[Owasp-leaders] Hack OWASP.org as a pre/during Summit Competition

Giorgio Fedon giorgio.fedon at mindedsecurity.com
Thu Jan 27 03:09:37 EST 2011


Dear list,

What about a "secure code review" competition on the owasp.org code, or just the opensource components?

This would be safer and faster to set up.

Sent from my iPhone

On 26 Jan 2011, at 18:56, Jim Manico <jim.manico at owasp.org> wrote:

> I agree with Larry and others who have tried to steer us away from a
> OWASP.org hackathon. Until we have written permission from all of the
> hosting and ISP providers, we should hold off.
> 
> However, if you are interested in helping secure OWASP.org's mediawiki,
> please contact Larry off-list. We are indeed a not-for-profit
> organization that could use the infrastructure help!
> 
> Aloha,
> Jim
> 
> 
> 
>> Setting up a honeypot of OWASP's site is a real bad idea. As Mark said in a
>> previous email, this could have potential risks to other areas not part of
>> the "Contest".  I would much rather see people who have experience securing
>> servers offer assistance in maintaining them. Finding a flaw is the easy
>> part, helping to mitigate/prevent them would be more important to me.
>> 
>> I've heard the argument that OWASP is free and open and with that we should
>> fully disclose everything. I don't totally agree with this as this is hosted
>> at Aspect's facility. On the other hand, the website is Open source, you can
>> check the wiki for the version number and download it from MediaWiki. 
>> 
>> For those interested in hacking, I suggest Webgoat.
>> 
>> --Larry
>> 
>> From: owasp-leaders-bounces at lists.owasp.org
>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Matthew Chalmers
>> Sent: Wednesday, January 26, 2011 11:08 AM
>> To: owasp-leaders at lists.owasp.org
>> Subject: Re: [Owasp-leaders] Hack OWASP.org as a pre/during
>> Summit Competition
>> 
>> Playing a bit of a devil's advocate here, how do we have a "secure
>> owasp.org" competition without allowing people to look for vulnerabilities
>> to fix?
>> 
>> Also, there are generally/broadly two methods for finding vulnerabilities:
>> testing and code-review. If OWASP is free and open, should we not publish
>> all the code for the website?
>> 
>> I don't know the details of how owasp.org is hosted but it would probably be
>> best to stand up physically identical but separate hardware with a
>> bit-for-bit mirror image of the site at a given point in time as a 'test
>> environment' for this and make sure the Foundation has the OK from any third
>> parties involved with its hosting. Larry or someone intimately familiar with
>> the site in all respects might have to cut off any interfaces to make sure
>> no one 'accidentally' modifies another production site/file/system that
>> trusts the real owasp.org.
>> 
>> And I'm not saying any of the above will be easy, either.
>> 
>> Matt
>> 
>> On Wed, Jan 26, 2011 at 9:46 AM, Colin Watson <colin.watson at owasp.org>
>> wrote:
>> 
>> I agree with Mark.
>> 
>> I think we should have a "secure OWASP.org" competition first.
>> 
>> Colin
>> 
>> 
>> On 26 January 2011 15:17, Mark Bristow <mark.bristow at owasp.org> wrote:
>>> I must have missed this in the flurry of "request for cycles" emails.
>>> 
>>> I can't disagree with this initiative more.
>>> 
>>> First off, there are tons of operational and legal challenges to this.
>>> Those of us who do professional web app pen testing know that you really
>>> should (and in some countries NEED) clear rules of engagement and hold
>>> harmless and other agreements in place to provide cover for these types of
>>> activities.  OWASP does not own its entire infrastructure that supports
>>> the website.  Even if OWASP provided carte blanche approval to anyone who
>>> wishes to hack the OWASP.org website there could be "collateral damage" to
>>> entities other than OWASP.  As I understand it the production wiki server
>>> is still housed in an Aspect data center, what if someone, as part of the
>>> challenge, took down ASPECT's common network?  What if someone used an
>>> attack on ASPECT's upstream provider?  This type of activity is usually
>>> explicitly forbidden in ISP TOSes, has anyone confirmed that ASPECT's
>>> upstream would not (completely legally) pull their network connection for
>>> allowing hacking activities?
>>> 
>>> That doesn't even get into the operational aspects.  So we are inviting
>>> people to potentially take down, compromise and/or deface the OWASP wiki?
>>> Especially during a time while we are trying to promote the Summit?  What
>>> happens when they are successful and we can't get the site back for hours,
>>> or even days?  What if the entire username/password database is compromised?
>>> Inviting this behavior against a production system, with "real" data in it
>>> is just crazy.
>>> 
>>> Then I have a fundamental objection.  OWASP is about fixing application
>>> security issues through tools and education.  This is solely a "hey, look
>>> what I can hack" exercise which IMO does not line up with OWASP core
>>> values.  We need to promote more FIX and less HAX.
>>> </soapbox>
>>> 
>>> -Mark
>>> 
>>> On Wed, Jan 26, 2011 at 10:03 AM, James McGovern <JMcGovern at virtusa.com>
>>> wrote:
>>>> 
>>>> The biggest challenge is that finding solutions to breaking tends to
>>>> take a lot longer than the actual breaking itself...
>>>> 
>>>> -----Original Message-----
>>>> From: owasp-leaders-bounces at lists.owasp.org
>>>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of
>>>> Harisfazillah Jamel
>>>> Sent: Wednesday, January 26, 2011 8:13 AM
>>>> To: owasp-leaders at lists.owasp.org
>>>> Cc: Mancini Lucilla; owasp-leaders-bounces at lists.owasp.org; Ralph
>>>> Durkee; Loredana Mancini
>>>> Subject: Re: [Owasp-leaders] Hack OWASP.org as a pre/during
>>>> Summit Competition
>>>> 
>>>> Hi,
>>>> 
>>>> I disagree with using hacking to find vulnerabilities as a way of promoting.
>>>> 
>>>> It's hard to find a contest that relates to hardening of servers and
>>>> applications or making code better as part of a contest. We already
>>>> expose OWASP members to many ways of finding vulnerabilities. Let's
>>>> balance that with how to defend ourselves from attack.
>>>> 
>>>> For example, we ask the contestants to fix problems with all the
>>>> vulnerabilities listed and make a report on the effort.
>>>> 
>>>> Or we can balance both. They find the vulnerabilities and do the
>>>> reports on how to fix them.
>>>> 
>>>> Haris ....
>>>> 
>>>> On Wed, Jan 26, 2011 at 6:18 PM, dinis cruz <dinis.cruz at owasp.org>
>>>> wrote:
>>>>> This practice is starting to be quite common these days. Google,
>>>>> Microsoft, Mozilla (and others) have similar arrangements.
>>>>> 
>>>>> But you raise good questions, and we should have answers for them in an
>>>>> FAQ (Loredana can you add an FAQ to that page (here is a good template
>>>>> http://www.owasp.org/index.php/Summit_2011_FAQ))
>>>>> 
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>> 
>>> 
>>> --
>>> Mark Bristow
>>> (703) 596-5175
>>> mark.bristow at owasp.org
>>> 
>>> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
>>> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
>>> AppSec DC Organizer - https://www.appsecdc.org
>>> 
