[Owasp-leaders] Hack OWASP.org as a pre/during SummitCompetition

Matthew Chalmers matthew.chalmers at owasp.org
Wed Jan 26 11:07:45 EST 2011


Playing a bit of a devil's advocate here, how do we have a "secure owasp.org"
competition without allowing people to look for vulnerabilities to fix?

Also, there are generally/broadly two methods for finding vulnerabilities:
testing and code-review. If OWASP is free and open, should we not publish
all the code for the website?

I don't know the details of how owasp.org is hosted, but it would probably be
best to stand up physically identical but separate hardware with a
bit-for-bit mirror image of the site at a given point in time as a 'test
environment' for this, and make sure the Foundation has the OK from any third
parties involved with its hosting. Larry or someone intimately familiar with
the site in all respects might have to cut off any interfaces to make sure
no one 'accidentally' modifies another production site/file/system that
trusts the real owasp.org.

And I'm not saying any of the above will be easy, either.

Matt


On Wed, Jan 26, 2011 at 9:46 AM, Colin Watson <colin.watson at owasp.org> wrote:

> I agree with Mark.
>
> I think we should have a "secure OWASP.org" competition first.
>
> Colin
>
> On 26 January 2011 15:17, Mark Bristow <mark.bristow at owasp.org> wrote:
> > I must have missed this in the flurry of "request for cycles" emails.
> >
> > I can't disagree with this initiative more.
> >
> > First off, there are tons of operational and legal challenges to this.
> > Those of us who do professional web app pen testing know that you really
> > should (and in some countries NEED) clear rules of engagement and hold
> > harmless and other agreements in place to provide cover for these types of
> > activities.  OWASP does not own its entire infrastructure that supports the
> > website.  Even if OWASP provided carte blanche approval to anyone who wishes
> > to hack the OWASP.org website there could be "collateral damage" to
> > entities other than OWASP.  As I understand it the production wiki server is
> > still housed in an Aspect data center; what if someone, as part of the
> > challenge, took down ASPECT's common network?  What if someone used an
> > attack on ASPECT's upstream provider?  This type of activity is usually
> > explicitly forbidden in ISP TOSes; has anyone confirmed that ASPECT's
> > upstream would not (completely legally) pull their network connection for
> > allowing hacking activities?
> >
> > That doesn't even get into the operational aspects.  So we are inviting
> > people to potentially take down, compromise and/or deface the OWASP wiki?
> > Especially during a time while we are trying to promote the Summit?  What
> > happens when they are successful and we can't get the site back for hours, or
> > even days?  What if the entire username/password database is compromised?
> > Inviting this behavior against a production system, with "real" data in it,
> > is just crazy.
> >
> > Then I have a fundamental objection.  OWASP is about fixing application
> > security issues through tools and education.  This is solely a "hey, look
> > what I can hack" exercise which IMO does not line up with OWASP core
> > values.  We need to promote more FIX and less HAX.
> > </soapbox>
> >
> > -Mark
> >
> > On Wed, Jan 26, 2011 at 10:03 AM, James McGovern <JMcGovern at virtusa.com>
> > wrote:
> >>
> >> The biggest challenge is that finding solutions to breaking tends to
> >> take a lot longer than the actual breaking itself...
> >>
> >> -----Original Message-----
> >> From: owasp-leaders-bounces at lists.owasp.org
> >> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of
> >> Harisfazillah Jamel
> >> Sent: Wednesday, January 26, 2011 8:13 AM
> >> To: owasp-leaders at lists.owasp.org
> >> Cc: Mancini Lucilla; owasp-leaders-bounces at lists.owasp.org; Ralph
> >> Durkee; Loredana Mancini
> >> Subject: Re: [Owasp-leaders] Hack OWASP.org as a pre/during
> >> SummitCompetition
> >>
> >> Hi,
> >>
> >> I disagree with using hacking to find vulnerabilities as a way of promoting.
> >>
> >> It's hard to find a contest that relates to hardening of servers and
> >> applications or making code better as part of a contest. We already
> >> expose OWASP members to many ways of finding vulnerabilities. Let's
> >> balance that with how to defend ourselves from attack.
> >>
> >> For example: we ask the contestants to fix the problems with all the
> >> vulnerabilities listed and make a report on the effort.
> >>
> >> Or we can balance both. They find the vulnerabilities and do the
> >> reports on how to fix them.
> >>
> >> Haris ....
> >>
> >> On Wed, Jan 26, 2011 at 6:18 PM, dinis cruz <dinis.cruz at owasp.org>
> >> wrote:
> >> > This practice is starting to be quite common these days. Google,
> >> > Microsoft, Mozilla (and others) have similar arrangements.
> >> >
> >> > But you raise good questions, and we should have answers for it on an
> >> > FAQ (Loredana can you add an FAQ to that page (here is a good template
> >> > http://www.owasp.org/index.php/Summit_2011_FAQ))
> >> >
> >> _______________________________________________
> >> OWASP-Leaders mailing list
> >> OWASP-Leaders at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>
> >
> >
> >
> > --
> > Mark Bristow
> > (703) 596-5175
> > mark.bristow at owasp.org
> >
> > OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
> > OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
> > AppSec DC Organizer - https://www.appsecdc.org
> >
> >
> >
> >
>