From Google GHOP: ""Penetration testing" is the process of trying to break into an application
in order to find security holes. Once the application has been
"penetrated", the security hole can be identified and fixed so actual bad
guys can't break into the application. Routine penetration testing,
especially during development, helps keep programs secure from attackers.

For this task, research penetration testing (black box testing and white
box testing) and available open source penetration testing tools and
procedures. Prepare a written recommendation for regular penetration
testing for Drupal, emphasizing automated tools or scripts that could be
run routinely throughout development to find and fix security holes early
and often.

The deliverable for this task is a written report reviewed by the Primary
Contact and posted to http://drupal.org/project/issues/documentationE. The report should include:

* What open source penetration testing tools are available, and a brief
(3 paragraphs or less) review of each.
* What established best practices for penetration testing exist.
* A recommendation for what procedures and tools Drupal can and should
use for regular penetration testing.

Resources:

* http://en.wikipedia.org/wiki/Penetration_testing

Estimated time:
4 days"

Finished report is attached.

Comment | File | Size | Author
#19 | evaluation.pdf | 941.37 KB | sokrplare

Comments

ddcc’s picture

2nd attempt to attach.

webchick’s picture

Hey, what's the error you're getting? Is it because of the .odt extension, or..?

chx’s picture

file hope anonymous users can download... if not we will do something else.

ddcc’s picture

Oddly enough, I get no error. When I hit attach, I see the bar and network traffic, then when it finishes, nothing shows up.

webchick’s picture

Title: "Research and evaluate penetration testing options for Drupal" » GHOP #18: "Research and evaluate penetration testing options for Drupal"

Crell’s picture

ddcc: Nicely done! This looks like exactly what we were looking for. I also agree with your recommendation at the end. Pen testing should be part of our standard development routine in order to keep up Drupal's reputation for security. :-)

ddcc’s picture

No problem. Anything new or planned security-related "jobs"?

webchick’s picture

There certainly could be! :) Could you hint around at something you'd find interesting?

ddcc’s picture

Well, just general security related stuff. I'm not good enough with coding to do anything over there, nor am I that great with making presentations about the features of Drupal.

webchick’s picture

ddcc’s picture

Indeed it does. :). Unfortunately, I've already picked up another issue, so I'm unable to do that one at the moment. Once I finish with my current one, I'll check if this one is still available, or if an equivalent is available.

As I was examining that issue, I noticed that the deadlines for many Drupal issues are especially short. Thus, I would like to make a general suggestion: extending Drupal issue deadlines. My reasoning is that with finals coming up for most students (except for those in Australia) and homework during the week, four days is a very short deadline. I personally had to plan when I claimed the task so that I could have the weekend to work on it, and even then it was pretty tight.

webchick’s picture

Ah, I meant to update the wiki page on our tracker, I'll go do that now... all of our issues are now 7 days, rather than 2 - 5. I agree that it's good to have some leeway there.

I didn't want to make them much longer than that though since the timeline for the contest is so short and there are folks who claim a task and then don't end up following through. For example, if two students do that in a row on a 3-week task, then no one else can claim it. :(

That said, we're very cool with extending deadlines as long as the student keeps in contact with us as to what's going on. And since you already have an extremely well-done task under your belt, I think we could definitely work around your schedule, as long as it's within a couple days. :)

ddcc’s picture

Darn claimed. ;-D. My current task is taking a while, so I'll probably pick up another task relating to Drupal after Christmas Break since I'll be out of town Christmas week.

webchick’s picture

OK awesome. :) Looking forward to working with you again!!

Crell’s picture

ddcc: This task isn't security related, but it's another "research, compare, and contrast" task. I'd love to see your level of detail brought to bear on it. :-)

ddcc’s picture

Thanks for all the ideas, but I'll probably only be able to get started again after Christmas week, so it'll take a while before I can claim another task. I'll make sure to let you guys know though.

Anonymous’s picture

Status: Fixed » Closed (fixed)
Issue tags: +GHOP

Automatically closed -- issue fixed for two weeks with no activity.

sokrplare’s picture

Component: Misc » Correction/Clarification
Status | File | Size
new | | 941.37 KB

For anyone - many years later - stumbling across this issue and the dead links, here are some updated ones:
GHOP thread: https://code.google.com/p/google-highly-open-participation-drupal/issues...

File was attached to comment 12 in that thread.

I've also attached it here for safe-keeping as a PDF.