Here's an interesting idea I had today: Code an open-source web site without security, for example a forum in PHP. Then provide the source, and have hackers (that's where you all come in) find exploits. Write a simple patch for every exploit that is found. Theoretically, in the end you would be left with a secure piece of software. Does this sound realistic?
A good way to implement this would be as a sort of "challenge". For example, give out points for each exploit found and hackers could compete to see who could find the most/best exploit.
If you really want to have a secure piece of software which is still maintainable after zounds of patches, I don't think that your idea is that good - the risk seems pretty high to me that the result is going to be some kind of BBOM...
It might be a good idea if you can collaborate with either HTS or HBH or a similar community, to get them to add it as a challenge (because they have an existing user base which is willing to do this kind of work), but I don't think requiring (or even asking) people to submit patches is a good idea, for the following reasons:
Most people who are involved with such communities might be good at finding vulnerabilities, but they generally aren't too good at writing code, and even those that are probably don't have much experience working in teams, so they aren't that good at writing code that fits into the overall architecture of the software. Of course this is a mass generalisation, but I think it primarily holds true.
If you ask for a patch and it's not of good quality, you face a dilemma over whether or not to accept it: if you accept the patch, then all of a sudden you have dodgy or out-of-place code in your project, but if you don't, you risk offending and alienating the user base which is auditing your code.
But as long as the developers realise that if people find no vulnerabilities, it doesn't mean the software is vulnerability-free; it simply means the subset of users from those sites who looked over your code (and probably not very closely at that) didn't find anything.
You might even want to offer some other kind of reward (no matter how small or intangible - these people are generally doing it either to learn or for recognition; those seeking recognition would be happy with more of it) to those who find vulnerabilities, so that people from those communities have more incentive to participate.
Anurag also released one: http://www.attacklabs.com/shopcart/
If you want other sites:
- Watchfire's http://testfire.com/
- SPI's (don't remember the URL.. :/)
I also plan to release mine (have to configure a sandbox first...)
I don't think that extensive exploitation is a good idea.
I'll always prefer writing secure code over writing insecure code and then telling someone to test it.
Most commercial software vendors do this; they have code auditors. Most open source software does not, or not much, because it's basically free, and a commercial software builder can't afford to have holes in their products (besides Micro$oft, that is).
It is an interesting idea, but I'd rather see programmers educate themselves.