[Owasp-portland] FLOSSHack Details and Potential Targets

Matthew Lapworth matthewl at bit-shift.net
Tue May 1 04:08:30 UTC 2012


I second Keith's suggestions. I think a longer 3-5 hours session on the
weekend would be more interesting as 2 hours can really fly when you're
heads down.  But whatever gets the most involvement is good with me.

On Mon, Apr 30, 2012 at 7:59 PM, Keith Seymour <keseymour at gmail.com> wrote:

> Tim,
>
> Both OpenDocMan and ResourceSpace sound sufficiently open to provide lots
> of opportunities for security flaws. Since they are both targeted at small
> business it would be helpful to the developers to  provide feedback. Unless
> of course round two of the workshop will be coding fixes for the problems
> discovered!
>
> I'd be open to a longer session on the weekend but 2 hours in an evening
> is also easy to arrange given some lead time.
>
> Thanks,
>
> Keith
>
>
> On Fri, Apr 27, 2012 at 9:20 PM, Timothy D. Morgan <
> tmorgan-owasp at vsecurity.com> wrote:
>
>> Hi everyone,
>>
>> Based on some feedback I received from my survey, it seems like a LAMP
>> application would best match peoples' interests in open source project
>> targets.
>>  Based on recommendations from others and my own research, I'm proposing
>> we do
>> the first FLOSSHack on one of the following apps:
>>
>>  ResourceSpace <http://www.resourcespace.org/>
>>  selfoss <http://selfoss.aditu.de/>
>>  OpenDocMan <http://www.opendocman.com/>
>>
>>
>> I haven't actually looked at these terribly closely, but let me know if
>> you have
>> any strong opinions about them.  In general, I think it would be most
>> useful for
>> us to look at a project that has some kind of built-in access control
>> system,
>> allows potentially untrusted users to submit persistent content, and of
>> course
>> interacts in some way with a SQL database.  Also, projects that are under
>> active
>> development are also strongly preferred.
>>
>>
>> I thought I'd also throw out some thoughts I had on how a typical
>> FLOSSHack
>> session might go:
>>
>> 1. As I mentioned before, we'd choose the application and announce it
>> officially
>> maybe a week (or more?) before the date of the FLOSSHack session.
>>
>> 2. At the beginning of the session, we may spend up to 30 minutes going
>> over
>> common vulnerabilities that might affect the application.  Perhaps even
>> show
>> demos in WebGoat or something similar to ensure everyone has a good idea
>> as to
>> what they are looking for.
>>
>> 3. Share vulnerabilities already found-- for those who have spent the
>> prior week
>> looking for bugs, now would be the time they could share them with
>> everyone
>> else.  Much discussion of the flaws, how they were found, and how they
>> could be
>> exploited would ensue.
>>
>> 4. Start hacking.  A pre-installed version of the application will be
>> provided
>> in some way, maybe on a VM or remotely.  Collaborate on searching for
>> various
>> types of bugs.  Occasionally, when folks spot new vulnerabilities,
>> announce it
>> and describe the bug to others.  Maybe the resulting discussion sparks
>> new ideas
>> for finding additional flaws.  If things are "slow" in this area, perhaps
>> the
>> FLOSSHack wrangler can stop everyone once in a while to cover some
>> security
>> topic relevant to the application.
>>
>> 5. Conclude the session, hopefully, with a pile of security bugs to send
>> off to
>> the developers in a responsible manner.  If we can find sponsors for
>> this, maybe
>> we could have some prizes for those who find the most bugs, or the "best"
>> bug
>> found, as voted on by the participants.
>>
>>
>> I expect a FLOSSHack session to last at least 2 hours.  I know that's
>> pretty
>> long for some people's schedules, but it's designed as a workshop and it
>> takes
>> quite a while to get familiar with an application.
>>
>> I'm still not sure if it would be best to hold this kind of thing on a
>> weeknight
>> or on a weekend.  What would people prefer?  If it makes sense, we could
>> even
>> stretch it out into a longer weekend session (4 hours?) and then invite
>> people
>> to come and go as they please; whatever fits peoples' schedules. I
>> anticipate
>> setting up some way for people to join remotely as well.  Perhaps just
>> via IRC,
>> IM, or some newfangled thing with moving pictures. (I'd appreciate
>> volunteers to
>> help with this or anything else.)
>>
>>
>> Let me know what you all think.
>> Thanks and have a great weekend!
>> tim
>>
>>
>> PS - If anyone knows any college students who are interested in computer
>> security, this would be a great event for them.  Feel free to pass along
>> info
>> about this event, or just get them signed up to the mailing list.
>> _______________________________________________
>> Owasp-portland mailing list
>> Owasp-portland at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-portland
>>
>
>
>
> --
> GeekyExplorers.com
>
>
>
>


-- 
Matthew Lapworth
http://www.bit-shift.net

We are what we repeatedly do. Excellence then is not an act, but a habit.
  - Aristotle