[Owasp-portland] FLOSSHack Details and Potential Targets

Matthew Lapworth matthewl at bit-shift.net
Tue May 1 23:06:29 UTC 2012


That sounds like a great project for our first FLOSSHack. How soon were
they looking to start the review?

On Tue, May 1, 2012 at 4:01 PM, Wil Clouser <clouserw at gmail.com> wrote:

> I was talking with Michael Coates today and he mentioned that he was
> trying to get some security review and responsible pen-testing on
> www.ushahidi.com's project which is a young open source mapping
> platform.  It sounded like a good opportunity for us since there
> hasn't been a security review of their code before, they've asked for
> help, it's a limited code size, and it's for an open source non-profit
> company.  You can see an example at mozilla.crowdmap.com.
>
> Michael wanted to coordinate a bit with Ushahidi first and also
> offered to be available during our session via skype when we were
> looking at the app.  I think it would be a good opportunity (Michael
> is the Chairman of the Board for OWASP and Director of Security
> Assurance at Mozilla Corp).
>
> I'm happy to work as coordinator between all of us if this project is
> something we're interested in looking at.
>
> Cheers,
>
> Wil
>
>
> On Fri, Apr 27, 2012 at 9:20 PM, Timothy D. Morgan
> <tmorgan-owasp at vsecurity.com> wrote:
> > Hi everyone,
> >
> > Based on some feedback I received from my survey, it seems like a LAMP
> > application would best match people's interests in open source project
> > targets.  Based on recommendations from others and my own research, I'm
> > proposing we do the first FLOSSHack on one of the following apps:
> >
> >  ResourceSpace <http://www.resourcespace.org/>
> >  selfoss <http://selfoss.aditu.de/>
> >  OpenDocMan <http://www.opendocman.com/>
> >
> >
> > I haven't actually looked at these terribly closely, but let me know if
> > you have any strong opinions about them.  In general, I think it would be
> > most useful for us to look at a project that has some kind of built-in
> > access control system, allows potentially untrusted users to submit
> > persistent content, and of course interacts in some way with a SQL
> > database.  Also, projects that are under active development are strongly
> > preferred.
> >
> >
> > I thought I'd also throw out some thoughts I had on how a typical
> > FLOSSHack session might go:
> >
> > 1. As I mentioned before, we'd choose the application and announce it
> > officially maybe a week (or more?) before the date of the FLOSSHack
> > session.
> >
> > 2. At the beginning of the session, we may spend up to 30 minutes going
> > over common vulnerabilities that might affect the application.  Perhaps
> > even show demos in WebGoat or something similar to ensure everyone has a
> > good idea as to what they are looking for.
> >
> > 3. Share vulnerabilities already found-- for those who have spent the
> > prior week looking for bugs, now would be the time they could share them
> > with everyone else.  Much discussion of the flaws, how they were found,
> > and how they could be exploited would ensue.
> >
> > 4. Start hacking.  A pre-installed version of the application will be
> > provided in some way, maybe on a VM or remotely.  Collaborate on
> > searching for various types of bugs.  Occasionally, when folks spot new
> > vulnerabilities, announce it and describe the bug to others.  Maybe the
> > resulting discussion sparks new ideas for finding additional flaws.  If
> > things are "slow" in this area, perhaps the FLOSSHack wrangler can stop
> > everyone once in a while to cover some security topic relevant to the
> > application.
> >
> > 5. Conclude the session, hopefully, with a pile of security bugs to send
> > off to the developers in a responsible manner.  If we can find sponsors
> > for this, maybe we could have some prizes for those who find the most
> > bugs, or the "best" bug found, as voted on by the participants.
> >
> >
> > I expect a FLOSSHack session to last at least 2 hours.  I know that's
> > pretty long for some people's schedules, but it's designed as a workshop
> > and it takes quite a while to get familiar with an application.
> >
> > I'm still not sure if it would be best to hold this kind of thing on a
> > weeknight or on a weekend.  What would people prefer?  If it makes sense,
> > we could even stretch it out into a longer weekend session (4 hours?) and
> > then invite people to come and go as they please; whatever fits people's
> > schedules.  I anticipate setting up some way for people to join remotely
> > as well.  Perhaps just via IRC, IM, or some newfangled thing with moving
> > pictures.  (I'd appreciate volunteers to help with this or anything
> > else.)
> >
> >
> > Let me know what you all think.
> > Thanks and have a great weekend!
> > tim
> >
> >
> > PS - If anyone knows any college students who are interested in computer
> > security, this would be a great event for them.  Feel free to pass along
> > info about this event, or just get them signed up to the mailing list.
> > _______________________________________________
> > Owasp-portland mailing list
> > Owasp-portland at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-portland



-- 
Matthew Lapworth
http://www.bit-shift.net

We are what we repeatedly do. Excellence then is not an act, but a habit.
  - Aristotle