[Governance] VPS Windows 2012 Server

Matt Tesauro matt.tesauro at owasp.org
Mon Mar 2 17:15:08 UTC 2015


Jim,

 I do mostly agree with your points.  I guess I'm looking at this from
another direction.

Running that server has opportunity costs for Johanna and Jason which isn't
providing much ROI to the community or Foundation.

Keeping infrastructure up and running, available and providing value to the
community is a non-trivial ask.  It appears to me that usage is minimal so
the community is probably "spending more" than the value it's getting back.

While the SWAMP may have warts, it's functional and, for those that want to
have their code checked, it can work.  If they have concerns about handing
over their open source project's source code to DHS, well, DHS can just
download it if they really want it so I don't think that's much of a real
issue.

So, since we have had little uptake and it's non-free for Johanna and Jason
to run this thing (in terms of _their_ volunteer time), then pointing
projects to the SWAMP seems like a good thing to me.  It will free Johanna
and Jason up to get wins in other areas at OWASP.

HTH clarifies what I was meaning earlier.  Hard to be precise on your phone
in the dentist's office waiting room. ; )

Cheers!

--
-- Matt Tesauro
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site
OWASP OpenStack Security Project Lead
https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project

On Mon, Mar 2, 2015 at 8:15 AM, Jim Manico <jim.manico at owasp.org> wrote:

> It's just "scanners in the cloud" and not easy to use last I checked.
> SWAMP has a lot of maturing to do, not to mention the privacy issues of a
> cloud service vs. open source tools.
>
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
> On Mar 2, 2015, at 2:35 PM, Matt Tesauro <matt.tesauro at owasp.org> wrote:
>
> Why don't we point projects to DHS's SWAMP for security scanning?
>
> They have already managed the relationship with vendors, it's free to use
> and doesn't require any infrastructure for the Foundation to maintain.
>
> <Matt's 2 cents />
>
> --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
> On Mar 2, 2015 5:26 AM, "johanna curiel curiel" <johanna.curiel at owasp.org>
> wrote:
>
>> Hi Jason
>>
>> I think we need to communicate this clearly to the leaders in order for
>> them to use this. I also think, Jason, you need to communicate the whole
>> story in order for people to understand about this project.
>>
>> I think it was a very good initiative from you, however, as you can see
>> it requires a lot of work to make it feasible.
>> Last year I set up around 10 projects but I remember we had issues with
>> SVN repositories.  I saw some emails last month regarding access and
>> renewing the VPS contract that you exchanged with Kate and Paul.
>>
>> Like I mentioned, I do not have access right now and since last year. I
>> sent you an email, to Paul and Kate some week ago, asking if you had
>> access to this server. You did not answer my email and Paul requested me
>> to fill a contact form to check the access with Kate. The access worked
>> for me through Sarah's account, and when this changed I do not have access.
>>
>> Do you have access to the server?
>> I have not used the server since November last year. I also sent you an
>> email to check if you had access but I did not get a response from you. And
>> now suddenly you sent this to a mailing list, so I'm kind of surprised by
>> your reaction.
>>
>> We also need to promote this properly if we want leaders to use this. The
>> project never got to this point because:
>> - Getting a sponsor for vulnerability scanning was an issue for some board
>> members
>> - I do not have access to the server after the renewal contract and the
>> account was changed from Sarah's email to Paul or Kate
>> - I did not hear from you regarding access to the server
>>
>> At this point as you can see, it involves a lot of work pulling these
>> kinds of projects.
>>
>> Could you clarify and let me know if you have access to this server? You
>> were the admin of the system.
>>
>> Regards
>>
>> Johanna
>>
>> On Sun, Mar 1, 2015 at 8:25 PM, Jason Johnson <jason.johnson at owasp.org>
>> wrote:
>>
>>> Currently we have a VPS that hosts a build server for OWASP and I was
>>> curious if anyone was using this or if we think it could be used in some
>>> other manner. Another option is to get rid of it altogether and save
>>> around 75$ a month.
>>>
>>> The idea behind it was to allow every project to have a space to build
>>> their apps or have them scanned for vulnerabilities. I'm not sure how people
>>> feel about it at this point but I'm all for ideas or even decommissioning
>>> it if we think it's not bringing value to our cause?
>>>
>>>
>>> I know Johanna was working on this at some point and it is a huge task
>>> to take on so let me know if we want to reappropriate this server for
>>> something or simply remove it from OWASP's assets.
>>>
>>
>>