[Owasp-leaders] Hack OWASP.org as a pre/during SummitCompetition

Jim Manico jim.manico at owasp.org
Thu Jan 27 09:33:58 EST 2011


Now personally, I think this is an excellent idea. :) Dinis?

-Jim Manico
http://manico.net

On Jan 27, 2011, at 12:09 AM, Giorgio Fedon <giorgio.fedon at mindedsecurity.com> wrote:

> Dear list,
> 
> What about a "secure code review" competition on the owasp.org code, or just the opensource components?
> 
> This would be safer and faster to setup
> 
> Sent from iPhone
> 
> On 26 Jan 2011, at 18:56, Jim Manico <jim.manico at owasp.org> wrote:
> 
>> I agree with Larry and others who have tried to steer us away from an
>> OWASP.org hackathon. Until we have written permission from all of the
>> hosting and ISP providers, we should hold off.
>> 
>> However, if you are interested in helping secure OWASP.org's mediawiki,
>> please contact Larry off-list. We are indeed a not-for-profit
>> organization that could use the infrastructure help!
>> 
>> Aloha,
>> Jim
>> 
>> 
>> 
>>> Setting up a honeypot of OWASP's site is a real bad idea. As Mark said in a
>>> previous email, this could have potential risks to other areas not part of
>>> the "Contest".  I would much rather see people who have experience securing
>>> servers offer assistance in maintaining them. Finding a flaw is the easy
>>> part, helping to mitigate/prevent them would be more important to me.
>>> 
>>> 
>>> 
>>> I've heard the argument that OWASP is free and open and with that we should
>>> fully disclose everything. I don't totally agree with this as this is hosted
>>> at Aspect's facility. On the other hand, the website is Open source, you can
>>> check the wiki for the version number and download it from MediaWiki.
>>> 
>>> 
>>> 
>>> For those interested in hacking, I suggest Webgoat.
>>> 
>>> 
>>> 
>>> --Larry
>>> 
>>> 
>>> 
>>> 
>>> 
>>> From: owasp-leaders-bounces at lists.owasp.org
>>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Matthew Chalmers
>>> Sent: Wednesday, January 26, 2011 11:08 AM
>>> To: owasp-leaders at lists.owasp.org
>>> Subject: Re: [Owasp-leaders] Hack OWASP.org as a pre/during
>>> SummitCompetition
>>> 
>>> 
>>> 
>>> Playing a bit of a devil's advocate here, how do we have a "secure
>>> owasp.org" competition without allowing people to look for vulnerabilities
>>> to fix?
>>> 
>>> 
>>> 
>>> Also, there are generally/broadly two methods for finding vulnerabilities:
>>> testing and code-review. If OWASP is free and open, should we not publish
>>> all the code for the website?
>>> 
>>> 
>>> 
>>> I don't know the details of how owasp.org is hosted but it would probably be
>>> best to stand up physically identical but separate hardware with a
>>> bit-for-bit mirror image of the site at a given point in time as a 'test
>>> environment' for this and make sure the Foundation has the OK from any third
>>> parties involved with its hosting. Larry or someone intimately familiar with
>>> the site in all respects might have to cut off any interfaces to make sure
>>> no one 'accidentally' modifies another production site/file/system that
>>> trusts the real owasp.org.
>>> 
>>> 
>>> 
>>> And I'm not saying any of the above will be easy, either.
>>> 
>>> 
>>> 
>>> Matt
>>> 
>>> 
>>> 
>>> On Wed, Jan 26, 2011 at 9:46 AM, Colin Watson <colin.watson at owasp.org>
>>> wrote:
>>> 
>>> I agree with Mark.
>>> 
>>> I think we should have a "secure OWASP.org" competition first.
>>> 
>>> Colin
>>> 
>>> 
>>> On 26 January 2011 15:17, Mark Bristow <mark.bristow at owasp.org> wrote:
>>>> I must have missed this in the flurry of "request for cycles" emails.
>>>> 
>>>> I can't disagree with this initiative more.
>>>> 
>>>> First off, there are tons of operational and legal challenges to this.
>>>> Those of us who do professional web app pen testing know that you really
>>>> should (and in some countries NEED) clear rules of engagement and hold
>>>> harmless and other agreements in place to provide cover for these types of
>>>> activities.  OWASP does not own its entire infrastructure that supports the
>>>> website.  Even if OWASP provided carte blanche approval to anyone who wishes
>>>> to hack the OWASP.org website there could be "collateral damage" to
>>>> entities other than OWASP.  As I understand it the production wiki server is
>>>> still housed in an Aspect data center, what if someone, as part of the
>>>> challenge, took down ASPECT's common network?  What if someone used an
>>>> attack on ASPECT's upstream provider?  This type of activity is usually
>>>> explicitly forbidden in ISP TOSes, has anyone confirmed that ASPECT's
>>>> upstream would not (completely legally) pull their network connection for
>>>> allowing hacking activities?
>>>> 
>>>> That doesn't even get into the operational aspects.  So we are inviting
>>>> people to potentially take down, compromise and/or deface the OWASP wiki?
>>>> Especially during a time while we are trying to promote the Summit?  What
>>>> happens when they are successful and we can't get the site back for hours, or
>>>> even days?  What if the entire username/password database is compromised?
>>>> Inviting this behavior against a production system, with "real" data in it
>>>> is just crazy.
>>>> 
>>>> Then I have a fundamental objection.  OWASP is about fixing application
>>>> security issues through tools and education.  This is solely a "hey, look
>>>> what I can hack" exercise which IMO does not line up with OWASP core
>>>> values.  We need to promote more FIX and less HAX.
>>>> </soapbox>
>>>> 
>>>> -Mark
>>>> 
>>>> On Wed, Jan 26, 2011 at 10:03 AM, James McGovern <JMcGovern at virtusa.com>
>>>> wrote:
>>>>> 
>>>>> The biggest challenge is that finding solutions to breaking tends to
>>>>> take a lot longer than the actual breaking itself...
>>>>> 
>>>>> -----Original Message-----
>>>>> From: owasp-leaders-bounces at lists.owasp.org
>>>>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of
>>>>> Harisfazillah Jamel
>>>>> Sent: Wednesday, January 26, 2011 8:13 AM
>>>>> To: owasp-leaders at lists.owasp.org
>>>>> Cc: Mancini Lucilla; owasp-leaders-bounces at lists.owasp.org; Ralph
>>>>> Durkee; Loredana Mancini
>>>>> Subject: Re: [Owasp-leaders] Hack OWASP.org as a pre/during
>>>>> SummitCompetition
>>>>> 
>>>>> Hi,
>>>>> 
>>>>> I disagree with using hacking to find vulnerabilities as a way of promoting.
>>>>> 
>>>>> It's hard to find a contest that relates to hardening of servers and
>>>>> applications or making code better. We already expose OWASP members to
>>>>> many ways of finding vulnerabilities. Let's balance that with how to
>>>>> defend ourselves from attack.
>>>>> 
>>>>> For example, we ask the contestants to fix the problems with all the
>>>>> vulnerabilities listed and make a report on the effort.
>>>>> 
>>>>> Or we can balance both. They find the vulnerabilities and write
>>>>> reports on how to fix them.
>>>>> 
>>>>> Haris ....
>>>>> 
>>>>> On Wed, Jan 26, 2011 at 6:18 PM, dinis cruz <dinis.cruz at owasp.org>
>>>>> wrote:
>>>>>> This practice is starting to be quite common these days. Google, Microsoft,
>>>>>> Mozilla (and others) have similar arrangements.
>>>>>> 
>>>>>> But you raise good questions, and we should have answers for it on an FAQ
>>>>>> (Loredana can you add an FAQ to that page (here is a good template
>>>>>> http://www.owasp.org/index.php/Summit_2011_FAQ))
>>>>>> 
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>> 
>>>> 
>>>> 
>>>> 
>>>> --
>>>> Mark Bristow
>>>> (703) 596-5175 <tel:+17035965175> 
>>>> mark.bristow at owasp.org
>>>> 
>>>> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
>>>> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
>>>> AppSec DC Organizer - https://www.appsecdc.org
>>>> 
>>>> 
>>>> 
>>>> 
>> 
