WebApp Sec mailing list archives

Re: eWeek OpenHack challenge


From: "Marty Block" <marty () kesem net>
Date: Wed, 23 Oct 2002 21:57:43 -0400

Hi all,
This is a very interesting set of threads. The point of the exercise is
not so much to show how well eWeek can harden a unit or set of
units, but that it can be done. What's important but not usually
promoted well in print is the amount of time and effort that goes
into the prep of these systems prior to release. If they (eWeek) do
a proper job of enumerating manhours and level of effort, we will
be able to extrapolate the costs of doing so for our employers and
clients. We'll be able to say "Here's the number of manhours and
type of talent necessary to secure a system against several
thousand hack attempts. How much is compromise of your
system worth in comparison to this benchmark cost?"

The real value here for us as professionals, tinkerers, enablers 
and innovators is that an independent party will have enumerated 
the time and effort required to do the right job. (Assuming the 
successful hack is fairly arcane in nature...)

My .02.
Thanks,
Marty Block
Kesem Technology


---------- Original Message ----------------------------------
From: "Kevin Spett" <kspett () spidynamics com>
Date:  Wed, 23 Oct 2002 15:55:31 -0400

What are you talking about?  Check out
ftp://ftp.eweek.com/pub/eweek/pdf/printpub/19/41p38.pdf.  There are *ten*
Unix hosts on the OpenHack network, including Linux webservers, database
servers and OpenBSD nameservers, mailserver and firewalls.
Secondly, the focus of this is the web application layer.  We're not talking
about kernel hacking here.  The underlying operating system is largely (yes,
there are minor exceptions) irrelevant.  Just look at the kind of things
they expect people to try-- SQL injection, cross-site scripting, etc.  A
poorly designed web application is breakable regardless of what's running
underneath it.
Also, if the competition is "baseless" and "irrelevant", it's simply because
of the unbelievably ridiculous amount of care that went into the security
preparations.  There are probably only a handful of web applications in the
world that got the security treatment that this thing did.  The only way in
is probably through 0-day holes, and no one's wasting precious 0-day style
on OpenHack, where they'd find out what the issue was and patch it?



Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Bryce Porter" <bryce () thewebcircuit com>
To: "David Wong" <david.wong () foundstone com>
Cc: <webappsec () securityfocus com>
Sent: Tuesday, October 22, 2002 6:02 PM
Subject: Re: eWeek OpenHack challenge


This is a joke. They are so narrow in presenting this and they fail to
realize that the majority of web used in commercial applications run on some
kind of Unix variant like Linux, HP-UX, AIX or some BSD. Making a contest
that applies to the minority of commercial applications is pretty shallow
and baseless in my opinion.

----- Original Message -----
From: "David Wong" <david.wong () foundstone com>
To: <webappsec () securityfocus com>
Sent: Monday, October 21, 2002 12:27 AM
Subject: eWeek OpenHack challenge


eWeek is starting the 4th iteration of the OpenHack (http://www.openhack.com)
contest this week (http://www.eweek.com/category2/1,3960,600431,00.asp)

This year, it's focused on application security.

Comments?
