[Owasp-leaders] Introducing FLOSSHack

Martin Knobloch martin.knobloch at owasp.org
Thu Nov 8 14:38:53 UTC 2012


Hi Jerry,

Yes, this is donated to OWASP by SecurityInnovations. See the agreement:
https://www.owasp.org/index.php/File:LOI_SecurityInnovation.pdf

Cheers,
-martin

On Thu, Nov 8, 2012 at 3:32 PM, Jerry Hoff <jerry at owasp.org> wrote:

> Is the content in http://owasp.teammentor.net/teamMentor creative
> commons?  Can we use it to freely fill out more of the cheat sheets and use
> in tutorial videos and so forth?
>
> --
> Jerry Hoff
> @jerryhoff
> jerry at owasp.org
>
>
>
> On Nov 8, 2012, at 9:26 AM, Michael Hidalgo <michael.hidalgo at owasp.org>
> wrote:
>
> Good job Tim,
>
> I also agree with Dinis's standpoint about having something similar for
> TeamMentor. I have been following his work really closely and there are a lot
> of opportunities there. Dinis's approach of having TeamMentor in an open way
> is interesting because it allows people to get an idea of what the
> current blocking issues or limitations are (most of the process is being
> documented in their blog).
>
> Since there is a TeamMentor flavor for OWASP (
> http://owasp.teammentor.net/teamMentor), I believe that would be a good
> case study.
>
> On Thu, Nov 8, 2012 at 7:21 AM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>
>> Yes, it's a great idea. FLOSSHack<https://www.owasp.org/index.php/FLOSSHack> is
>> one of those 'magical' spaces where the OWASP community and its projects
>> can come together and add a lot of value.
>>
>> In fact I remember the idea of doing something like this at the last
>> Summit(s) but we couldn't find a FLOSS or commercial vendor that wanted to
>> 'play the game' :)
>>
>> Btw, I will be happy to help if a chapter wants to do a similar FLOSSHack
>> on TeamMentor <http://owasp.teammentor.net/> (which is the project for which I'm
>> currently the lead developer and architect)
>>
>> Although TeamMentor (TM) is not OpenSource, it is very close, since the source
>> code is available <https://github.com/TeamMentor-OWASP/Master> and SI
>> allowed me to 'open it' as much as (if not more than) other OpenSource projects
>> (note that TeamMentor uses O2 Platform FluentSharp APIs<https://nuget.org/packages?q=fluentsharp>,
>> and there have been significant changes/features in the latest version of
>> O2 <http://diniscruz.blogspot.co.uk/p/owasp-o2-platform.html> which are
>> a direct consequence of my TeamMentor development activities (for example
>> the O2 VisualStudio Extension<http://visualstudiogallery.msdn.microsoft.com/295fa0f6-37d1-49a3-b51d-ea4741905dc2> or the Real-Time
>> Vulnerability Feedback in VisualStudio<http://diniscruz.blogspot.co.uk/p/real-time-vulnerability-feedback-in.html>
>> PoC)).
>>
>> I'm quite proud of the level of openness that TM has, and I hope that
>> other commercial tools follow these ideas/activities. Here are a couple of
>> blog posts I wrote about TM's Security:
>>
>>    - TeamMentor Vulnerability Disclosures: CSRF, ClickJacking and Get
>>    Password Hash from Browser Memory<http://diniscruz.blogspot.co.uk/2012/10/teammentor-vulnerability-disclosures.html> -
>>    check out the embedded PDFs with details of the vulnerabilities
>>    - Couple XSS issues and XSS-By-Design (in TeamMentor)<http://diniscruz.blogspot.co.uk/2012/10/couple-xss-issues-and-xss-by-design-in.html> -
>>    and why they were not fixed in the current 3.2 release
>>    - 'About' page broken due to ClickJacking protection<http://diniscruz.blogspot.co.uk/2012/10/about-page-broken-due-to-clickjacking.html> -
>>    good example of the Security TAX that we (developers) have to pay due to
>>    security fixes
>>    - Creating a TeamMentor Security Bounty Program<http://diniscruz.blogspot.co.uk/2012/10/creating-teammentor-security-bounty.html> -
>>    still need to publicly launch this, but for all practical purposes it is
>>    active
>>    - Test and Hack TeamMentor server with 3.2 RC5 code and SI library<http://diniscruz.blogspot.co.uk/2012/09/test-and-hack-teammentor-server-with-32.html> -
>>    latest 'please hack TM' invite
>>    - "...O2 in Seattle..." and "...Please Hack TeamMentor (beta)..."<http://diniscruz.blogspot.co.uk/2011/12/o2-in-seattle-and-please-hack.html> -
>>    first 'please hack TM' invite sent last year
>>    - On Testing TM WebServices
>>       - Documenting how to test WebServices using scripts - the story so
>>       far<http://diniscruz.blogspot.co.uk/2012/05/documenting-how-to-test-webservices.html> -
>>       see how hard it is to test WebServices in a real-world app
>>       - Creating a spreadsheet with WebService's Authorization Mappings<http://diniscruz.blogspot.co.uk/2012/05/creating-spreadsheet-with-webservices.html>
>>       - Roadmap for Testing a WebService's Authorization Model<http://diniscruz.blogspot.co.uk/2012/05/roadmap-for-testing-webservices.html>
>>       - What is the formula for the WebServices Authentication mappings?<http://diniscruz.blogspot.co.uk/2012/05/what-is-formula-for-webservices.html> -
>>       spreadsheet template with Authorisation mappings
>>       - Testing TeamMentor 2.0 security using O2<http://diniscruz.blogspot.com/2012/04/testing-teammentor-20-security-using-o2.html> -
>>       how I used a mix of Static and Dynamic Analysis to test the security of the
>>       first TM WebService refactoring
>>    - SecDDev - Security Driven Development<http://diniscruz.blogspot.co.uk/2012/10/secddev-security-driven-development.html> -
>>    an interesting idea :)
>>
>> Note that we really embraced Git and GitHub as part of TeamMentor's
>> development and workflow:
>>
>>    - Pretty cool visualisation of the 'GitHub based' TeamMentor
>>    Development+QA+Release workflow<http://diniscruz.blogspot.co.uk/2012/11/pretty-cool-visualisation-of-github.html>
>>    - Master source code: https://github.com/TeamMentor/master
>>    - Bugs and issues: https://github.com/TeamMentor/master/issues
>>    - Version with OWASP Top 10 Library (
>>    https://github.com/TeamMentor-OWASP/Master) which you can see in
>>    action at http://owasp.teammentor.net (note that this is the full
>>    engine with the OWASP Library content released under a CC License<http://creativecommons.org/licenses/by/3.0/>
>>    )
>>    - Bunch of misc code repositories: https://github.com/TeamMentor
>>
>> My objective is to create a super secure+powerful application, with
>> maximum visibility+openness, while creating documentation on how it
>> happened (which you can see by the current blog posts)
>>
>> I think that TeamMentor is a good case study for the challenges of
>> writing secure code, since it is a real-world app, with real-world
>> complexity, real-world legacy stuff and real-world security compromises.
>> This is a great learning opportunity to *look at the 'sausage making
>> process' that is software/application development* (with a bunch of
>> .Net, Asmx, jQuery, Javascript, and xml files which can be easily
>> deployed to the 'cloud'). We always talk about how OWASP needs to engage with
>> developers, work with them, help them to secure the app.... well here is a
>> good opportunity to do just that.
>>
>> *I want/need help in securing TeamMentor, and it's not an easy task :)*
>>
>> One area that I really want to move to next is the implementation of
>> AppSensor-like capabilities so that malicious activities can be detected
>> and mitigated
>>
>> Oh, and I could really do with a good layer of .NET ESAPI
>> controls/capabilities :)
>>
>> Dinis Cruz
>> A Developer
>>
>> On 7 November 2012 23:05, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> I see this as a service that completely serves the mission of OWASP.
>>> You should be proud of yourself for doing this. Bravo!
>>>
>>> --
>>> Jim Manico
>>> @Manicode
>>> (808) 652-3805
>>>
>>> On Nov 7, 2012, at 11:41 PM, Tim Morgan <tim.morgan at owasp.org> wrote:
>>>
>>> >
>>> > Greetings OWASP Leaders,
>>> >
>>> > I want to bring to your attention an experimental project that the
>>> > Portland, Oregon OWASP chapter has been working on this year.  The
>>> > project is structured as a hacking competition and workshop and is
>>> > motivated by two observations I've made over the years:
>>> >
>>> > * It's hard to find good pentesters
>>> >
>>> > * Lots of organizations need application security testing, but simply
>>> >  can't afford it
>>> >
>>> >
>>> > Free/Libre Open Source Software Hacking (FLOSSHack) events are
>>> > designed to bring together individuals interested in learning more
>>> > about application security with open source projects and organizations
>>> > in need of low cost or pro bono security auditing.  FLOSSHack provides
>>> > a friendly, but mildly competitive, workshop environment in which
>>> > participants learn about and search for vulnerabilities in selected
>>> > software. In turn, selected open source projects and qualified
>>> > non-profit organizations benefit from additional quality assurance and
>>> > security guidance.
>>> >
>>> > You can learn more about my thoughts on how best to organize FLOSSHack
>>> > events here:
>>> >  https://www.owasp.org/index.php/FLOSSHack
>>> >
>>> > We held our first FLOSSHack event in July and I think it was quite
>>> > successful(*):
>>> >  https://www.owasp.org/index.php/FLOSSHack_One
>>> >
>>> > We learned a lot about what works and what doesn't, so I hope to make
>>> > our next FLOSSHack even more effective.  My ultimate goal is that
>>> > these events become more streamlined and organized to where other
>>> > OWASP chapters can easily throw their own FLOSSHack events.  If any of
>>> > you are interested in holding a similar event or would like to help in
>>> > other ways, please let me know.
>>> >
>>> > Thanks!
>>> > tim
>>> >
>>> >
>>> > * Thanks much to Wil Clouser, Michael Coates, Ushahidi, and all of the
>>> >  participants who made this possible
>>> > _______________________________________________
>>> > OWASP-Leaders mailing list
>>> > OWASP-Leaders at lists.owasp.org
>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
> --
>
> Michael Hidalgo.
> OWASP Chapter Leader,Costa Rica.
>
> *“If you believe in yourself and have dedication and pride - and never
> quit, you'll be a winner. The price of victory is high but so are the
> rewards.” Paul Bryant*
>
>