
I do web development for a living but my real passion is security. I have worked with countless open source web applications/frameworks and I have found vulnerabilities in most of them. The main cause of those vulnerabilities is a lack of security education among the developers. I've been thinking about what could be done about those problems. My idea would be to start an "open source web application" penetration testing community. The community would be composed of like-minded security professionals/enthusiasts.

The community would:

  • select a specific version of an open source web application and dedicate a 1 to 4 week time frame to it (depending on the size of the application).
  • test the application for security problems: penetration testing + source code review (maybe following the various OWASP guides).
  • issue a list of vulnerabilities to the open source organization.
  • help write/review the patches.
  • provide design recommendations and educational materials to the open source organization.
  • compile all materials created and publish them for educational purposes.

The members of the community can submit their vulnerabilities within the established time frame. The vulnerability submissions are only visible to trusted/participating members and remain hidden until X(?) weeks before the publication. I know some people have mixed feelings about vulnerability disclosure but I think the benefits far outweigh the disadvantages (and I don't want to start a debate about that here).

Now the questions:

  • How many weeks should the vulnerabilities stay hidden?
  • Should we ask permission from the open source organization? (Is there any law/license against open source pentesting?)
  • Should we invite a member of the open source organization to supervise the process from the inside? (view the vulnerability submissions/take part in the discussion)
  • Do you think such a community would be relevant to open source?

3 Answers

There is already a standard method of reporting vulnerabilities to vendors. CERT is great about contacting vendors and mitigating the issue.

I think that your ideas can be helpful and there is a lot of overlap between your ideas and OWASP. You should look for a local OWASP chapter in your area. If one doesn't exist, MAKE ONE! and use it as a platform for your workshop. OWASP will help get the word out, and attract more attention to your cause.

rook

I think the main thing is: just do it! Exercise some leadership: just go ahead and start performing such analyses yourself. The biggest challenge here will be to find people to volunteer their time to perform such analyses, so you will need to lead by example. Don't worry too much about community rules or process or meta stuff, until you've found enough others contributing that you need to think about it. I recommend that you start from the assumption you might be the only contributor performing these security evaluations, at least for a while.

I recommend this based upon past experience with similar efforts, e.g., Crispin Cowan's Sardonix project. For more details, see Crispin Cowan's discussion ("we threw a party and no one came"), Why Sardonix Failed, and DARPA-funded Linux security hub withers. Sardonix was itself formed in response to the fact that the Linux Security Auditing Project, another attempt at a community-based security auditing project, fell short of hopes.

D.W.

Depending on exactly what level you want to take it to, I have three thoughts:

  • As @Rook said, OWASP make it very easy to start your own chapter, providing support, expertise, even some budget. You can get guest speakers' expenses paid for in some circumstances.

  • Another option is a local Defcon chapter. Have a look at http://www.defcon.org/html/defcon-groups/dc-groups-index.html for a local one, or offer to create one. They usually have more of an attack flavour, but this isn't mandatory by any means.

  • If neither of these suits, creating a local group can be an excellent way to share information and expertise.

Following them up with mailing lists and/or LinkedIn groups also helps to keep them active and growing.

Rory Alsop