[Owasp-portland] FLOSSHack Details and Potential Targets

Wil Clouser clouserw at gmail.com
Tue May 1 23:29:27 UTC 2012


I asked if next week would be too soon and it sounds like that would
work fine.  By the time we figured out our schedule I imagine they'd
be good to go.


Wil

On Tue, May 1, 2012 at 4:06 PM, Matthew Lapworth <matthewl at bit-shift.net> wrote:
> That sounds like a great project for our first FLOSSHack. How soon were they
> looking to start the review?
>
>
> On Tue, May 1, 2012 at 4:01 PM, Wil Clouser <clouserw at gmail.com> wrote:
>>
>> I was talking with Michael Coates today and he mentioned that he was
>> trying to get some security review and responsible pen-testing on
>> www.ushahidi.com's project, which is a young open source mapping
>> platform.  It sounded like a good opportunity for us since there
>> hasn't been a security review of their code before, they've asked for
>> help, it's a limited code size, and it's for an open source non-profit
>> company.  You can see an example at mozilla.crowdmap.com.
>>
>> Michael wanted to coordinate a bit with Ushahidi first and also
>> offered to be available during our session via Skype when we were
>> looking at the app.  I think it would be a good opportunity (Michael
>> is the Chairman of the Board for OWASP and Director of Security
>> Assurance at Mozilla Corp).
>>
>> I'm happy to work as coordinator between all of us if this project is
>> something we're interested in looking at.
>>
>> Cheers,
>>
>> Wil
>>
>>
>> On Fri, Apr 27, 2012 at 9:20 PM, Timothy D. Morgan
>> <tmorgan-owasp at vsecurity.com> wrote:
>> > Hi everyone,
>> >
>> > Based on some feedback I received from my survey, it seems like a LAMP
>> > application would best match people's interests in open source project
>> > targets.  Based on recommendations from others and my own research, I'm
>> > proposing we do the first FLOSSHack on one of the following apps:
>> >
>> >  ResourceSpace <http://www.resourcespace.org/>
>> >  selfoss <http://selfoss.aditu.de/>
>> >  OpenDocMan <http://www.opendocman.com/>
>> >
>> >
>> > I haven't actually looked at these terribly closely, but let me know if
>> > you have any strong opinions about them.  In general, I think it would
>> > be most useful for us to look at a project that has some kind of
>> > built-in access control system, allows potentially untrusted users to
>> > submit persistent content, and of course interacts in some way with a
>> > SQL database.  Projects that are under active development are also
>> > strongly preferred.
>> >
>> >
>> > I thought I'd also throw out some thoughts I had on how a typical
>> > FLOSSHack session might go:
>> >
>> > 1. As I mentioned before, we'd choose the application and announce it
>> > officially maybe a week (or more?) before the date of the FLOSSHack
>> > session.
>> >
>> > 2. At the beginning of the session, we may spend up to 30 minutes going
>> > over common vulnerabilities that might affect the application.  Perhaps
>> > even show demos in WebGoat or something similar to ensure everyone has
>> > a good idea as to what they are looking for.
>> >
>> > 3. Share vulnerabilities already found -- for those who have spent the
>> > prior week looking for bugs, now would be the time they could share
>> > them with everyone else.  Much discussion of the flaws, how they were
>> > found, and how they could be exploited would ensue.
>> >
>> > 4. Start hacking.  A pre-installed version of the application will be
>> > provided in some way, maybe on a VM or remotely.  Collaborate on
>> > searching for various types of bugs.  Occasionally, when folks spot new
>> > vulnerabilities, announce it and describe the bug to others.  Maybe the
>> > resulting discussion sparks new ideas for finding additional flaws.  If
>> > things are "slow" in this area, perhaps the FLOSSHack wrangler can stop
>> > everyone once in a while to cover some security topic relevant to the
>> > application.
>> >
>> > 5. Conclude the session, hopefully, with a pile of security bugs to
>> > send off to the developers in a responsible manner.  If we can find
>> > sponsors for this, maybe we could have some prizes for those who find
>> > the most bugs, or the "best" bug found, as voted on by the
>> > participants.
>> >
>> >
>> > I expect a FLOSSHack session to last at least 2 hours.  I know that's
>> > pretty long for some people's schedules, but it's designed as a
>> > workshop and it takes quite a while to get familiar with an
>> > application.
>> >
>> > I'm still not sure if it would be best to hold this kind of thing on a
>> > weeknight or on a weekend.  What would people prefer?  If it makes
>> > sense, we could even stretch it out into a longer weekend session (4
>> > hours?) and then invite people to come and go as they please; whatever
>> > fits people's schedules.  I anticipate setting up some way for people
>> > to join remotely as well.  Perhaps just via IRC, IM, or some newfangled
>> > thing with moving pictures.  (I'd appreciate volunteers to help with
>> > this or anything else.)
>> >
>> >
>> > Let me know what you all think.
>> > Thanks and have a great weekend!
>> > tim
>> >
>> >
>> > PS - If anyone knows any college students who are interested in computer
>> > security, this would be a great event for them.  Feel free to pass along
>> > info about this event, or just get them signed up to the mailing list.
>> > _______________________________________________
>> > Owasp-portland mailing list
>> > Owasp-portland at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-portland
>
> --
> Matthew Lapworth
> http://www.bit-shift.net
>
> We are what we repeatedly do. Excellence then is not an act, but a habit.
>   - Aristotle