[Owasp-leaders] New OWASP project

Azzeddine Ramrami azzeddine.ramrami at owasp.org
Tue Nov 1 08:16:51 EDT 2011


Hi,
I find this project and idea very interesting. This project is not like
Tripwire because it is not an HIDS.
Why MD5? This hash function is no longer secure.
Questions:
- how can this project ensure the integrity of the hash itself?
- how can this project ensure the integrity of the stored files, if that is
the case?
Regards,
Azzeddine


On Tue, Nov 1, 2011 at 12:58 PM, Lucas Ferreira <lucas.ferreira at owasp.org> wrote:

> Sorry to come back again, but I have to correct that Google safe
> browsing database IS available for download. Kudos to them.
>
> Regards,
>
> Lucas
>
> On Tue, Nov 1, 2011 at 09:37, Lucas Ferreira <lucas.ferreira at owasp.org>
> wrote:
> > Hello all,
> >
> > I'll hijack Michael's email to answer all previous emails in this
> > thread. If I left anything out, please remind me and I'll do my best
> > to provide a suitable answer.
> >
> > First, I also had doubts if this project would fit in OWASP. I then
> > talked to some OWASPers and the conclusion was that it should be given
> > a try. I then submitted the project proposal to the Global Projects
> > Committee and it was approved.
> >
> > Second, I understand that this project is not directly linked to web
> > or application security, but I think it could be used in web or
> > application security tasks. As Dinis pointed out, there is the
> > possibility of using the database to validate scripts or libraries in
> > a convergence-inspired way. A web crawler could be used to check web
> > pages and downloads, as pointed by Christian.
> >
> > In any case, if the OWASP community thinks this project does not
> > belong here, I can withdraw it. No problems with that at all. So far,
> > opinions are divided, so I'd ask the Projects Committee to take care
> > of this and warn me if the project needs to be taken off OWASP.
> >
> > Answering more specific concerns:
> >
> > Christian, the list of data sources for the projects database is not
> > closed. If you know a good source of hash data of web-related files,
> > please let me know and I'll manage to include them. Regarding
> > including tripwire-like functionality, it can be done. We need to
> > finish writing some code to allow users to upload data to the database
> > and also  a web crawler. I will post a roadmap soon. Regarding Google
> > safe browsing, their approach is to work with URLs. We work with file
> > contents. I think the approaches are complementary. The problem I see
> > with Google is that their database is not open, as far as I know. Our
> > database should be available to anyone to copy or query.
> >
> > Mark, I am aware of the MD5 collision attacks. That's why the project
> > includes SHA-1 hashes too. Also, the use of both hashes combined seems
> > beyond current attacks. Please note that the hashes are not stored
> > with the files. Our database only includes the hashes. The process
> > would be for someone to get the file, calculate the hashes and then
> > check the hashes against the database.
> >
> > Well, thanks everyone for the attention and please excuse me if I
> > caused any trouble.
> >
> > Regards,
> >
> > Lucas
> >
> > On Tue, Nov 1, 2011 at 02:48, Michael Coates <michael.coates at owasp.org>
> wrote:
> >> This has been an interesting discussion and it's a good sign that the
> >> community is weighing in with various view points.
> >>
> >> I'd like to present a few thoughts for people to consider.
> >> OWASP is built on top of a community of volunteers that are experts in their
> >> respective fields. Our guides, tools, resources, outreach, conferences (and
> >> more) are excellent because talented people have dedicated their time and
> >> skills.
> >> One of the great things that OWASP works towards is making OWASP a platform
> >> that is easy for anyone to contribute their time and effort.  A model that
> >> requires approval from a centralized body before a project could be started
> >> would be a very different model than what we have now and one that I think
> >> would diminish the successes of our community.
> >> In the end, good ideas will flourish and attract more participation and also
> >> more support from OWASP overall.  However, it's very hard to know what the
> >> next great idea is unless we experiment with bright minds in a variety of
> >> areas.
> >> With that, I say best of luck to this new project and any others that are
> >> in line with the principles of OWASP.
> >>
> >>
> >>
> >> --
> >> Michael Coates
> >> OWASP
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> OWASP-Leaders mailing list
> >> OWASP-Leaders at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>
> >>
> >
> >
> >
> > --
> > Homo sapiens non urinat in ventum.
> >
>
>
>
> --
> Homo sapiens non urinat in ventum.
>
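The lookup process Lucas describes (fetch the file, compute MD5 and SHA-1, check both against a database that stores only hashes) as an added example that is not part of this thread or the project's own code. The database contents, schema and verdict names are assumptions; the point shown is that an entry is trusted only when both digests match, so an MD5-only match is flagged rather than accepted. It does not address Azzeddine's question about protecting the database itself.

```python
"""Added example: two-hash lookup against a constructed known-good database."""
import hashlib
from typing import Dict, Optional, Tuple

# Constructed stand-ins for web-related files; not real library contents.
KNOWN_GOOD_FILES: Dict[str, bytes] = {
    "jquery-1.7.js": b"/* constructed stand-in for a library file */ var jQuery = {};",
    "index.html": b"<html><body>constructed sample page</body></html>",
}


def digests(data: bytes) -> Tuple[str, str]:
    """Return (md5_hex, sha1_hex) of the file contents, as the thread describes."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


# Assumed schema: MD5 -> (SHA-1, file name). Only hashes are stored, not files.
DATABASE: Dict[str, Tuple[str, str]] = {
    md5: (sha1, name)
    for name, data in KNOWN_GOOD_FILES.items()
    for md5, sha1 in [digests(data)]
}


def lookup(data: bytes, db: Dict[str, Tuple[str, str]] = DATABASE) -> Tuple[str, Optional[str]]:
    """Classify file contents against the hash database.

    Verdicts (assumed names):
      'known-good'  both MD5 and SHA-1 match a stored entry
      'md5-only'    MD5 matches but SHA-1 does not; untrusted, since this is
                    what an MD5 collision or a corrupted database row looks like
      'unknown'     no entry for this content
    """
    md5, sha1 = digests(data)
    entry = db.get(md5)
    if entry is None:
        return "unknown", None
    expected_sha1, name = entry
    if expected_sha1 != sha1:
        return "md5-only", name
    return "known-good", name


if __name__ == "__main__":
    for name, data in KNOWN_GOOD_FILES.items():
        print(name, lookup(data))
    print("modified", lookup(KNOWN_GOOD_FILES["index.html"] + b"<!-- changed -->"))
```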