[Owasp-leaders] Introducing FLOSSHack

Dinis Cruz dinis.cruz at owasp.org
Thu Nov 8 15:24:40 UTC 2012


Yap, it's been like that for a while :)

Here is the repository for the XML files:
https://github.com/TeamMentor-OWASP/Library_OWASP (that is a separate
GitHub account so I can give you access to commit if you want)

There are a bunch of (O2 based) tools to consume this content directly, or
alternatively you can use the TeamMentor CoreLib from
NuGet<http://nuget.org/packages/TeamMentor.CoreLib> (which
has all the classes and APIs needed)

Note that you can also link directly to the content (articles, libraries,
folders or views):

   - by title:
   https://owasp.teammentor.net/article/How_to_Protect_From_Injection_Attacks_in_ASP.NET
   - by title:
   https://owasp.teammentor.net/article/How_to_Encrypt_Configuration_Sections_in_ASP.NET_Using_DPAPI
   - by title (on articles with the same title):
      - https://owasp.teammentor.net/article/All_Database_Input_Is_Validated
      (Asp.Net 3.5 version)
      - https://owasp.teammentor.net/article/All_Database_Input_Is_Validated^OWASP^Java
      (Java version)
   - by GUID:
   https://owasp.teammentor.net/article/56b0552d-2ceb-4714-a8f1-20a6a8609874
   - by View or folder: sometimes it is more user friendly to only expose to
   the end user (for example) the articles in the A08: Failure to Restrict
   URL Access<http://owasp.teammentor.net/teamMentor#load:e07b04c5-67f9-49a4-88fe-1b9ee8511da3&showFilters:false&showTree:false&centerGuidanceItems:true>
   view (instead of the whole TM GUI: https://owasp.teammentor.net)

In addition to the 'article' pages (linked above) you can also see/consume
the content using:

   - raw: https://owasp.teammentor.net/raw/All_Database_Input_Is_Validated
   (this is what the xml file stored on disk looks like)
   - html: https://owasp.teammentor.net/html/56b0552d-2ceb-4714-a8f1-20a6a8609874
   (direct html page with no AJAX loading or editing capabilities) - TM
   supports wikitext, xml and xsl content, but I think that all articles in
   this library are HTML based
   - content: https://owasp.teammentor.net/content/56b0552d-2ceb-4714-a8f1-20a6a8609874
   (the article's Html content with no TM Branding)
   - jsonp: https://owasp.teammentor.net/jsonp/56b0552d-2ceb-4714-a8f1-20a6a8609874
   (to allow the easy consumption of TM content without worrying about that
   annoying *same origin policy* security protection :) )
   - wsdl: http://owasp.teammentor.net/aspx_pages/tm_Webservices.asmx -
   note: if you want to fuzz this, I can set up a dedicated cloud version for
   you (on AppHarbor or Azure)

For reference the TM Documentation is at: https://docs.teammentor.net

The page https://docs.teammentor.net/xml/Eval contains 4 videos and a
download link (that points to the GitHub version) which allow you to run TM
locally (btw look at the source code of that page and see some XML+XSL foo
action :) )

Dinis Cruz


On 8 November 2012 14:32, Jerry Hoff <jerry at owasp.org> wrote:

> Is the content in http://owasp.teammentor.net/teamMentor creative
> commons?  Can we use it to freely fill out more of the cheat sheets and use
> in tutorial videos and so forth?
>
> --
> Jerry Hoff
> @jerryhoff
> jerry at owasp.org
>
>
>
> On Nov 8, 2012, at 9:26 AM, Michael Hidalgo <michael.hidalgo at owasp.org>
> wrote:
>
> Good job Tim,
>
> I also agree with Dinis' standpoint about having something similar for
> TeamMentor. I have been following his work really closely and there are a lot
> of opportunities there. Dinis' approach of having TeamMentor in an open way
> is interesting because it allows people to have an idea of what the
> current blocking issues or limitations are (most of the process is being
> documented in their blog).
>
> Since there is a TeamMentor flavor for OWASP (
> http://owasp.teammentor.net/teamMentor) I believe that would be a good
> case study.
>
> On Thu, Nov 8, 2012 at 7:21 AM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>
>> Yes, it's a great idea. FLOSSHack<https://www.owasp.org/index.php/FLOSSHack> is
>> one of those 'magical' spaces where the OWASP's community and its projects
>> can come together and add a lot of value.
>>
>> In fact I remember the idea of doing something like this at the last
>> Summit(s) but we couldn't find a FLOSS or commercial vendor that wanted to
>> 'play the game' :)
>>
>> Btw, I will be happy to help if a chapter wants to do a similar FLOSSHack
>> on TeamMentor <http://owasp.teammentor.net/> (which is the project for which
>> I'm currently the lead developer and architect)
>>
>> Although TeamMentor (TM) is not OpenSource, it is very close, since the source
>> code is available <https://github.com/TeamMentor-OWASP/Master> and SI
>> allowed me to 'open it' as much (if not more) as other OpenSource projects
>> (note that TeamMentor uses O2 Platform FluentSharp APIs<https://nuget.org/packages?q=fluentsharp>,
>> and there have been significant changes/features in the latest version of
>> O2 <http://diniscruz.blogspot.co.uk/p/owasp-o2-platform.html> which are
>> a direct consequence of my TeamMentor development activities (for example
>> the O2 VisualStudio Extension<http://visualstudiogallery.msdn.microsoft.com/295fa0f6-37d1-49a3-b51d-ea4741905dc2> or the Real-Time
>> Vulnerability Feedback in VisualStudio<http://diniscruz.blogspot.co.uk/p/real-time-vulnerability-feedback-in.html>
>> PoC)).
>>
>> I'm quite proud of the level of openness that TM has, and I hope that
>> other commercial tools follow these ideas/activities. Here are a couple
>> blog posts I wrote about TM's Security:
>>
>>    - TeamMentor Vulnerability Disclosures: CSRF, ClickJacking and Get
>>    Password Hash from Browser Memory<http://diniscruz.blogspot.co.uk/2012/10/teammentor-vulnerability-disclosures.html>
>>    - check out the embedded pdfs with details of the vulnerabilities
>>    - Couple XSS issues and XSS-By-Design (in TeamMentor)<http://diniscruz.blogspot.co.uk/2012/10/couple-xss-issues-and-xss-by-design-in.html>
>>    - and why they were not fixed in the current 3.2 release
>>    - 'About' page broken due to ClickJacking protection<http://diniscruz.blogspot.co.uk/2012/10/about-page-broken-due-to-clickjacking.html>
>>    - good example of the Security TAX that we (developers) have to pay due to
>>    security fixes
>>    - Creating a TeamMentor Security Bounty Program<http://diniscruz.blogspot.co.uk/2012/10/creating-teammentor-security-bounty.html> -
>>    still need to publicly launch this, but for all practical purposes it is
>>    active
>>    - Test and Hack TeamMentor server with 3.2 RC5 code and SI library<http://diniscruz.blogspot.co.uk/2012/09/test-and-hack-teammentor-server-with-32.html> -
>>    latest 'please hack TM' invite
>>    - "...O2 in Seattle..." and "...Please Hack TeamMentor (beta)..."<http://diniscruz.blogspot.co.uk/2011/12/o2-in-seattle-and-please-hack.html>
>>    - first 'please hack TM' invite sent last year
>>    - On Testing TM WebServices
>>       - Documenting how to test WebServices using scripts - the story so
>>       far<http://diniscruz.blogspot.co.uk/2012/05/documenting-how-to-test-webservices.html>
>>       - see how hard it is to test WebServices in a real-world app
>>       - Creating a spreadsheet with WebService's Authorization Mappings<http://diniscruz.blogspot.co.uk/2012/05/creating-spreadsheet-with-webservices.html>
>>       - Roadmap for Testing a WebService's Authorization Model<http://diniscruz.blogspot.co.uk/2012/05/roadmap-for-testing-webservices.html>
>>       - What is the formula for the WebServices Authentication mappings?<http://diniscruz.blogspot.co.uk/2012/05/what-is-formula-for-webservices.html> -
>>       spreadsheet template with Authorisation mappings
>>       - Testing TeamMentor 2.0 security using O2<http://diniscruz.blogspot.com/2012/04/testing-teammentor-20-security-using-o2.html> -
>>       how I used a mix of Static and Dynamic Analysis to test the security of the
>>       first TM WebService's refactoring
>>    - SecDDev - Security Driven Development<http://diniscruz.blogspot.co.uk/2012/10/secddev-security-driven-development.html> -
>>    an interesting idea :)
>>
>> Note that we really embraced Git and GitHub as part of TeamMentor's
>> development and workflow:
>>
>>    - Pretty cool visualisation of the 'GitHub based' TeamMentor
>>    Development+QA+Release workflow<http://diniscruz.blogspot.co.uk/2012/11/pretty-cool-visualisation-of-github.html>
>>    - Master source code: https://github.com/TeamMentor/master
>>    - Bugs and issues: https://github.com/TeamMentor/master/issues
>>    - Version with OWASP Top 10 Library (
>>    https://github.com/TeamMentor-OWASP/Master) which you can see in
>>    action at http://owasp.teammentor.net (note that this is the full
>>    engine with the OWASP Library content released under a CC License<http://creativecommons.org/licenses/by/3.0/>
>>    )
>>    - Bunch of misc code repositories: https://github.com/TeamMentor
>>
>> My objective is to create a super secure+powerful application, with
>> maximum visibility+openness, while creating documentation on how it
>> happened (which you can see by the current blog posts)
>>
>> I think that TeamMentor is a good case study for the challenges of
>> writing secure code, since it is a real-world app, with real-world
>> complexity, real-world legacy stuff and real-world security compromises.
>> This is a great learning opportunity to *look at the 'sausage making
>> process' that is software/application development* (with a bunch of
>> .Net, Asmx, jQuery, Javascript, and xml files which can be easily
>> deployed to the 'cloud'). We always talk how OWASP needs to engage with
>> developers, work with them, help them to secure the app.... well here is a
>> good opportunity to do just that.
>>
>> *I want/need help in securing TeamMentor, and it's not an easy task :)*
>>
>> One area that I really want to move to next is the implementation of
>> AppSensor-like capabilities so that malicious activities can be detected
>> and mitigated
>>
>> Oh, and I could really do with a good layer of .NET ESAPI
>> controls/capabilities :)
>>
>> Dinis Cruz
>> A Developer
>>
>> On 7 November 2012 23:05, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> I see this as a service that completely serves the mission of OWASP.
>>> You should be proud of yourself for doing this. Bravo!
>>>
>>> --
>>> Jim Manico
>>> @Manicode
>>> (808) 652-3805
>>>
>>> On Nov 7, 2012, at 11:41 PM, Tim Morgan <tim.morgan at owasp.org> wrote:
>>>
>>> >
>>> > Greetings OWASP Leaders,
>>> >
>>> > I want to bring to your attention an experimental project that the
>>> > Portland, Oregon OWASP chapter has been working on this year.  The
>>> > project is structured as a hacking competition and workshop and is
>>> > motivated by two observations I've made over the years:
>>> >
>>> > * It's hard to find good pentesters
>>> >
>>> > * Lots of organizations need application security testing, but simply
>>> >  can't afford it
>>> >
>>> >
>>> > Free/Libre Open Source Software Hacking (FLOSSHack) events are
>>> > designed to bring together individuals interested in learning more
>>> > about application security with open source projects and organizations
>>> > in need of low cost or pro bono security auditing.  FLOSSHack provides
>>> > a friendly, but mildly competitive, workshop environment in which
>>> > participants learn about and search for vulnerabilities in selected
>>> > software. In turn, selected open source projects and qualified
>>> > non-profit organizations benefit from additional quality assurance and
>>> > security guidance.
>>> >
>>> > You can learn more about my thoughts on how best to organize FLOSSHack
>>> > events here:
>>> >  https://www.owasp.org/index.php/FLOSSHack
>>> >
>>> > We held our first FLOSSHack event in July and I think it was quite
>>> > successful (*):
>>> >  https://www.owasp.org/index.php/FLOSSHack_One
>>> >
>>> > We learned a lot about what works and what doesn't, so I hope to make
>>> > our next FLOSSHack even more effective.  My ultimate goal is that
>>> > these events become more streamlined and organized to where other
>>> > OWASP chapters can easily throw their own FLOSSHack events.  If any of
>>> > you are interested in holding a similar event or would like to help in
>>> > other ways, please let me know.
>>> >
>>> > Thanks!
>>> > tim
>>> >
>>> >
>>> > * Thanks much to Wil Clouser, Michael Coates, Ushahidi, and all of the
>>> >  participants who made this possible
>>> > _______________________________________________
>>> > OWASP-Leaders mailing list
>>> > OWASP-Leaders at lists.owasp.org
>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>
>>
>>
>>
>
>
> --
>
> Michael Hidalgo.
> OWASP Chapter Leader,Costa Rica.
>
> *“If you believe in yourself and have dedication and pride - and never
> quit, you'll be a winner. The price of victory is high but so are the
> rewards.” Paul Bryant*
>
>
>
>
>