[Owasp-portland] "FLOSSHack" in early April?
Timothy D. Morgan
tmorgan-owasp at vsecurity.com
Mon Mar 19 16:15:06 UTC 2012
I've received just two responses to this posting. I'm pretty sure more
people than that are interested, considering how many eyes I've seen
light up when I describe it, but I think it is important to get more
input on the types of applications people would be interested in auditing.
Early April is also getting pretty busy for me, so if I don't get some
more feedback, I'll probably postpone this until May where I can get the
word out to more audiences.
On 03/12/2012 01:55 PM, Timothy D. Morgan wrote:
> Hi Everyone,
> Thanks to those who were able to make it to our meeting last week. We had
> about 10-11 attendees plus our speaker and a couple of his friends, so
> it was a solid turn out.
> Next on my radar is to flesh out this idea I've been wanting to try out.
> In the interest of having a catchy name, I'm calling it "FLOSSHack"
> (for Free/Libre Open Source Software Hacking). Feel free to suggest a
> catchier name. Here's the gist of it:
> 1. Gather together folks who are interested in getting down and dirty in
> technical details to sharpen their penetration testing and security code
> review skills.
> 2. Select a FLOSS application that people are interested in testing.
> Let people work on their own for a week or so before a meeting.
> 3. Sit down together to discover and discuss as many vulnerabilities as
> possible that were found in the application. Discuss specific
> exploitation scenarios and mitigation strategies. Openly share all of
> the results of testing within the group (but avoid sharing publicly just
> 4. Work with the developer of the software to address the issues through
> a responsible disclosure process. Those who discover bugs get full
> public credit for the issues they find (if they wish) and experience in
> responsible notification and interaction with software maintainers.
> I expect there will be a number of details to work out, but I would like
> to take a quick poll on a few things. If you don't mind taking a couple
> of minutes to answer these questions (sent back to the list,
> preferably), that would be great:
> A. Would you be interested in participating in such an event?
> If "no", stop here.
> B. What kinds of vulnerabilities are you most interested in learning
> about? (e.g. SQL injection, buffer overflows, XXE, ...)
> C. What technologies/development platforms are you most experienced
> with? What technologies/development platforms are you most
> interested in learning more about?
> D. Do you have suggestions for what open source projects you would like
> to perform an audit of?
> E. Will a FLOSSHack session on April 10 or 11 work for your schedule?