Hi all,
This is a very interesting set of threads. The point of the exercise is not so much to show how well eWeek can harden a unit or set of units, but that it can be done. What's important but not usually promoted well in print is the amount of time and effort that goes into the prep of these systems prior to release. If they (eWeek) do a proper job of enumerating man-hours and level of effort, we will be able to extrapolate the costs of doing so for our employers and clients. We'll be able to say "Here's the number of man-hours and type of talent necessary to secure a system against several thousand hack attempts. How much is compromise of your system worth in comparison to this benchmark cost?"

The real value here for us as professionals, tinkerers, enablers and innovators is that an independent party will have enumerated the time and effort required to do the right job. (Assuming the successful hack is fairly arcane in nature...)
My .02.
Thanks,
Marty Block
Kesem Technology
---------- Original Message ----------------------------------
From: "Kevin Spett" <kspett_at_spidynamics.com>
Date: Wed, 23 Oct 2002 15:55:31 -0400
>What are you talking about? Check out
>ftp://ftp.eweek.com/pub/eweek/pdf/printpub/19/41p38.pdf. There are *ten*
>Unix hosts on the OpenHack network, including Linux webservers, database
>servers and OpenBSD nameservers, mailserver and firewalls.
>Secondly, the focus of this is the web application layer. We're not talking
>about kernel hacking here. The underlying operating system is largely (yes,
>there are minor exceptions) irrelevant. Just look at the kind of things
>they expect people to try-- SQL injection, cross-site scripting, etc. A
>poorly designed web application is breakable regardless of what's running
>underneath it.
>Also, if the competition is "baseless" and "irrelevant", it's simply because
>of the unbelievably ridiculous amount of care that went into the security
>preparations. There are probably only a handful of web applications in the
>world that got the security treatment that this thing did. The only way in
>is probably through 0-day holes, and no one's wasting precious 0-day style
>on OpenHack, where they'd find out what the issue was and patch it?
>
>Kevin Spett
>SPI Labs
>http://www.spidynamics.com/
>
>----- Original Message -----
>From: "Bryce Porter" <bryce_at_thewebcircuit.com>
>To: "David Wong" <david.wong_at_foundstone.com>
>Cc: <webappsec_at_securityfocus.com>
>Sent: Tuesday, October 22, 2002 6:02 PM
>Subject: Re: eWeek OpenHack challenge
>
>
>> This is a joke. They are so narrow in presenting this and they fail to
>> realize that the majority of web used in commercial applications run on
>> some kind of Unix variant like Linux, HP-UX, AIX or some BSD. Making a
>> contest that applies to the minority of commercial applications is pretty
>> shallow and baseless in my opinion.
>>
>> ----- Original Message -----
>> From: "David Wong" <david.wong_at_foundstone.com>
>> To: <webappsec_at_securityfocus.com>
>> Sent: Monday, October 21, 2002 12:27 AM
>> Subject: eWeek OpenHack challenge
>>
>>
>> > eWeek is starting the 4th iteration openhack (http://www.openhack.com)
>> > contest this week (http://www.eweek.com/category2/1,3960,600431,00.asp)
>> >
>> > This year, it's focused on application security.
>> >
>> > Comments?
>> >
>>
>
Received on Oct 24 2002
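Kevin's point above is that the web application layer fails the same way on any OS: SQL injection and cross-site scripting live in how the application builds queries and HTML, not in the kernel. The following is an added illustration written for this archive page, not code from the thread, from eWeek or from the OpenHack application. It assumes a hypothetical login table in an in-memory SQLite database and a hypothetical greeting page; the usernames, passwords and the injection payload are constructed for the demo.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table standing in for
    the application's database (assumed schema, not OpenHack's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Classic mistake: untrusted input is spliced into the SQL text, so a
    quote character in the input changes the structure of the query."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    (count,) = conn.execute(query).fetchone()
    return count > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the driver passes the values separately from
    the SQL text, so quotes and keywords in the input are never parsed as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    (count,) = conn.execute(query, (username, password)).fetchone()
    return count > 0


def render_greeting_vulnerable(name: str) -> str:
    """Reflected XSS: attacker-controlled text lands in the HTML unescaped."""
    return "<p>Hello, %s!</p>" % name


def render_greeting_safe(name: str) -> str:
    """Escaping turns <, >, &, and quotes into entities, so the input is
    rendered as text rather than interpreted as markup."""
    return "<p>Hello, %s!</p>" % html.escape(name, quote=True)


def demo() -> dict:
    """Run both the vulnerable and the hardened paths against the same inputs."""
    conn = make_db()
    # Constructed SQLi payload: closes the password string and appends a
    # tautology, so WHERE ... AND password = '' OR '1'='1' matches every row.
    sqli_payload = "' OR '1'='1"
    xss_payload = "<script>alert(1)</script>"  # constructed XSS probe
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_injected": login_vulnerable(conn, "nobody", sqli_payload),
        "safe_legit": login_safe(conn, "alice", "correct horse"),
        "safe_injected": login_safe(conn, "nobody", sqli_payload),
        "xss_vuln": render_greeting_vulnerable(xss_payload),
        "xss_safe": render_greeting_safe(xss_payload),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Nothing in the block depends on the host OS or the database vendor beyond the placeholder syntax: the string-built query accepts an unknown user with a bogus password, the parameterized one rejects it, and the escaped greeting neutralizes the script tag. That is the sense in which the application layer, not the platform underneath, decides whether these bugs exist.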