[Owasp-portland] "FLOSSHack" in early April?

Timothy D. Morgan tmorgan-owasp at vsecurity.com
Mon Mar 19 16:15:06 UTC 2012

I've received just two responses to this posting.  I'm pretty sure more
people than that are interested, considering how many eyes I've seen
light up when I describe it, but I think it is important to get more
input on the types of applications people would be interested in auditing.

Early April is also getting pretty busy for me, so if I don't get some
more feedback, I'll probably postpone this until May where I can get the
word out to more audiences.


On 03/12/2012 01:55 PM, Timothy D. Morgan wrote:
> Hi Everyone,
> Thanks to those were able to make it to our meeting last week.  We had
> about 10-11 attendees plus our speaker and a couple of his friends, so
> it was a solid turn out.
> Next on my radar is to flesh out this idea I've been wanting to try out.
>  In the interest of having a catchy name, I'm calling it "FLOSSHack"
> (for Free/Libre Open Source Software Hacking).  Feel free to suggest a
> catchier name.  Here's the gist of it:
> 1. Gather together folks who are interested in getting down and dirty in
> technical details to sharpen their penetration testing and security code
> review skills.
> 2. Select a FLOSS application that people are interested in testing.
> Let people work on their own for a week or so before a meeting.
> 3. Sit down together to discover and discuss as many vulnerabilities as
> possible that were found in the application.  Discuss secific
> exploitation scenarios and mitigation strategies. Openly share all of
> the results of testing within the group (but avoid sharing publicly just
> yet).
> 4. Work with the developer of the software to address the issues through
> a responsible disclosure process.  Those who discover bugs get full
> public credit for the issues they find (if they wish) and experience in
> responsible notification and interaction with software maintainers.
> I expect there will be a number of details to work out, but I would like
> to take a quick poll on a few things.  If you don't mind taking a couple
> of minutes to answer these questions (sent back to the list,
> preferably), that would be great:
> A. Would you be interested in participating in such an event?
>    If "no", stop here.
> B. What kinds of vulnerabilities are you most interested in learning
>    about? (e.g. SQL injection, buffer overflows, XXE, ...)
> C. What technologies/development platforms are you most experienced
>    with?  What technologies/development platforms are you most
>    interested in learning more about?
> D. Do you have suggestions for what open source projects you would like
>    to perform an audit of?
> E. Will a FLOSSHack session on April 10 or 11 work for your schedule?

More information about the Owasp-portland mailing list