[Owasp-leaders] Hack OWASP.org as a pre/during Summit Competition

Colin Watson colin.watson at owasp.org
Wed Jan 26 10:46:07 EST 2011


I agree with Mark.

I think we should have a "secure OWASP.org" competition first.

Colin

On 26 January 2011 15:17, Mark Bristow <mark.bristow at owasp.org> wrote:
> I must have missed this in the flurry of "request for cycles" emails.
>
> I can't disagree with this initiative more.
>
> First off, there are tons of operational and legal challenges to this.
> Those of us who do professional web app pen testing know that you really
> should (and in some countries NEED) clear rules of engagement and hold
> harmless and other agreements in place to provide cover for these types of
> activities.  OWASP does not own its entire infrastructure that supports the
> website.  Even if OWASP provided carte-blanche approval to anyone who wishes
> to hack the OWASP.org website there could be "collateral damage" to
> entities other than OWASP.  As I understand it the production wiki server is
> still housed in an Aspect data center, what if someone, as part of the
> challenge, took down ASPECT's common network?  What if someone used an
> attack on ASPECT's upstream provider?  This type of activity is usually
> explicitly forbidden in ISP TOSes, has anyone confirmed that ASPECT's
> upstream would not (completely legally) pull their network connection for
> allowing hacking activities?
>
> That doesn't even get into the operational aspects.  So we are inviting
> people to potentially take down, compromise and/or deface the OWASP wiki?
> Especially during a time while we are trying to promote the Summit?  What
> happens when they are successful and we can't get the site back for hours, or
> even days?  What if the entire username/password database is compromised?
> Inviting this behavior against a production system, with "real" data in it
> is just crazy.
>
> Then I have a fundamental objection.  OWASP is about fixing application
> security issues through tools and education.  This is solely a "hey, look
> what I can hack" exercise which IMO does not line up with OWASP core
> values.  We need to promote more FIX and less HAX.
> </soapbox>
>
> -Mark
>
> On Wed, Jan 26, 2011 at 10:03 AM, James McGovern <JMcGovern at virtusa.com>
> wrote:
>>
>> The biggest challenge is that finding solutions to breaking tends to
>> take a lot longer than the actual breaking itself...
>>
>> -----Original Message-----
>> From: owasp-leaders-bounces at lists.owasp.org
>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of
>> Harisfazillah Jamel
>> Sent: Wednesday, January 26, 2011 8:13 AM
>> To: owasp-leaders at lists.owasp.org
>> Cc: Mancini Lucilla; owasp-leaders-bounces at lists.owasp.org; Ralph
>> Durkee; Loredana Mancini
>> Subject: Re: [Owasp-leaders] Hack OWASP.org as a pre/during Summit Competition
>>
>> Hi,
>>
>> I disagree with using hacking to find vulnerabilities as a way of promoting.
>>
>> It's hard to find a contest that relates to hardening of servers and
>> applications or making code better as part of a contest. We already
>> expose OWASP members to many ways of finding vulnerabilities. Let us
>> balance that with how to defend ourselves from attack.
>>
>> For example, we ask the contestants to fix the problems with all the
>> vulnerabilities listed and make a report on the effort.
>>
>> Or we can balance both. They find the vulnerabilities and do the
>> reports on how to fix them.
>>
>> Haris ....
>>
>> On Wed, Jan 26, 2011 at 6:18 PM, dinis cruz <dinis.cruz at owasp.org>
>> wrote:
>> > This practice is starting to be quite common these days. Google,
>> > Microsoft, Mozilla (and others) have similar arrangements.
>> >
>> > But you raise good questions, and we should have answers for it on an
>> > FAQ (Loredana can you add an FAQ to that page (here is a good template
>> > http://www.owasp.org/index.php/Summit_2011_FAQ))
>> >
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>
>
>
> --
> Mark Bristow
> (703) 596-5175
> mark.bristow at owasp.org
>
> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
> AppSec DC Organizer - https://www.appsecdc.org
>
>