[Owasp-leaders] [Owasp-community] Bug Hunting at OWASP.org

Jim Manico jim.manico at owasp.org
Fri Feb 12 05:54:18 UTC 2016


> we run around with our hands in the air when drama hits Twitter more
> than normal.

I would rephrase that as "some of us who actually give a sh%t go and fix 
the problem as best we can"

- Jim

On 2/11/16 9:52 PM, Andrew van der Stock wrote:
> I think this also comes down to the infrastructure transformation that 
> I've asked Matt T to get ready for us since our last F2F at AppSec 
> USA. We need to simplify our IT fleet, and really get it behind a 
> proper enterprise architecture, rather than a rag tag collection of 
> out of date stuff that we inherit. We only have so much Matt T time to 
> maintain this stuff, and so pen testing it without also addressing the 
> root cause: we have no idea where all our stuff is, who has admin, how 
> it authenticates, we don't monitor it for attacks, and we don't have 
> an IR plan and we run around with our hands in the air when drama hits 
> Twitter more than normal.
>
> I want a transformation plan, where we have only one of everything, 
> and all the things we have are well managed and monitored. This will 
> reduce our IT costs, and be better aligned with the resources we 
> currently allocate to this task.
>
> This is not rocket science.
>
> thanks,
> Andrew
>
>
> On Fri, Feb 12, 2016 at 4:18 PM, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>
>     +1 Thank you wall for security researchers who have helped us find
>     bugs!
>
>     Good stuff Tom, thanks for getting this started. I'm sure Josh
>     will be especially interested in this.
>
>     Aloha,
>     Jim
>
>
>
>     On 2/11/16 9:13 AM, Tom Brennan - OWASP wrote:
>>     Post mortem of fixes would be nice to have and a wall of thank
>>     you should be established yes?
>>
>>     *draft*
>>     https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
>>
>>     Tom Brennan
>>     Global Board of Directors
>>     (d) 973-506-9304 <tel:973-506-9304>
>>
>>     OWASP Foundation | www.owasp.org <http://www.owasp.org>
>>
>>
>>     On Thu, Feb 11, 2016 at 1:48 AM, Jim Manico <jim.manico at owasp.org
>>     <mailto:jim.manico at owasp.org>> wrote:
>>     > Right, but two OWASP researchers posted live bugs over Twitter
>>     > today. We have to deal with it Kevin. I'd rather we know than not
>>     > know, sooner than later. One of the bugs noted I fixed earlier today.
>>     >
>>     > Knowing is half the battle.
>>     >
>>     > Aloha,
>>     > Jim
>>     >
>>     >
>>     > On 2/10/16 10:14 PM, Kevin W. Wall wrote:
>>     >
>>     > And to add to Timo's thoughts...if we have an RFP to redo the
>>     > OWASP site, if we do put out a bug bounty, perhaps we should wait
>>     > until that effort is finished, otherwise we may end up fixing
>>     > things twice.
>>     >
>>     > -kevin
>>     >
>>     > On Thu, Feb 11, 2016 at 1:04 AM, Timo Goosen
>>     <timo.goosen at owasp.org <mailto:timo.goosen at owasp.org>> wrote:
>>     >>
>>     >> "But in the meantime, here are a few resources to report your
>>     >> findings to if you run into security issues (and I use "run into"
>>     >> with intention because you would never just start actively testing
>>     >> a website for security without permission in some way, right?
>>     >> Because doing so is a major criminal act in most countries, right?)"
>>     >> Depends. I've found bugs on sites before, unintentionally just
>>     >> by clicking around.
>>     >>
>>     >> On the idea of a bug bounty project for OWASP. The idea is
>>     >> good, but I don't think that OWASP has the resources to deal with
>>     >> a bug bounty program and the flood of reports that will be coming
>>     >> in. Researchers get very annoyed if you don't respond promptly and
>>     >> take them seriously. Just something to consider.
>>     >>
>>     >> Regards.
>>     >> Timo
>>     >>
>>     >> On Thu, Feb 11, 2016 at 6:15 AM, Jim Manico
>>     <jim.manico at owasp.org <mailto:jim.manico at owasp.org>> wrote:
>>     >>>
>>     >>> Folks,
>>     >>>
>>     >>> A few OWASP researchers have found bugs on OWASP's wiki and
>>     >>> decided to disclose them in public over Twitter before reporting
>>     >>> to OWASP.
>>     >>>
>>     >>> Can you please disclose to me or Matt Tesauro or use the
>>     >>> contact form or do anything other than disclose in public before
>>     >>> discussing this with OWASP IT staff and support?
>>     >>>
>>     >>> Also, Josh Sokol is in the middle of ramping up a more formal
>>     >>> bug bounty program and will provide a more formal method for
>>     >>> disclosure in the near future.
>>     >>>
>>     >>> But in the meantime, here are a few resources to report your
>>     >>> findings to if you run into security issues (and I use "run into"
>>     >>> with intention because you would never just start actively testing
>>     >>> a website for security without permission in some way, right?
>>     >>> Because doing so is a major criminal act in most countries, right?)
>>     >>>
>>     >>> Thanks all.
>>     >>>
>>     >>> Matt Tesauro: matt.tesauro at owasp.org
>>     >>> Jim Manico: jim at owasp.org
>>     >>> Contact Form: https://www.tfaforms.com/308703
>>     >>>
>>     >>> Aloha,
>>     >>> Jim Manico
>>     >>> OWASP Global Board Member
>>     >>>
>>     >>> _______________________________________________
>>     >>> OWASP-Leaders mailing list
>>     >>> OWASP-Leaders at lists.owasp.org
>>     >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>     >>>
>>     >>
>>     >>
>>     >> _______________________________________________
>>     >> Owasp-community mailing list
>>     >> Owasp-community at lists.owasp.org
>>     >> https://lists.owasp.org/mailman/listinfo/owasp-community
>>     >>
>>     >
>>     >
>>     >
>>     > --
>>     > Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
>>     > NSA: All your crypto bit are belong to us.
>>     >
>>     >
>>     >
>>     >
>>
>>
>>
>>     -- 
>>
>>     Tom Brennan
>>     Global Board of Directors
>>     NYC/NJ Metro Chapter Leader
>>     (d) 973-506-9304 <tel:973-506-9304>
>>
>>     OWASP Foundation | www.owasp.org <http://www.owasp.org>
>>
>
>
>
>
