OWASP @GSOC - Lambda Space · Caveats many students fall in • Poor/No communication with...


Transcript of OWASP @GSOC - Lambda Space · Caveats many students fall in • Poor/No communication with...

Page 1: OWASP @GSOC - Lambda Space · Caveats many students fall in • Poor/No communication with mentors/community • Lack of familiarity with the project • Last day submissions (in

OWASP @GSOC

Page 2:

echo $OWASP

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software.

Page 3:

echo $USER

• Hacker

• Loves Macs

• Knows how to cook

• Can be bribed with IPA + singlemalt

According to “close friend” & co-worker:

Page 4:

echo $USER

• Penetration Tester

• Hacker (Mindset ?!)

• Involved in OWASP

– Student Chapter Leader

– Student Chapters Project Leader

• Knows how Likes to cook

• Looking for Unicorns

• Can be bribed with IPA + singlemalt


Page 5:

@GSoC

• Participating since 2012

• 88 submissions last year

• This year

– 11 Projects, both new and established

– 30 proposed ideas

Page 6:

• Challenge Pack 2017

• Tech Stack Update

• Your idea

Juice Shop

Page 7:

• Android Code Samples

• Mobile Crackmes and De-Obfuscation Guides

Mobile Hacking Playground

Page 8:

• Field Enumeration

• Scripting Code Completion

• SSRF Detector Integration

• Zest Text Representation and Parser

• Support Java as a Scripting Language

• Bamboo Support

• Backslash Powered Scanner

• Your Idea

OWASP ZAP

Page 9:

• Your idea/open

BLT / Bugheist

Page 10:

• Function examples

• Update existing code examples

• Update knowledge items

• CWE references to existing knowledgebase items

• Verification testing guides

Security Knowledge framework

Page 11:

• New obfuscation modules

• New shellcodes for OSX and Windows

OWASP ZSC

Page 12:

• Behavioral malware and intrusion analysis

• Framework for plugin development

Seraphimdroid mobile security project

Page 13:

• Your idea/open

DefectDojo

Page 14:

• Machine Learning Driven Web Server Log Analysis

• Your Idea

AppSensor

Page 15:

• MiTM proxy interception and replay capabilities

• Report enhancements

• Distributed architecture

• Off-line HTTP traffic uploader

OWTF

Page 16:

• New CMS

• Course Type Challenges

Hackademic Challenges

Page 17:

Participation Instructions

• Choose a good idea

• Contact the mentors/community

• Get familiar with the project

• Research the idea

• Write a very good proposal

Page 18:

Criteria

Selection depends primarily on the mentors and community.

It's crucial to communicate with them to find out what they expect from the project, the proposal and the candidates.

Page 19:

Tips

• Projects are on GitHub; check their open tickets

• Communicate with the community early

• Commits fixing small things are very welcome

• Commits adding documentation are definitely welcome!

Page 20:

Proposal writing

It depends on the project, so communicate early to find out what they want. For Hackademic:

• Keep it concise

• One page for your CV

• 1 paragraph motivation/introduction

• Add links to project specific code you may have

• Detail what you want to do

• List how you will do it

– Small technical design explaining functionality (e.g. routes list)

– Technology stack if applicable

• Add a timeline at the end: what you plan on doing every week.

Page 21:

Caveats many students fall in

• Poor/No communication with mentors/community

• Lack of familiarity with the project

• Last day submissions (in case of feedback you can't fix your proposal)

• Underestimating the work required (expected)

• Not communicating prior engagements early (you have to take a week off for something? Cool, say so)

Generally, GSoC is a tough internship; you should treat it as such.

Page 22:

Links

OWASP GSoC 2017 Ideas page https://www.owasp.org/index.php/GSOC2017_Ideas#Challenge_Pack_2017

Student guidelines https://www.owasp.org/index.php/GSOC_2017_for_Students

Page 23:

Questions

?