This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "FLOSSHack for Participants"

Remember, FLOSSHack is about '''helping''' secure target software, '''learning''' the art of hacking, and of course, having '''fun'''!

Revision as of 15:59, 16 June 2012

FLOSSHack for Participants

FLOSSHack events are a perfect fit for those looking for a hands-on way to learn more about application security. Participants are encouraged to learn as much as they can about various common classes of vulnerabilities and then immediately apply that knowledge by auditing a real-world software system in a friendly hacking competition. A typical FLOSSHack event works as follows:

  1. An event organizer selects an appropriate open source software application for testing. Participants are notified at least one week in advance of the event date as to what the application is.
  2. Eager participants get familiar with the target software and begin auditing the application on their own.
  3. FLOSSHack workshop begins. Participants may join in person or remotely. Workshop sessions may last anywhere from 2 to 4 hours.
    1. At the beginning of the workshop, security experts may cover one or more common vulnerability classes or security topics that may be relevant to the application. This is designed to help participants learn how to find types of vulnerabilities they aren't as familiar with.
    2. Participants share any vulnerabilities found prior to the workshop. Participants briefly describe their bugs and how they could be exploited. Open discussion is encouraged.
    3. Hacking begins. A pre-installed version of the application may be provided in some way, possibly on a VM or remotely. In this way vulnerabilities can be tested in addition to having code reviewed for flaws.
    4. Occasionally, when participants spot new vulnerabilities they should announce it and describe the bug to others. The resulting discussion may spark new ideas for finding additional flaws. (If things are "slow" in this area, the FLOSSHack organizer may stop everyone once in a while to cover some security topic that may help in further bug finding.)
    5. Conclude the workshop session with, hopefully, a pile of security bugs. Organizers may provide prizes for performance, such as most vulnerabilities found, or the "best" vulnerability found (as decided by participant vote).
  4. Security flaws are compiled and sent off to application maintainers in a manner consistent with responsible disclosure. FLOSSHack organizers help facilitate this communication, but participants are given full credit for their finds (if they wish) once the issues are released publicly.
Remember, FLOSSHack is about helping secure target software, learning the art of hacking, and of course, having fun!