[Owasp-portland] FLOSSHack Details and Potential Targets
matthewl at bit-shift.net
Tue May 1 04:08:30 UTC 2012
I second Keith's suggestions. I think a longer 3-5 hour session on the weekend would be more interesting, as 2 hours can really fly when you're heads down. But whatever gets the most involvement is good with me.
On Mon, Apr 30, 2012 at 7:59 PM, Keith Seymour <keseymour at gmail.com> wrote:
> Both OpenDocMan and ResourceSpace sound sufficiently open to provide lots of opportunities for security flaws. Since they are both targeted at small business it would be helpful to the developers to provide feedback. Unless of course round two of the workshop will be coding fixes for the problems.
> I'd be open to a longer session on the weekend, but 2 hours in an evening is also easy to arrange given some lead time.
> On Fri, Apr 27, 2012 at 9:20 PM, Timothy D. Morgan <tmorgan-owasp at vsecurity.com> wrote:
>> Hi everyone,
>> Based on some feedback I received from my survey, it seems like a LAMP application would best match people's interests in open source project
>> Based on recommendations from others and my own research, I'm proposing we do the first FLOSSHack on one of the following apps:
>> ResourceSpace <http://www.resourcespace.org/>
>> selfoss <http://selfoss.aditu.de/>
>> OpenDocMan <http://www.opendocman.com/>
>> I haven't actually looked at these terribly closely, but let me know if you have any strong opinions about them. In general, I think it would be most useful for us to look at a project that has some kind of built-in access control allows potentially untrusted users to submit persistent content, and of interacts in some way with a SQL database. Also, projects that are under development are strongly preferred.
>> I thought I'd also throw out some thoughts I had on how a typical session might go:
>> 1. As I mentioned before, we'd choose the application and announce it maybe a week (or more?) before the date of the FLOSSHack session.
>> 2. At the beginning of the session, we may spend up to 30 minutes going common vulnerabilities that might affect the application. Perhaps even demos in WebGoat or something similar to ensure everyone has a good idea as to what they are looking for.
>> 3. Share vulnerabilities already found -- for those who have spent the prior week looking for bugs, now would be the time they could share them with else. Much discussion of the flaws, how they were found, and how they could be exploited would ensue.
>> 4. Start hacking. A pre-installed version of the application will be in some way, maybe on a VM or remotely. Collaborate on searching for types of bugs. Occasionally, when folks spot new vulnerabilities, announce it and describe the bug to others. Maybe the resulting discussion sparks new ideas for finding additional flaws. If things are "slow" in this area, perhaps FLOSSHack wrangler can stop everyone once in a while to cover some topic relevant to the application.
>> 5. Conclude the session, hopefully, with a pile of security bugs to send off to the developers in a responsible manner. If we can find sponsors for this, maybe we could have some prizes for those who find the most bugs, or the "best" found, as voted on by the participants.
>> I expect a FLOSSHack session to last at least 2 hours. I know that's long for some people's schedules, but it's designed as a workshop and it quite a while to get familiar with an application.
>> I'm still not sure if it would be best to hold this kind of thing on a or on a weekend. What would people prefer? If it makes sense, we could stretch it out into a longer weekend session (4 hours?) and then invite to come and go as they please; whatever fits people's schedules. I setting up some way for people to join remotely as well. Perhaps just via IRC, IM, or some newfangled thing with moving pictures. (I'd appreciate volunteers to help with this or anything else.)
>> Let me know what you all think.
>> Thanks and have a great weekend!
>> PS - If anyone knows any college students who are interested in computer security, this would be a great event for them. Feel free to pass along about this event, or just get them signed up to the mailing list.
>> Owasp-portland mailing list
>> Owasp-portland at lists.owasp.org
We are what we repeatedly do. Excellence then is not an act, but a habit.