Here's an interesting idea I had today: Code an open-source web site without security, for example a forum in PHP. Then provide the source, and have hackers (that's where you all come in) find exploits. Write a simple patch for every exploit that is found. Theoretically, in the end you would be left with a secure piece of software. Does this sound realistic? A good way to implement this would be as a sort of "challenge". For example, give out points for each exploit found and hackers could compete to see who could find the most/best exploit. http://sla.ckers.org/forum/read.php?12,6083,6083#msg-6083 Tue, 18 Jun 2013 18:44:22 -0500 Phorum 5.2.15a http://sla.ckers.org/forum/read.php?12,6083,9245#msg-9245 http://sla.ckers.org/forum/read.php?12,6083,9245#msg-9245 hackathology Projects Sat, 31 Mar 2007 23:26:25 -0500 http://sla.ckers.org/forum/read.php?12,6083,9206#msg-9206 http://sla.ckers.org/forum/read.php?12,6083,9206#msg-9206
It is an interesting idea, but I rather see programmers to educate themselfs.]]> jungsonn Projects Sat, 31 Mar 2007 12:15:03 -0500 http://sla.ckers.org/forum/read.php?12,6083,9135#msg-9135 http://sla.ckers.org/forum/read.php?12,6083,9135#msg-9135 hackathology Projects Fri, 30 Mar 2007 03:45:51 -0500 http://sla.ckers.org/forum/read.php?12,6083,9109#msg-9109 http://sla.ckers.org/forum/read.php?12,6083,9109#msg-9109 rsnake Projects Thu, 29 Mar 2007 21:08:25 -0500 http://sla.ckers.org/forum/read.php?12,6083,9082#msg-9082 http://sla.ckers.org/forum/read.php?12,6083,9082#msg-9082 But be aware, there are a lot of stored XSS-es and stuff. It's scary in there! :P

http://testaspnet.acunetix.com/ - acublog
http://testasp.acunetix.com/ - acuforum]]> blad3 Projects Thu, 29 Mar 2007 01:43:41 -0500 http://sla.ckers.org/forum/read.php?12,6083,9057#msg-9057 http://sla.ckers.org/forum/read.php?12,6083,9057#msg-9057 I'll always prefer writing secure code instead of writing unsecure code and then tell someone to test it.]]> FR3DC3RV Projects Wed, 28 Mar 2007 14:40:06 -0500 http://sla.ckers.org/forum/read.php?12,6083,9041#msg-9041 http://sla.ckers.org/forum/read.php?12,6083,9041#msg-9041 Anonymous User Projects Wed, 28 Mar 2007 03:07:21 -0500 http://sla.ckers.org/forum/read.php?12,6083,9034#msg-9034 http://sla.ckers.org/forum/read.php?12,6083,9034#msg-9034 hackathology Projects Wed, 28 Mar 2007 01:16:46 -0500 http://sla.ckers.org/forum/read.php?12,6083,9002#msg-9002 http://sla.ckers.org/forum/read.php?12,6083,9002#msg-9002 If you want other sites:
- Watchfire's http://testfire.com/
- SPI's (don't remember the URL.. :/)

I also plan to release mine (have to configure a sandbox before...)]]> nEUrOO Projects Tue, 27 Mar 2007 13:09:32 -0500 http://sla.ckers.org/forum/read.php?12,6083,9001#msg-9001 http://sla.ckers.org/forum/read.php?12,6083,9001#msg-9001 CrYpTiC_MauleR Projects Tue, 27 Mar 2007 12:58:18 -0500 http://sla.ckers.org/forum/read.php?12,6083,8997#msg-8997 http://sla.ckers.org/forum/read.php?12,6083,8997#msg-8997
http://testphp.acunetix.com]]> hackathology Projects Tue, 27 Mar 2007 11:53:07 -0500 http://sla.ckers.org/forum/read.php?12,6083,6087#msg-6087 http://sla.ckers.org/forum/read.php?12,6083,6087#msg-6087
Most people who are involved with such communities might be good at finding vulnerabilities, but they generally aren't too good at writing code, and even those that are probably don't have too much experience on working in teams and so they aren't that good at writing code that fits into the overall architecture of the software. Of course this is a mass generalisation, but I think it primarily holds true.

If you ask for a patch and its not good quality you face a dilemma on whether or not you will accept the patch or not because if you accept the patch, then all of a sudden you have dodgy or out of place code in your project, but if you don't you risk offending and alienating the user base which is auditing your code.

But as long as the developers realise that if people find no vulnerabilities it doesn't mean they are vulnerability free, it simply means the subset of users from those sites which looked over your code (and probably not very closely at that) didn't find anything.

You might even want to offer some kind of other reward (no matter how small or intangible - these people are generally doing it either to learn or for recognition, those seeking recognition would be happy with more of it) to those who find vulnerabilities so that people from those communities have more incentive to participate.]]> kuza55 Projects Mon, 29 Jan 2007 05:11:18 -0600 http://sla.ckers.org/forum/read.php?12,6083,6086#msg-6086 http://sla.ckers.org/forum/read.php?12,6083,6086#msg-6086
If you want to have an insecure application for testing and practice you can install yourself an instance of WebGoat

http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

If you really want to have a secure piece software which is still maintainable after zounds of patches I don't think that your idea is that good - the risk seems pretty high for me that the result is going to be some kind of BBOM...

http://en.wikipedia.org/wiki/Big_ball_of_mud

Greetings,
.mario]]> Anonymous User Projects Mon, 29 Jan 2007 04:35:46 -0600 http://sla.ckers.org/forum/read.php?12,6083,6083#msg-6083 http://sla.ckers.org/forum/read.php?12,6083,6083#msg-6083
A good way to implement this would be as a sort of "challenge". For example, give out points for each exploit found and hackers could compete to see who could find the most/best exploit.]]> Spikeman Projects Mon, 29 Jan 2007 03:03:21 -0600