[Owasp-leaders] Hack OWASP.org as a pre/during SummitCompetition
Jim Manico
jim.manico at owasp.org
Thu Jan 27 09:33:58 EST 2011
Now personally, I think this is an excellent idea. :) Dinis?
-Jim Manico
http://manico.net
On Jan 27, 2011, at 12:09 AM, Giorgio Fedon <giorgio.fedon at mindedsecurity.com> wrote:
> Dear list,
>
> What about a "secure code review" competition on the owasp.org code, or just the opensource components?
>
> This would be safer and faster to set up
>
> Sent from iPhone
>
> On 26 Jan 2011, at 18:56, Jim Manico <jim.manico at owasp.org> wrote:
>
>> I agree with Larry and others who have tried to steer us away from an
>> OWASP.org hackathon. Until we have written permission from all of the
>> hosting and ISP providers, we should hold off.
>>
>> However, if you are interested in helping secure OWASP.org's mediawiki,
>> please contact Larry off-list. We are indeed a not-for-profit
>> organization that could use the infrastructure help!
>>
>> Aloha,
>> Jim
>>
>>
>>
>>> Setting up a honeypot of OWASP's site is a real bad idea. As Mark said in a
>>> previous email, this could have potential risks to other areas not part of
>>> the "Contest". I would much rather see people who have experience securing
>>> servers offer assistance in maintaining them. Finding a flaw is the easy
>>> part, helping to mitigate/prevent them would be more important to me.
>>>
>>>
>>>
>>> I've heard the argument that OWASP is free and open and with that we should
>>> fully disclose everything. I don't totally agree with this as this is hosted
>>> at Aspect's facility. On the other hand, the website is Open source, you can
>>> check the wiki for the version number and download it from MediaWiki.
>>>
>>>
>>>
>>> For those interested in hacking, I suggest Webgoat.
>>>
>>>
>>>
>>> --Larry
>>>
>>>
>>>
>>>
>>>
>>> From: owasp-leaders-bounces at lists.owasp.org
>>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Matthew Chalmers
>>> Sent: Wednesday, January 26, 2011 11:08 AM
>>> To: owasp-leaders at lists.owasp.org
>>> Subject: Re: [Owasp-leaders] Hack OWASP.org as a pre/during
>>> SummitCompetition
>>>
>>>
>>>
>>> Playing a bit of a devil's advocate here, how do we have a "secure
>>> owasp.org" competition without allowing people to look for vulnerabilities
>>> to fix?
>>>
>>>
>>>
>>> Also, there are generally/broadly two methods for finding vulnerabilities:
>>> testing and code-review. If OWASP is free and open, should we not publish
>>> all the code for the website?
>>>
>>>
>>>
>>> I don't know the details of how owasp.org is hosted but it would probably be
>>> best to stand up physically identical but separate hardware with a
>>> bit-for-bit mirror image of the site at a given point in time as a 'test
>>> environment' for this and make sure the Foundation has the OK from any third
>>> parties involved with its hosting. Larry or someone intimately familiar with
>>> the site in all respects might have to cut off any interfaces to make sure
>>> no one 'accidentally' modifies another production site/file/system that
>>> trusts the real owasp.org.
>>>
>>>
>>>
>>> And I'm not saying any of the above will be easy, either.
>>>
>>>
>>>
>>> Matt
>>>
>>>
>>>
>>> On Wed, Jan 26, 2011 at 9:46 AM, Colin Watson <colin.watson at owasp.org>
>>> wrote:
>>>
>>> I agree with Mark.
>>>
>>> I think we should have a "secure OWASP.org" competition first.
>>>
>>> Colin
>>>
>>>
>>> On 26 January 2011 15:17, Mark Bristow <mark.bristow at owasp.org> wrote:
>>>> I must have missed this in the flurry of "request for cycles" emails.
>>>>
>>>> I can't disagree with this initiative more.
>>>>
>>>> First off, there are tons of operational and legal challenges to this.
>>>> Those of us who do professional web app pen testing know that you really
>>>> should (and in some countries NEED) clear rules of engagement and hold
>>>> harmless and other agreements in place to provide cover for these types of
>>>> activities. OWASP does not own its entire infrastructure that supports the
>>>> website. Even if OWASP provided carte blanche approval to anyone who wishes
>>>> to hack the OWASP.org website there could be "collateral damage" to
>>>> entities other than OWASP. As I understand it the production wiki server is
>>>> still housed in an Aspect data center, what if someone, as part of the
>>>> challenge, took down ASPECT's common network? What if someone used an
>>>> attack on ASPECT's upstream provider? This type of activity is usually
>>>> explicitly forbidden in ISP TOSes, has anyone confirmed that ASPECT's
>>>> upstream would not (completely legally) pull their network connection for
>>>> allowing hacking activities?
>>>>
>>>> That doesn't even get into the operational aspects. So we are inviting
>>>> people to potentially take down, compromise and/or deface the OWASP wiki?
>>>> Especially during a time while we are trying to promote the Summit? What
>>>> happens when they are successful and we can't get the site back for hours, or
>>>> even days? What if the entire username/password database is compromised?
>>>> Inviting this behavior against a production system, with "real" data in it
>>>> is just crazy.
>>>>
>>>> Then I have a fundamental objection. OWASP is about fixing application
>>>> security issues through tools and education. This is solely a "hey, look
>>>> what I can hack" exercise which IMO does not line up with OWASP core
>>>> values. We need to promote more FIX and less HAX.
>>>> </soapbox>
>>>>
>>>> -Mark
>>>>
>>>> On Wed, Jan 26, 2011 at 10:03 AM, James McGovern <JMcGovern at virtusa.com>
>>>> wrote:
>>>>>
>>>>> The biggest challenge is that finding solutions to breaking tends to
>>>>> take a lot longer than the actual breaking itself...
>>>>>
>>>>> -----Original Message-----
>>>>> From: owasp-leaders-bounces at lists.owasp.org
>>>>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of
>>>>> Harisfazillah Jamel
>>>>> Sent: Wednesday, January 26, 2011 8:13 AM
>>>>> To: owasp-leaders at lists.owasp.org
>>>>> Cc: Mancini Lucilla; owasp-leaders-bounces at lists.owasp.org; Ralph
>>>>> Durkee; Loredana Mancini
>>>>> Subject: Re: [Owasp-leaders] Hack OWASP.org as a pre/during
>>>>> SummitCompetition
>>>>>
>>>>> Hi,
>>>>>
>>>>> I disagree with using hacking to find vulnerabilities as a way of promoting.
>>>>>
>>>>> It's hard to find a contest that relates to hardening of servers and
>>>>> applications or making code better as part of a contest. We already
>>>>> expose OWASP members to many ways of finding vulnerabilities. Let's
>>>>> balance that with how to defend ourselves from attack.
>>>>>
>>>>> For example, we ask the contestants to fix the problems with all the
>>>>> vulnerabilities listed and make a report on the effort.
>>>>>
>>>>> Or we can balance both. They find the vulnerabilities and do the
>>>>> reports on how to fix them.
>>>>>
>>>>> Haris ....
>>>>>
>>>>> On Wed, Jan 26, 2011 at 6:18 PM, dinis cruz <dinis.cruz at owasp.org>
>>>>> wrote:
>>>>>> This practice is starting to be quite common these days. Google, Microsoft,
>>>>>> Mozilla (and others) have similar arrangements.
>>>>>>
>>>>>> But you raise good questions, and we should have answers for it on an FAQ
>>>>>> (Loredana can you add an FAQ to that page (here is a good template
>>>>>> http://www.owasp.org/index.php/Summit_2011_FAQ))
>>>>>>
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Mark Bristow
>>>> (703) 596-5175 <tel:+17035965175>
>>>> mark.bristow at owasp.org
>>>>
>>>> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
>>>> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
>>>> AppSec DC Organizer - https://www.appsecdc.org
>>>>
>>>>
>>>>
>>>>
>>