[Owasp-portland] FLOSSHack Details and Potential Targets

Webmaster webmaster at warnerpacific.edu
Mon Apr 30 14:17:28 UTC 2012


Vote for Resourcespace. It fits your criteria.
Moodle, wordpress, or joomla for future.



On Apr 27, 2012, at 9:20 PM, "Timothy D. Morgan" <tmorgan-owasp at vsecurity.com> wrote:

> Hi everyone,
> 
> Based on some feedback I received from my survey, it seems like a LAMP
> application would best match peoples' interests in open source project targets.
> Based on recommendations from others and my own research, I'm proposing we do
> the first FLOSSHack on one of the following apps:
> 
>  ResourceSpace <http://www.resourcespace.org/>
>  selfoss <http://selfoss.aditu.de/>
>  OpenDocMan <http://www.opendocman.com/>
> 
> 
> I haven't actually looked at these terribly closely, but let me know if you have
> any strong opinions about them.  In general, I think it would be most useful for
> us to look at a project that has some kind of built-in access control system,
> allows potentially untrusted users to submit persistent content, and of course
> interacts in some way with a SQL database.  Also, projects that are under active
> development are also strongly preferred.
> 
> 
> I thought I'd also throw out some thoughts I had on how a typical FLOSSHack
> session might go:
> 
> 1. As I mentioned before, we'd choose the application and announce it officially
> maybe a week (or more?) before the date of the FLOSSHack session.
> 
> 2. At the beginning of the session, we may spend up to 30minutes going over
> common vulnerabilities that might affect the application.  Perhaps even show
> demos in WebGoat or something similar to ensure everyone has a good idea as to
> what they are looking for.
> 
> 3. Share vulnerabilities already found-- for those who have spent the prior week
> looking for bugs, now would be the time they could share them with everyone
> else.  Much discussion of the flaws, how they were found, and how they could be
> exploited would ensue.
> 
> 4. Start hacking.  A pre-installed version of the application will be provided
> in some way, maybe on a VM or remotely.  Collaborate on searching for various
> types of bugs.  Occasionally, when folks spot new vulnerabilities, announce it
> and describe the bug to others.  Maybe the resulting discussion sparks new ideas
> for finding additional flaws.  If things are "slow" in this area, perhaps the
> FLOSSHack wrangler can stop everyone once in a while to cover some security
> topic relevant to the application.
> 
> 5. Conclude the session, hopefully, with a pile of security bugs to send off to
> the developers in a responsible manner.  If we can find sponsors for this, maybe
> we could have some prizes for those who find the most bugs, or the "best" bug
> found, as voted on by the participants.
> 
> 
> I expect a FLOSSHack session to last at least 2 hours.  I know that's pretty
> long for some people's schedules, but it's designed as a workshop and it takes
> quite a while to get familiar with an application.
> 
> I'm still not sure if it would be best to hold this kind of thing on a weeknight
> or on a weekend.  What would people prefer?  If it makes sense, we could even
> stretch it out into a longer weekend session (4 hours?) and then invite people
> to come and go as they please; whatever fits peoples' schedules. I anticipate
> setting up some way for people to join remotely as well.  Perhaps just via IRC,
> IM, or some newfangled thing with moving pictures. (I'd appreciate volunteers to
> help with this or anything else.)
> 
> 
> Let me know what you all think.
> Thanks and have a great weekend!
> tim
> 
> 
> PS - If anyone knows any college students who are interested in computer
> security, this would be a great event for them.  Feel free to pass along info
> about this event, or just get them signed up to the mailing list.
> _______________________________________________
> Owasp-portland mailing list
> Owasp-portland at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-portland


More information about the Owasp-portland mailing list