[Owasp-leaders] Hack OWASP.org as a pre/during SummitCompetition

Jim Manico jim.manico at owasp.org
Wed Jan 26 12:56:46 EST 2011


I agree with Larry and others who have tried to steer us away from an
OWASP.org hackathon. Until we have written permission from all of the
hosting and ISP providers, we should hold off.

However, if you are interested in helping secure OWASP.org's mediawiki,
please contact Larry off-list. We are indeed a not-for-profit
organization that could use the infrastructure help!

Aloha,
Jim



> Setting up a honeypot of OWASP's site is a really bad idea. As Mark said in a
> previous email, this could have potential risks to other areas not part of
> the "Contest". I would much rather see people who have experience securing
> servers offer assistance in maintaining them. Finding a flaw is the easy
> part; helping to mitigate/prevent them would be more important to me.
> 
> I've heard the argument that OWASP is free and open and with that we should
> fully disclose everything. I don't totally agree with this as this is hosted
> at Aspect's facility. On the other hand, the website is open source; you can
> check the wiki for the version number and download it from MediaWiki.
> 
> For those interested in hacking, I suggest WebGoat.
> 
> --Larry
> 
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Matthew Chalmers
> Sent: Wednesday, January 26, 2011 11:08 AM
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Hack OWASP.org as a pre/during
> SummitCompetition
> 
> Playing a bit of a devil's advocate here, how do we have a "secure
> owasp.org" competition without allowing people to look for vulnerabilities
> to fix?
> 
> Also, there are generally/broadly two methods for finding vulnerabilities:
> testing and code review. If OWASP is free and open, should we not publish
> all the code for the website?
> 
> I don't know the details of how owasp.org is hosted, but it would probably be
> best to stand up physically identical but separate hardware with a
> bit-for-bit mirror image of the site at a given point in time as a 'test
> environment' for this and make sure the Foundation has the OK from any third
> parties involved with its hosting. Larry or someone intimately familiar with
> the site in all respects might have to cut off any interfaces to make sure
> no one 'accidentally' modifies another production site/file/system that
> trusts the real owasp.org.
> 
> And I'm not saying any of the above will be easy, either.
> 
> Matt
> 
> On Wed, Jan 26, 2011 at 9:46 AM, Colin Watson <colin.watson at owasp.org>
> wrote:
> 
> I agree with Mark.
> 
> I think we should have a "secure OWASP.org" competition first.
> 
> Colin
> 
> 
> On 26 January 2011 15:17, Mark Bristow <mark.bristow at owasp.org> wrote:
>> I must have missed this in the flurry of "request for cycles" emails.
>>
>> I can't disagree with this initiative more.
>>
>> First off, there are tons of operational and legal challenges to this.
>> Those of us who do professional web app pen testing know that you really
>> should (and in some countries NEED) clear rules of engagement and hold
>> harmless and other agreements in place to provide cover for these types of
>> activities. OWASP does not own its entire infrastructure that supports the
>> website. Even if OWASP provided carte blanche approval to anyone who wishes
>> to hack the OWASP.org website, there could be "collateral damage" to
>> entities other than OWASP. As I understand it, the production wiki server is
>> still housed in an Aspect data center. What if someone, as part of the
>> challenge, took down ASPECT's common network? What if someone used an
>> attack on ASPECT's upstream provider? This type of activity is usually
>> explicitly forbidden in ISP TOSes. Has anyone confirmed that ASPECT's
>> upstream would not (completely legally) pull their network connection for
>> allowing hacking activities?
>>
>> That doesn't even get into the operational aspects. So we are inviting
>> people to potentially take down, compromise and/or deface the OWASP wiki?
>> Especially during a time while we are trying to promote the Summit? What
>> happens when they are successful and we can't get the site back for hours, or
>> even days? What if the entire username/password database is compromised?
>> Inviting this behavior against a production system, with "real" data in it,
>> is just crazy.
>>
>> Then I have a fundamental objection.  OWASP is about fixing application
>> security issues through tools and education.  This is solely a "hey, look
>> what I can hack" exercise which IMO does not line up with OWASP core
>> values.  We need to promote more FIX and less HAX.
>> </soapbox>
>>
>> -Mark
>>
>> On Wed, Jan 26, 2011 at 10:03 AM, James McGovern <JMcGovern at virtusa.com>
>> wrote:
>>>
>>> The biggest challenge is that finding solutions to breaking tends to
>>> take a lot longer than the actual breaking itself...
>>>
>>> -----Original Message-----
>>> From: owasp-leaders-bounces at lists.owasp.org
>>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of
>>> Harisfazillah Jamel
>>> Sent: Wednesday, January 26, 2011 8:13 AM
>>> To: owasp-leaders at lists.owasp.org
>>> Cc: Mancini Lucilla; owasp-leaders-bounces at lists.owasp.org; Ralph
>>> Durkee; Loredana Mancini
>>> Subject: Re: [Owasp-leaders] Hack OWASP.org as a pre/during
>>> SummitCompetition
>>>
>>> Hi,
>>>
>>> I disagree with using hacking to find vulnerabilities as a way of promoting.
>>>
>>> It's hard to find a contest that relates to hardening of servers and
>>> applications or making code better as part of a contest. We already
>>> expose OWASP members to many ways of finding vulnerabilities. Let's
>>> balance that with how to defend ourselves from attack.
>>>
>>> For example, we ask the contestants to fix problems with all the
>>> vulnerabilities listed and make a report on the effort.
>>>
>>> Or we can balance both. They find the vulnerabilities and do the
>>> reports on how to fix them.
>>>
>>> Haris ....
>>>
>>> On Wed, Jan 26, 2011 at 6:18 PM, dinis cruz <dinis.cruz at owasp.org>
>>> wrote:
>>>> This practice is starting to be quite common these days. Google,
>>>> Microsoft, Mozilla (and others) have similar arrangements.
>>>>
>>>> But you raise good questions, and we should have answers for them in an
>>>> FAQ (Loredana, can you add an FAQ to that page? Here is a good template:
>>>> http://www.owasp.org/index.php/Summit_2011_FAQ)
>>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>
>>
>>
>> --
>> Mark Bristow
>> (703) 596-5175
>> mark.bristow at owasp.org
>>
>> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
>> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
>> AppSec DC Organizer - https://www.appsecdc.org
>>
>>
>>
>>
