[Owasp-leaders] [Owasp-community] Bug Hunting at OWASP.org

johanna curiel curiel johanna.curiel at owasp.org
Fri Feb 12 19:46:25 UTC 2016


*>> For OWASP website did you conduct a risk analysis, threat modelling,
secure code and security testing? *
*We must apply these application security practices on our assets first. We must be a
good example for others.*

Are you serious 😏?
We are a bunch of 'appsec expert' volunteers who have no time for that...
😝

Wait, 😓 that looks like the excuse the developer gave me last week when I
tested his app,

🙁 he told me he didn't have time to implement security because he had to
push the release
and all those OWASP guidelines were making him crazy 😒

We are a volunteer-based org that promotes web security 🤔
No resources to maintain and manage properly, no time for planning, risk
analysis, patching, testing... 😓
just like that dev without time to implement security 😕, or that company
without budget... 😧

OWASP top ten, OpenSAMM, ASVS, Code Review....🤔

XSS bugs on the XSS cheat sheet wiki were found and reported months ago 😕

😵 wait...we don't practice what we preach 😨😲😱



Ok folks, I'm poking you. Seriously, are we now at the same level as those
companies and devs we advise so hard about security, who always have an
excuse why they can't?

You see now how hard it is to do it sometimes... those guidelines & knowledge
are worth nothing if there is no proper execution.

On Fri, Feb 12, 2016 at 2:43 PM, Azzeddine Ramrami <
azzeddine.ramrami at owasp.org> wrote:

> Hi,
> For OWASP website did you conduct a risk analysis, threat modeling,
> secure code and security testing?
>
> We must apply these application security practices on our assets first. We must be a
> good example for others.
>
> Regards
> Azzeddine RAMRAMI
> On 12 Feb 2016 7:34 PM, "Richard Greenberg" <richard.greenberg at owasp.org>
> wrote:
>
>> +1
>>
>> Richard Greenberg, CISSP
>> President, OWASP Los Angeles, www.owaspla.org
>> ISSA Fellow
>> President, ISSA Los Angeles, www.issa-la.org
>> LinkedIn:  http://www.linkedin.com/in/richardagreenberg
>> (424) 261-8111
>>
>> On Thu, Feb 11, 2016 at 10:11 PM, Andrew van der Stock <
>> vanderaj at owasp.org> wrote:
>>
>>> Agreed.
>>>
>>> Andrew
>>>
>>> On Fri, Feb 12, 2016 at 4:54 PM, Jim Manico <jim.manico at owasp.org>
>>> wrote:
>>>
>>>> > we run around with our hands in the air when drama hits Twitter more
>>>> than normal.
>>>>
>>>> I would rephrase that as "some of us who actually give a sh%t go and
>>>> fix the problem as best we can"
>>>>
>>>> - Jim
>>>>
>>>>
>>>> On 2/11/16 9:52 PM, Andrew van der Stock wrote:
>>>>
>>>> I think this also comes down to the infrastructure transformation that
>>>> I've asked Matt T to get ready for us since our last F2F at AppSec USA. We
>>>> need to simplify our IT fleet, and really get it behind a proper enterprise
>>>> architecture, rather than a rag tag collection of out of date stuff that we
>>>> inherit. We only have so much Matt T time to maintain this stuff, and so
>>>> pen testing it without also addressing the root cause: we have no idea
>>>> where all our stuff is, who has admin, how it authenticates, we don't
>>>> monitor it for attacks, and we don't have an IR plan and we run around with
>>>> our hands in the air when drama hits Twitter more than normal.
>>>>
>>>> I want a transformation plan, where we have only one of everything, and
>>>> all the things we have are well managed and monitored. This will reduce our
>>>> IT costs, and be better aligned with the resources we currently allocate to
>>>> this task.
>>>>
>>>> This is not rocket science.
>>>>
>>>> thanks,
>>>> Andrew
>>>>
>>>>
>>>> On Fri, Feb 12, 2016 at 4:18 PM, Jim Manico <jim.manico at owasp.org>
>>>> wrote:
>>>>
>>>>> +1 Thank you wall for security researchers who have helped us find
>>>>> bugs!
>>>>>
>>>>> Good stuff Tom, thanks for getting this started. I'm sure Josh will be
>>>>> especially interested in this.
>>>>>
>>>>> Aloha,
>>>>> Jim
>>>>>
>>>>>
>>>>>
>>>>> On 2/11/16 9:13 AM, Tom Brennan - OWASP wrote:
>>>>>
>>>>> A post mortem of fixes would be nice to have, and a wall of thank you
>>>>> should be established, yes?
>>>>>
>>>>> *draft*
>>>>> https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
>>>>>
>>>>> Tom Brennan
>>>>> Global Board of Directors
>>>>> (d) 973-506-9304
>>>>>
>>>>> OWASP Foundation | www.owasp.org
>>>>>
>>>>>
>>>>> On Thu, Feb 11, 2016 at 1:48 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>> > Right, but two OWASP researchers posted live bugs over Twitter today.
>>>>> > We have to deal with it, Kevin. I'd rather we know than not know,
>>>>> > sooner than later. One of the bugs noted I fixed earlier today.
>>>>> >
>>>>> > Knowing is half the battle.
>>>>> >
>>>>> > Aloha,
>>>>> > Jim
>>>>> >
>>>>> >
>>>>> > On 2/10/16 10:14 PM, Kevin W. Wall wrote:
>>>>> >
>>>>> > And to add to Timo's thoughts... if we have an RFP to redo the OWASP
>>>>> > site, if we do put out a bug bounty, perhaps we should wait until that
>>>>> > effort is finished, otherwise we may end up fixing things twice.
>>>>> >
>>>>> > -kevin
>>>>> >
>>>>> > On Thu, Feb 11, 2016 at 1:04 AM, Timo Goosen <timo.goosen at owasp.org> wrote:
>>>>> >>
>>>>> >> "But in the meantime, here are a few resources to report your
>>>>> >> findings to if you run into security issues (and I use "run into"
>>>>> >> with intention because you would never just start actively testing a
>>>>> >> website for security without permission in some way, right? Because
>>>>> >> doing so is a major criminal act in most countries, right?)"
>>>>> >> Depends. I've found bugs on sites before, unintentionally just by
>>>>> >> clicking around.
>>>>> >>
>>>>> >> On the idea of a bug bounty project for OWASP: the idea is good, but I
>>>>> >> don't think that OWASP has the resources to deal with a bug bounty
>>>>> >> program and the flood of reports that will be coming in. Researchers
>>>>> >> get very annoyed if you don't respond promptly and take them seriously.
>>>>> >> Just something to consider.
>>>>> >>
>>>>> >> Regards.
>>>>> >> Timo
>>>>> >>
>>>>> >> On Thu, Feb 11, 2016 at 6:15 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>> >>>
>>>>> >>> Folks,
>>>>> >>>
>>>>> >>> A few OWASP researchers have found bugs on OWASP's wiki and decided to
>>>>> >>> disclose them in public over Twitter before reporting to OWASP.
>>>>> >>>
>>>>> >>> Can you please disclose to me or Matt Tesauro, or use the contact form,
>>>>> >>> or do anything other than disclose in public before discussing this
>>>>> >>> with OWASP IT staff and support?
>>>>> >>>
>>>>> >>> Also, Josh Sokol is in the middle of ramping up a more formal bug
>>>>> >>> bounty program and will provide a more formal method for disclosure in
>>>>> >>> the near future.
>>>>> >>>
>>>>> >>> But in the meantime, here are a few resources to report your findings
>>>>> >>> to if you run into security issues (and I use "run into" with
>>>>> >>> intention because you would never just start actively testing a
>>>>> >>> website for security without permission in some way, right? Because
>>>>> >>> doing so is a major criminal act in most countries, right?)
>>>>> >>>
>>>>> >>> Thanks all.
>>>>> >>>
>>>>> >>> Matt Tesauro: matt.tesauro at owasp.org
>>>>> >>> Jim Manico:  jim at owasp.org
>>>>> >>> Contact Form: https://www.tfaforms.com/308703
>>>>> >>>
>>>>> >>> Aloha,
>>>>> >>> Jim Manico
>>>>> >>> OWASP Global Board Member
>>>>> >>>
>>>>> >>> _______________________________________________
>>>>> >>> OWASP-Leaders mailing list
>>>>> >>> OWASP-Leaders at lists.owasp.org
>>>>> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>> >>>
>>>>> >>
>>>>> >>
>>>>> >> _______________________________________________
>>>>> >> Owasp-community mailing list
>>>>> >> Owasp-community at lists.owasp.org
>>>>> >> https://lists.owasp.org/mailman/listinfo/owasp-community
>>>>> >>
>>>>> >
>>>>> >
>>>>> >
>>>>> > --
>>>>> > Blog: http://off-the-wall-security.blogspot.com/    | Twitter:
>>>>> @KevinWWall
>>>>> > NSA: All your crypto bit are belong to us.
>>>>> >
>>>>> >
>>>>> >
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> Tom Brennan
>>>>> Global Board of Directors
>>>>> NYC/NJ Metro Chapter Leader
>>>>> (d) 973-506-9304
>>>>>
>>>>> OWASP Foundation | www.owasp.org
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>