[Owasp-portland] FLOSSHack Details and Potential Targets

David Pirolo webmaster at warnerpacific.edu
Tue May 1 23:52:23 UTC 2012


I was actually looking forward to Resourcespace since I use that for our
business, but this sounds like another good opportunity I'd be open to
as well.

-David


On Tue, 2012-05-01 at 16:29 -0700, Wil Clouser wrote:
> I asked if next week would be too soon and it sounds like that would
> work fine.  By the time we figured out our schedule I imagine they'd
> be good to go.
> 
> 
> Wil
> 
> On Tue, May 1, 2012 at 4:06 PM, Matthew Lapworth <matthewl at bit-shift.net> wrote:
> > That sounds like a great project for our first FLOSSHack. How soon were they
> > looking to start the review?
> >
> >
> > On Tue, May 1, 2012 at 4:01 PM, Wil Clouser <clouserw at gmail.com> wrote:
> >>
> >> I was talking with Michael Coates today and he mentioned that he was
> >> trying to get some security review and responsible pen-testing on
> >> www.ushahidi.com's project, which is a young open source mapping
> >> platform.  It sounded like a good opportunity for us since there
> >> hasn't been a security review of their code before, they've asked for
> >> help, it's a limited code size, and it's for an open source non-profit
> >> company.  You can see an example at mozilla.crowdmap.com.
> >>
> >> Michael wanted to coordinate a bit with Ushahidi first and also
> >> offered to be available during our session via Skype when we were
> >> looking at the app.  I think it would be a good opportunity (Michael
> >> is the Chairman of the Board for OWASP and Director of Security
> >> Assurance at Mozilla Corp).
> >>
> >> I'm happy to work as coordinator between all of us if this project is
> >> something we're interested in looking at.
> >>
> >> Cheers,
> >>
> >> Wil
> >>
> >>
> >> On Fri, Apr 27, 2012 at 9:20 PM, Timothy D. Morgan
> >> <tmorgan-owasp at vsecurity.com> wrote:
> >> > Hi everyone,
> >> >
> >> > Based on some feedback I received from my survey, it seems like a
> >> > LAMP application would best match people's interests in open source
> >> > project targets.  Based on recommendations from others and my own
> >> > research, I'm proposing we do the first FLOSSHack on one of the
> >> > following apps:
> >> >
> >> >  ResourceSpace <http://www.resourcespace.org/>
> >> >  selfoss <http://selfoss.aditu.de/>
> >> >  OpenDocMan <http://www.opendocman.com/>
> >> >
> >> >
> >> > I haven't actually looked at these terribly closely, but let me know
> >> > if you have any strong opinions about them.  In general, I think it
> >> > would be most useful for us to look at a project that has some kind
> >> > of built-in access control system, allows potentially untrusted users
> >> > to submit persistent content, and of course interacts in some way
> >> > with a SQL database.  Also, projects that are under active
> >> > development are strongly preferred.
> >> >
> >> >
> >> > I thought I'd also throw out some thoughts I had on how a typical
> >> > FLOSSHack session might go:
> >> >
> >> > 1. As I mentioned before, we'd choose the application and announce it
> >> > officially maybe a week (or more?) before the date of the FLOSSHack
> >> > session.
> >> >
> >> > 2. At the beginning of the session, we may spend up to 30 minutes
> >> > going over common vulnerabilities that might affect the application.
> >> > Perhaps even show demos in WebGoat or something similar to ensure
> >> > everyone has a good idea as to what they are looking for.
> >> >
> >> > 3. Share vulnerabilities already found -- for those who have spent
> >> > the prior week looking for bugs, now would be the time they could
> >> > share them with everyone else.  Much discussion of the flaws, how
> >> > they were found, and how they could be exploited would ensue.
> >> >
> >> > 4. Start hacking.  A pre-installed version of the application will be
> >> > provided in some way, maybe on a VM or remotely.  Collaborate on
> >> > searching for various types of bugs.  Occasionally, when folks spot
> >> > new vulnerabilities, announce it and describe the bug to others.
> >> > Maybe the resulting discussion sparks new ideas for finding
> >> > additional flaws.  If things are "slow" in this area, perhaps the
> >> > FLOSSHack wrangler can stop everyone once in a while to cover some
> >> > security topic relevant to the application.
> >> >
> >> > 5. Conclude the session, hopefully, with a pile of security bugs to
> >> > send off to the developers in a responsible manner.  If we can find
> >> > sponsors for this, maybe we could have some prizes for those who find
> >> > the most bugs, or the "best" bug found, as voted on by the
> >> > participants.
> >> >
> >> >
> >> > I expect a FLOSSHack session to last at least 2 hours.  I know that's
> >> > pretty long for some people's schedules, but it's designed as a
> >> > workshop and it takes quite a while to get familiar with an
> >> > application.
> >> >
> >> > I'm still not sure if it would be best to hold this kind of thing on
> >> > a weeknight or on a weekend.  What would people prefer?  If it makes
> >> > sense, we could even stretch it out into a longer weekend session
> >> > (4 hours?) and then invite people to come and go as they please;
> >> > whatever fits people's schedules.  I anticipate setting up some way
> >> > for people to join remotely as well.  Perhaps just via IRC, IM, or
> >> > some newfangled thing with moving pictures.  (I'd appreciate
> >> > volunteers to help with this or anything else.)
> >> >
> >> >
> >> > Let me know what you all think.
> >> > Thanks and have a great weekend!
> >> > tim
> >> >
> >> >
> >> > PS - If anyone knows any college students who are interested in
> >> > computer security, this would be a great event for them.  Feel free
> >> > to pass along info about this event, or just get them signed up to
> >> > the mailing list.
> >> > _______________________________________________
> >> > Owasp-portland mailing list
> >> > Owasp-portland at lists.owasp.org
> >> > https://lists.owasp.org/mailman/listinfo/owasp-portland
> >
> >
> >
> >
> > --
> > Matthew Lapworth
> > http://www.bit-shift.net
> >
> > We are what we repeatedly do. Excellence then is not an act, but a habit.
> >   - Aristotle