[Owasp-leaders] [Owasp-community] Bug Hunting at OWASP.org

Tom Brennan - OWASP tomb at owasp.org
Sat Feb 13 16:23:21 UTC 2016


*Organizational*
For the policy people.... OWASP simply needs to set up processes and
policies following ISO 29147 and ISO 30111 or a comparable framework,
publish a security contact at the organization, and publish its
vulnerability handling preferences and philosophies.

http://www.iso.org/iso/catalogue_detail.htm?csnumber=45170

http://www.iso.org/iso/catalogue_detail.htm?csnumber=53231

This is operational and common to every organization.

Today OWASP has a "Contact Us" form at OWASP and a part-time contractor,
Matt T, who gets paid about 15k per year to maintain systems on a best-effort
basis (scope: https://www.owasp.org/index.php/ITSupport), and ANY trusted
volunteer who wants to help out is welcome to do so.

*Communications*
For the community, OWASP simply needs to have the ability to receive
incoming vulnerability reports and a verified channel to distribute
advisories or other relevant security information to affected parties.
This starts with the contact-us form as the basic process and could expand to
3rd-party providers, tools and systems (HackerOne, Bugcrowd, etc.).

https://www.owasp.org/index.php/About_OWASP/Bug_Bounty  *DRAFT*

*Analytics*
The first step for OWASP should be to capture basic information about
reported vulnerabilities, such as the date and who submitted it. This is
now in place with a DRAFT outline and will get cleaned up with YOUR help
(it's a wiki: edit it or use the discussion tab).

*Incentives*
OWASP offers no incentives today..... but we do have perks like conferences
(free tickets, speaker opportunities, OWASP swag and many other items,
including available gift cards) for thanks and recognition of any reporter
of a vulnerability, on a "wall of thank you" page.

MANY of the individual consultants, researchers, developers, etc. that
are on this list understand that this is a rather straightforward issue and
commonplace in our industry, and you know what the best thing is:

"........ OWASP does not endorse or recommend commercial products or
services, allowing our community to remain vendor neutral with the
collective wisdom of the best minds in software security worldwide" <snip
from our mission on homepage>

P.S. - If we want to make it more robust, there is also an OWASP Top 10 IR
project that everyone is welcome to get involved in too. Policy:
https://www.owasp.org/index.php/OWASP_Incident_Response_Project

Tom Brennan
Global Board of Directors
(d) 973-506-9304

OWASP Foundation | www.owasp.org



On Sat, Feb 13, 2016 at 8:32 AM, Gabriel Gumbs <gabriel at rfc1122.com> wrote:
>
> Add my name to the list. Happy to help.
>
> On Fri, Feb 12, 2016 at 6:01 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>
>> Andrew H, Frank and all of those volunteers that have kindly offered their help.
>>
>> Thank you very much for volunteering to secure OWASP assets and web applications.
>>
>> I will set this topic on the board's agenda.
>>
>> For everyone that wants to help instead of preach, I have set up this wiki page:
>> https://www.owasp.org/index.php/Help_Secure_Owasp_assests
>>
>> Set your name if you have editing rights to the wiki.
>> Otherwise contact me, and I'll gladly set your name on the list.
>>
>> The purpose of this is to structure the efforts, and no panic moves.
>>
>>
>> Cheers
>>
>> Johanna
>>
>>
>> On Fri, Feb 12, 2016 at 6:56 PM, Gregory Disney <gregory.disney at owasp.org> wrote:
>>>
>>> Two sides of the coin: free testing can be a lot more damaging if the
>>> person hacking is just using some tool and unaware of what it's doing, such as
>>> deleting /etc/shadow on a production host, which I have seen. The other point is
>>> coverage of weaknesses: how do you ensure all weaknesses have been tested? On
>>> the other side, it's less about damages when you pay, and again coverage. The
>>> third wheel is most likely a combination of the two.
>>>
>>>
>>> On Friday, February 12, 2016, Rahim Jina <rahim.jina at owasp.org> wrote:
>>>>
>>>> I don't think we need to pay for testing - I think there are enough
>>>> people willing to test for free.
>>>>
>>>> I'm happy to donate free cycles from our team of edgescan pentesters
>>>> if requested.
>>>>
>>>> Rahim
>>>>
>>>> Sent from my iPhone
>>>>
>>>> On 12 Feb 2016, at 19:53, Frank Catucci <frank.catucci at owasp.org> wrote:
>>>>
>>>> All,
>>>>
>>>> I spoke to Jim briefly about this at AppSec Cali, and I am still
>>>> willing to assist but I am afraid we are at a crossroads. I still think a
>>>> bug bounty program is a great idea no matter what scope we start with or
>>>> progress to. However, the issue of security resources dedicated to this
>>>> effort needs to be discussed with a very real and tangible outcome and
>>>> timeline. Whether we decide to pay for these positions and resources or
>>>> not, the discussion needs to happen. How important is this to OWASP? That's
>>>> a great starting point IMO....
>>>>
>>>> Regards,
>>>>
>>>> Frank
>>>>
>>>> On Feb 12, 2016, at 2:46 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>
>>>> >> For the OWASP website, did you conduct a risk analysis, threat
>>>> >> modelling, secure code and security testing?
>>>> >> We must apply this application security to our assets first. We must
>>>> >> be a good example for others.
>>>>
>>>> Are you serious?
>>>> We are a bunch of 'appsec expert' volunteers who have no time for that...
>>>>
>>>> Wait, that looks like the excuse the developer gave me last week when
>>>> I tested his app:
>>>>
>>>> he told me he didn't have time to implement security because he had
>>>> to push the release
>>>> and all those OWASP guidelines were making him crazy.
>>>>
>>>> We are a volunteer-based org that promotes web security.
>>>> No resources to maintain and manage properly, no time for planning,
>>>> risk analysis, patching, testing...
>>>> just like that dev without time to implement security, or that company
>>>> without budget...
>>>>
>>>> OWASP Top Ten, OpenSAMM, ASVS, Code Review....
>>>>
>>>> XSS bugs on the XSS cheat sheet wiki were found and reported months ago.
>>>>
>>>> wait... we don't practice what we preach.
>>>>
>>>>
>>>>
>>>> Ok folks, I'm poking you. Seriously, are we now at the same level as
>>>> those companies and devs we advise so hard about security, always with an
>>>> excuse why they can't?
>>>>
>>>> You see now how hard it is to do it sometimes... those guidelines &
>>>> knowledge are worth nothing if there is no proper execution.
>>>>
>>>> On Fri, Feb 12, 2016 at 2:43 PM, Azzeddine Ramrami <azzeddine.ramrami at owasp.org> wrote:
>>>>>
>>>>> Hi,
>>>>> For the OWASP website, did you conduct a risk analysis, threat modeling,
>>>>> secure code and security testing?
>>>>>
>>>>> We must apply this application security to our assets first. We must
>>>>> be a good example for others.
>>>>>
>>>>> Regards
>>>>> Azzeddine RAMRAMI
>>>>>
>>>>> On 12 Feb 2016 7:34 PM, "Richard Greenberg" <richard.greenberg at owasp.org> wrote:
>>>>>>
>>>>>> +1
>>>>>>
>>>>>> Richard Greenberg, CISSP
>>>>>> President, OWASP Los Angeles, www.owaspla.org
>>>>>> ISSA Fellow
>>>>>> President, ISSA Los Angeles, www.issa-la.org
>>>>>> LinkedIn:  http://www.linkedin.com/in/richardagreenberg
>>>>>> (424) 261-8111
>>>>>>
>>>>>> On Thu, Feb 11, 2016 at 10:11 PM, Andrew van der Stock <vanderaj at owasp.org> wrote:
>>>>>>>
>>>>>>> Agreed.
>>>>>>>
>>>>>>> Andrew
>>>>>>>
>>>>>>> On Fri, Feb 12, 2016 at 4:54 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>>>
>>>>>>>> > we run around with our hands in the air when drama hits Twitter
>>>>>>>> > more than normal.
>>>>>>>>
>>>>>>>> I would rephrase that as "some of us who actually give a sh%t go
>>>>>>>> and fix the problem as best we can"
>>>>>>>>
>>>>>>>> - Jim
>>>>>>>>
>>>>>>>>
>>>>>>>> On 2/11/16 9:52 PM, Andrew van der Stock wrote:
>>>>>>>>
>>>>>>>> I think this also comes down to the infrastructure transformation
>>>>>>>> that I've asked Matt T to get ready for us since our last F2F at AppSec
>>>>>>>> USA. We need to simplify our IT fleet, and really get it behind a proper
>>>>>>>> enterprise architecture, rather than a rag-tag collection of out-of-date
>>>>>>>> stuff that we inherit. We only have so much Matt T time to maintain this
>>>>>>>> stuff, and so pen testing it without also addressing the root cause: we
>>>>>>>> have no idea where all our stuff is, who has admin, how it authenticates,
>>>>>>>> we don't monitor it for attacks, and we don't have an IR plan and we run
>>>>>>>> around with our hands in the air when drama hits Twitter more than
>>>>>>>> normal.
>>>>>>>>
>>>>>>>> I want a transformation plan, where we have only one of
>>>>>>>> everything, and all the things we have are well managed and monitored. This
>>>>>>>> will reduce our IT costs, and be better aligned with the resources we
>>>>>>>> currently allocate to this task.
>>>>>>>>
>>>>>>>> This is not rocket science.
>>>>>>>>
>>>>>>>> thanks,
>>>>>>>> Andrew
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Feb 12, 2016 at 4:18 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>>>>
>>>>>>>>> +1 Thank you wall for security researchers who have helped us
>>>>>>>>> find bugs!
>>>>>>>>>
>>>>>>>>> Good stuff Tom, thanks for getting this started. I'm sure Josh
>>>>>>>>> will be especially interested in this.
>>>>>>>>>
>>>>>>>>> Aloha,
>>>>>>>>> Jim
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 2/11/16 9:13 AM, Tom Brennan - OWASP wrote:
>>>>>>>>>
>>>>>>>>> A post-mortem of fixes would be nice to have, and a wall of thank
>>>>>>>>> you should be established, yes?
>>>>>>>>>
>>>>>>>>> *draft*
>>>>>>>>> https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
>>>>>>>>>
>>>>>>>>> Tom Brennan
>>>>>>>>> Global Board of Directors
>>>>>>>>> (d) 973-506-9304
>>>>>>>>>
>>>>>>>>> OWASP Foundation | www.owasp.org
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Thu, Feb 11, 2016 at 1:48 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>>>> > Right, but two OWASP researchers posted live bugs over Twitter
>>>>>>>>> > today. We have to deal with it Kevin. I'd rather we know than not know,
>>>>>>>>> > sooner than later. One of the bugs noted I fixed earlier today.
>>>>>>>>> >
>>>>>>>>> > Knowing is half the battle.
>>>>>>>>> >
>>>>>>>>> > Aloha,
>>>>>>>>> > Jim
>>>>>>>>> >
>>>>>>>>> >
>>>>>>>>> > On 2/10/16 10:14 PM, Kevin W. Wall wrote:
>>>>>>>>> >
>>>>>>>>> > And to add to Timo's thoughts... if we have an RFP to redo the
>>>>>>>>> > OWASP site, if we do put out a bug bounty, perhaps we should wait until that
>>>>>>>>> > effort is finished, otherwise we may end up fixing things twice.
>>>>>>>>> >
>>>>>>>>> > -kevin
>>>>>>>>> >
>>>>>>>>> > On Thu, Feb 11, 2016 at 1:04 AM, Timo Goosen <timo.goosen at owasp.org> wrote:
>>>>>>>>> >>
>>>>>>>>> >> "But in the meantime, here are a few resources to report your
>>>>>>>>> >> findings to if you run into security issues (and I use "run into" with
>>>>>>>>> >> intention because you would never just start actively testing a website for
>>>>>>>>> >> security without permission in some way, right? Because doing so is a major
>>>>>>>>> >> criminal act in most countries, right?)"
>>>>>>>>> >> Depends. I've found bugs on sites before, unintentionally just
>>>>>>>>> >> by clicking around.
>>>>>>>>> >>
>>>>>>>>> >> On the idea of a bug bounty project for OWASP: the idea is
>>>>>>>>> >> good, but I don't think that OWASP has the resources to deal with a bug
>>>>>>>>> >> bounty program and the flood of reports that will be coming in. Researchers
>>>>>>>>> >> get very annoyed if you don't respond promptly and take them seriously. Just
>>>>>>>>> >> something to consider.
>>>>>>>>> >>
>>>>>>>>> >> Regards.
>>>>>>>>> >> Timo
>>>>>>>>> >>
>>>>>>>>> >> On Thu, Feb 11, 2016 at 6:15 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>>>> >>>
>>>>>>>>> >>> Folks,
>>>>>>>>> >>>
>>>>>>>>> >>> A few OWASP researchers have found bugs on OWASP's wiki and
>>>>>>>>> >>> decided to disclose them in public over Twitter before reporting to
>>>>>>>>> >>> OWASP.
>>>>>>>>> >>>
>>>>>>>>> >>> Can you please disclose to me or Matt Tesauro or use the
>>>>>>>>> >>> contact form or do anything other than disclose in public before discussing
>>>>>>>>> >>> this with OWASP IT staff and support?
>>>>>>>>> >>>
>>>>>>>>> >>> Also, Josh Sokol is in the middle of ramping up a more formal
>>>>>>>>> >>> bug bounty program and will provide a more formal method for disclosure
>>>>>>>>> >>> in the near future.
>>>>>>>>> >>>
>>>>>>>>> >>> But in the meantime, here are a few resources to report your
>>>>>>>>> >>> findings to if you run into security issues (and I use "run into" with
>>>>>>>>> >>> intention because you would never just start actively testing a website for
>>>>>>>>> >>> security without permission in some way, right? Because doing so is a major
>>>>>>>>> >>> criminal act in most countries, right?)
>>>>>>>>> >>>
>>>>>>>>> >>> Thanks all.
>>>>>>>>> >>>
>>>>>>>>> >>> Matt Tesauro: matt.tesauro at owasp.org
>>>>>>>>> >>> Jim Manico:  jim at owasp.org
>>>>>>>>> >>> Contact Form: https://www.tfaforms.com/308703
>>>>>>>>> >>>
>>>>>>>>> >>> Aloha,
>>>>>>>>> >>> Jim Manico
>>>>>>>>> >>> OWASP Global Board Member
>>>>>>>>> >>>
>>>>>>>>> >>> _______________________________________________
>>>>>>>>> >>> OWASP-Leaders mailing list
>>>>>>>>> >>> OWASP-Leaders at lists.owasp.org
>>>>>>>>> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>>> >>>
>>>>>>>>> >>
>>>>>>>>> >>
>>>>>>>>> >> _______________________________________________
>>>>>>>>> >> Owasp-community mailing list
>>>>>>>>> >> Owasp-community at lists.owasp.org
>>>>>>>>> >> https://lists.owasp.org/mailman/listinfo/owasp-community
>>>>>>>>> >>
>>>>>>>>> >
>>>>>>>>> >
>>>>>>>>> >
>>>>>>>>> > --
>>>>>>>>> > Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
>>>>>>>>> > NSA: All your crypto bit are belong to us.
>>>>>>>>> >
>>>>>>>>> >
>>>>>>>>> >
>>>>>>>>> >
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>>
>>>>>>>>> Tom Brennan
>>>>>>>>> Global Board of Directors
>>>>>>>>> NYC/NJ Metro Chapter Leader
>>>>>>>>> (d) 973-506-9304
>>>>>>>>>
>>>>>>>>> OWASP Foundation | www.owasp.org
>>>>>>>>>
>>>>>>>>> The information contained in this message and any attachments may
>>>>>>>>> be privileged, confidential, proprietary or otherwise protected from
>>>>>>>>> disclosure. If you, the reader of this message, are not the intended
>>>>>>>>> recipient, you are hereby notified that any dissemination, distribution,
>>>>>>>>> copying or use of this message and any attachment is strictly prohibited.
>>>>>>>>> If you have received this message in error, please notify the sender
>>>>>>>>> immediately by replying to the message, permanently delete it from your
>>>>>>>>> computer and destroy any printout.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
