[Owasp-portland] FLOSSHack Details and Potential Targets

Wil Clouser clouserw at gmail.com
Tue May 1 23:01:52 UTC 2012


I was talking with Michael Coates today and he mentioned that he was
trying to get some security review and responsible pen-testing on
www.ushahidi.com's project which is a young open source mapping
platform.  It sounded like a good opportunity for us since there
hasn't been a security review of their code before, they've asked for
help, it's a limited code size, and it's for an open source non-profit
company.  You can see an example at mozilla.crowdmap.com.

Michael wanted to coordinate a bit with Ushahidi first and also
offered to be available during our session via skype when we were
looking at the app.  I think it would be a good opportunity (Michael
is the Chairman of the Board for OWASP and Director of Security
Assurance at Mozilla Corp).

I'm happy to work as coordinator between all of us if this project is
something we're interested in looking at.

Cheers,

Wil


On Fri, Apr 27, 2012 at 9:20 PM, Timothy D. Morgan
<tmorgan-owasp at vsecurity.com> wrote:
> Hi everyone,
>
> Based on some feedback I received from my survey, it seems like a LAMP
> application would best match people's interests in open source project targets.
> Based on recommendations from others and my own research, I'm proposing we do
> the first FLOSSHack on one of the following apps:
>
>  ResourceSpace <http://www.resourcespace.org/>
>  selfoss <http://selfoss.aditu.de/>
>  OpenDocMan <http://www.opendocman.com/>
>
>
> I haven't actually looked at these terribly closely, but let me know if you have
> any strong opinions about them.  In general, I think it would be most useful for
> us to look at a project that has some kind of built-in access control system,
> allows potentially untrusted users to submit persistent content, and of course
> interacts in some way with a SQL database.  Also, projects that are under active
> development are strongly preferred.
>
>
> I thought I'd also throw out some thoughts I had on how a typical FLOSSHack
> session might go:
>
> 1. As I mentioned before, we'd choose the application and announce it officially
> maybe a week (or more?) before the date of the FLOSSHack session.
>
> 2. At the beginning of the session, we may spend up to 30 minutes going over
> common vulnerabilities that might affect the application.  Perhaps even show
> demos in WebGoat or something similar to ensure everyone has a good idea as to
> what they are looking for.
>
> 3. Share vulnerabilities already found -- for those who have spent the prior week
> looking for bugs, now would be the time they could share them with everyone
> else.  Much discussion of the flaws, how they were found, and how they could be
> exploited would ensue.
>
> 4. Start hacking.  A pre-installed version of the application will be provided
> in some way, maybe on a VM or remotely.  Collaborate on searching for various
> types of bugs.  Occasionally, when folks spot new vulnerabilities, announce it
> and describe the bug to others.  Maybe the resulting discussion sparks new ideas
> for finding additional flaws.  If things are "slow" in this area, perhaps the
> FLOSSHack wrangler can stop everyone once in a while to cover some security
> topic relevant to the application.
>
> 5. Conclude the session, hopefully, with a pile of security bugs to send off to
> the developers in a responsible manner.  If we can find sponsors for this, maybe
> we could have some prizes for those who find the most bugs, or the "best" bug
> found, as voted on by the participants.
>
>
> I expect a FLOSSHack session to last at least 2 hours.  I know that's pretty
> long for some people's schedules, but it's designed as a workshop and it takes
> quite a while to get familiar with an application.
>
> I'm still not sure if it would be best to hold this kind of thing on a weeknight
> or on a weekend.  What would people prefer?  If it makes sense, we could even
> stretch it out into a longer weekend session (4 hours?) and then invite people
> to come and go as they please; whatever fits people's schedules. I anticipate
> setting up some way for people to join remotely as well.  Perhaps just via IRC,
> IM, or some newfangled thing with moving pictures. (I'd appreciate volunteers to
> help with this or anything else.)
>
>
> Let me know what you all think.
> Thanks and have a great weekend!
> tim
>
>
> PS - If anyone knows any college students who are interested in computer
> security, this would be a great event for them.  Feel free to pass along info
> about this event, or just get them signed up to the mailing list.
> _______________________________________________
> Owasp-portland mailing list
> Owasp-portland at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-portland