WebApp Sec mailing list archives

Assisting open source projects


From: "Andrew van der Stock" <vanderaj () greebo net>
Date: Tue, 15 Mar 2005 12:10:58 +1100 (EST)

Hi there,

This is an interesting case study of how NOT to help a group. Last week,
after several 0day announcements to Bugtraq and full-disclosure, I offered
to help the phpBB team with a code review.

The reasoning for this is multi-fold:

* identify and remediate latent security issues in a structured fashion
* help train the devs in being a bit more secure than they are now
* reduce the number of times the current installed base of boards (many
millions) has to forcefully upgrade
* test out the proto Guide 2.0 and make sure it works for PHP code bases
(I have tested it on VERY large and commercially important J2EE code
bases, but that doesn't mean that a different asset classification and
volunteer devs will work with it)

As many of you know, I help lead the OWASP Guide 2.0 at the moment, and
this is taking a great deal of my time, so I don't have time to do a
comprehensive code review all by myself in my non-work hours. However,
even if I were to do a code review by myself, this is not ideal - the only
way for devs to learn to code more securely is to learn the process of
doing a security review, why we look for certain things, and the best
techniques of reducing the risk. If I simply produced a report, they
wouldn't learn that.

So, when I first posted to phpBB.com's forum, there was a bunch of
discussion about my motives, and then the thread was deleted. I was asked
to re-post in the area51 dev board. Again, the process was repeated.
Admittedly, I was heated in my responses as they just weren't getting it.
By the end, it was quite acrimonious.

So, if you foolishly decide to help someone, here are my tips on how not to
do it:

* Be absolutely upfront about why you want to help them, and what you're
offering to do and what you think the process will end up doing. I did
this, but it wasn't enough. They thought "Trojan" from post #1
* don't ask for developer help - they think you're trying to "steal"
developers (!)
* don't respond to negativity in any way - my major mistake
* don't respond in an authoritative way (even if you think you are an
authority) as this gets people offside - another mistake of mine
* Ignore posters who cannot or will not help you. Another mistake I made.
If I'd waited patiently for a real dev to post, I think things might have
been different.
* don't try to educate them on why deleting threads which contain links to
bugtraq is silly or why security through obscurity never works. The head
in sand approach is deeply held within this particular group, and nothing
will change it. Work around it.
* don't try to educate them why doing a code review at the earliest
possible stage is beneficial (rather than just at the end of development
for the new, unreleased version).

What does this mean for phpBB? They definitely need help, but they won't
accept it (from me at least). Even when given some good PHP security
resources (such as Chris Shiflett's great sites) they basically refuse to
remediate the issues themselves. I don't know what the solution is for
them, but I refuse to help as they've been so insanely and consistently
negative to me.

What does it mean to me? I think I will avoid trying to "help" any more
groups. My efforts have set phpBB back some considerable time as it will
take them months to get past their very insular and insecure mindset.

Andrew
