[Owasp-portland] FLOSSHack Details and Potential Targets

Wil Clouser clouserw at gmail.com
Wed May 2 15:26:14 UTC 2012


When they approached Michael for help he found a couple of problems
(sounded like CSRF) and told them how to fix them, but it sounds like
there is a lot of surface area left.  Aside from just finding actual
security holes, they aren't following recommendations like
implementing HttpOnly flags and STS.  In the unlikely scenario we
didn't find anything, we could talk about how to add those things to an
app and why they are important.

Regarding a test environment, you could download the open source
package or you could let them host the map stuff - the mozilla site I
linked to earlier is using their hosted option.  On the other hand, I
did a quick google search and found
https://github.com/ushahidi/virtual-machines which someone else
apparently already made :)

I'm downloading it over hotel wi-fi right now so it'll be a while
(500mb) but if no one else gets there first I'll send an update on how
it goes.

Cheers,

Wil

On Tue, May 1, 2012 at 5:18 PM, Timothy D. Morgan
<tmorgan-owasp at vsecurity.com> wrote:
>
>> I was actually looking forward to Resourcespace since I use that for our
>> business, but this sounds like another good opportunity I'd be open to
>> as well.
>
> Yeah, I definitely do want to get back to Resourcespace, since it seems like a
> good candidate.  Honestly, I thought it might be a better target from an
> architectural perspective, but the possibility that Ushahidi's people might
> actively help us get this going is a big attraction for me.
>
> As we move forward with more of these, one thing that would mean a lot to me
> in terms of priorities is if one of our members or a project's developers are
> willing to help us set up the application test environment.  It can be a
> significant investment in time trying to get an application set up for the first
> time with all the bells and whistles that are worth testing, so if someone from
> our group (or the app developer) volunteers to do that, then I'll probably be
> sold on it. =)
>
>
> Thanks,
> tim
> _______________________________________________
> Owasp-portland mailing list
> Owasp-portland at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-portland
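The HttpOnly and STS recommendations Wil mentions above are easy to check for once you have a test instance up. The script below is an added example for this thread, not code from the original posts or from the Ushahidi project: it parses a raw HTTP response head, reports every Set-Cookie that lacks the HttpOnly or Secure attribute, and reports whether a Strict-Transport-Security header is present and what max-age it carries. The two sample responses (a "before" with a bare PHPSESSID cookie and no STS header, and an "after" with both fixed) are constructed for the example; the cookie names and values are assumptions, not captured from any real install.

```python
"""Audit a raw HTTP response for cookie flags and Strict-Transport-Security.

Added example for the OWASP Portland FLOSSHack thread; the sample
responses below are constructed, not captured from a real server.
"""
import re

# Constructed "before" response: session cookie with no flags, no STS header.
SAMPLE_BAD = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Set-Cookie: remember=1; expires=Thu, 01 Jan 2015 00:00:00 GMT; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed "after" response with the recommendations applied.
SAMPLE_GOOD = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; Secure; HttpOnly\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw):
    """Return a list of (lowercased name, value) pairs from the response head.

    The status line is skipped; header names are case-insensitive per HTTP,
    so they are normalised to lower case for lookup.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_cookies(headers):
    """Report each Set-Cookie missing HttpOnly or Secure.

    Returns a list of (cookie_name, [missing attribute names]); an empty
    list means every cookie carried both attributes.
    """
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; drop any "=value" suffix.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in ("httponly", "secure") if a not in attrs]
        if missing:
            findings.append((cookie_name, missing))
    return findings


def check_hsts(headers):
    """Describe the Strict-Transport-Security header, if any.

    max_age is None when the header is present but carries no max-age,
    which browsers treat as an invalid (ignored) policy.
    """
    for name, value in headers:
        if name == "strict-transport-security":
            m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
            return {
                "present": True,
                "max_age": int(m.group(1)) if m else None,
                "include_subdomains": "includesubdomains" in value.lower(),
            }
    return {"present": False, "max_age": None, "include_subdomains": False}


def audit(raw):
    """Run both checks over one raw response and return the findings."""
    headers = parse_headers(raw)
    return {"cookies": check_cookies(headers), "hsts": check_hsts(headers)}


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BAD), ("after", SAMPLE_GOOD)):
        print(label, audit(sample))
```

Against a live test instance you would feed `audit()` the head of a real response (for example the bytes returned by a raw socket or the `curl -i` output); the cookie check is the one that matters most for the CSRF-adjacent findings, since a session cookie readable by script turns any XSS into session theft, and the STS check is only meaningful on an HTTPS endpoint.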