contest. We already
> expose OWASP members to many ways of finding vulnerabilities. Let us
> balance that with how to defend ourselves from attack.
>
> For example: we ask the contestants to fix the problems with all the
> vulnerabilities listed and make a report on the effort.
>
> Or we can balance both. They find the vulnerabilities and do the
> reports on how to fix them.
>
> Haris ....
>
> On Wed, Jan 26, 2011 at 6:18 PM, dinis cruz <dinis.cruz at owasp.org>
> wrote:
> > This practice is starting to be quite common these days. Google,
> > Microsoft, Mozilla (and others) have similar arrangements.
> >
> > But you raise good questions, and we should have answers for it on an
> > FAQ (Loredana can you add an FAQ to that page (here is a good template
> > http://www.owasp.org/index.php/Summit_2011_FAQ))
> >
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>



-- 
Mark Bristow
(703) 596-5175
mark.bristow at owasp.org

OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
AppSec DC Organizer - https://www.appsecdc.org