WebApp Sec mailing list archives
Assisting open source projects
From: "Andrew van der Stock" <vanderaj () greebo net>
Date: Tue, 15 Mar 2005 12:10:58 +1100 (EST)
Hi there,

This is an interesting case study of how NOT to help a group.

Last week, after several 0day announcements to Bugtraq and full-disclosure, I offered to help the phpBB team with a code review. The reasoning for this is multi-fold:

* identify and remediate latent security issues in a structured fashion
* help train the devs in being a bit more secure than they are now
* reduce the number of times the current installed base of boards (many millions) has to forcefully upgrade
* test out the proto Guide 2.0 and make sure it works for PHP code bases (I have tested it on VERY large and commercially important J2EE code bases, but that doesn't mean that a different asset classification and volunteer devs will work with it)

As many of you know, I help lead the OWASP Guide 2.0 at the moment, and this is taking a great deal of my time, so I don't have time to do a comprehensive code review all by myself in my non-work hours. However, even if I were to do a code review by myself, this is not ideal - the only way for devs to learn to code more securely is to learn the process of doing a security review, why we look for certain things, and the best techniques of reducing the risk. If I simply produced a report, they wouldn't learn that.

So, when I first posted to phpBB.com's forum, there was a bunch of discussion about my motives, and then the thread was deleted. I was asked to re-post in the area51 dev board. Again, the process was repeated. Admittedly, I was heated in my responses as they just weren't getting it. By the end, it was quite acrimonious.

So, if you foolishly decide to help someone, here are my tips on how not to do it:

* Be absolutely upfront about why you want to help them, what you're offering to do and what you think the process will end up doing. I did this, but it wasn't enough. They thought "Trojan" from post #1.
* Don't ask for developer help - they think you're trying to "steal" developers (!)
* Don't respond to negativity in any way - my major mistake.
* Don't respond in an authoritative way (even if you think you are an authority) as this gets people offside - another mistake of mine.
* Ignore posters who cannot or will not help you. Another mistake I made. If I'd waited patiently for a real dev to post, I think things might have been different.
* Don't try to educate them on why deleting threads which contain links to Bugtraq is silly or why security through obscurity never works. The head-in-sand approach is deeply held within this particular group, and nothing will change it. Work around it.
* Don't try to educate them on why doing a code review at the earliest possible stage is beneficial (rather than just at the end of development for the new, unreleased version).

What does this mean for phpBB? They definitely need help, but they won't accept it (from me at least). Even when given some good PHP security resources (such as Chris Shiflett's great sites) they basically refuse to remediate the issues themselves. I don't know what the solution is for them, but I refuse to help as they've been so insanely and consistently negative to me.

What does it mean to me? I think I will avoid trying to "help" any more groups. My efforts have set phpBB back some considerable time as it will take them months to get past their very insular and insecure mindset.

Andrew