[Owasp-portland] FLOSSHack Details and Potential Targets
matthewl at bit-shift.net
Tue May 1 23:06:29 UTC 2012
That sounds like a great project for our first FLOSSHack. How soon were
they looking to start the review?
On Tue, May 1, 2012 at 4:01 PM, Wil Clouser <clouserw at gmail.com> wrote:
> I was talking with Michael Coates today and he mentioned that he was
> trying to get some security review and responsible pen-testing on
> www.ushahidi.com's project, which is a young open source mapping
> platform. It sounded like a good opportunity for us since there
> hasn't been a security review of their code before, they've asked for
> help, it's a limited code size, and it's for an open source non-profit
> company. You can see an example at mozilla.crowdmap.com.
>
> Michael wanted to coordinate a bit with Ushahidi first and also
> offered to be available during our session via Skype when we were
> looking at the app. I think it would be a good opportunity (Michael
> is the Chairman of the Board for OWASP and Director of Security
> Assurance at Mozilla Corp).
>
> I'm happy to work as coordinator between all of us if this project is
> something we're interested in looking at.
>
> On Fri, Apr 27, 2012 at 9:20 PM, Timothy D. Morgan
> <tmorgan-owasp at vsecurity.com> wrote:
> > Hi everyone,
> >
> > Based on some feedback I received from my survey, it seems like a LAMP
> > application would best match people's interests in open source projects.
> > Based on recommendations from others and my own research, I'm proposing we do
> > the first FLOSSHack on one of the following apps:
> >
> > ResourceSpace <http://www.resourcespace.org/>
> > selfoss <http://selfoss.aditu.de/>
> > OpenDocMan <http://www.opendocman.com/>
> >
> > I haven't actually looked at these terribly closely, but let me know if you have
> > any strong opinions about them. In general, I think it would be most useful for
> > us to look at a project that has some kind of built-in access control,
> > allows potentially untrusted users to submit persistent content, and
> > interacts in some way with a SQL database. Also, projects that are under active
> > development are strongly preferred.
> >
> > I thought I'd also throw out some thoughts I had on how a typical
> > session might go:
> >
> > 1. As I mentioned before, we'd choose the application and announce it
> > maybe a week (or more?) before the date of the FLOSSHack session.
> >
> > 2. At the beginning of the session, we may spend up to 30 minutes going over
> > common vulnerabilities that might affect the application. Perhaps even
> > demos in WebGoat or something similar to ensure everyone has a good idea as to
> > what they are looking for.
> >
> > 3. Share vulnerabilities already found -- for those who have spent the prior week
> > looking for bugs, now would be the time they could share them with everyone
> > else. Much discussion of the flaws, how they were found, and how they could be
> > exploited would ensue.
> >
> > 4. Start hacking. A pre-installed version of the application will be available
> > in some way, maybe on a VM or remotely. Collaborate on searching for
> > types of bugs. Occasionally, when folks spot new vulnerabilities, announce it
> > and describe the bug to others. Maybe the resulting discussion sparks new ideas
> > for finding additional flaws. If things are "slow" in this area, perhaps the
> > FLOSSHack wrangler can stop everyone once in a while to cover some
> > topic relevant to the application.
> >
> > 5. Conclude the session, hopefully, with a pile of security bugs to send off to
> > the developers in a responsible manner. If we can find sponsors for this, maybe
> > we could have some prizes for those who find the most bugs, or the "best" bug
> > found, as voted on by the participants.
> >
> > I expect a FLOSSHack session to last at least 2 hours. I know that's
> > long for some people's schedules, but it's designed as a workshop and it takes
> > quite a while to get familiar with an application.
> >
> > I'm still not sure if it would be best to hold this kind of thing on a weeknight
> > or on a weekend. What would people prefer? If it makes sense, we could
> > stretch it out into a longer weekend session (4 hours?) and then invite people
> > to come and go as they please; whatever fits people's schedules. I'm considering
> > setting up some way for people to join remotely as well. Perhaps just via IRC,
> > IM, or some newfangled thing with moving pictures. (I'd appreciate volunteers to
> > help with this or anything else.)
> >
> > Let me know what you all think.
> >
> > Thanks and have a great weekend!
> > tim
> >
> > PS - If anyone knows any college students who are interested in computer
> > security, this would be a great event for them. Feel free to pass along word
> > about this event, or just get them signed up to the mailing list.
> >
> > _______________________________________________
> > Owasp-portland mailing list
> > Owasp-portland at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-portland
We are what we repeatedly do. Excellence then is not an act, but a habit.