[Owasp-portland] FLOSSHack Details and Potential Targets

Webmaster webmaster at warnerpacific.edu
Tue May 1 05:08:59 UTC 2012


My weekends are booked for the next few months. I'd be more inclined for longer evening sessions on weekdays (2-4hrs is fine) or maybe two nights in a row.
-David


On Apr 30, 2012, at 9:09 PM, "Matthew Lapworth" <matthewl at bit-shift.net> wrote:

> I second Keith's suggestions. I think a longer 3-5 hour session on the weekend would be more interesting as 2 hours can really fly when you're heads down.  But whatever gets the most involvement is good with me.
> 
> On Mon, Apr 30, 2012 at 7:59 PM, Keith Seymour <keseymour at gmail.com> wrote:
> Tim,
> 
> Both OpenDocMan and ResourceSpace sound sufficiently open to provide lots of opportunities for security flaws. Since they are both targeted at small business it would be helpful to the developers to provide feedback. Unless of course round two of the workshop will be coding fixes for the problems discovered!
> 
> I'd be open to a longer session on the weekend but 2 hours in an evening is also easy to arrange given some lead time.
> 
> Thanks,
> 
> Keith
> 
> 
> On Fri, Apr 27, 2012 at 9:20 PM, Timothy D. Morgan <tmorgan-owasp at vsecurity.com> wrote:
> Hi everyone,
> 
> Based on some feedback I received from my survey, it seems like a LAMP
> application would best match people's interests in open source project targets.
> Based on recommendations from others and my own research, I'm proposing we do
> the first FLOSSHack on one of the following apps:
> 
>  ResourceSpace <http://www.resourcespace.org/>
>  selfoss <http://selfoss.aditu.de/>
>  OpenDocMan <http://www.opendocman.com/>
> 
> 
> I haven't actually looked at these terribly closely, but let me know if you have
> any strong opinions about them.  In general, I think it would be most useful for
> us to look at a project that has some kind of built-in access control system,
> allows potentially untrusted users to submit persistent content, and of course
> interacts in some way with a SQL database.  Projects that are under active
> development are also strongly preferred.
> 
> 
> I thought I'd also throw out some thoughts I had on how a typical FLOSSHack
> session might go:
> 
> 1. As I mentioned before, we'd choose the application and announce it officially
> maybe a week (or more?) before the date of the FLOSSHack session.
> 
> 2. At the beginning of the session, we may spend up to 30 minutes going over
> common vulnerabilities that might affect the application.  Perhaps even show
> demos in WebGoat or something similar to ensure everyone has a good idea as to
> what they are looking for.
> 
> 3. Share vulnerabilities already found-- for those who have spent the prior week
> looking for bugs, now would be the time they could share them with everyone
> else.  Much discussion of the flaws, how they were found, and how they could be
> exploited would ensue.
> 
> 4. Start hacking.  A pre-installed version of the application will be provided
> in some way, maybe on a VM or remotely.  Collaborate on searching for various
> types of bugs.  Occasionally, when folks spot new vulnerabilities, announce it
> and describe the bug to others.  Maybe the resulting discussion sparks new ideas
> for finding additional flaws.  If things are "slow" in this area, perhaps the
> FLOSSHack wrangler can stop everyone once in a while to cover some security
> topic relevant to the application.
> 
> 5. Conclude the session, hopefully, with a pile of security bugs to send off to
> the developers in a responsible manner.  If we can find sponsors for this, maybe
> we could have some prizes for those who find the most bugs, or the "best" bug
> found, as voted on by the participants.
> 
> 
> I expect a FLOSSHack session to last at least 2 hours.  I know that's pretty
> long for some people's schedules, but it's designed as a workshop and it takes
> quite a while to get familiar with an application.
> 
> I'm still not sure if it would be best to hold this kind of thing on a weeknight
> or on a weekend.  What would people prefer?  If it makes sense, we could even
> stretch it out into a longer weekend session (4 hours?) and then invite people
> to come and go as they please; whatever fits people's schedules. I anticipate
> setting up some way for people to join remotely as well.  Perhaps just via IRC,
> IM, or some newfangled thing with moving pictures. (I'd appreciate volunteers to
> help with this or anything else.)
> 
> 
> Let me know what you all think.
> Thanks and have a great weekend!
> tim
> 
> 
> PS - If anyone knows any college students who are interested in computer
> security, this would be a great event for them.  Feel free to pass along info
> about this event, or just get them signed up to the mailing list.
> _______________________________________________
> Owasp-portland mailing list
> Owasp-portland at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-portland
> 
> 
> 
> -- 
> GeekyExplorers.com
> 
> 
> 
> 
> 
> 
> 
> -- 
> Matthew Lapworth
> http://www.bit-shift.net
> 
> We are what we repeatedly do. Excellence then is not an act, but a habit.
>   - Aristotle