[Owasp-leaders] Hack OWASP.org as a pre/during SummitCompetition

Rex Booth rex.booth at owasp.org
Thu Jan 27 15:58:53 EST 2011


Fantastic idea.

On 1/27/2011 3:09 AM, Giorgio Fedon wrote:
> Dear list,
>
> What about a "secure code review" competition on the owasp.org code, or just the opensource components?
>
> This would be safer and faster to setup
>
> Sent from iPhone
>
> On 26 Jan 2011, at 18:56, Jim Manico<jim.manico at owasp.org>  wrote:
>
>> I agree with Larry and others who have tried to steer us away from a
>> OWASP.org hackathon. Until we have written permission from all of the
>> hosting and ISP providers, we should hold off.
>>
>> However, if you are interested in helping secure OWASP.org's mediawiki,
>> please contact Larry off-list. We are indeed a not-for-profit
>> organization that could use the infrastructure help!
>>
>> Aloha,
>> Jim
>>
>>> Setting up a honeypot of OWASP's site is a real bad idea. As Mark said in a
>>> previous email, this could have potential risks to other areas not part of
>>> the "Contest".  I would much rather see people who have experience securing
>>> servers offer assistance in maintaining them. Finding a flaw is the easy
>>> part, helping to mitigate/prevent them would be more important to me.
>>>
>>> I've heard the argument that OWASP is free and open and with that we should
>>> fully disclose everything. I don't totally agree with this as this is hosted
>>> at Aspect's facility. On the other hand, the website is Open source, you can
>>> check the wiki for the version number and download it from MediaWiki.
>>>
>>> For those interested in hacking, I suggest Webgoat.
>>>
>>> --Larry
>>>
>>> From: owasp-leaders-bounces at lists.owasp.org
>>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Matthew Chalmers
>>> Sent: Wednesday, January 26, 2011 11:08 AM
>>> To: owasp-leaders at lists.owasp.org
>>> Subject: Re: [Owasp-leaders] Hack OWASP.org as a pre/during
>>> SummitCompetition
>>>
>>> Playing a bit of a devil's advocate here, how do we have a "secure
>>> owasp.org" competition without allowing people to look for vulnerabilities
>>> to fix?
>>>
>>> Also, there are generally/broadly two methods for finding vulnerabilities:
>>> testing and code-review. If OWASP is free and open, should we not publish
>>> all the code for the website?
>>>
>>> I don't know the details of how owasp.org is hosted but it would probably be
>>> best to stand up physically identical but separate hardware with a
>>> bit-for-bit mirror image of the site at a given point in time as a 'test
>>> environment' for this and make sure the Foundation has the OK from any third
>>> parties involved with its hosting. Larry or someone intimately familiar with
>>> the site in all respects might have to cut off any interfaces to make sure
>>> no one 'accidentally' modifies another production site/file/system that
>>> trusts the real owasp.org.
>>>
>>> And I'm not saying any of the above will be easy, either.
>>>
>>> Matt
>>>
>>> On Wed, Jan 26, 2011 at 9:46 AM, Colin Watson<colin.watson at owasp.org>
>>> wrote:
>>>
>>> I agree with Mark.
>>>
>>> I think we should have a "secure OWASP.org" competition first.
>>>
>>> Colin
>>>
>>>
>>> On 26 January 2011 15:17, Mark Bristow<mark.bristow at owasp.org>  wrote:
>>>> I must have missed this in the flurry of "request for cycles" emails.
>>>>
>>>> I can't disagree with this initiative more.
>>>>
>>>> First off, there are tons of operational and legal challenges to this.
>>>> Those of us who do professional web app pen testing know that you really
>>>> should (and in some countries NEED) clear rules of engagement and hold
>>>> harmless and other agreements in place to provide cover for these types of
>>>> activities.  OWASP does not own its entire infrastructure that supports
>>>> the website.  Even if OWASP provided carte blanche approval to anyone who
>>>> wishes to hack the OWASP.org website there could be "collateral damage" to
>>>> entities other than OWASP.  As I understand it the production wiki server
>>>> is still housed in an Aspect data center, what if someone, as part of the
>>>> challenge, took down ASPECT's common network?  What if someone used an
>>>> attack on ASPECT's upstream provider?  This type of activity is usually
>>>> explicitly forbidden in ISP TOSes, has anyone confirmed that ASPECT's
>>>> upstream would not (completely legally) pull their network connection for
>>>> allowing hacking activities?
>>>>
>>>> That doesn't even get into the operational aspects.  So we are inviting
>>>> people to potentially take down, compromise and/or deface the OWASP wiki?
>>>> Especially during a time while we are trying to promote the Summit?  What
>>>> happens when they are successful and we can't get the site back for hours,
>>>> or even days?  What if the entire username/password database is compromised?
>>>> Inviting this behavior against a production system, with "real" data in it
>>>> is just crazy.
>>>>
>>>> Then I have a fundamental objection.  OWASP is about fixing application
>>>> security issues through tools and education.  This is solely a "hey, look
>>>> what I can hack" exercise which IMO does not line up with OWASP core
>>>> values.  We need to promote more FIX and less HAX.
>>>> </soapbox>
>>>>
>>>> -Mark
>>>>
>>>> On Wed, Jan 26, 2011 at 10:03 AM, James McGovern<JMcGovern at virtusa.com>
>>>> wrote:
>>>>> The biggest challenge is that finding solutions to breaking tends to
>>>>> take a lot longer than the actual breaking itself...
>>>>>
>>>>> -----Original Message-----
>>>>> From: owasp-leaders-bounces at lists.owasp.org
>>>>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of
>>>>> Harisfazillah Jamel
>>>>> Sent: Wednesday, January 26, 2011 8:13 AM
>>>>> To: owasp-leaders at lists.owasp.org
>>>>> Cc: Mancini Lucilla; owasp-leaders-bounces at lists.owasp.org; Ralph
>>>>> Durkee; Loredana Mancini
>>>>> Subject: Re: [Owasp-leaders] Hack OWASP.org as a pre/during
>>>>> SummitCompetition
>>>>>
>>>>> Hi,
>>>>>
>>>>> I disagree with using hacking to find vulnerabilities as a way of promoting.
>>>>>
>>>>> It's hard to find a contest that relates to hardening of servers and
>>>>> applications or making code better as part of a contest. We already
>>>>> expose OWASP members to many ways of finding vulnerabilities. Let's
>>>>> balance it with how to defend ourselves from attack.
>>>>>
>>>>> For example: we ask the contestants to fix the problems with all the
>>>>> vulnerabilities listed and make a report on the effort.
>>>>>
>>>>> Or we can balance both. They find the vulnerabilities and do the
>>>>> reports on how to fix them.
>>>>>
>>>>> Haris ....
>>>>>
>>>>> On Wed, Jan 26, 2011 at 6:18 PM, dinis cruz<dinis.cruz at owasp.org>
>>>>> wrote:
>>>>>> This practice is starting to be quite common these days. Google,
>>>>> Microsoft,
>>>>>> Mozilla (and others) have similar arrangements.
>>>>>>
>>>>>> But you raise good questions, and we should have answers for it on an
>>>>> FAQ
>>>>>> (Loredana can you add an FAQ to that page (here is a good template
>>>>>> http://www.owasp.org/index.php/Summit_2011_FAQ))
>>>>>>
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>
>>>>
>>>> --
>>>> Mark Bristow
>>>> (703) 596-5175
>>>> mark.bristow at owasp.org
>>>>
>>>> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
>>>> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
>>>> AppSec DC Organizer - https://www.appsecdc.org
>>>>
